BPE Global Hot Topic – February 2017
License Exception "ENC" Reporting Requirements
Last year, I wrote an article about recordkeeping. The first step in tackling recordkeeping is understanding which regulatory agency recordkeeping requirements you are subject to. Hopefully you addressed recordkeeping requirements in 2016 and are ready to take a look at another important area: encryption reporting requirements. As with recordkeeping requirements, you must know which U.S. regulatory agencies' reporting rules are applicable to your organization, such as those of the Bureau of Industry and Security and the National Security Agency. Our readership is comprised of exporters, carriers and third parties involved in international transportation; however, I imagine many reading this article have never submitted a semi-annual encryption report or an annual self-classification report. However, I am pretty certain someone within your company has exported an encryption item in CY2016!
The subject of encryption reporting is fresh in my mind, as the first deadline of 2017 was on Feb. 1st, and being in trade compliance consulting, well, it is a bit like tax season is for accountants in the month of January. Whether or not your company has a trade compliance function, or someone in shipping/logistics who does your export classifications, licensing, electronic export information (“EEI”) filings, etc., awareness needs to be raised that encryption reporting is required for certain encryption exports. You may not design or sell encryption items, but most companies in the U.S. today ship encryption items cross-border to support global operations. Items like software (including downloads), servers, and network security appliances are not only export controlled, but when they are exported under license exception “ENC”, semi-annual ENC reporting or annual self-classification reporting may be required.
Where should you start to identify these exports? There are a number of places, depending on whether the items are revenue or non-revenue. The most common encryption export, and one that would impact all companies, is a non-revenue item: your IT Department exports equipment to support an operation, engineering sends hardware to a development firm, or software is posted for download by a customer or third party. The export of items like this might not show in your ERP system as an export. However, the data may be stored elsewhere. Finance may track company assets in the ERP system, and downloads from support sites may be captured electronically. Shipping/Logistics certainly would generate the shipment paperwork for physical export shipments, and that may be the only place certain exports are captured.
ERP, GTM and shipping systems for couriers should have some or most of the data required to generate the semi-annual ENC report. The driving data point is any item with an Export Control Classification Number (ECCN) of 5A002, 5D002 or 5E002.
"Semi-annual reporting is required for exports to all destinations other than Canada, and for reexports from Canada for items described under paragraphs Export Administration Regulations 740.17 (b)(2) and (b)(3)(iii)." And, there are exclusions.
Thus, it is not as simple as running an export report by ECCN, unless your company is capturing the ENC citation also. And, close reading is required to understand what the exact reporting requirements are, and what falls under each ENC citation. In the past, there were general buckets referred to as "Restricted" and "Unrestricted" that helped with reporting. Those terms are history.
Annual self-classification reporting is required for items classified as ECCN 5A002, 5B002, or 5D002 described in 740.17(b)(1) that do not have a CCATS and for Mass Market items classified as 5A992.c or 5D992.c under EAR Category 5 - Part 2 Note 3.
This is a lot of regulatory information to absorb, so once you have searched your systems for the ECCNs listed, it is suggested that you visit the BIS website, www.bis.doc.gov, and under the “Regulations” tab, click on “Export Administration Regulations”, and then click on “Part 740 License exception”. Locate section 740.17 Encryption Commodities, Software, and Technology, to read and understand the requirements for using license exception ENC, and the reporting requirements. It is important to note that there were some regulatory changes impacting encryption reporting which occurred on September 20, 2016. If you search for encryption reporting guidance on the BIS website, there is obsolete information posted under “Policy Guidance”. This caused a great deal of confusion for companies preparing encryption reporting on February 1st, as the reporting requirements changed. Some requirements were eliminated, and others were expanded. Some companies had built reports to streamline the ENC reporting process, and found they had to build new reports.
They say the best time is the present to understand regulations impacting your company, and ensure you are compliant. It may not be your job, but if no one is preparing these encryption reports, you have a trade compliance gap. Government agencies are sharing information more than ever, and if they see you are exporting encryption items, but failing to do the applicable required reporting, there may be negative consequences.
As this may be a big undertaking if it has not been addressed historically, we recommend creating an ENC reporting team consisting of Logistics/Shipping, Export, IT, Customer Support, Engineering, Marketing, Sales, and Finance to understand and identify what revenue and non-revenue exports (physical and download) may be occurring. Retain external expertise to help you wade through the regulations and apply them to your export scenarios and the applicable reporting required. Then develop policies and procedures to capture the required data, and automate reporting as much as possible.
The next ENC reporting deadline is August 1st. Will you be ready?
We hope you enjoyed this Hot Topic and it inspired you to perform a review of your current encryption reporting process in advance of the next reporting deadline.
If you have any questions, or need help with encryption reporting, BPE Global is here to help! BPE Global is a global trade consulting and training firm. Renee Roe is a Director of BPE Global. You can reach Renee by email at Renee@bpeglobal.com.