Minimizing Liability with Export Control Compliance

February 21, 2017
Eric McClafferty and Brooke Ringel

Eric McClafferty is Partner, and Brooke Ringel is Senior Associate, at Kelley Drye (Washington, DC).

Brooke Ringel and Eric McClafferty outline steps companies should take to ensure compliance with export controls.

Brooke Ringel and Eric McClafferty outline steps companies should take to ensure compliance with export controls.

Many firms or organizations in the biopharmaceutical industry are not adequately protecting themselves from very real regulatory risk. Cutting-edge research and commercialization possibilities – for example, the development of new antibiotics, the creation of customizable large molecule biologic medicines, or the discovery treatments to combat emerging zootonic diseases – also bring new or expanded responsibilities for complying with the numerous, often complex sets of regulations that govern the biopharmaceutical product life cycle. When companies are laser-focused on the many moving parts of getting a new product to market, it is not uncommon to lose sight of what should be another critical piece of a company’s compliance profile: export controls.

The risk of non-compliance with export controls, and the associated civil and criminal penalties, are very real given the sensitive and global nature of the biopharmaceutical industry’s work. Failure to address export control regulatory risk in a systematic way can lead to violations by otherwise well-intentioned companies, resulting in penalties, reputational damage, and threats to national security. Adding an export compliance component to your existing regulatory or biosecurity program does not need to be onerous, but does protect your business and your personnel (including executive) if an export problem emerges down the line.

Export control basics

U.S. export control rules are designed to keep the industry’s benevolent, potentially life-saving technological advances out of the hands of those who would use them for nefarious purposes. Many people are surprised to learn that a number of materials, chemicals, and processing and lab equipment that they work with are controlled under these rules. Export control regulations govern the transfer of military-grade and less-sensitive dual-use chemicals and biological material (moving between facilities with authorization or perhaps as the infamous “vial in the pocket”), the equipment required to process those materials (the same equipment used by bad actors), and the technology, or “know-how”, to develop or produce those items (which can be unwittingly shared by researchers or business personnel).

The U.S. Department of State administers the International Traffic in Arms Regulations governing military “defense articles.” Additionally, the U.S. Treasury Department’s Office of Foreign Assets Control implements international economic and trade sanctions that limit or prohibit “dealing with” – a very broad concept – individuals, financial institutions, and other governmental or private entities under 26 country-specific and transnational programs (e.g., non-proliferation sanctions).       

The biopharmaceutical industry is most likely affected by the U.S. Department of Commerce’s Export Administration Regulations (EAR)[1] controlling dual-use products, software, and technology – items or information that can be used for both commercial and military (or terrorist) purposes. Commerce’s Bureau of Industry and Security (BIS) maintains a list of controlled items called the Commerce Control List (CCL). Many chemicals and biological agents, equipment, and technology common in the biopharmaceutical industry are covered under the EAR. For example, certain cross-flow filtration equipment used to produce vaccines (a very good thing) can also be used to recover a bacterial toxin to be used as a biological weapon (a very bad thing).

While export rules are often thought of as controlling the physical shipment of items outside the United States, an unlawful “export” can also occur by transferring a controlled item or information to certain non-U.S. persons even within the United States. For dual-use items, the countries (or non-U.S. persons who are nationals of those countries) that are off-limits vary depending on the level of control on that specific item. That is why it is so critical to classify products and know-how under the regulations. Moreover, a necessary export, such as the need to share certain controlled information with your non-U.S. person engineer or partner lab in China, often requires an export license issued in advance. Understanding the contours of these rules is critical to limiting your risk of violation even if your lab or company is not regularly sending products or equipment outside of the United States.

Where is our risk?

You should start by thinking about the EAR controls on chemicals and biological agents found in Category 1 of the CCL. On the pharmaceutical side, Export Control Classification Numbers (ECCN) 1C350, 1C355, and 1C995 control the movement of Chemical Weapons Convention (CWC) Schedule 2 and Schedule 3 chemicals, certain mixtures thereof, and other non-CWC chemicals that may be used as precursors for toxic chemical agents.

On the biotechnology side, ECCNs 1C351 and 1C354 control human, animal, and plant viral and bacterial pathogens (and plant fungi) and toxins. ECCN 1C353 controls genetic elements (e.g., chromosomes, genomes, plasmids), whether or not genetically modified or chemically synthesized, and genetically modified organisms. Other ECCNs cover medical, diagnostic, food testing, and other kits, vaccines, and immunotoxins.

Categories 1 and 2 of the EAR also include controls on much of the equipment commonly found around biotechnology and pharmaceutical facilities. Chances are very good that you have equipment that should be closely examined to determine if it is controlled under the rules or if some of the specifications and exceptions that narrow the controls on these broad categories apply.

A blind spot for many companies, particularly those who do not have significant international operations or sales, is the issue of “deemed exports.” The EAR control the technology related to the development and production (and disposal in the case of chemicals and biological agents) of controlled items – in other words, the rules cover the transmission of know-how outside the U.S. and sometimes to foreign nations in your company or lab. The regulations deem the transfer of this technology to a non-U.S. person as the equivalent of a shipment of that underlying material or equipment outside the United States. Foreign national employees are a great asset to companies in the biopharmaceutical industry, but the information they have access to in the lab or production facility can create liability for the company if not managed in accordance with the rules.

What is our potential liability?

There is value for company leadership in the biopharmaceutical industry to carefully assess compliance with export control regulations. Does your company have foreign subsidiaries or affiliates that share supply chains and IT systems with U.S. facilities, or a partnership with a foreign university lab? Foreign access to data on a U.S. IT system is considered an export to that country. Many dual-use exports required for your business or university to operate are permitted without a license or are licensable through an online system, making the cost to putting the right policies and procedures in place much less than the potential penalties for a violation.

Without a full evaluation and program designed to mitigate risk, exposure to civil and criminal penalties can be severe. U.S. export control regulations are enforced on a strict liability basis – even an unintentional violation is punishable by up to $250,000 per violation (or twice the value of the transaction, whichever is greater), a possible denial order (loss of the right to export), loss of the right to do business with the U.S. government, imposition of a third-party auditor, and property seizure. A willful violation can lead to criminal sanctions of imprisonment and fines of $250,000 per violation for individuals and $1 million per violation for companies. Note that a single transaction can have multiple violations and implicate action by other regulatory agencies (e.g. Customs and Border Protection).

The potential for reputational harm is also quite significant. BIS publicly reports enforcement actions, as does the Department of Justice in the case of criminal prosecution. In this industry, the release of technology, even if unintentional, could seriously undermine U.S. national security interests by providing those who would do us harm through chemical or biological weapons access to some of the know-how to do so.

How can we manage our liability in a cost-effective way?

Biopharmaceutical companies can leverage existing regulatory and/or biosecurity compliance efforts by building export control policies and procedures into that system. Basic export control compliance tools can also boost compliance across different regulatory programs, further mitigating risk through a uniform approach.

(1)  Organizational structure: identify compliance personnel responsible for implementing compliance and managing issue escalation.

(2)  Corporate policy: show the value of compliance through effective endorsement of a policy by company leadership.

(3)  Procedures: develop processes to identify, classify, and track controlled products and technology; track and license exports and re-exports; avoid restricted or prohibited transactions; and address potential violations.

(4)  Recordkeeping: implement a recordkeeping and retention plan, as required by the regulations.

(5)  Awareness: regularly train employees to ensure competency, earn buy-in, and to gain feedback.

(6)  Maintenance: tailor internal monitoring and auditing to your company’s unique risk profile and business processes.

While export controls may present potentially unanticipated or unexamined challenges for biopharmaceutical companies, there are also important gains to be made from discovering, addressing, and taking steps to avoid liability. Just as your company protects its investment in the science, it should protect its investment in the business and employees that make those scientific advances possible.

Eric McClafferty is Partner, and Brooke Ringel is Senior Associate, at Kelley Drye (Washington, DC).

[1] 15 C.F.R. § 730 et seq.

Related Content:

Regulatory