Lessons for Exporters from DDTC's ITAR Consent Agreement with Keysight Technologies
On August 9, 2021, the U.S. Department of State, Directorate of Defense Trade Controls (DDTC), announced a new consent agreement with Keysight Technologies, Inc. A publicly traded U.S. company that designs and manufactures electronic test equipment and software, Keysight was spun off from Agilent Technologies in 2014. This is the first publicly known enforcement action by DDTC against Keysight.
The consent agreement resolves the 24 alleged violations of the International Traffic in Arms Regulations (ITAR) detailed in DDTC's Proposed Charging Letter, including the unauthorized export of technical data in the form of software to a proscribed country. In effect for a term of three years, the consent agreement will require Keysight to appoint a Special Compliance Officer and imposes a $6.6 million fine (of which $2.5 million is suspended and may be applied towards Keysight's remedial compliance costs).
In November 2017, DDTC's policy office (which oversees the commodity jurisdiction process and the U.S. Munitions List) expressed concerns to Keysight that its Multi-Emitter Scenario Generation software may be subject to the ITAR. DDTC recommended the submission of a commodity jurisdiction request to resolve those concerns, which is the official government mechanism to determine whether an item is subject to the ITAR. The Multi-Emitter Scenario Generation software is described as for use with certain test equipment to model and simulate electronic warfare scenarios to test radar equipment. Keysight had self-determined that software as subject to the Export Administration Regulations (EAR) and controlled it as EAR99, the lowest level of control under U.S. export controls that often does not require export licensing.
In January 2018, Keysight submitted the commodity jurisdiction request and, believing its original self-determination as correct despite the government's concerns, continued to export the software as EAR99 while the commodity jurisdiction was pending. According to the Proposed Charging Letter, a total of eight such exports of the software were made while the commodity jurisdiction review was ongoing, and which involved transfers to China, Russia, Japan, Israel and Canada. Notably, China is a proscribed destination under the ITAR, which means that export licenses are under a policy of denial. Additionally, at the time of Keysight's exports, Russia was subject to restrictive licensing measures under the ITAR due to an April 2014 policy determination. (Since March 2021, Russia is now also a proscribed destination under a licensing policy of denial.1)
In April 2018, DDTC responded to the commodity jurisdiction request by determining that the software is subject to the ITAR under Category XI(d) of the U.S. Munitions List, as it is directly related to electronic warfare test sets that are controlled under Category XI(a)(11), which meant that the software would generally require an export license from DDTC. After receiving that determination in April 2018, Keysight started to treat the software as subject to the ITAR and it submitted a disclosure to DDTC's compliance office in May 2018 concerning the previous exports of the software as EAR99 (i.e., without a DDTC export license). In August 2018, Keysight also appealed the original commodity jurisdiction determination, and DDTC affirmed its original decision in January 2019.
After reviewing Keysight's full disclosure, DDTC alleged 24 violations of the ITAR caused by Keysight's EAR99 exports of the software between December 2015 to April 2018, including the 8 exports that took place during the commodity jurisdiction review. DDTC's review focused particularly on the exports to China and Russia, which constituted 15 of the 24 alleged violations and in DDTC's assessment had harmed U.S. national security. Consequently, DDTC determined that a consent agreement was appropriate to resolve the alleged violations in these circumstances, though it acknowledged there were mitigating factors in determining the charges, such as Keysight's cooperation, its implementation of remedial measures, and its agreement to toll the statute of limitations.
In entering into a consent agreement with DDTC, Keysight is neither admitting to nor denying the allegations. The consent agreement is in effect for a term of three years and requires the appointment of a Special Compliance Officer. The consent agreement will further require that Keysight strengthen its export compliance program (through policies, procedures, and training), perform a classification review to verify the export control jurisdiction of all its products (including its software and technical data), and to perform at least one audit. Finally, the consent agreement imposes a $6.6 million fine, of which up to $2.5 million will be forgiven if Keysight spends that amount towards remedial measures.
Enforcement & Penalty Trends
- This is yet another recent consent agreement where DDTC highlights the critical importance of companies ensuring the correctness of their jurisdiction and classification assessments—particularly with respect to the ITAR's application to intangibles, such as software and technical data. In this case, the importance of reaching the correct jurisdiction and classification decision is displayed by a single incorrect determination cascading into 24 alleged violations.
- Similarly, this is the fourth consent agreement in three years to impose the requirement for the company to review and verify the jurisdiction and classification status of all hardware and software pertaining to its ITAR-regulated business activities, including any directly related defense services and technical data. That is one of the most rigorous and time-consuming consent agreement requirements to satisfy, and it can lead to the discovery of further misclassifications (and possible accompanying violations). While it may be negotiated, DDTC is also getting more aggressive with that requirement, as earlier consent agreements permitted companies more time to complete the review, while Keysight must complete it within 12 months.
- Keysight received credit for cooperating with DDTC's investigation, which was applied as a mitigating factor in assessing the charges, even if the disclosure that it filed was not credited as a voluntary disclosure. The treatment of Keysight's cooperation as a mitigating factor continues a long trend by DDTC of still offering other avenues for mitigation even where a voluntary disclosure is not filed or will not be credited.
- DDTC continues to afford exceptional benefits to companies who cooperate with the government's investigation. As the ITAR can impose a maximum civil penalty of $1,197,728 per violation, the 24 alleged violations could have resulted in a maximum fine of $28,745,472. The $6.6 million fine thus represents a reduction of 77 percent of that maximum amount, and it represents a nearly 86 percent reduction if the $2.5 million suspended amount is forgiven.
Regulatory and Policy Notes
- The consent agreement does not signal that DDTC has changed its current position that an item subject to a commodity jurisdiction request should be — as opposed to must be — treated as ITAR-controlled while that review is taking place.2 However, the Proposed Charging Letter is clear that DDTC may consider such unlicensed ITAR exports during the pendency of that review as an aggravating factor if the item is ultimately determined as subject to the ITAR. In this case, Keysight's continued exports of the software as EAR99 during the commodity jurisdiction review process were considered an aggravating factor. DDTC further considered it an aggravating factor that the potential ITAR violations were uncovered because the government raised concerns about Keysight's classification.
- The consent agreement did not treat the software's availability on Keysight's website as a distinct violation. Notably, DDTC has taken the position that merely making technical data (which includes software) publicly available without a license is itself sufficient to violate the ITAR.3 That is also the position that DDTC took in federal court before the U.S. Court of Appeals for the Fifth Circuit concerning the Defense Distributed litigation.4 Although the Proposed Charging Letter noted that Keysight made a trial version of its software available on its website for download, which is still indicated as an ITAR-controlled version of the software, DDTC did not allege any distinct violation of the ITAR for doing so.
- This latest consent agreement displays the numerous difficult issues that arise when there is a jurisdiction and classification dispute regarding an item that has already been developed and has a significant history of international sales. In this situation, Keysight continued to export the software under its original self-determination of EAR99, even though the government questioned that decision. Should a company in such a situation treat the item as ITAR-controlled out of an abundance of caution? Should the company find a middle ground by limiting sales to only certain countries? How does the company handle its relationship with the government during this process, especially if it will continue to treat the items as not ITAR? These are important considerations, and they need to be carefully examined based on the facts and circumstances.
Jurisdiction and Classification: The Keysight consent agreement highlights how it is crucial for companies to ensure the appropriate export jurisdiction and classification of their items, which may involve continuous review to account for development and production revisions, as well as to account for regulatory changes. Such assessments should be well-documented to both inform the decision-making process and to survive possible government scrutiny. To perform those reviews, expertise is required, whether through internal or external resources. Occasionally, a determination depends on resolving a purely legal question, such as the meaning of a term or phrase.
Software and Technical Data: These items remain the more difficult areas to perform jurisdiction and classification analysis. Most software and technical data that is ITAR-controlled fall under catch-all controls, which control any technical data (including software) that is "directly related" to a defense article.5 As such, it is often necessary for companies to understand how "directly related" applies — a term that the ITAR does not define but does have a meaning. Moreover, DDTC's recent consent agreements have focused particularly on software and technical data, thus demonstrating its aggressive enforcement in this complex area.
Commodity Jurisdiction Requests: As the Keysight consent agreement demonstrates, the commodity jurisdiction procedure can take on even greater importance when it is the government, rather than a private party, that expresses doubt as to the item's export control jurisdiction. Such situations must be taken extremely seriously, and the request needs to be carefully researched, written, and argued to increase the chances of receiving a ruling that the item is not subject to the ITAR. In Keysight's case, a determination that the software is not ITAR-controlled would have also then mooted the issue of whether there were previous ITAR violations involving that item.
Agency Appeals: This consent agreement also shows the importance of using the agency appeals process, as Keysight appealed the original commodity jurisdiction determination. When a company receives an unfavorable or adverse response from DDTC, such as through a commodity jurisdiction determination, it must be carefully assessed whether to appeal or to seek reconsideration. An appeal or reconsideration that reaffirms DDTC's previous position can be detrimental in some situations. Seeking reversal of the government's prior determination is often a last resort situation, and it needs to be approached differently from the original submission.
Disclosures and Cooperation: The Proposed Charging Letter indicated that Keysight waited for the results of the commodity jurisdiction determination before it filed a disclosure regarding any potential violations. It is noticeably unclear whether Keysight filed a voluntary disclosure or whether it was directed by DDTC to file a disclosure. Nevertheless, while the decision to submit a disclosure (including when to submit it) is fact and circumstance specific, this consent agreement once again demonstrates that DDTC continues to afford great credit as a mitigating factor to companies that cooperate with the government's investigation.
* * *
Miller & Chevalier will be monitoring these developments closely and will be putting on a series of webinars to discuss these important issues. For any questions you may have about the potential impact of these developments on your business, please contact a member of the Miller & Chevalier team to discuss further.
186 Fed. Reg. 14,802 (March 18, 2021) (adding Russia to the ITAR’s proscribed countries list).
2DDTC's current position is indicated on the commodity jurisdiction DS‐4076 form instructions. (PDF) (last accessed August 16, 2021) ("[T]he filer is strongly encouraged to treat the export as subject to the ITAR and to obtain any required licensing approvals prior to export. Doing so may avoid export violations should the item or service be determined to be subject to the ITAR."). By contrast, in a statement that was withdrawn in 2018, DDTC's website previously stated that: "If you want to export your item or perform service while the CJ determination is in the review process, you must be registered and obtain the appropriate approval from DDTC prior to export."
3E.g., 80 Fed. Reg. 31,525, 31,528 (June 3, 2015) ("clarifying [DDTC's current position] that 'technical data' may not be made available to the public without authorization").
4Def. Distributed v. U.S. Dep't of State, 838 F.3d 451, 456 (5th Cir. 2016) ("the State Department contended [that] posting ITAR-controlled files on the internet for foreign nationals to download constitutes [an] 'export'").
5The ITAR also controls software and technical data if it is enumerated on the U.S. Munitions List. For example, the ITAR enumerates the control of "[m]ilitary or intelligence cryptanalytic . . . software." 22 C.F.R. § 121.1, Category XIII(b)(3).
This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.