Frequent questions pertaining to a company’s ICP
Companies or authorities may use the following non-exhaustive list of frequent questions pertaining to a company’s ICP. The questions relate to all core elements, but not necessarily to every step described.
These frequent questions can either be useful when developing an ICP, or at a later stage to review an existing ICP.
1. Top-level management commitment to compliance
Ø Is a top-level management commitment clearly stating the company’s commitment to dual-use trade controls available?
Ø Is the statement easily accessible for all employees?
2. Organizational structure, responsibilities and resources
Ø Did your company nominate the person(s) in charge of answering employees' questions on the company’s compliance procedures, on a suspicious enquiry or on possible violations? Are the contact details of the responsible person(s) available to all affected staff?
Ø What are the parts or activities of your company that are concerned by dual-use trade control and compliance?
Ø In which part of your company is the dual-use trade compliance personnel situated? Could there be a conflict of interests?
Ø In case your company decides to outsource the dual-use trade compliance management, how is the interaction with your company organized?
Ø How many people are either employed solely to deal with dual-use trade control or have responsibility for it with other tasks? Are back-up persons available?
Ø How is the relationship between the export control staff and the top-level management organized, for example, concerning information exchange?
Ø Is a compliance manual that describes the operational and organizational compliance procedures available to dual-use trade control staff?
Ø Are there electronic tools available that assist your company’s compliance procedures?
3. Training and awareness raising
Ø Does your company provide for (tailored) compliance training or awareness raising activities?
Ø What compliance training or awareness raising formats does the company offer? Examples are external seminars, subscription to information sessions offered by competent authorities, inhouse training events, etc.
4. Transaction screening process and procedures
4.1. Item classification
ü Are all products assessed against the EU and national dual-use control lists or restrictive measures, and who is responsible for this?
ü Is your company involved in the electronic transmission of dual-use software or technology? If so, how does the company ensure compliance with the electronic transmission of software technology?
ü Are there procedures in place for employees accessing controlled technology or software when visiting abroad?
ü Is the classification of products received or manufactured by the company recorded?
ü Are changes in the national and EU dual-use control lists translated into the company’s classification procedures?
ü When considering Article 22(10) of the EU dual-use regulation, do the commercial documents relating to the export of dual-use items listed mention that those items are subject to controls if exported from the EU?
4.2. Transaction risk assessment
Checks on embargoed, sanctioned or sensitive destinations and entities
ü During the transaction risk assessment, how does your company take into account restrictive measures (including sanctions)?
Stated end-use and involved parties screening
ü What are the internal procedures for the stated end-use and involved parties screening process?
ü How are (new) involved parties screened? Do you periodically screen existing customers again?
‘Catch-all’ controls for non-listed dual-use items
ü How is information of concern about the stated end-use (in the sense of the catch-all provisions*) collected and put to use?
* Article 4 of Council Regulation (EC) no 428/2009.
Diversion risk screening
ü Has your company procedures in place for risk diversion screening.
4.3. License determination and application, including for controlled brokering, transfer and transit activities
ü What are the internal procedures for the stated end-use and involved parties screening process?
4.4. Post-licensing, including shipment control and compliance with the conditions of the authorization
ü Does a final transaction risk assessment place before the shipment?
ü How does your company ensure that the terms and conditions (including reporting) of the license(s) are being complied with?
v What are the procedures for dealing with positive and negative results from the transaction risk assessment?
v How are false positive results (an unnecessary hit of concern) from the transaction risk assessment resolved?
5. Performance reviews, audits, internal reporting and corrective actions
Ø Are the daily relevant business operating procedures subject to a (random) dual-use trade control performance review?
Ø Does your company have internal or external audit procedures in place?
Ø Does your company have whistleblowing or escalation procedures in place?
Ø What corrective actions does your company undertake in case of non-compliance?
6. Recordkeeping and documentation
Ø What are the company’s procedures for filing and retrieving documents related to dual-use trade control? Did your company consider including a record of past contacts with the competent authority?
Ø Are the legal requirements for recordkeeping known to the dual-use trade control staff and relevant commercial partners?
Ø Are records being inspected for completeness, accuracy and quality?
7. Physical and information security
Ø Did your company consider safeguarding cybersecurity measures for dual-use software and technology to ensure that they do not get lost, are easily stolen or exported without a valid license?
Ø Can your company identify critical steps and related physical and information security vulnerabilities regarding dual-use items?