Johnson - A Guide to International Compliance for Universities

DON’T PANIC, A Guide to International Compliance for

UniversitiesQuinton JohnsonDirector, Export Compliance OfficeOffice of Research and Innovation

Laws/Regs Business Processes Internal ControlMechanisms

Partner Offices

Export Compliance and Research Security

Travel, Procurement, Shipping, Visa Sponsorship, Study Abroad, Visitors/Volunteers, HR, Surplus (GovDeals), Sponsored Programs

Policy, Compliance Notice/SOP,Review Committee

Research Compliance,Procurement/Travel, EHS, Global Education, Provost, HR, Central IT, Compliance Office, OSP, Fixed Assets, Facilities, School/Department Leadership, Legal

Foreign Corrupt Practices Act Travel Policy, Compliance Notice Legal

U.S. Anti‐boycott Regulations Travel, Contracting Policy, Compliance Notice Legal

Dangerous Goods Shipping Regulations

Shipping Policy, Compliance Notice EHS, School/Departments

Dual Use Research of Concern in the Life Sciences (DURC)

Sponsored Programs, Visa Sponsorship, Safety

Policy, Compliance Notice, Review Committee

EHS, Research Compliance

Controlled Unclassified Information (CUI)

Sponsored Programs, IT Services, Visa

Policy, Compliance Notice Research Compliance, Central IT, Compliance Office, School/Department

General Data Protection Regulation (GDPR)

Sponsored Programs, Other research compliance, IT Services, Visa, Study Abroad


U.S. Export Laws• International Traffic in Arms Regulations (ITAR), 22 C.F.R. Section § 120‐130

• Directorate of Defense Trade Controls (DDTC) – State Department

• United State Munitions List (USML)

• ITAR Fact Sheet – Prison time and fines over 1 million dollars possible per violation

• Export Administration Regulations (EAR) 15 CFR §§730‐774• Bureau of Industry and Security (BIS) – Commerce Department

• Commerce Control List (CCL)

• Enforcement Guidance – Both Civil (up to $120,000 fines per violation) and Criminal (20 years in prison and 1 million dollar fines) Liability

• Trade Sanctions Regulations• Office of Foreign Assets Controls (OFAC) – Treasury Department

• CACR, ITSR, etc….

• Enforcement Guidance – Prison time and fines over 1 million dollars possible per violation

U.S. Export LawsWhat is an Export?

• Physically sending export controlled items to a foreign country

• Transmitting export controlled information or software electronically or digitally to a foreign country or foreign person

• Use of export controlled technology on behalf or for the benefit of a foreign person or foreign country (Defense Service)

• Deemed Export

Key Definitions• Deemed Export: A "deemed export" occurs when there is a "release in the United States of 'technology' or source code to a foreign person." Similarly, "release" is defined in the BIS Rules as "visual or other inspection by a foreign person of items that reveals 'technology' or source code subject to the EAR to a foreign person.

May occur by such means as:• Tours of laboratories• Involvement of foreign persons in the research• Oral exchanges, emails, or visual inspection• Hosting a foreign researcher

• U.S. Person: U.S. Citizen, Green Card Holders, Asylee or Refugee Designations, Incorporated to do business in the U.S.

• Foreign Person: any U.S. Person effectively owned or controlled by a foreign interest, foreign businesses not incorporated in the U.S., individuals holding a work or student visa (F1, J1, H1B)

Strategies for Compliance

• ECO Processes • Sponsored Programs (publication, hiring, DoD, Defense Contractors)• MTA/DUA (items sent and received by VCU, select agents)• International Travel (Chromeriver, Christopherson, travel laptop)• Visitors/Volunteers (Visiting Scholar Agreements)• Visa Reviews (H1‐B, J‐1)• International Shipping (Contact ECO, customs broker support for imports) • OFAC Restricted Parties (Review all VCU partnerships)• (FCPA) Foreign Corrupt Practices Act • U.S. Anti‐boycott Regulations • ECO Training Initiatives • Dual Use Research of Concern in the Life Sciences (DURC)

Export Compliance Committee Membership Roster

College of Humanities and Sciences

Fixed Assets

Global Education

Human Resources

Integrity and Compliance Office

Office of Environmental Health and Safety

Office of Procurement

Office of Sponsored Programs

Provost Office

School of Engineering

School of Medicine

VCU Qatar

VCU Technology Services


Partner Offices



















Foreign Corrupt Practices Act Summary

• The Foreign Corrupt Practices Act (FCPA) was enacted by Congress in 1977 to bring a halt to the bribery of foreign officials. Bribes to foreign officials do not have to be cash payments and may not always seem like a bribe. It might be socially acceptable and even an everyday practice to make “facilitating payments” to a foreign official, but those payments may be illegal under the FCPA. When traveling internationally one must be mindful of different cultural practices and norms, and at the same time realize that the laws of the United States and other countries still apply regardless of cultural practices. Any facilitating payments must be discussed in advance with University Counsel.

• Civil Penalty up to $10,000 per violation • Criminal Penalty up to $250,000 per violation and imprisonment up to 5 years

Foreign Corrupt Practices Act Summary

• Who The FCPA Applies to• The anti‐bribery provisions of the FCPA make it unlawful for:

• A U.S. person, including the University to bribe a foreign official for the purpose of:• Obtaining or retaining business• Or directing business to any person• Or for the purpose of otherwise securing an improper advantage.

• What Constitutes a Bribe• Bribes are not limited to payments of money, the FCPA also prohibits favors and

other inducements that are of value to the recipient• Examples include: Lavish or inappropriate gifts and entertainment

• Both Direct and Indirect bribes to a foreign official are prohibited• Indirect bribes made through a third party such as a consultant or other agent are also

prohibited

Foreign Corrupt Practices Act

• Elements of a Violation• The Actor is the University, University Employees, or any member of the University community

conducting University business overseas• The individual being bribed is a “foreign official” which means any:

• Officer or employee of a foreign government or of a public international organization or any department or agency thereof, or any person acting in an official capacity

• or executives and other employees of state‐owned or ‐controlled businesses or enterprises such as• the president of state‐owned company• or, a professor at a state‐run university

• Types of bribes• Donations to a charity favored by the foreign official• Uncompensated use of University facilities or property• Favors such as hiring a family member or a certain vendor


Partner Offices



















U.S. Anti‐boycott RegulationsThese regulations were designed to prohibit U.S. companies from complying with aspects of foreign

countries’ boycotts that are not supported by the United States

Six Key Prohibitions:Refuse (or agree to refuse) to do business with another country or entity.

Example:refuse to do business with someone on “Arab League Blacklist”Refuse to business with IsraelRefuse to do business with a company even if is not on the Blacklist

Exceptions:Can comply with import and export requirements of boycotting countryCan agree not to ship Israel products directly to Arab League Country (Arab League countries can control what comes into their boarders)May agree to not route shipments via boycotted countryMay agree not to use boycotted country carriers when dealing with boycotting countryResident of a boycotting country may place a “positive” order for specific goods but may not exclude items (so if they order only china origin goods its ok as long as they do not tell you they do not want any Israeli origin goods).

Furnish (or agree to furnish) information about your business relationship with a boycotted country or blacklisted persons.Discriminate against a US person on the basis of race, religion, sex or national origin.Furnish information about race, religion, sex or national origin of a US person.Furnish information concerning association with fraternal and charitable organizationsImplement letter of credit containing prohibited condition.


Partner Offices




















• Training should focus on International Air Transport Association (IATA) and US Department of Transportation (DOT) regulations as related to the shipment of:

• infectious agents• biological substances• patient specimens• hazardous chemicals• genetically modified organisms or plants• dry ice

• The training should cover the packing and labeling requirements for dangerous goods.• If you are shipping internationally you need to consider customs issues and whether you need

to file Electronic Export Information (EEI) in the Automated Export System (AES).


Partner Offices



















Dual Use Research of Concern(DURC)

• The Policy for Institutional Oversight of Life Sciences DURC applies to all institutions (and their investigators) that receive Federal funding for life sciences research and that conduct research (funded by any source) involving any of 15 agents and toxins listed in the policy.

• This Policy is to establish regular review of research (regardless of the source of funding) with certain high consequence pathogens and toxins for its potential to be Dual Use Research of Concern (DURC) as defined by the US Government Policy on Institutional Oversight of Life Sciences Dual Use Research of Concern.

• The DURC review is designed to: • (a) mitigate risks where appropriate; and • (b) collect information needed to inform the development of an updated

policy, as needed, for the oversight of DURC. • Requires the establishment of an Institutional Review Entity (IRE)


Partner Offices




















• Overview:• Established by Executive Order 13556, the CUI Program standardizes the way the executive

branch handles information that requires protection under laws, regulations, or Government‐wide policies, but that does not qualify as classified.

• The National Archives and Records Administration (NARA) curates a list of the 23 categories and 84 subcategories of CUI from the various US government agencies.

• NARA has posted a Marking Handbook for CUI data

• NIST SP 800‐171• All Department of Defense (DoD) contractors that process, store or transmit Controlled

Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.


Partner Offices




















• May 25, 2018 – implementation day for GDPR for the European Economic Area (EEA) – applies in 28 EU member states and Iceland, Liechtenstein, and Norway.

• GDPR replaces the EU Data Protection Directive that has been in place since 1995 (Directive 95/46/EC).

• The GDPR is a data privacy regulation that established natural persons’, resident in the EU, control over their own personal data as a fundamental right.

GDPREU Resident Data Rights

• Right of access• Right to rectification• Right to erasure • Right to restriction of processing• Right to data portability• Right to object• Right not to be subject to automated decision makingGDPR, Arts. 15‐21.

GDPRWhat is Covered?

• Personal Data – any information relating to an identified or identifiable natural person (Anonymized vs pseudonymised data)

• Prohibition on processing of “Special Categories” of Personal Data (must have an exception) – health data, ethnic origin, genetic data, etc..

• Processing Data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

GDPRRoles

• Controller ‐‐ the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

• Controllers must provide notices to data subjects, responding to exercise of subject rights, appointing representative in EEA, notifying supervisory authorities and data subjects of data breaches, maintaining records of processing.

• Processor ‐‐ a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

GDPRScope ‐ Jurisdiction

• Article 3 of the GDPR applies GDPR if:• Entity is “established in the EEA and is acting as a data controller or processor, or

• Place of business physically established, mailing address, legal rep

• Entity offers goods or services to individuals in the EEA, or • Offering considered irrespective of payment, (questions is does entity envisage offering), is there an agreement in place, written in EU state language, etc….

• Entity monitors the behavior of individuals in the EEA• App to enroll research subjects and monitor activity, track location, etc…

*GDPR applies to personal data of EU residents – citizenship does not matter

GDPRLegal Basis for Processing

GDPR requires entities have a legal basis for processing EU resident personal data• Data subject has given consent to processing.• Processing necessary for the performance of a contract to which the data subject

is a party.• Processing necessary for compliance with a legal obligation.• Processing necessary to protect vital interests of the data subject or a natural

person.• Processing necessary for a task carried out in the public interest.• Processing necessary for the legitimate interests of the controller or a third party,

except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject.GDPR, Art. 6(1).

GDPRWhat to Do

•Conduct a Data Audit• Identify Control Points•Review legal basis for processing GDPR data•Develop a process for meeting data rights requirements

•Appoint a Data Protection Officer if you are processing special categories of data


Partner Offices



















Contact Information

• Quinton Johnson, Director, Export Compliance Office• [email protected]• [email protected]• (804) 827‐6088

Date post:	23-Dec-2021
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Johnson - A Guide to International Compliance for Universities

Documents