On August 3, 2021, the U.S. State Department Directorate of Defense Trade Controls (DDTC) issued an order laying out charges and imposing a monetary penalty of $6.6 million on Keysight Technologies, a U.S. technology and software company, for 24 alleged violations of the International Traffic in Arms Regulations (ITAR). The ITAR are the primary U.S. regulations that control exports of defense articles, services, and technology, including software.
Keysight and DDTC settled the matter through a Consent Agreement that also requires Keysight to take specific compliance measures, including maintaining a designated compliance officer, for a period of three years.
We want to highlight three particular elements of this matter.
1. Unauthorized Exports Were Based on Incorrect Commodity Classification
In its Proposed Charging Letter to Keysight, DDTC indicates that it had “raised concern” with Keysight in November 2017 about the export classification of certain software manufactured by Keysight. (The 24 alleged violations occurred between December 2015 and April 2018.) DDTC also “recommended” to Keysight that the company submit a Commodity Jurisdiction (CJ) request to obtain a formal determination from DDTC as to whether the software was covered under the ITAR. Keysight apparently believed the software was covered under the Export Administration Regulations (EAR), the main regulations that govern exports of commercial items.
Keysight did submit a CJ request, and in April 2018, DDTC concluded that the software is controlled under the ITAR. Keysight appealed this decision, which ultimately was upheld.
During the pendency of the CJ application, however, Keysight relied on its self-classification that the software was subject to U.S. Commerce Department jurisdiction and covered under EAR99. Items – including software – covered under EAR99 do not require a license for export to most destinations or end-users. Software and other defense articles covered under the ITAR require a license for virtually all destinations and end-users.
Because of the dramatically different licensing requirements for items controlled under the EAR and the ITAR, it is essential to know the export jurisdiction and classification of products. Exporting based on an unconfirmed export jurisdiction and classification, based on self-classification, is particularly fraught when undertaken in the midst of a CJ application – or a commodity classification request in the case of a formal classification request under the EAR. The resolution of this matter makes plain that DDTC was not pleased about the unlicensed exports Keysight made while the CJ application was under review.
2. ITAR Exports Are Tightly Controlled to China, Russia, as well as U.S. Allies
In the proposed charging letter, DDTC noted that many of the unauthorized exports were to China and Russia, both of which are proscribed destinations under the ITAR. DDTC likewise emphasized that these exports harmed U.S. national security.
But many of the violations also involved countries, such as Australia, Canada, Germany, Japan, and the United Kingdom, that are close U.S. allies. The penalty would likely have been less severe if the violations only involved these destinations. Yet ITAR exports to these countries still require a license other than in very limited situations. U.S. defense contractors must realize that nearly every ITAR export requires a license; failure to do so, as was the case for Keysight, can lead to significant penalties.
3. Software and Technology Cross National Borders Easily Yet Export Authorization May Still Be Required
As noted above, the violations entailed sharing software in both hardcopy and electronic form. It is well established that export violations can involve both traditional exports, i.e., packing up a physical defense article and shipping it to another country, and technology exports, i.e., making software available for download from a U.S. website.
However, the compliance challenges associated with each are considerably different, which is why so many export violations – both under the ITAR and under the EAR – involve unauthorized exports of technology. In the proposed charging letter, DDTC explains that Keysight made trial versions of its software available to potential non-U.S. customers. This is precisely the sort of marketing and business development that companies engage in on a regular basis so that potential customers can assess whether to purchase a product. As underscored by this enforcement action, even providing a trial, test, or sample product to a non-U.S. customer can trigger export licensing requirements regardless of jurisdiction.
Key Takeaway: Dedicate Resources to Compliance – Especially Classification and Jurisdiction
We do not know the root cause of the alleged violations here. Keysight is registered under the ITAR as a manufacturer of defense articles, so this was not a case of an otherwise commercial manufacturer and exporter inadvertently sliding into the (very different) regulatory landscape of the ITAR.
What we can say is that this matter underscores the value of a proactive approach to compliance, including ensuring commodity jurisdiction and classifications are clearly established. An appropriately scoped risk assessment can help identify risks so they can be addressed before they turn into violations. Among other things, we would suggest there is especial importance in understanding potential risks in the case of a company that makes its technology available electronically: technology crosses international borders very easily.