# ITAR Compliance Programme — Penalties, VSD, and TCP

## ITAR Compliance Programme Elements

An effective ITAR compliance programme (recognised by DDTC as a mitigating factor) includes:

### 1. Governance and Leadership
- Designated **Empowered Official (EO)** (22 CFR § 120.67): A US person with authority to sign licence applications and ensure ITAR compliance; must be in a senior position with ability to override business decisions for compliance reasons
- Written **ITAR Compliance Policy** signed by senior management
- Clear escalation path for export control questions
- Annual management review of compliance programme effectiveness

### 2. Training
- **Initial training** for all employees with ITAR access within 30 days of hire
- **Annual refresher training** covering recent regulatory changes, enforcement actions, and company-specific procedures
- **Role-specific training** for: Empowered Officials, shipping/logistics, engineering/R&D, legal, IT
- Training records retained 5 years

### 3. Technology Control Plan (TCP)

A TCP controls access to ITAR-controlled technical data, especially by foreign nationals.

**TCP Sections:**
```
1. Purpose and Scope
2. ITAR-controlled items and data inventory
3. Physical access controls (secure areas, visitor escorts, badging)
4. IT access controls (network segregation, access lists, encryption)
5. Foreign national screening procedure
   - Collect citizenship information at hire/engagement
   - Screen against denied parties lists
   - Determine if TAA/licence required before granting access
6. Visitor and contractor procedures
7. Annual ITAR training programme
8. Incident identification, reporting, and response
9. Records management (5-year retention)
10. TCP review and update cycle (annual minimum)
```

### 4. Screening and Due Diligence
Screen all parties (customers, suppliers, employees, visitors) against:
- **DDTC Debarred Parties List** (22 CFR § 127.7)
- **OFAC Specially Designated Nationals (SDN) List**
- **BIS Denied Persons List, Entity List, Unverified List**
- **US State Department Watch Lists**

Screening must be documented and re-run at each transaction.

### 5. Jurisdiction and Classification Review
- Formal **product classification process** for every new item, component, and software
- Document classification decisions (USML citation or EAR ECCN) with rationale
- Review classifications when a product is modified, its use case changes, or regulations change
- Consider **Commodity Jurisdiction (CJ)** requests for ambiguous items

### 6. Licence Management
- Centralised tracking of all active licences, TAAs, MLAs
- Pre-shipment licence review checklist
- Licence condition compliance (quantities, end-users, re-export restrictions)
- Timely licence renewals (track expiry dates with 90-day advance reminders)
- Post-shipment filing (Automated Export System / Electronic Export Information)

### 7. Audits
- Annual internal ITAR compliance audit (or third-party audit every 2–3 years)
- Audit scope: registration currency, licence compliance, TCP effectiveness, training records, screening logs, record retention
- Findings documented with corrective action plans and owners

---

## Penalties — 22 CFR Part 127 and 22 USC § 2778

### Civil Penalties
- Up to **$1,369,000 per violation** (amount adjusted annually under the Federal Civil Penalties Inflation Adjustment Act)
- Each unlicensed export, each unlicensed disclosure of technical data, and each brokering violation counts as a separate violation
- DDTC may impose civil penalties via Consent Agreement without criminal referral

### Criminal Penalties
- Up to **$1,000,000 fine** per violation (22 USC § 2778(c))
- Up to **20 years imprisonment** per violation
- Criminal cases referred to Department of Justice; prosecuted by DOJ National Security Division

### Debarment
- DDTC may debar any person from ITAR privileges (22 CFR § 127.7)
- Duration: typically 3 years; can be permanent for egregious violations
- Debarment prevents: registration, licensing, TAA/MLA participation, US government contracting
- Published on the DDTC Debarred Parties List

### Other Consequences
- **Seizure and forfeiture** of articles involved in violations (22 USC § 2778(e))
- **Suspension of export privileges** pending investigation
- **Congressional notification** requirements for significant violations involving foreign governments
- **Reputational harm** — consent agreements are publicly disclosed

---

## Voluntary Self-Disclosure (VSD) — 22 CFR § 127.12

### Why Disclose
VSD is the strongest available mitigating factor. DDTC's guidelines recognise that companies with effective compliance programmes that self-discover and promptly disclose violations deserve leniency.

### VSD Process

**Step 1 — Initial Notification** (~30 days from discovery)
- Submit brief written notification to DDTC Director of Compliance
- Include: company name, registration number, general description of the potential violation, estimated number of occurrences
- Request a tolling agreement to preserve statute of limitations while investigation proceeds

**Step 2 — Internal Investigation** (30–90 days)
- Investigate all facts: who knew what, when, what was exported/disclosed, to whom
- Pull all records (licences, shipping docs, emails, TAA files)
- Identify root cause (process failure, training gap, deliberate act)
- Preserve all evidence; place litigation hold if appropriate

**Step 3 — Final VSD Report** (within ~60–90 days of initial notification)

Submit comprehensive written report including:
- Detailed factual narrative of all violations
- CFR sections violated for each occurrence
- Identification of all parties involved
- Timeline of events
- Root cause analysis
- Corrective actions already implemented
- Proposed additional remediation

**Step 4 — DDTC Review and Resolution**
- DDTC reviews report; may request additional information
- Outcomes: no action, warning letter, civil penalty (usually reduced), or referral for criminal review
- Most cooperative VSDs resolved within 6–18 months

### Mitigating Factors
- Voluntary self-disclosure
- Cooperation with DDTC investigation
- Effective pre-existing compliance programme
- Prompt remediation
- No prior ITAR violations
- Low national security harm
- Relatively low transaction value

### Aggravating Factors
- Wilful/deliberate violation
- Senior management involvement or awareness
- Harm to national security
- Pattern of violations
- Obstruction or lack of cooperation
- High-risk end-users (state sponsors of terrorism, arms embargoes)
- Prior violations

---

## DDTC Blue Lantern End-Use Monitoring

The **Blue Lantern** programme is DDTC's end-use monitoring initiative. US embassy personnel conduct post-shipment verifications to confirm items reached the stated end-user and are being used as authorised.

**Implications for exporters:**
- Cooperate fully with Blue Lantern checks (failure to cooperate can trigger licence suspension)
- Maintain accurate shipping records to facilitate verification
- Include cooperation obligations in contracts with foreign distributors
- Report if you discover items have been diverted or misused

---

## Checklist — ITAR Compliance Programme Readiness

| Area | ✅ | Key Questions |
|------|----|--------------|
| Registration | | Is registration current? Renewal filed on time? |
| Empowered Official | | Named EO with written authority? |
| Policy | | ITAR Compliance Policy signed by senior management? |
| TCP | | Written TCP? Reviewed in last 12 months? |
| Training | | All ITAR-access employees trained in last 12 months? Records retained? |
| Classification | | All products/components formally classified? CJ obtained where needed? |
| Screening | | SDN/debarment screening at every transaction? Documented? |
| Licence tracking | | All licences logged? Expiry alerts set? Conditions tracked? |
| Record retention | | 5-year retention in place? Accessible for audit? |
| Internal audit | | Annual ITAR audit completed? Findings tracked? |
| Incident response | | VSD procedure documented and communicated? |
