U.S.-Japan Export Controls and Recent Developments in Practice – Part 2: Approaches to Internal Control Systems, and Export Control Classification and Customer Management –

Approaches to Internal Control Systems

Osawa

Next, we will discuss how to structure specific internal control systems taking into account export control regulations in Japan and the U.S. In Part 1, we discussed how to gather information on regulatory developments and how to respond appropriately based on such information. However, another key consideration is how to establish a group-wide, global compliance system, including subsidiaries and affiliates, particularly for companies operating on a global scale.

Isaji

Based on my experience advising Japanese companies on export control regulations, I have seen two primary types of internal control systems for export controls. The first is a centralized model under which the export control department is consolidated within the Japan headquarters, which then centrally manages all export control-related activities. The second is a decentralized model under which export control personnel are assigned to each regional location or office, with such personnel being primarily responsible for managing export control at the regional level at each location or office. The decision on which model to adopt depends on various factors, including the number of group companies, the types of products handled, each group company’s scale of business and whether it engages in import/export activities, and the complexity of the distribution networks and supply chains.

Osawa

Indeed. In recent years, clients have often asked us to provide support in relation to their own export control systems. Additionally, as part of the due diligence (DD) process in M&A transactions, clients occasionally ask us to assess an intended target company’s compliance status with import/export control regulations and economic sanctions, as well as to review its internal compliance system. As a result, we often have the opportunity to review companies’ export control systems and see that many companies adopt one of these systems.
Under both systems, the personnel responsible for export control do not review each and every export transaction or technology transfer from the outset. Rather, it appears that the sales department or similar personnel, who are often the first point of contact personnel for export transactions and technology transfers, are the first line of defense for export control compliance. In such cases, it is important that such front-line export control personnel have a solid understanding of the export control system and key compliance checkpoints, or at least enough awareness to recognize that “this could be problematic and I should escalate it to the export control department.” From this perspective, it is essential that in-house training is designed and implemented in such a way that it helps to raise the awareness and proficiency of frontline personnel responsible for export control.

Isaji

It should be relatively easy for companies that have previously faced “serious consequences for export control violations” to establish internal control systems that place a high priority on export control compliance. However, for companies that have not experienced such consequences, particularly those with limited awareness of export controls outside Japan, it is not an easy task to instill export control awareness throughout the company. Although it will take some time, I believe that the key to building highly effective internal control systems will be to continually raise awareness of export controls and to steadily strengthen training efforts through conducting regular internal training and export control audits of group companies.
In addition, from a U.S. law perspective, companies establishing internal control systems for export controls should consider whether they have mechanisms in place to facilitate the prompt disclosure of identified violations. In other words, the headquarters should establish internal control procedures that enable it to detect violations not only within the headquarters but also within group companies in order to assess the situation promptly and consider countermeasures. For example, if a group company identifies a potential EAR violation, a key issue is whether such entity is authorized to promptly identify and assess the problematic conduct and has the ability to report it to the parent company’s management in Japan.

Osawa

The key point is not only to establish a system that effectively identifies potential export control violations across the entire group, including group companies, but also to go further and establish an internal system that ensures that actual violations are promptly reported to the parent company.

Isaji

Precisely. In addition, in July 2023, U.S. authorities issued a compliance note strongly recommending that companies proactively disclose any potential EAR violations once they are identified. In the past, U.S. authorities have offered significant reductions in potential civil penalties to companies that voluntary self-disclose and provide timely, full, and complete cooperation, and have sometimes waived civil penalties entirely in cases that are not considered egregious. However, in recent years, voluntary disclosure has been strongly recommend as means of more effectively enforcement for EAR violations.

Osawa

Japan’s export controls do not require companies to voluntarily disclose violations, and in practice, voluntary self-disclosures are rare. On the other hand, companies engaged in the export of so-called List-Controlled items are subject to the Exporters’ Compliance Standard, which requires them to “promptly report to the Minister of METI in the event of a violation or potential violation of the applicable laws and regulations, and to take the necessary measures to prevent a recurrence.” METI has stated that “voluntary self-disclosures based on internal audits or similar measures may be taken into consideration by the authorities when determining the penalties to be imposed for violations.” Accordingly, even companies that do not export List-Controlled items should consider making appropriate voluntary reports when violations are discovered.

Isaji

The compliance note published in March 2024 outlines several key points for establishing an EAR compliance system. The most important point is that a risk-based approach should be adopted when establishing compliance systems. In the context of export controls, a risk-based approach means identifying and assessing the export control-related risks facing the company in a timely and appropriate manner and then taking preventive and mitigating measures proportionate to such risks. If a company applies the same compliance oversight to all of its counterparties and products, its resources will inevitably be spread thinly across a wide range of areas, and more resources could be devoted to low-risk areas than is necessary. As a result, compliance oversight should be focused on the appropriate areas, as insufficient oversight of high-risk areas can lead to compliance issues. As we will discuss next in relation to export control classification and customer management, it is important to consider these issues from this risk-based perspective.

Export Control Classification

Osawa

Let us now turn to some of the more specific aspects of transaction management. Under Japan’s export control regulations, the transaction management process is broadly divided into two categories: export control classification, which assess whether the items to be exported is classified as a List-Controlled items; and customer management, which determines whether Catch-All regulations apply based on the end-user and the intended end-use. In some cases, economic sanctions, including those against Russia, are also considered as part of customer management. Let us start by examining how export control classifications are handled in practice.

Isaji

In relation to U.S. law, the EAR establishes a list of controlled items known as the Commerce Control List (CCL), and each controlled item is assigned a five-digit Export Control Classification Number (ECCN). As discussed in Chapter 01, items subject to the EAR are categorized into two types: List-Control items, which correspond to specific ECCNs, or “EAR99,” which are non-listed items. In addition, although List-Controlled items are subject to various restrictions under the EAR, “EAR99” items generally do not require an export license.

Osawa

In Japan, List-Controlled goods fall under items 1 to 15 of the Appended Table 1 of the Export Trade Control Order if they are physical goods, and items 1 to 15 of the Appended Table of the Foreign Exchange Order if they are technologies (including software). Their detailed specifications are set out in the “Ministerial Order Specifying Goods and Technologies Pursuant to the Provisions of the Appended Table 1 of the Export Trade Control Order and the Appended Table of the Foreign Exchange Order” (the Ministerial Order on Goods, etc.). The interpretation of these provisions is supplemented by the “Operational Notification on the Export Trade Control Order” (Operational Notification) and the “Notification on Transactions or Acts Involving the Provision of Technologies Requiring a License under Article 25, Paragraph 1 of the Foreign Exchange and Foreign Trade Act and Article 17, Paragraph 2 of the Foreign Exchange Order” (Service Notification). Consequently, export control classification must be conducted with reference to multiple Cabinet Orders, ministerial orders, and notifications. In practice, METI publishes a “matrix table” that classifies List-Controlled items in the Export Trade Control Order Appended Table 1 and the Foreign Exchange Order Appended Table by item number, and lists the provisions of ministerial orders and notifications. In addition, CISTEC also provides “Item-by-Item Comparison Tables” and “Parameter Sheets” as tools to assist in export control classification. Many companies use these tools when making export control classification.

Isaji

When actually making ECCN determinations, companies will need to identify the categories and product groups in the CCL to narrow which ECCNs might apply. This can be seen by accessing the list. The ECCNs are subdivided into highly detailed categories, with detailed technical parameters. As a result, close collaboration between the export control department and the department with technical expertise in relation to the relevant items is essential when considering the matter.

Osawa

The same holds true for Japan’s controlled items. Each cabinet order and ministerial order contains detailed specifications for controlled items. Therefore, a sound technical understanding is required for export control classification. In fact, many export control personnel who makes export control classification have a scientific or engineering background, and this may be one of the reasons for this.

Isaji

In addition, issues often arise when actually proceeding with transactions with counterparties. Once the transaction begins to take shape and both parties become aware that they will be doing business together, their awareness of export control regulations, including export control classification, increases. However, in the initial stages of the business negotiations, that is, when the transaction is still flexible or tentative, there are cases where technical or specification data is exchanged without export control classification having been made, and only later does the company realize that this may have been problematic.

Osawa

Exactly. When goods are physically exported, the need for a pre-shipment review is more obvious, given that the goods are physically moved, and customs procedures are required. However, in relation to technology and software, where merely sending a single email may suffice, many companies struggle to determine when export control checks are needed. We often advise on a case-by-case basis, depending on factors such as how the transaction came about. For example, in the early stages of business negotiations, one approach would be to limit the provision of technology to publicly available technology covered by a license exception.

Isaji

Finally, I would also like to add that, as a recent development, Japanese companies’ business structures have undergone significant changes, which should be kept in mind when making export control classification. In particular, the commercialization of AI and supercomputers has led to a major shift in the industrial structure, from hardware to software and services, and this has also led to a shift in the focus of export control classification from goods to services. Since the provision of services involves drawing on a variety of knowledge, information, and technology within the company, the export control classification process now requires more sophisticated and cross-functional analysis than ever before.

Customer Management

Osawa

Finally, we would like to discuss customer management.

Isaji

As I mentioned earlier, the Entity List under the EAR is frequently updated. The U.S. government also maintains a Consolidated Screening List, which allows users to cross-search restricted party lists maintained by the Departments of Commerce, the U.S. Department of State, and the U.S. Department of the Treasury. By entering a counterparty’s name, companies can easily check online whether such partner appears on any of these lists.

Osawa

Focusing specifically on end-user verification under Japan’s Catch-All regulations, companies will need to check whether the end-user is (or has been) involved in activities such as the development of weapons of mass destruction and review the “End User List” published by METI. However, if companies need to check whether a party is subject to sanctions such as asset freezes or embargoes, they will need to check not only METI website but also the Ministry of Finance website. In addition, as lists can vary depending on the factors such as the grounds for sanctions, the relevant lists should be checked individually. In this regard, some companies streamline the process by utilizing CISTEC’s “Consolidated Sanctions List Information” or data vendor search tools. Furthermore, as these lists are constantly being updated, they should be checked each time a transaction is entered into, or on a regular basis, and for companies that deal with a large number of counterparties, this process can be quite burdensome.

Isaji

From the perspective of establishing a compliance system, it is also important to put in place a system that allows for the centralized management of counterparty-related data, including that of group companies, and ensures that information, such as whether a counterparty is on the Entity List, is shared within the group.

Osawa

In addition to checking whether a counterparty is on a restricted list, there are cases under the EAR where the identity of the end-user or the purpose of the end-use may determine whether a transaction is controlled. What level of due diligence is required in such cases?

Isaji

Under EAR’s Direct Product Rule and end-use restrictions, whether a transaction is subject to the EAR depends on the identity of the end-user and the ultimate purpose of the end-use. This is particularly relevant for semiconductor and AI-related items, which are subject to these restrictions. In such cases, companies are expected to conduct careful due diligence, including on their supply chains, before proceeding with the transaction. According to the Know Your Customer Guidance published by U.S. authorities, the level of investigation (that is, due diligence) required depends on whether there are any so-called “red flags.” If there are no suspicious circumstances based on publicly available information regarding the relevant transaction or the counterparty, it is generally permissible to rely on certifications, letters of undertaking, or similar representations obtained from the counterparty.

Osawa

In this discussion, we have examined the increasingly important topic of export control regulations from multiple perspectives, including the Japan-U.S. regulatory framework and recent developments in practice.
In recent years, as regulatory requirements and practical developments change with increasing speed and complexity, it is essential not only to gather information, but also to analyze and evaluate such information thoroughly. Companies must establish internal control systems that are both effective and practical for day-to-day operations, while developing processes for export control classification and customer management. We hope that today’s discussion will serve as a useful reference for companies seeking to implement effective and practical export controls.