Countries may implement import controls for encryption products for reasons of national security and/or to protect the local economy.  The need for a comprehensive compliance program that addresses all regulatory requirements is necessary to avoid business disruption and prevent fines, penalties, increased inspections, supply chain disruption, and in the worst cases, loss of import privileges and criminal penalties.

Encryption regulations can be complex and require interpretation. Understanding the regulations and translating them into specific guidance for the business can be difficult.  Not all countries publish their regulations or provide translated versions.  In addition, not all countries provide a method for industry to get clarification on the requirements from the regulatory body.  As a result, there is implied risk on the importer from the start.

In some countries, products with only benign uses of encryption have been deregulated, while others still require every product with encryption to be registered/licensed.  This places a heavy burden on the importer and on the regulatory body that must review and approve each application.  Some countries review a product once and either allow unlimited imports or a specific number of imports before re-registering, or they want to review every time the product is imported after the customer is known.

Ensuring compliance

A comprehensive compliance program has multiple elements.  Understanding regulations and providing guidance to the business is the natural place to start.  Monitoring for new and revised regulations is a significant component as well.  The absence of a consistent practice for notifying those impacted by new or changing requirements puts a heavy burden on industry.  This is especially a significant challenge for large multinational companies that do business in many countries.  As such, a multi-layered approach to assigning responsibilities in this area can be effective.  The task of monitoring regulations is given to multiple organizations, including in-country logistics and legal counsel, and also to the trade compliance function at a corporate level.  Having multiple organizations responsible helps to mitigate the risk of noncompliance due to lack of knowledge of new or changing requirements.  When a new requirement is made effective, communicating broadly to those that are affected is critical.  Modifying global processes can take time.  If the regulatory body establishes a future implementation date, this can ease the burden on industry.  This is not always the case.  If immediate compliance is required, this can result in interruption to the supply chain with delays in delivering goods to the customer.

Import regulations for encryption tend to be more inclusive than export regulations.  Typically, all encryption functionality in a product must be understood and assessed against criteria defined by the regulatory body.  This assessment requires in-depth technical knowledge about the product and its use of encryption.  Therefore, subject matter expertise plays a critical role in getting approvals to import.  There is additional coordination required when the final product includes other third-party products.  Often the subject matter expertise does not reside in the importer's company, so reaching out to the third party for the technical information adds complexity and time to the overall process.  This is another area of this process that stresses the importance of key relationship management.

It is not uncommon for the business area that has the responsibility to apply for these licenses/approvals is an in-country legal or logistics function.  The enforcement arm for the regulations is commonly the Customs Agencies in each country.  It can be highly beneficial, if not a business requirement, that someone in-country maintain a relationship with Customs and addresses any questions or issues, and that is typically a logistics role. This can also aid in translations and in understanding the local practices.

Process Design

Operational process design is complex given dependencies on multiple organizations that do not commonly have a need to communicate with each other.  Whenever a process has a dependency across multiple functional areas, there is added complexity and subsequent risk associated.  The operational process must have adequate controls to ensure information is complete, accurate and available in a timely manner.  Inserting a control point into the standard development processes is one way to ensure the information comes from the right source and is available to downstream functions, such as logistics in another country.  In addition to standard development practices, there can be an additional consideration.  Companies that acquire another company or its products need to get import approvals for the new products without them first going through standard development processes.  It is not uncommon that the development processes from the acquired company are continued for a specific period of time until integration into the standard development processes.  As part of the standard set of tasks to integrate a newly acquired company, there should be an action to obtain the import approvals.  In either case, making this task a prerequisite to announcing products in the countries helps to ensure the right priority is given and completion of the task.

An important element of process and controls design is the organizational structure of the various parties involved.  For large multinational companies, there are often multiple business units or divisions and a corporate function that supports the units.  Operating this type of complex process can require a combination of a centralized and de-centralized set of responsibilities.  The responsibilities for understanding requirements and providing guidance are typically centralized at the corporate level, but with open communication and partnering with the in-country legal and logistics teams.  These in-country functions are decentralized by definition.  And finally, the development organizations across the products sets are centralized and not replicated within each country.  There can be numerous other organizations involved in the overall process, but these are the main ones.  Adding controls points at the process steps where handoffs between organizations exist will help to ensure proper end-to-end execution.  Clear proactive communication is paramount when there are multiple organizations with different expertise and in different countries.

And finally, including a set of testing requirements is critical to monitoring the health of the process.  Checklists can be used by development to ensure completion of this task before they are allowed to proceed with announcement.  Also, pre-export (outbound testing) from the shipping location, and post-import (inbound testing) at the ship-to or receiving location would help identify any errors.  Root cause analysis and action plans will help to ensure the errors are not repeated.

Additional controls for consideration include order monitoring and fulfillment holds.  At order time, a step can be included to validate the import approvals have been obtained previously, or to initiate the task to get them.  The challenge for large multinational companies is that there can be many front end applications that accept orders and all would have to be monitored.  The same type of validation can be performed by manufacturing before final shipment of the products.  There are typically fewer manufacturing sites /processes to monitor than there are ordering systems.  As a result, the manufacturing or fulfillment hold is often easier to and faster to implement.  These controls can be effective for exception or urgent situations, but they are typically manual, disruptive to the business and more prone to human error.

Investing time to educate the development community is imperative to ensure they understand the business significance to what they are being asked to do. International shipping and regulatory requirements are not common knowledge in development organizations.  Because the requirements are different for each country, each has its own forms to submit. Asking development to complete various forms can be inefficient and frustrating.  Given the critical role development has in this process, creating an efficient and clear set of tasks, and maintaining a positive relationship will help to produce the right result.  A central repository to house all needed encryption information for all countries is optimal.  The leveraging of common processes, shared resources and IT investment can make the process more efficient, more cost effective and help to ensure compliance.

The compliance program must also include ongoing validation of the operational process steps, ensure awareness of the requirements and validate necessary skills to perform the roles.  The primary purpose of these types of reviews is to determine that internal controls related to importing products with encryption are effectively implemented and executed to ensure compliance with the regulatory requirements.

Source: IBM


Keywords international trade, supply chain management, logistics management, logistics & supply chain, government import-export controls