Long-Awaited Directorate of Defense Trade Controls Compliance Program Guidelines Highlight Best Practices for Due Diligence

Entities considering acquiring a DDTC registrant or an organization that engages in ITAR-controlled activities should keep the following in mind:

• Notification Requirements. DDTC registrants must notify DDTC within timeframes established in ITAR part 122 regarding certain changes in registration, including ownership and legal organizational structure.
  • If the transaction will result in a change of ownership or control, per ITAR part 122.4(a), the registrant must provide written notification to DDTC within five days post-close.
  • If the transaction will result in foreign ownership or control, per ITAR part 122.4(b), the registrant must provide written notification to DDTC 60 days prior to closing as well as within five days post-close. The ITAR defines “foreign ownership” as when “more than 50 percent of the outstanding voting securities of the firm are owned by one or more foreign persons” and “foreign control” as when “one or more foreign persons have the authority or ability to establish or direct the general policies or day-to-day operations of the firm” and is presumed to exist where “foreign persons own 25 percent or more of the outstanding voting securities unless one U.S. person controls an equal or larger percentage.”
• Scope of Due Diligence Review. Due diligence reviews should assess the effectiveness of the target’s ITAR compliance program and promptly identify potential past ITAR violations. If the target appears to have violated the ITAR, the target or the acquiring organization should consider submitting a voluntary disclosure prior to or immediately after closing.
• Post-Close Audit Recommendation. Depending on the strength of the target’s ITAR compliance program, the acquiring organization should conduct post-close either an in-depth audit (e.g., should due diligence uncover multiple unresolved compliance issues) or a “functional,” risk-based audit (e.g., if the target has a robust compliance program and history of audits and remediation).
• Addressing Potential Violations. If either due diligence or a post-close audit reveal a potential ongoing ITAR violation, the target or the acquiring organization, as appropriate, should cease the potentially violative conduct and follow the procedures identified in ITAR part 127.12 to investigate and, if warranted, voluntarily disclose the potential violation.
• As with all proposed M&A transactions, but particularly when a DDTC registrant or organization engaging in ITAR-controlled activities is involved, the parties should assess whether the transaction is subject to the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) and whether a CFIUS filing is mandatory or prudent.

At a minimum, during due diligence, an entity that is considering acquiring a DDTC registrant or an organization that engages in ITAR-controlled activities should consider the following compliance program specific questions:

• Does the target have written policies and procedures regarding ITAR compliance? Describe the training given on those policies.
• Does the target have a robust compliance program including licensing reviews, regular audits, and a process for reporting potential ITAR violations?
• Is the target’s ITAR compliance function adequately staffed in light of the target’s size and volume of ITAR-controlled business?
• Are ITAR compliance requirements taken into account by the target’s HR department, IT department, and groups responsible for physical security? 
• How does the target classify its products?
• Does the target share ITAR-controlled defense articles and defense services, including technical data, with third parties? If so, does the target conduct diligence on those third parties in advance?

Finally, the acquiring organization should review the sample audit checklists provided in the ITAR Compliance Guidelines and apply them to the target as appropriate.

The fact that the ITAR Compliance Guidelines are detailed and similar to those issued by OFAC and BIS should put acquiring organizations on notice that the U.S. government emphasizes these issues and will respond accordingly to noncompliance. Moreover, this guidance is a further indication that the Biden administration will continue to emphasize a whole-of-government approach where multiple agencies with authority over and interest in an issue collaborate on policy, investigations, and enforcement. Although government agencies have worked together consistently in the past, the Biden administration’s emphasis on this approach has led to increased information sharing, cooperation, and coordination among agencies in the area of trade compliance, which could result in additional scrutiny as multiple agencies and their resources are directed at transactions of interest.

Finally, the U.S. Department of the Treasury recently released its first-ever CFIUS Enforcement and Penalty Guidelines, which Sidley wrote about here. Just as these guidelines make clear that parties should conduct proper and thorough diligence when entering into a M&A transaction, so too do the ITAR Compliance Guidelines emphasize proper due diligence. Failure to do so could open the acquiring organization to civil or even criminal liability and administrative penalties.