So what is a good program for a small company or any company that doesn’t want to spend a lot of money on compliance? The key is a compliance program that outlines the company’s policy and the internal procedures that implement it, backed by a solid set of documents that evidence the compliance activities at all levels of the company.

A good compliance policy should include a statement of the prohibition that it seeks to enforce and should state that it is every employee’s responsibility to be vigilant in identifying and reporting potential violations. Clearly identifying the name of the compliance officer is another must. Short questionnaires and certifications protect the company and ensure that new employees, agents, partners, distributors, and other third parties understand the policy. They also identify any red flags related to those parties. Indemnification language and appropriate dispute resolution provisions in third-party contracts will give force to such certifications and representations.

Internal forms and standard form contracts offer opportunities to include compliance verification mechanisms in existing procedures and to regularly remind employees of compliance obligations. For example, a form that a business development manager completes to report the engagement of a new agent abroad can include answers to questions intended to elicit red flags for bribery. A form contract for the sale of software can require the buyer to agree that it is not in violation of and will not violate any U.S. export control laws.

Next we will address management buy-in and tone at the top. I am trying not to write too much in each blog. Please let me know if this is too much info, too little or just enough!
Best Regards,

For those of you who don’t know me, I have been an import/export attorney for over 20 years (see my bio for the real details) and I counsel on a variety of legal compliance issues daily. I started in this business when international trade topics were reserved for boutique law firms on both coasts. No one else cared. Really. Hard to believe that now! I would go around “marketing” to businesses and I often felt like Chicken Little yelling “but don’t forget about Foreign Corrupt Practices Act (FCPA) compliance!” Businesses, banks, universities and hospitals didn’t pay much attention to trade issues. No one cared enough to pay for any help. In fact, most companies only learned of such compliance issues when Commerce enforcement officials with guns and badges knocked on the door and took all of the company’s computers. We had a client that called its lawyer about such a raid and management literally had no idea what happened or why. Turned out it was an Iranian Transactions Regulations violation.

Fast forward 20-some years. I received a call today from what I thought was a VP of Compliance working for an EB5 Regional Center*. There were at least 8 individuals on the call, ranging from the company president to compliance officers and their staffs to a bank and a holding company, all related to the Regional Center’s business. They called me about what I thought was a specific need for an OFAC license to bring money for an investor into the United States. Instead, they wanted to talk about compliance and appropriate due diligence. Basic OFAC compliance to protect the business, the bank, and the investors now requires documentation of all compliance efforts. The United States Government is auditing, inquiring, and requiring documents to see exactly what businesses, banks and investment capital firms have done to document their OFAC compliance. The individuals on the call were stressed knowing what happened to JPMorgan Chase Bank and its recent 88.3 million settlement for alleged OFAC violations. If the big guys failed at compliance when they have entire compliance departments, how is a small organization supposed to be compliant?

Compliance with OFAC and exporting laws now must be part of the due diligence for mergers and acquisitions to protect the buying entity from future liability. Human Resources managers now have to certify that they have read the Arms Export Control Act and the Export Administration Act to comply with I-129 requirements (for example, when employing foreign students and foreign workers). Banks and investment companies that accept foreign funds now must question the path of funds for investments and be able to produce such documentation under the Iranian Transactions Regulations, Cuban Assets Control Regulations, Syria Accountability Act and the Bank Secrecy Act (just as some examples).

So my takeaway point for you is that compliance issues are real and require attention by all businesses, not just defense contractors. But it doesn’t have to be scary. Do you employ foreign workers? Are foreign students interning on a project? Are you exporting and checking the denied parties lists? You just need to spend some time thinking about a program to document your compliance to protect yourself and your company. So our goal here is to simplify, clear up confusion and answer tricky questions. We do this every day, and if we don’t understand something clearly we assume you don’t understand it either. We all know that the government bureaucracy isn’t perfect. It is hard to get your questions answered and sometimes the answer actually is that the government hasn’t thought about a specific application yet! So here we go with some of the basics of compliance and some of the imponderables…

Happy reading,


*An EB5 Regional Center is an area designated by the United States Citizenship and Immigration Services (USCIS) as eligible to receive immigrant investor capital.