Boeing slapped with multimillion-dollar ITAR fine

Boeing recently agreed to pay a $51 million civil penalty for violating U.S. export regulations, specifically the International Traffic in Arms Regulations (ITAR) and the Arms Export Control Act (AECA), adding to a seemingly never-ending list of problems. The company also agreed to take remedial steps and reached a consent agreement with the U.S. State Department. This is one of the largest fines ever imposed by the U.S. government for violations of ITAR and AECA.

Boeing is a multi-billion dollar company with hundreds of full-time trade compliance staff. So, what happened? What can we learn? This case is important and can serve as a warning to the entire industry. Despite Boeing’s vast resources and history, it was still accused of nearly 200 export violations.

What did Boeing do?

According to the U.S. State Department’s Directorate of Defense Trade Controls (DDTC), Boeing is suspected of committing multiple violations, including:

• Unauthorized export and transfer of controlled technical data to foreign employees and contractors
• Unauthorized export to the People’s Republic of China
• Violation of export license terms, conditions, and riders in DDTC export authorizations
• Failure to implement promised corrective actions

What are the details?

DDTC found that the company may have violated ITAR regulations in several areas. Specifically:

• Boeing’s Chinese employees allegedly downloaded technical information from the company’s library 25 times over four years;
• The information involves technical data for ITAR-controlled F-18, F-15, and F-22 fighter aircraft, AH-64 Apache helicopters, AGM-84E Standoff Land Attack Missiles, and AGM-131 Short-Range Attack Missile II;
• DDTC also charged foreign employees and contractors in 18 other countries, including Russia, with 80 unauthorized accesses to ITAR-controlled technical data;
• They also accused Boeing of falsifying five permanent export licenses to export ITAR-controlled hardware to Portugal and Turkey; (Professional Compliance Tip: If you cannot obtain True If you don’t have an export license, then don’t forge one.
• Boeing was also accused of not complying with the terms of its export license by allowing the release of technical data controlled by the International Traffic in Arms Regulations to Lebanese Armed Forces pilots, even though the terms clearly told Boeing that the practice was unauthorized.

Launch failure: Boeing pledges corrective action

To add insult to injury for DDTC, Boeing also apparently failed to implement corrective actions it had committed to the agency in other areas of its compliance program. These actions included:

• Boeing Australia subcontractor re-transferred ITAR-controlled technical data without U.S. government authorization
• Failure to provide training to prevent the recurrence of unauthorized disclosure of Air Force One technical data to foreign persons (initially disclosed in 2019, but repeated in 2020)

Are there any mitigating factors?

We are looking at a large fine — $51 million to be exact. So the natural question is, are there any mitigating factors or circumstances that could reduce this fine?

Believe it or not, the DDTC did cite some mitigating factors that made the penalty lower than it otherwise would have been, including Boeing’s voluntary disclosure of the violations to the U.S. government and its full cooperation with DDTC’s additional information requests and follow-up actions to understand the true nature of the activities at issue.

Agree to the Agreement

Boeing signed a consent agreement with the U.S. Department of State that holds Boeing accountable for all remedial measures set forth in the agreement. If Boeing does not implement these measures, they risk administrative decertification, which would result in Boeing being unable to do business internationally. Examples of these measures are as follows:

• Boeing must appoint a Special Compliance Officer (SCO), who must be approved in advance by DDTC and must report directly to Boeing’s CEO
• SCO is responsible for monitoring/enforcement of all export control policies/procedures, including strengthening these policies/procedures to address past violations and prevent recurrence
• Implement a cradle-to-grave export compliance system across all business units and subsidiaries
• Conduct global training on electronic export of technical data in accordance with revised export compliance policy/procedures
• All hardware and software must be reviewed and verified by global and export control jurisdictions prior to export
• Two audits must be conducted during the validity period of the consent agreement

While it may be hard to find a silver lining in all of this, the $51 million civil penalty enables Boeing to put $24 million toward the remedial compliance measures mentioned above.

in conclusion

The export, re-export, transfer, retransfer, whether in physical or electronic form, of U.S. origin items (including controlled technical data) or items exported from the U.S. must be evaluated and controlled throughout the export process. ITAR technical data must always be protected by an authorized access process that should include approval from multiple sources including the access requester’s manager, SCO or designee, and IT.

Companies need to know what their subsidiaries and contractors control and who has access to that information. U.S. export controls extend beyond the continental United States. This means that parent companies should be as careful when evaluating compliance programs in foreign countries as they would in the United States. Holding international locations to the same standards as U.S. entities is critical to preventing these types of violations.