Export Administration Regulations: Establishment of License Exception Intra-Company Transfer (ICT), 57554-57564 [E8-23506]

Proposed Rules

Federal Register Vol. 73, No. 193, Friday, October 3, 2008

This section of the FEDERAL REGISTER contains notices to the public of the proposed issuance of rules and regulations. The purpose of these notices is to give interested persons an opportunity to participate in the rule making prior to the adoption of the final rules.

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 740 and 772

[Docket No. 071213838–81132–01]

RIN 0694–AE21

Export Administration Regulations: Establishment of License Exception Intra-Company Transfer (ICT)

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Proposed rule.

SUMMARY: This proposed rule would amend the Export Administration Regulations (EAR) to establish a new license exception entitled “Intra-Company Transfer (ICT).” This license exception would allow an approved parent company and its approved wholly-owned or controlled in fact entities to export, reexport, or transfer (in-country) many items on the Commerce Control List (CCL) among themselves for internal company use. Prior authorization from the Bureau of Industry and Security (BIS) would be required to use this license exception. This rule describes the criteria pursuant to which entities would be eligible to use License Exception ICT and the procedure by which they must apply for such authorization. This proposed rule is one of the initiatives in the export control directive announced by the President on January 22, 2008.

DATES: Comments must be received by November 17, 2008.

ADDRESSES: You may submit comments, identified by RIN 0694–AE21, by any of the following methods:

• Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.
• E-mail: rpd2@bis.doc.gov. Include “RIN 0694–AE21” in the subject line of the message.
• Fax: 202–482–3355
• Mail/Hand Delivery: Steven Emme, U.S. Department of Commerce, Bureau of Industry and Security, Regulatory Policy Division, 14th & Pennsylvania Avenue, NW., Room 2705, Washington, DC 20230, ATTN: RIN 0694–AE21.

FOR FURTHER INFORMATION CONTACT: Steven Emme, Regulatory Policy Division; Telephone: 202–482–2440; Email: semme@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

Background

Presidential Directives on U.S. Export Control Reform and Deemed Export Advisory Committee

On January 22, 2008, the President announced a package of directives to ensure that the export control policies and practices of the United States support the National Security Strategy of 2006, while facilitating the United States’ continued international economic and technological leadership. These directives focus the export control system to meet the unprecedented security challenges as well as the economic challenges faced by the United States, due to the increasing worldwide diffusion of high technology and impact of global markets. The directives recognize that the economic and technological competitiveness of the United States is essential to meet long-term national security interests. Export controls must, therefore, cover the export and reexport of sensitive items without unduly burdening U.S. economic competitiveness and innovation. This is particularly critical in light of the current and increasing globalization of research, development, and production, as well as the rise of new economic competitors and the diffusion of global supply networks that challenge U.S. economic and technological competitiveness.

Shortly before the President announced the package of directives on U.S. export control reforms, the Deemed Export Advisory Committee (DEAC) presented its findings to the Secretary of Commerce on deemed export controls. The DEAC, a federal advisory committee established by the Secretary, undertook a comprehensive examination of the national security, technology, and competitiveness aspects of the deemed export rule. A deemed export is the release of technology and source code subject to the EAR to foreign nationals in the United States that is “deemed” to be an export to the home country or countries of the foreign national. In its final report, which was issued in December 2007, the DEAC concluded that the deemed export rule “no longer effectively serves its intended purpose and should be replaced with an approach that better reflects the realities of today’s national security needs and global economy.” In order to address this concern, the DEAC made several recommendations, including creating a category of “Trusted Entities” that voluntarily elect to qualify for streamlined treatment after meeting certain criteria. Further, the DEAC recommended that these “Trusted Entities” include subsidiaries abroad so that individuals and ideas could move within the company structure without the need for separate deemed export licenses.

It is in the context of the President’s directives on U.S. export control reforms and with respect to the DEAC’s recommendations on deemed export controls that BIS is proposing this rule creating a license exception for intra-company transfers.

The Impact of U.S. Export Controls on Intra-Company Transfers

As global markets and manufacturing continue to evolve, many parent companies have numerous operations in multiple countries for distribution, service and repair, manufacturing and development, product testing, and other uses. In this environment, parent companies increasingly export commodities, software, and technology to their foreign branches, subsidiaries, and/or ultimate foreign parent companies around the world. Consequently, many companies may need multiple export licenses from BIS under a variety of scenarios for their own internal operations.
For example, to conduct day-to-day operations, many companies in the United States must export commodities, software, and technology to their foreign branches and subsidiaries, resulting in the need for export licenses. In addition, companies may also require reexport licenses to transfer items among their foreign branches, foreign subsidiaries, and/or their ultimate foreign parent companies, located in multiple countries. On occasion, a company will have several branches or subsidiaries within the same foreign country and must then seek authorization to make in-country transfers of technology and other items between those entities. Finally, releasing technology and source code subject to the EAR to foreign national employees at locations of the company in the United States or at the location of another foreign branch or subsidiary could generate the need for deemed export or deemed reexport licenses.

Generally, obtaining these licenses for intra-company transfers can negatively impact transactions due to the delay involved in waiting for a licensing decision. Moreover, obtaining licenses for intra-company transfers can hinder more than just individual transactions; they can also hinder product development and the ability to be first to market—activities key to the competitiveness of U.S. companies. For many companies, product development entails large capital investments, compressed product cycles, and intensive coordination of research and development. With the current licensing requirements in place, however, many companies with U.S. operations may be forced to segregate their research and development activities. For instance, while waiting for the approval of a deemed export license, U.S. employees and certain foreign national employees would be precluded from collaborating together on projects.
Furthermore, once the license is approved, companies may still need to segregate their research and development activities in the future because product breakthroughs could exceed the licensing parameters and require a new round of export licensing.

Establishment of License Exception ICT

In order to facilitate secure exports, reexports, and in-country transfers to, from, and among a parent company and its wholly-owned or controlled in fact entities, the Bureau of Industry and Security is proposing to amend the Export Administration Regulations (EAR) to create License Exception Intra-Company Transfer (ICT). License Exception ICT, which would be set forth in new § 740.19 of the EAR, would provide companies a process for intra-company exports, reexports, and in-country transfers without individual licenses. This license exception would allow parent companies and the entities that the parent company wholly owns or controls in fact to export, reexport, and transfer (in-country) many items on the Commerce Control List (CCL) among themselves for internal company use. The grant of ICT would be restricted to those approved companies and those Export Control Classification Numbers (ECCNs) that are authorized by BIS.

Companies authorized to use License Exception ICT would benefit because it would relieve them of some of the administrative requirements of obtaining, tracking, and reporting on individual licenses and would reduce the lag time, expense, and uncertainty in the licensing process. This license exception would also improve research and development and other internal company activities, thus leading to improved competitiveness and innovation for companies with operations in the United States.
In proposing this license exception for intra-company exports, reexports, and in-country transfers, BIS recognizes that industry and government share the goal of protecting controlled commodities, software, and technology, since these often represent proprietary information and property. Moreover, BIS also recognizes that many companies devote considerable financial and workforce resources to ensuring compliance with export controls. BIS would authorize License Exception ICT for those companies that demonstrate effective internal control plans, submit annual reports on their use of ICT, and agree to audits by BIS officials as requested. By authorizing this license exception for companies that have effective internal control plans and have agreed to audits, BIS can focus its resources on evaluating transactions involving lesser-known items and entities to better prevent exports to persons who may act contrary to U.S. national security and foreign policy interests. Greater focus on such transactions would increase the national security value of the remaining reviews of individual license applications.

Definitions

For purposes of this rule, BIS is defining multiple terms used with respect to License Exception ICT. These terms are “controlled in fact,” “employee,” and “parent company.” This rule would amend § 772.1 of the EAR to include these new definitions as described below.

First, BIS is amending the definition of “controlled in fact” in § 772.1 by applying aspects of the definition of the same term set forth in § 760.1(c) of the EAR to specify the circumstances in which one entity will be presumed to have control over another entity for purposes of License Exception ICT. In order to include any entity in its application to use License Exception ICT, the parent company must either wholly own or control in fact that individual entity.
Next, BIS is amending § 772.1 to add the term “employee,” for purposes of License Exception ICT, to refer to persons who work, with or without compensation, in the interest of an entity that is an approved eligible user or an approved eligible recipient of ICT. Such persons must work at the approved eligible entity’s locations, including overseas locations, or at locations assigned by the approved eligible entity, such as at remote sites or on business trips. This definition may include permanent employees, contractors, and interns.

Finally, BIS is amending § 772.1 to add the term “parent company,” which will be defined for purposes of License Exception ICT, to mean any entity that wholly owns or controls in fact a different entity, such as a subsidiary or branch. The parent company does not have to be an ultimate parent company, as that term is referred to in the definition of parent company; it may be wholly-owned or controlled by another entity or other entities. Also, the parent company does not need to be incorporated in or have its principal place of business in the United States. However, in order to be eligible for and use License Exception ICT, the parent company must be incorporated in or have its principal place of business in a country listed in Supplement No. 4 to part 740 (see new § 740.19(b)(1)). This definition does not include colleges and universities. Thus, the research conducted by colleges and universities that is not fundamental research (see § 734.8(a) of the EAR) and that requires a license would not qualify for License Exception ICT. However, a university professor who enters into a contractual relationship with a company to conduct proprietary research could qualify as an “employee” if all conditions in that definition are met.
Information Required for Submission to BIS for Review to Use License Exception ICT

In order to avail themselves of License Exception ICT, a “parent company” and the entities that it wholly owns or “controls in fact” must maintain an internal control plan, hereinafter referred to as an ICT control plan. Upon implementation of the ICT control plan, the parent company, as the eligible applicant under new § 740.19(b)(1), must submit the plan to BIS for review pursuant to new § 740.19(e). Additionally, the eligible applicant must submit documentation showing that the ICT control plan has been implemented. Such documentation should include a representative sample of records showing effective compliance with the screening, training, and self-evaluation elements of the ICT control plan, as described below in further detail.

Along with the ICT control plan and supporting documentation, the eligible applicant parent company must list the wholly-owned entities and controlled in fact entities that the applicant parent company intends to be eligible users (see new § 740.19(b)(2)) or eligible recipients (see new § 740.19(b)(3)(i)) of this license exception. It is possible for an entity to be both an eligible user and an eligible recipient. For itself, and for each eligible user and eligible recipient entity, the eligible applicant parent company must list any individual or group that has at least a 10% ownership interest.
Finally, the eligible applicant parent company must list the ECCNs of the items it plans to export, reexport, or transfer (in-country) under ICT; provide a narrative describing the purpose for which the requested ECCNs will be used and the anticipated resulting commodities, if applicable; disclose its relationship with each entity that is intended to be an eligible user and/or eligible recipient; and provide a signed statement by a company officer of the eligible applicant parent company stating that each entity will allow BIS to conduct audits on the use of License Exception ICT.

ICT Control Plan

An ICT control plan seeks to ensure that items on the Commerce Control List will not be exported, reexported, or transferred in violation of this license exception. As this license exception may be used for commodities, software, and technology, the ICT control plan must address how the parent company and the entities that it wholly owns or controls in fact, as eligible users and eligible recipients, will maintain items authorized for export, reexport, or transfer by this license exception within the company structure, as authorized by BIS.

Within the ICT control plan, eligible applicants must describe how certain mandatory elements will be met. These mandatory elements, which are listed in new § 740.19(d)(1), include corporate commitment to export compliance, a physical security plan, an information security plan, personnel screening procedures, a training and awareness program, a self-evaluation program, a letter of assurance for software and technology, non-disclosure agreements, and end-user list reviews. All of these elements are aspects of export control compliance programs that establish effective internal control plans. In turn, these internal control plans generate an increased level of awareness of export control compliance issues among employees and help secure a company’s proprietary information.
For the required ICT control plan elements in paragraphs (d)(1)(i) through (d)(1)(vi) of new § 740.19, BIS is not specifying how each company must achieve them due to the varying characteristics of companies. However, paragraphs (d)(1)(i) through (d)(1)(vi) do contain illustrative examples of evidence that a company may use in its descriptions detailing how it will implement those mandatory elements. While companies may include additional elements in their ICT control plan, they must, at a minimum, describe how the minimum mandatory elements set forth in § 740.19(d)(1) will be met.

One mandatory element—the self-evaluation program in paragraph (d)(1)(vi)—requires the creation and performance of regular internal self-audits, creation of a checklist of critical areas and items to review, and development of corrective procedures or measures implemented to correct identified deficiencies. If any identified deficiencies rise to the level of a violation of the EAR, the company should make a voluntary self-disclosure pursuant to § 764.5.

If a company plans to use this license exception for commodities only, then the company may state in the ICT control plan that the mandatory elements of the ICT control plan set forth in paragraphs (d)(1)(iii) (information security plan), (d)(1)(iv) (personnel screening procedures), (d)(1)(vii) (letter of assurance for software and technology), (d)(1)(viii) (signing of non-disclosure agreements), and (d)(1)(ix) (review of end-user lists) are not applicable because the license exception will be used for commodities only and not used for software or technology.
Similarly, if a company plans to use this license exception for software (excluding source code) only, or if a company plans to use this license exception for commodities and software (excluding source code) only, then the company may state in the ICT control plan that the mandatory elements found in paragraphs (d)(1)(iv) (personnel screening procedures), (d)(1)(viii) (signing of non-disclosure agreements), and (d)(1)(ix) (review of end-user lists) are not applicable because the license exception will be used for software (excluding source code) only, or, if appropriate, for software (excluding source code) and commodities only, and not used for technology or source code.

Mandatory Requirements for Technology and Source Code Under an ICT Control Plan

Entities that seek to be approved eligible users and/or eligible recipients of this license exception must ensure that non-U.S. national employees, wherever located, sign non-disclosure agreements before receiving technology or source code under this license exception. Such non-disclosure agreements must state that the employee agrees not to release any technology or source code in violation of the EAR, and such agreements must be binding as long as the technology or source code remains subject to export controls, regardless of the signatory’s employment relationship with the employer. In other words, even if the signatory’s employment relationship with the employer were severed, the signatory would remain prohibited from releasing any technology or source code received under License Exception ICT while employed. The non-disclosure agreement must also specify that the prohibition would remain in effect until the technology or source code no longer required a license to any destination under the EAR.

In addition, entities that seek to be approved eligible users and/or eligible recipients of ICT must screen non-U.S.
national employees who are also foreign national employees in the country in which they are working against lists of end-user concern. This screening requirement applies if such individuals are to receive technology or source code under ICT. The lists of end-users of concern are compiled by the U.S. government and may be accessed at the BIS Web site at https://www.bis.doc.gov. Upon publication of a final rule, BIS plans to provide guidance on its website with respect to screening such employees for purposes of ICT.

Non-U.S. national employees are those employees who are not U.S. citizens, U.S. permanent residents, or protected individuals under the Immigration and Naturalization Act (8 U.S.C. 1324b(a)(3)). Foreign national employees are those non-U.S. national employees, wherever located, who are not citizens or legal permanent residents of the country in which they work. For instance, a German national working in the United States and a German national working in France are both considered foreign national employees for purposes of this rule (and more generally for purposes of the EAR). However, a French national working in France is not a foreign national employee from the perspective of BIS. Therefore, all foreign national employees are non-U.S. national employees, but not all non-U.S. national employees are foreign national employees.

This distinction is important because the non-disclosure agreement element in an ICT control plan applies to the German national working in France as well as to the French national working in France. Thus, it applies to non-U.S.
national employees who would otherwise be permitted to receive technology or source code subject to the EAR, if not for the grant of ICT, under a deemed export license, deemed reexport license, license to a facility where the employee works, or other license exception.

Unlike the non-disclosure agreement requirement, the screening element applies only to foreign national employees. Hence, it would apply to a German national working in France but not to a French national working in France. The release of technology or source code subject to the EAR to a foreign national employee may occur under a deemed export or deemed reexport license or by operation of a license exception, but it may also occur under a license that has been issued to a facility. For example, a technology license approved for a French facility may have a condition allowing all EU nationals to receive the technology as well as the French employees. The screening requirement is intended to apply to all foreign national employees receiving technology or source code under ICT that would otherwise require a license, whether it be through a license for a deemed export or deemed reexport, a license issued to a facility, or other license exception. Additionally, foreign national employees of companies located in the United States must comply with U.S. immigration laws and maintain current and valid visa authorization.

Authorization From BIS to Use License Exception ICT

Following receipt of the ICT control plan and all information required under new § 740.19(e)(1), BIS will review and refer the submission to the reviewing agencies consistent with §§ 750.3 and 750.4 of the EAR and Executive Order 12981, as amended by Executive Orders 13020, 13026, and 13117.
In order to determine ICT eligibility, BIS will consider prior licensing history of the eligible applicant parent company and its wholly-owned or controlled in fact entities that are part of the authorization request, demonstration of an effective ICT control plan, need for this license exception within the company structure as articulated by the applicant parent company, and relationship of the wholly-owned or controlled in fact entities to the eligible applicant parent company.

Upon reaching a decision, BIS will inform the eligible applicant parent company in writing if it may use this license exception pursuant to new § 740.19(f). BIS will specify the terms of the ICT authorization, including identifying the wholly-owned or controlled in fact entities of the eligible applicant parent company that may use ICT and the ECCNs of the items that may be exported, reexported, or transferred (in-country) for internal company use under ICT.

After receiving authorization, approved parent companies and their approved wholly-owned or controlled in fact entities, if covered under the ICT control plan, may use this license exception to export, reexport, or transfer (in-country) approved commodities, software, and/or technology among themselves for internal company use only. Any entity that seeks to become an eligible user and/or eligible recipient, as described in new §§ 740.19(b)(2) and 740.19(b)(3)(i), must be specifically covered by the ICT control plan submitted to BIS and maintain the ICT control plan of the eligible applicant parent company. Exports, reexports, and in-country transfers for any purpose other than internal company use are not authorized under License Exception ICT.
With respect to an item that has been exported, reexported, or transferred (in-country) pursuant to License Exception ICT, the entity must submit a license application if required under the EAR before using the item for a purpose other than that covered by this license exception. Also, should control of the approved eligible applicant parent company change, then use of License Exception ICT is no longer valid. The newly-controlled eligible applicant parent company must re-submit the information required for ICT authorization, as described in new § 740.19(g)(3).

Annual Reporting Requirements

After submitting a request for authorization to use License Exception ICT pursuant to new § 740.19(e) and after receiving approval from BIS, approved eligible applicant parent companies must submit an annual report to BIS on the use of this license exception by itself and by its approved wholly-owned or controlled in fact entities. Specifically, approved eligible applicant parent companies must list the name, nationality, and date of birth of each foreign national employee, as described in note 2 to new § 740.19(b)(3)(ii), who has received technology or source code under this license exception. The requirement is limited to those employees, who would have required a license to receive technology or source code if not for ICT, and who are not citizens or legal permanent residents of the country in which they are employed. Therefore, it applies to foreign national employees working in the United States and to foreign national employees working outside of the United States.

Also, approved eligible applicant parent companies must submit the names of those foreign national employees, as described in note 2 to new § 740.19(b)(3)(ii), who previously received technology or source code under this license exception and have ended their employment.
This requirement does not apply to those who have merely switched positions within the company structure of the parent company, so long as the new employer is an approved eligible entity under the same parent company. BIS is requesting this information in order to examine the use of License Exception ICT and measure its effectiveness.

Further, a company officer must certify to BIS that the approved eligible applicant parent company and its approved eligible users and eligible recipient entities are in compliance with the terms and conditions of ICT. This certification should include the results of the self-evaluation described in paragraph (d)(1)(vi) of this section.

Auditing Use of License Exception ICT

BIS will conduct audits of approved eligible applicant parent companies and their approved wholly-owned or controlled in fact entities to ensure proper compliance with License Exception ICT. These reviews will take place approximately once every two years. Generally, BIS will give notice to the relevant parties before conducting an audit. However, if BIS has reason to believe that an entity is improperly using ICT, BIS may conduct an unannounced audit at its discretion that is separate from the biennial audit.

Restrictions on the Use of License Exception ICT and the Direct Product Rule

Consistent with other license exceptions, License Exception ICT is subject to the restrictions on the use of all license exceptions, which are set forth in § 740.2 of the EAR. Therefore, ICT cannot be used for certain items, such as items controlled for missile technology reasons or certain items that are “space qualified.” Moreover, ICT is subject to revision, suspension, or revocation, in whole or in part, without notice.

Also, new § 740.19(c) lists restrictions on using ICT. For instance, items controlled for Encryption Items (EI) reasons and items controlled for Significant Items (SI) reasons are ineligible for export, reexport, or transfer (in-country) under ICT.
At this time, License Exception ENC will remain the primary resource for providing the authorization necessary for many intra-company transfers of encryption items. Further, no items exported, reexported, or transferred within country under this license exception may be subsequently exported, reexported, or transferred for purposes other than internal company use, unless done so in accordance with the EAR. However, items that have been exported, reexported, or transferred (in-country) under License Exception ICT may not be subsequently exported, reexported, or transferred (in-country) under License Exception APR (see § 740.16).

Finally, note that whether the foreign direct product of U.S. software or technology exported from abroad, reexported, or transferred under License Exception ICT is subject to the EAR is determined under § 736.2(b)(3) of the EAR, when the foreign direct product is exported from abroad, reexported, or transferred (in-country) for other than internal use within a Country Group D:1 country or Cuba.

Although the Export Administration Act expired on August 20, 2001, the President, through Executive Order 13222 of August 17, 2001, 3 CFR, 2001 Comp., p. 783 (2002), as extended by the Notice of July 23, 2008, 73 FR 43603 (July 25, 2008), has continued the Export Administration Regulations in effect under the International Emergency Economic Powers Act.

Rulemaking Requirements

1. This proposed rule has been determined to be significant for purposes of Executive Order 12866.

2. Notwithstanding any other provision of law, no person is required to respond to nor be subject to a penalty for failure to comply with a collection of information, subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.)
(PRA), unless that collection of information displays a currently valid Office of Management and Budget (OMB) Control Number. This proposed rule contains a collection previously approved by the OMB under control numbers 0694–0088, “Multi-Purpose Application,” which carries a burden hour estimate of 58 minutes to prepare and submit form BIS–748. Miscellaneous and recordkeeping activities account for 12 minutes per submission. In addition, this proposed rule contains a new collection for reporting, recordkeeping, and auditing requirements, which would be submitted for approval to use License Exception ICT, carries an estimated burden of 19.6 hours for companies having an existing internal control plan and 265.6 hours for companies not having an existing internal control plan in place. A request for new collection authority will be submitted to OMB for approval. Public comment will be sought regarding the burden of the collection of information associated with preparation and submission of these proposed voluntary requirements. BIS estimates that this rule will reduce the number of multi-purpose application forms that must be filed by 582 annually. Send comments regarding this burden estimate or any other aspect of this collection information, including suggestions for reducing the burden, to Jasmeet K. Seehra, Office of Management and Budget (OMB), and to the Regulatory Policy Division, Bureau of Industry and Security, Department of Commerce, as indicated in the ADDRESSES section of this proposed rule.

3. This rule does not contain policies with Federalism implications as that term is defined in Executive Order 13132.

4. The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C.
601 et seq., generally requires an agency to prepare a regulatory flexibility analysis of any rule subject to the notice and comment rulemaking requirements under the Administrative Procedure Act (5 U.S.C. 553) or any other statute, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. Under section 605(b) of the RFA, however, if the head of an agency certifies that a rule will not have a significant economic impact on a substantial number of small entities, the statute does not require the agency to prepare a regulatory flexibility analysis. Pursuant to section 605(b), the Chief Counsel for Regulations, Department of Commerce, certified to the Chief Counsel for Advocacy, Small Business Administration, that this proposed rule, if promulgated, will not have a significant economic impact on a substantial number of small entities for the reasons explained below. Consequently, BIS has not prepared a regulatory flexibility analysis.

The EAR applies to all entities that export, reexport, or transfer commodities, software, and technology that are subject to the EAR. The EAR potentially affects any entity in any sector that chooses to export, reexport, or transfer items subject to the EAR. Thus, while this proposed rule could potentially have a significant economic impact on small entities, BIS believes that this proposed rule will not impact a substantial number of small entities. BIS does not have data on the total number of small entities that are potentially impacted by the requirements of the EAR, but BIS does maintain data on actual licenses applied for by entities of all sizes.

In order to examine the number of small entities that would be impacted by this proposed rule, BIS examined the licensing data to find approved licenses that would potentially qualify as an intra-company transfer.
Using this data as well as using estimated burden hours in gaining ICT authorization, BIS conducted a cost-benefit analysis to see which entities would likely choose to apply for authorization. BIS also examined all approved licenses that could qualify as intra-company transfers to determine whether any entities were small entities.

Upon initial examination of licensing data from 2004 to 2006, BIS found that approximately 200 companies had licenses approved that could potentially qualify as an intra-company transfer. Of those companies, the vast majority consisted of large parent companies, medium-sized companies, or companies that were owned by larger domestic or foreign companies. This result supports the premise that entities that would avail themselves of ICT must be large enough to have subsidiaries or branches located in different countries that the entities control in fact.

To look at which of those approximately 200 companies would most likely choose to apply for ICT authorization, BIS conducted a cost-benefit analysis by estimating the burden hours involved in gaining ICT authorization as well as with complying with recordkeeping and reporting requirements under ICT. BIS determined that over a three-year period it would take 280.8 hours (or 16,848 minutes) for a company without an internal control program to seek ICT authorization and 34.8 hours (or 2088 minutes) for a company with an existing internal control program to seek ICT authorization. The threshold by which companies would likely be inclined to apply for authorization to use ICT is the point at which the burden of applying for licenses over a three-year period (at 70 minutes per license) exceeds the total ICT burden hours over three years (at 16,848 minutes for companies without an existing internal control program or at 2088 minutes for companies with an internal control program).
In order to meet that threshold, companies without an internal control program would have to apply for about 241 licenses over a three-year period, and companies with an existing internal control program would have to apply for about 30 licenses per year over a three-year period. Only two companies meet the 241 license threshold, and those companies are not small entities under the North American Industry Classification System (NAICS) standards. Sixteen companies meet the 30 license threshold or come close (within five licenses) of meeting the threshold, and none of those companies is a small entity under the NAICS standards.

In addition to burden hours, companies without an existing internal compliance program may be less likely to choose to seek ICT authorization because additional investments would likely need to be made to implement an internal control program. While these upfront investments could greatly vary depending on company size as well as the type and number of items in the company portfolio, it is likely that companies would need to invest in physical and information security as well as incur travel expenses to visit overseas facilities to ensure that the internal compliance program is operating effectively. All of these additional costs would likely increase the burden in any cost-benefit analysis and would likely make an entity of any size that does not have an internal compliance program less likely to seek ICT authorization and thus not be impacted by this proposed rule.

Even if an entity without an internal compliance program utilizes a different cost-benefit analysis and decides to apply for ICT authorization, BIS licensing data shows that the potential ICT candidate would not be a small entity.
Only four companies, for which public information was available, were found to qualify as small entities under the NAICS. However, the potential intra-company licenses approved for these four entities would all be ineligible under License Exception ICT. The items approved for export were all items listed under § 740.2 that are restricted for export, reexport, or in-country transfer under all license exceptions. Therefore, no small entity was found to have licenses that were approved by BIS over a three-year period that would qualify under ICT. Consequently, this proposed rule would not affect a significant number of small entities.

This proposed rule was mandated by the President in National Security Presidential Directive (NSPD) 55. While this proposed rule will increase burden hours for those entities choosing to seek authorization for License Exception ICT, BIS licensing data and publicly available information show that no small entities in the period of review received approved licenses for intra-company transfers that would be eligible for License Exception ICT. Thus, a substantial number of small entities will not be impacted by this proposed rule.

List of Subjects

15 CFR Part 740

Administrative practice and procedure, Exports, Reporting and recordkeeping requirements.

15 CFR Part 772

Exports.

For the reasons set forth in the preamble, parts 740 and 772 of the Export Administration Regulations (15 CFR 730–774) are amended as follows:

PART 740—[AMENDED]

1. The authority citation for 15 CFR part 740 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).

2. Section 740.19 is added to read as follows:

§ 740.19 Intra-Company Transfer (ICT).

(a) Scope.
This license exception authorizes exports, reexports, and in-country transfers of items on the Commerce Control List for internal company use among approved eligible applicants, eligible users, and eligible recipients, as described in paragraphs (b)(1), (b)(2), and (b)(3) respectively, of this section. Use of License Exception ICT is limited to those entities and those ECCNs that are authorized by BIS, pursuant to paragraph (f) of this section.

(b) Eligibility. (1) Eligible applicant. The eligible applicant is the “parent company,” as that term is defined in section 772.1, that institutes an ICT control plan, as described in paragraph (d) of this section, and that applies for authorization from BIS to use this license exception. The eligible applicant must be incorporated in or have its principal place of business in any country listed in Supplement No. 4 to part 740. In addition, the eligible applicant may be, but is not required to be, the ultimate parent company, as that term is referred to in the definition of “parent company” set forth in section 772.1; hence the eligible applicant may be owned or controlled by other entities. However, the ultimate parent company cannot be an eligible user under this license exception unless it is also the eligible applicant. Application requirements are set forth in paragraph (e) of this section.

(2) Eligible users. Eligible users may be eligible applicants, as described in paragraph (b)(1) of this section, and their wholly-owned or “controlled in fact” entities that implement and maintain the ICT control plan of the eligible applicant and that are included in the applications submitted by eligible applicants pursuant to paragraph (e) of this section. Eligible applicants must ensure that each eligible user implements the eligible applicant’s ICT control plan, including the use of nondisclosure agreements as described in paragraph (d)(1)(viii) of this section.
(3) Eligible recipients. (i) Entities. Eligible recipients of items under this license exception may be eligible applicants as described in paragraph (b)(1) of this section, eligible users as described in paragraph (b)(2) of this section, and eligible applicants’ other wholly-owned or controlled in fact companies that implement and maintain the ICT control plan of the eligible applicant and that are named in the applications submitted by the eligible applicant pursuant to paragraph (e) of this section. Eligible applicants must ensure that each eligible recipient, as described in this paragraph, implements the eligible applicant’s ICT control plan, including the use of nondisclosure agreements as described in paragraph (d)(1)(viii) of this section.

(ii) Non-U.S. national employees receiving technology or source code. Non-U.S. national employees (wherever located) of entities that are eligible applicants, eligible users, and/or eligible recipients of this license exception may be eligible recipients of technology and source code under this license exception provided the non-U.S. national employees sign non-disclosure agreements with their employer in which the non-U.S. national employees agree not to release any technology or source code in violation of the EAR. Additionally, if non-U.S. national employees are also foreign national employees in their country of employment, then such non-U.S. national employees must also be screened by the appropriate eligible user against end-user lists compiled by the U.S. government. For further information on employees, nondisclosure agreements, and screening requirements, see §§ 772.1, 740.19(d)(1)(viii), and 740.19(d)(1)(ix) respectively.

Note 1 to paragraph (b)(3)(ii) of this section: Non-U.S. national employees are those employees who are not U.S. citizens, lawful permanent residents of the United States, or individuals protected under the Immigration and Naturalization Act (8 U.S.C. 1324b(a)(3)). Non-U.S. national employees include those working in the United States and outside of the United States. Furthermore, non-U.S. national employees include those employees who would otherwise be permitted to receive technology or source code only under: (1) A deemed export or deemed reexport license; (2) a license issued to a facility, and the employee is a citizen or legal permanent resident of the same country where the facility is located; and (3) a license issued to a facility, but the employee is not a citizen or legal permanent resident of the country where the facility is located; (4) another authorization such as a license exception other than ICT.

Note 2 to paragraph (b)(3)(ii) of this section: Foreign national employees are those non-U.S. national employees who are not citizens or legal permanent residents of the country in which they are employed. Foreign national employees include those employees who would otherwise receive technology or source code under: (1) A deemed export or deemed reexport license; or (2) a license to a facility, but the employee is not a citizen or legal permanent resident of the country where the facility is located; or (3) another authorization such as a license exception other than ICT.

(4) Eligible uses. Items exported, reexported, or transferred within country under this license exception may be exported, reexported, or transferred only for purposes of the internal company use by approved eligible applicants and approved eligible users of this license exception, as described in paragraphs (b)(1) and (b)(2) respectively, of this section.

(c) Restrictions. (1) No item may be exported, reexported, or transferred within country under this license exception to destinations in or nationals of Country Group E or North Korea.
(2) No item exported, reexported, or transferred within country under this license exception may be subsequently exported, reexported, or transferred for purposes other than the internal company use of approved eligible applicants, eligible users, and eligible recipients, as described in paragraphs (b)(1), (b)(2), and (b)(3)(i) respectively, of this section, unless done so in accordance with the EAR. See paragraph (c)(3) of this section for further restrictions.

(3) No items that have been exported, reexported, or transferred (in-country) under License Exception ICT may be subsequently exported, reexported, or transferred (in-country) under License Exception APR (see § 740.16).

(4) No release of technology or source code is authorized under this license exception to foreign national employees whose visa or authority to work has been revoked, denied, or is otherwise not valid. It is the responsibility of the exporter to ensure that foreign national employees working in the United States maintain a valid U.S. visa if they are required to hold a visa from the United States.

(5) No release of technology or source code is authorized under this license exception to a foreign national employee, as described in note 2 to paragraph (b)(3)(ii), if that employee or a prior employer of that employee is listed on any of the end-user lists of concern compiled by the U.S. government. In such instances, eligible applicants (or eligible users, as appropriate) should obtain the appropriate authorization required under the EAR.

(6) No items controlled for Encryption Items (EI) reasons under ECCNs 5A002, 5D002, or 5E002 may be exported, reexported, or transferred (in-country) under this license exception.

(7) No items controlled for Significant Items (SI) reasons may be exported, reexported, or transferred (in-country) under this license exception.

(d) ICT control plan.
Prior to submitting an application to BIS under paragraph (e) of this section, and before making any exports, reexports, or in-country transfers under this license exception, eligible applicants must implement an ICT control plan that is designed to ensure compliance with this license exception and the EAR. In addition, eligible users and eligible recipient entities must implement the ICT control plan of the eligible applicant. Under an ICT control plan, which may be a component of a more comprehensive export compliance program, all entities that seek to use this license exception must ensure that commodities, software, and technology, where applicable, will not be exported, reexported, or transferred in violation of this license exception. With their application for authorization (as described in paragraph (e) of this section) to use this license exception, eligible applicants must submit a copy of the ICT control plan and must specifically note which of their wholly-owned or controlled in fact entities are covered by the plan. BIS may require the eligible applicant to modify the ICT control plan before authorizing use of this license exception. Paragraph (d)(1) of this section lists the mandatory elements of an ICT control plan. Paragraph (d)(2) of this section lists exceptions to addressing certain mandatory elements in paragraph (d)(1) in the ICT control plan.

(1) Mandatory elements of an ICT control plan. The following elements are mandatory, subject to the exceptions in paragraph (d)(2) of this section. The ICT control plan must describe how each mandatory element will be implemented. In order to provide guidance, the mandatory elements described in paragraphs (d)(1)(i) through (d)(1)(v) include illustrative examples of evidence demonstrating how the element may be addressed.
Note that these illustrative examples are guidelines only; satisfying the five required elements in paragraphs (d)(1)(i) through (d)(1)(v) of this section is dependent upon the nature and complexity of company activities, the type of items that will be exported, reexported, or transferred under this license exception (i.e., commodities, software, and/or technology), the countries involved, and the relationship between the eligible users and eligible recipients of this license exception, as described in paragraphs (b)(2) and (b)(3)(i) respectively of this section. With respect to the other four elements of the ICT control plan, eligible applicants must fulfill certain specified requirements. For paragraphs (d)(1)(vi), (d)(1)(vii), (d)(1)(viii), and (d)(1)(ix) of this section, no illustrative examples are included. Note, however, that to satisfy the self-evaluation element in paragraph (d)(1)(vi) of this section, establishing self-audits, creating a checklist, and developing corrective measures are required, but the self-audits may be structured in a manner that works best for the eligible applicant and its wholly-owned or controlled in fact entities. In order to use this license exception for technology or software, a letter of assurance, consistent with §§ 740.19(c) and 740.6, must be provided by a company officer of the eligible applicant. Additionally, in order to use this license exception for non-U.S. national employees, wherever located, to receive technology or source code under this license exception, submitting a template or sample of the nondisclosure agreement to be used is a mandatory element. Also, in order to use this license exception for non-U.S. national employees who are also foreign national employees, reviewing lists of end-users of concern compiled by the U.S. government is a mandatory element.

(i) Corporate commitment to export compliance.
Evidence of a corporate commitment to export compliance may include: An organizational chain of command for export controls compliance issues and related issues of concern; senior management member(s) responsible for export controls compliance, who are able to demonstrate how compliance issues are resolved; internal recordkeeping requirements in accordance with the EAR; maintenance of a sound commodity classification methodology; and commitment of resources to implement and maintain an ICT control plan.

(ii) Physical security plan. Evidence of a physical security plan may include: Methods of physical security that prevent the transfer of commodities, software, and technology on the Commerce Control List outside of the internal company structure; and organization and maintenance of up-to-date building layouts, including a description of physical security measures, such as secured doors and badges as well as biometric, guard, and perimeter controls.

(iii) Information security plan. Evidence of an information security plan may include: Organization and maintenance of up-to-date virtual security layouts and descriptions of what information security methods are in place, such as password protection, firewalls, segregated servers, non-network computers, and intranet security.

(iv) Personnel screening procedures. Evidence of personnel screening procedures may include: Thorough prescreening analysis of new foreign national employees, as described in note 2 to paragraph (b)(3)(ii), which includes, but is not limited to, criminal background, driver’s license, and credit history, before allowing them to receive technology or source code through a license or license exception.

(v) Training and awareness program.
Evidence of a training and awareness program may include: Creation, scheduling, and performance of regular training programs (for all employees working in areas relevant to export controls) to inform employees about export controls and limits on their access to technology or source code.

(vi) Self-evaluation program. Evidence of a self-evaluation program must include the following three components: Creation and performance of regular internal self-audits, which may be conducted through the use of internal and/or external resources depending upon the needs and demands of the organization; creation of a checklist of critical areas and items to review, including identification of any deficiencies; and development of corrective procedures or measures implemented to correct identified deficiencies.

Note: Disclosure of identified deficiencies and corrective actions will be considered when evaluating effective ICT control plans under paragraph (f)(2). Failure to disclose this information could result in revocation, as noted in paragraph (j). Any violations of the EAR that are uncovered in the process of conducting this self-evaluation should be disclosed to BIS in accordance with the voluntary self-disclosure procedures found in section 764.5.

(vii) Letter of assurance for software and technology. A company officer of the eligible applicant must submit a signed statement on company letterhead stating that under this license exception, the eligible applicant and each eligible user and/or eligible recipient entity will not export, reexport, or transfer (in-country) software (including the source code for the software) and technology, consistent with paragraph (c)(1) of this section and consistent with paragraphs (a)(1) and (a)(2) of § 740.6.

(viii) Signing of non-disclosure agreements.
Non-disclosure agreements not to release any technology or source code must be binding with respect to any technology or source code that has been released or otherwise provided to any non-U.S. national employee, wherever located, on the basis of this license exception, until such technology or source code no longer requires a license to any destination under the EAR, regardless of whether the non-U.S. national’s employment relationship with the company remains in effect. Non-disclosure agreements should be completed in both English and the non-U.S. national employee’s native language.

(ix) Review of end-user lists. Foreign national employees, as described in note 2 to paragraph (b)(3)(ii), who are eligible to receive technology or source code under this license exception, must be screened against all lists of end-users of concern compiled by the U.S. government. In addition, prior employers of the foreign national employees must also be screened. These lists can be accessed at https://www.bis.doc.gov. See paragraph (c)(5) of this section for specific restrictions.

(2) Exceptions to certain mandatory elements of an ICT control plan. (i) If this license exception will be used only for commodities, then the ICT control plan elements described in paragraphs (d)(1)(iii), (d)(1)(iv), (d)(1)(vii), (d)(1)(viii), and (d)(1)(ix) are not mandatory. In this situation, the ICT control plan must state that this license exception will be used for commodities only and not used for software or technology.

(ii) If this license exception will be used only for software (excluding source code), or if this license exception will be used only for commodities and software (excluding source code), then the ICT control plan elements described in paragraphs (d)(1)(iv), (d)(1)(viii), and (d)(1)(ix) are not mandatory.
In this situation, the ICT control plan must state that this license exception will be used for software (excluding source code) only, or will be used for commodities and software (excluding source code) only, and not used for technology or source code.

(e) Information required for grant of ICT authorization. (1) Prior to the export, reexport, or in-country transfer of items on the Commerce Control List under this license exception, an eligible applicant, as described in paragraph (b)(1) of this section, must submit the following information to BIS:

(i) For the eligible applicant: Full name of company; location of company headquarters; location of principal place of business; complete physical addresses (listing a post office box is insufficient) of company’s headquarters and principal place of business; post office box if used as an alternate address; location of registration or incorporation; ownership of company, including listing all individuals or groups that have at least a 10% ownership interest; and need for License Exception ICT, including listing the ECCNs of the items that will be exported, reexported, or transferred (in-country) under this license exception and a detailed narrative describing the intended use of the items covered by the listed ECCNs and the anticipated resulting commodities, where relevant;

(ii) For each company, separate from the eligible applicant, that is intended to be an eligible user or eligible recipient that will export, reexport, transfer (in-country), or receive items under this license exception: Full name of entity; location of entity’s principal place of business; complete physical address (listing a post office box is insufficient) of entity’s principal place of business; post office box if used as an alternate address; location of entity’s registration or incorporation; relationship of the entity to the eligible applicant; and ownership of company, including listing all individuals or groups that have at least a 10%
ownership interest, where relevant;

(iii) Name and contact information of the employee(s) responsible for implementing the ICT control plan of the eligible applicant and its wholly-owned or controlled in fact entities that are eligible users and/or eligible recipients;

(iv) A full copy of the ICT control plan, as described in paragraph (d) of this section, covering the eligible applicant and its wholly-owned or controlled in fact entities that are eligible users and/or eligible recipients;

(v) Documentation showing implementation of screening, training, and self-evaluation elements in the ICT control plan, as described in paragraphs (d)(1)(iv), (d)(1)(v), (d)(1)(vi), and (d)(1)(ix), where applicable; and

(vi) A signed statement, on company letterhead, by a company officer of the eligible applicant that states each eligible user and/or eligible recipient entity will allow BIS, at the agency’s discretion, to conduct audits to ensure compliance with this license exception.

(2) Submit all required information to: Bureau of Industry and Security, Attn: License Exception ICT, HCHB Room 2705, 14th Street & Pennsylvania Ave., NW., Washington, DC 20230.

(f) Review of License Exception ICT submissions. Upon receipt of completed information required under paragraph (e)(1) of this section, BIS will conduct a review described in paragraph (f)(1) of this section. During the review, BIS will use the factors described in paragraph (f)(2) of this section to determine authorization. In addition to informing the eligible applicant whether it may use this license exception, BIS will provide the terms of the ICT authorization including which wholly-owned or controlled in fact entities may use this license exception and the ECCNs of the items that may be exported, reexported, or transferred under this license exception.
BIS will respond in writing to the eligible applicant once a decision is reached.

(1) Processing procedures. For purposes of review only, License Exception ICT submissions will be reviewed in the manner that license applications are reviewed pursuant to §§ 750.3 and 750.4 of the EAR and Executive Order 12981, as amended by Executive Orders 13020, 13026, and 13117.

(2) Review factors. The following factors will be considered in determining License Exception ICT authorization: Prior licensing history; demonstration of an effective ICT control plan; and need for the license exception, as expressed in the submission for ICT authorization, including the requested ECCNs and the relationship of the wholly-owned or controlled in fact entities to the parent company or other entities of national security or foreign policy concern. BIS will also consider any deficiencies, including violations of the EAR, that are uncovered as part of the self-evaluation element of the eligible applicant’s ICT control plan described in (d)(vi) of this part, and, if appropriate, disclosed to BIS in accordance with section 764.5, as well as any corrective action that was subsequently taken.

(g) Changes to Submitted Information Following Receipt of Authorization. (1) Before an entity not previously identified in an approved eligible applicant’s initial submission under paragraph (e) of this section may use this license exception, the approved eligible applicant must submit the information regarding the new entity in accordance with paragraph (e)(1)(ii) of this section to BIS at the address listed in paragraph (e)(2) of this section. This submission will undergo the same process of review as the initial submission, which is described in paragraph (f)(1) of this section.
(2) After obtaining authorization to use this license exception, an approved eligible applicant may request License Exception ICT eligibility for additional ECCNs that were not previously identified in its initial submission. To make such a request, the approved eligible applicant must submit the necessary information required under paragraph (e)(1)(i) regarding the additional ECCNs to BIS at the address listed in paragraph (e)(2) of this section. This submission will undergo the same process of review as the initial submission, which is described in paragraph (f)(1) of this section.

(3) If control of an approved eligible applicant changes after obtaining prior authorization to use this license exception (e.g., through change of ownership, acquisition, or merger), authorization to use this license exception will no longer be valid. Under such circumstances, the new eligible applicant must submit all information required under paragraph (e)(1) of this section to obtain new authorization to use this license exception. This submission will undergo the same process of review described in paragraph (f)(1) of this section. The new eligible applicant and its wholly-owned or controlled in fact entities may export, reexport, or transfer within country items under this license exception only upon receipt of written authorization from BIS. See the definition of “controlled in fact” in § 772.1 for further information regarding changes in ownership.

(4) If an approved eligible applicant’s control of an approved eligible user or eligible recipient entity changes after obtaining prior authorization to use this license exception (e.g., through a different organization’s acquisition or merger of the approved eligible user or eligible recipient entity), the newly-controlled eligible user or eligible recipient entity must immediately terminate use of this license exception.
In addition, the approved eligible applicant must notify BIS in writing of the removal of the newly-controlled entity from use of this license exception within fifteen (15) days after the change in control. Notification letters should be submitted to the address in paragraph (g)(5) of this section. Subject to paragraph (g)(3) of this section, the approved eligible applicant and its other approved eligible users and/or eligible recipient entities may continue to use this license exception. See the definition of “controlled in fact” in § 772.1 for further information.

(5) After obtaining authorization to use this license exception, if the legal name of an approved eligible applicant, eligible user, or eligible recipient entity of this license exception, as described in paragraphs (b)(1), (b)(2), and (b)(3)(i) of this section respectively, changes, the approved eligible applicant must notify BIS of the name change within fifteen (15) days after the name change. Subject to paragraph (g)(3) of this section, the approved eligible applicant may continue to use this license exception after the name change but must submit a letter informing BIS of the name change to the Director of the Office of Exporter Services at: Office of Exporter Services, HCHB Room 2705, 14th Street & Pennsylvania Ave., NW., Washington, DC 20230.

(h) Annual reporting requirement. (1) After receiving authorization to use License Exception ICT pursuant to paragraph (e) of this section, approved eligible applicants must submit the following information to BIS on an annual basis:

(i) The name, nationality, and date of birth of foreign national employees, as described in note 2 to paragraph (b)(3)(ii) of this section, who have received technology or source code under License Exception ICT during the prior reporting year.
(ii) The name, nationality, and date of birth of foreign national employees, as described in note 2 to paragraph (b)(3)(ii), who are subject to the reporting requirement in paragraph (h)(1)(i) of this section and who have terminated their employment with the approved eligible applicant, eligible user, or eligible recipient entity. This requirement does not apply to employees subject to the reporting requirement in paragraphs (h)(1)(i) and (h)(1)(ii) of this section who have changed positions within the parent company’s structure (i.e., among the approved eligible applicant parent company’s wholly-owned or controlled in fact entities that are approved eligible users and/or eligible recipients of this license exception).

(iii) A certification signed by a company officer stating that the approved eligible applicant and its approved eligible users and eligible recipient entities are in compliance with the terms and conditions of License Exception ICT. This certification should include the results of the self-evaluations described in paragraph (d)(1)(vi) of this section.

(2) Annual reports must be submitted to and received by BIS no later than February 15 of each year, and must cover the period of January 1 through December 31 of the prior year. Reports must be submitted to the address listed in paragraph (e)(2) of this section.

(i) Auditing use of License Exception ICT. (1) Biennial audit. BIS will review the use of License Exception ICT by the approved eligible applicant and its approved eligible users and/or eligible recipients approximately once every two years. Generally, BIS will give reasonable notice to approved eligible applicants in advance of an audit of their use of License Exception ICT.
As part of the biennial audit, BIS may request that an approved eligible applicant and its approved eligible users and/or eligible recipient entities submit all or part of their records described in paragraph (h) of this section.

(2) Discretionary audit. BIS may conduct special unannounced system reviews if BIS has reason to believe an approved eligible applicant or one of its approved eligible users and/or eligible recipients has improperly used or failed to comply with the terms and conditions of License Exception ICT.

(j) Revision, Suspension, and Revocation of License Exception ICT. Consistent with § 740.2(b), BIS may revise, suspend, or revoke authorization to use License Exception ICT in whole or in part, without notice. Factors that might warrant such action may include, but are not limited to, the following: use of ICT for other than internal company use, release of controlled items to unauthorized entities or destinations, failure to maintain the ICT control plan initially submitted to BIS as part of the application, and failure to comply with reporting and recordkeeping requirements.

(k) Recordkeeping requirements. In addition to the recordkeeping requirements set forth in part 762 of the EAR, entities that are approved eligible applicants, eligible users, and/or eligible recipients of this license exception, as described in paragraphs (b)(1), (b)(2), and (b)(3)(i) of this section respectively, must retain copies of their ICT control plan and associated materials, including signed non-disclosure agreements. Entities that are approved eligible applicants, eligible users, and/or eligible recipients must also maintain records, by ECCN, of the items on the Commerce Control List that have been exported, reexported, or transferred within country under the authority of this license exception.
For foreign national employees receiving technology or source code under ICT, approved eligible applicants, eligible users, and eligible recipient entities are required to record only the initial release of such technology or source code to a given foreign national employee; subsequent release of the same technology or source code to that same foreign national employee does not require additional recordkeeping. However, if a foreign national receives technology or source code under ICT that is controlled under a different ECCN, then the initial receipt of the different technology or source code must also be recorded. Such records must be made available to BIS on request.

3. Supplement No. 4 to part 740 is added to read as follows:

Supplement No. 4 to Part 740—Countries in Which Eligible Applicants Must Be Incorporated In or Have Their Principal Place of Business in For License Exception Intra-Company Transfer (ICT) Eligibility

Argentina
Australia
Austria
Belgium
Bulgaria
Canada
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Japan
Korea, South
Latvia
Lithuania
Luxembourg
Malta
Netherlands
New Zealand
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Switzerland
Turkey
United Kingdom
United States

PART 772—[AMENDED]

4. The authority citation for part 772 is revised to read as follows:

Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of July 23, 2008, 73 FR 43603 (July 25, 2008).

5. Section 772.1 is amended:

a. By amending the definition of “Controlled in fact” as set forth below; and

b. By adding, in alphabetical order, the definitions of “Employee” and “Parent company”, as follows:

§ 772.1 Definitions of Terms as Used in the Export Administration Regulations (EAR).

* * * * *

Controlled in fact.
For purposes of License Exception ICT only (see § 740.19 of the EAR), the term “controlled in fact” means the authority or ability of an entity, which has been routinely exercised in the past, to establish the general policies or day-to-day operations of a different organization, such as a subsidiary, branch, or office. An entity will be presumed to have control over a different organization when:

(a) The entity beneficially owns or controls (whether directly or indirectly) more than 50 percent of the outstanding voting securities of the different organization;

(b) The entity operates the different organization pursuant to the provisions of an exclusive management contract; or

(c) Members of the entity’s governing body (i.e., board of directors) comprise a majority of the comparable governing body of the different organization.

For purposes of the Special Comprehensive License (part 752 of the EAR), controlled in fact is defined as it is under the Restrictive Trade Practices or Boycotts (§ 760.1(c) of the EAR).

* * * * *

Employee. For purposes of License Exception ICT only (see § 740.19 of the EAR), “employee” means any person who works, with or without compensation, in the interest of an entity that is an approved eligible user (see § 740.19(b)(2)) or an entity that is an approved eligible recipient (see § 740.19(b)(3)(i)). The person must work at the approved eligible entity’s locations or at locations assigned by the approved eligible entity, such as at remote sites or on business trips. This definition may include permanent employees, contractors, and interns.

* * * * *

Parent company. For purposes of License Exception ICT only (see § 740.19 of the EAR), “parent company” means any entity that wholly-owns or controls in fact a different entity, such as a subsidiary or branch.
The parent company may be incorporated in and conduct its principal place of business inside the United States or outside of the United States, but certain location restrictions apply (see § 740.19(b)(1) and Supplement No. 4 to part 740). The parent company itself may also have an ultimate parent company, meaning the parent company is wholly-owned or controlled in fact by another entity or other entities. See also the definition of “controlled in fact” in this section for further information.

* * * * *

Dated: September 29, 2008.

Christopher R. Wall,
Assistant Secretary for Export Administration.

[FR Doc. E8–23506 Filed 10–2–08; 8:45 am]

BILLING CODE 3510–33–P

DEPARTMENT OF THE INTERIOR

Bureau of Land Management

43 CFR Part 8360

[WO–250–1220–PM–24 1A]

RIN 1004–AD96

Visitor Services

AGENCY: Bureau of Land Management, Interior.

ACTION: Proposed rule.

SUMMARY: The Bureau of Land Management (BLM) proposes to amend its regulations to remove the Land and Water Conservation Fund Act (LWCFA) as one of the authorities of our Recreation regulations, in accordance with the Federal Lands Recreation Enhancement Act of 2004 (REA). The rule will also amend and reorder the prohibitions to separate those that apply specifically to campgrounds and picnic areas from those with more general applications. The reordering is necessary to broaden the scope to include all areas where standard amenity, expanded amenity, and special recreation permit fees are charged under REA. The proposed rule would remove an unnecessary provision that has been interpreted to require the BLM to publish supplementary rules concerning failure to pay fees established by the recreation regulations, thus relieving the BLM from publishing such separate specific supplementary rules for each area. Finally, it will make technical changes to maintain consistency with other BLM regulations.
DATES: We will accept comments and suggestions on the proposed rule until December 2, 2008. The BLM will not necessarily consider any comments received after the above date in making its decision on the final rule.

ADDRESSES: You may submit comments by any of the following methods listed below:

Mail: U.S. Department of the Interior, Director (630), Bureau of Land Management, Mail Stop 401 LS, 1849 C St., NW., Attention: [RIN: 1004–AD96] Washington, DC 20240.

Personal or messenger delivery: 1620 L Street, NW., Room 401, Washington, DC 20036.

Federal eRulemaking Portal: www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: For information on the substance of the proposed rule, please contact Hal Hallett at (202) 452–7794 or Anthony Bobo Jr. at (202) 452–0333. For information on procedural matters, please contact Chandra Little at (202) 452–5030. Persons who use a telecommunications device for the deaf (TDD) may call the Federal Information Relay Service (FIRS) at 1–800–877–8339 to contact the above individuals during normal business hours. FIRS is available twenty-four hours a day, seven days a week, to leave a message or question with the above individuals. You will receive a reply during normal business hours.

SUPPLEMENTARY INFORMATION:

I. Public Comment Procedures
II. Background
III. Discussion of Proposed Rule
IV. Procedural Matters

I. Public Comment Procedures

Electronic Access and Filing Address

You may view an electronic version of this proposed rule at the BLM’s Internet home page at www.blm.gov or at https://www.regulations.gov. You may comment via the Internet to: https://www.regulations.gov. If you submit your comments electronically, please include your name and return address in your Internet message.

Written Comments

Confine written comments on the proposed rule to issues pertinent to the proposed rule and explain the reason for any recommended changes.
Where possible, reference the specific section or paragraph of the proposal which you are addressing. The BLM need not consider or include in the Administrative Record for the final rule comments which it receives after the comment period closes (see DATES), or comments delivered to an address other than those listed above (see ADDRESSES).

Before including your address, phone number, e-mail address, or other personal identifying information in your comment, you should be aware that your entire comment, including your personal identifying information, may be made publicly available at any time. While you can ask us in your comment to withhold your personal identifying information from public review, we cannot guarantee that we will be able to do so.

Reviewing Comments Submitted by Others

Comments, including the names and street addresses, and other contact information, will be available for public review at the address listed under ADDRESSES during regular business hours (7:45 am to 4:15 pm), Monday through Friday, except holidays.

II. Background

The passage of the REA, 16 U.S.C. 6801 et seq., required the BLM to change its fee management regulations, policies, and procedures to bring them into compliance with this law. The BLM has already accomplished this by including in part 2930 all recreation fee management regulations including the requirement that visitors pay fees before occupying a campground or picnic area. The BLM is now amending part 8360 to complete the regulatory changes made necessary by the law, including removal of any language pertaining to recreation fees. In addition, the section dealing with the collection of fossils was modified to include common plant fossils, reflecting long established BLM policies. Other changes were made to group related regulations in the same section to simplify language and clarify the intent, and to resolve inconsistencies between existing provisions.

III. Discussion of Proposed Rule

Section 8360.0–3 Authority

The proposed rule removes the Land and Water Conservation Fund Act (LWCFA) (16 U.S.C. 460l–6a) as an authority for the regulations. The enactment of the REA changed the BLM’s authority to collect recreation fees. Recreation fees that were previously authorized under the LWCFA are now included under REA. The BLM’s policies and procedures have also been revised to reflect this new and revised authority.


[Federal Register Volume 73, Number 193 (Friday, October 3, 2008)]
[Proposed Rules]
[Pages 57554-57564]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-23506]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 73, No. 193 / Friday, October 3, 2008 / 
Proposed Rules

[[Page 57554]]



DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 740 and 772

[Docket No. 071213838-81132-01]
RIN 0694-AE21


Export Administration Regulations: Establishment of License 
Exception Intra-Company Transfer (ICT)

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule would amend the Export Administration 
Regulations (EAR) to establish a new license exception entitled 
``Intra-Company Transfer (ICT).'' This license exception would allow an 
approved parent company and its approved wholly-owned or controlled in 
fact entities to export, reexport, or transfer (in-country) many items 
on the Commerce Control List (CCL) among themselves for internal 
company use. Prior authorization from the Bureau of Industry and 
Security (BIS) would be required to use this license exception. This 
rule describes the criteria pursuant to which entities would be 
eligible to use License Exception ICT and the procedure by which they 
must apply for such authorization. This proposed rule is one of the 
initiatives in the export control directive announced by the President 
on January 22, 2008.

DATES: Comments must be received by November 17, 2008.

ADDRESSES: You may submit comments, identified by RIN 0694-AE21, by any 
of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: rpd2@bis.doc.gov. Include ``RIN 0694-AE21'' in the 
subject line of the message.
     Fax: 202-482-3355
     Mail/Hand Delivery: Steven Emme, U.S. Department of 
Commerce, Bureau of Industry and Security, Regulatory Policy Division, 
14th & Pennsylvania Avenue, NW., Room 2705, Washington, DC 20230, ATTN: 
RIN 0694-AE21.

FOR FURTHER INFORMATION CONTACT: Steven Emme, Regulatory Policy 
Division; Telephone: 202-482-2440; E-mail: semme@bis.doc.gov.

SUPPLEMENTARY INFORMATION: 

Background

Presidential Directives on U.S. Export Control Reform and Deemed Export 
Advisory Committee

    On January 22, 2008, the President announced a package of 
directives to ensure that the export control policies and practices of 
the United States support the National Security Strategy of 2006, while 
facilitating the United States' continued international economic and 
technological leadership. These directives focus the export control 
system to meet the unprecedented security challenges as well as the 
economic challenges faced by the United States, due to the increasing 
worldwide diffusion of high technology and impact of global markets.
    The directives recognize that the economic and technological 
competitiveness of the United States is essential to meet long-term 
national security interests. Export controls must, therefore, cover the 
export and reexport of sensitive items without unduly burdening U.S. 
economic competitiveness and innovation. This is particularly critical 
in light of the current and increasing globalization of research, 
development, and production, as well as the rise of new economic 
competitors and the diffusion of global supply networks that challenge 
U.S. economic and technological competitiveness.
    Shortly before the President announced the package of directives on 
U.S. export control reforms, the Deemed Export Advisory Committee 
(DEAC) presented its findings to the Secretary of Commerce on deemed 
export controls. The DEAC, a federal advisory committee established by 
the Secretary, undertook a comprehensive examination of the national 
security, technology, and competitiveness aspects of the deemed export 
rule. A deemed export is the release of technology and source code 
subject to the EAR to foreign nationals in the United States that is 
``deemed'' to be an export to the home country or countries of the 
foreign national. In its final report, which was issued in December 
2007, the DEAC concluded that the deemed export rule ``no longer 
effectively serves its intended purpose and should be replaced with an 
approach that better reflects the realities of today's national 
security needs and global economy.'' In order to address this concern, 
the DEAC made several recommendations, including creating a category of 
``Trusted Entities'' that voluntarily elect to qualify for streamlined 
treatment after meeting certain criteria. Further, the DEAC recommended 
that these ``Trusted Entities'' include subsidiaries abroad so that 
individuals and ideas could move within the company structure without 
the need for separate deemed export licenses.
    It is in the context of the President's directives on U.S. export 
control reforms and with respect to the DEAC's recommendations on 
deemed export controls that BIS is proposing this rule creating a 
license exception for intra-company transfers.

The Impact of U.S. Export Controls on Intra-Company Transfers

    As global markets and manufacturing continue to evolve, many parent 
companies have numerous operations in multiple countries for 
distribution, service and repair, manufacturing and development, 
product testing, and other uses. In this environment, parent companies 
increasingly export commodities, software, and technology to their 
foreign branches, subsidiaries, and/or ultimate foreign parent 
companies around the world. Consequently, many companies may need 
multiple export licenses from BIS under a variety of scenarios for 
their own internal operations. For example, to conduct day-to-day 
operations, many companies in the United States must export 
commodities, software, and technology to their foreign branches and 
subsidiaries, resulting in the need for export licenses. In addition, 
companies may also require reexport licenses to transfer items among 
their foreign branches, foreign subsidiaries, and/or their ultimate 
foreign parent companies, located in multiple countries. On occasion, a 
company will have several branches or subsidiaries within the same 
foreign country and must then seek authorization to make in-country

[[Page 57555]]

transfers of technology and other items between those entities. 
Finally, releasing technology and source code subject to the EAR to 
foreign national employees at locations of the company in the United 
States or at the location of another foreign branch or subsidiary could 
generate the need for deemed export or deemed reexport licenses.
    Generally, obtaining these licenses for intra-company transfers can 
negatively impact transactions due to the delay involved in waiting for 
a licensing decision. Moreover, obtaining licenses for intra-company 
transfers can hinder more than just individual transactions; they can 
also hinder product development and the ability to be first to market--
activities key to the competitiveness of U.S. companies. For many 
companies, product development entails large capital investments, 
compressed product cycles, and intensive coordination of research and 
development. With the current licensing requirements in place, however, 
many companies with U.S. operations may be forced to segregate their 
research and development activities. For instance, while waiting for 
the approval of a deemed export license, U.S. employees and certain 
foreign national employees would be precluded from collaborating 
together on projects. Furthermore, once the license is approved, 
companies may still need to segregate their research and development 
activities in the future because product breakthroughs could exceed the 
licensing parameters and require a new round of export licensing.

Establishment of License Exception ICT

    In order to facilitate secure exports, reexports, and in-country 
transfers to, from, and among a parent company and its wholly-owned or 
controlled in fact entities, the Bureau of Industry and Security is 
proposing to amend the Export Administration Regulations (EAR) to 
create License Exception Intra-Company Transfer (ICT). License 
Exception ICT, which would be set forth in new Sec.  740.19 of the EAR, 
would provide companies a process for intra-company exports, reexports, 
and in-country transfers without individual licenses. This license 
exception would allow parent companies and the entities that the parent 
company wholly owns or controls in fact to export, reexport, and 
transfer (in-country) many items on the Commerce Control List (CCL) 
among themselves for internal company use. The grant of ICT would be 
restricted to those approved companies and those Export Control 
Classification Numbers (ECCNs) that are authorized by BIS.
    Companies authorized to use License Exception ICT would benefit 
because it would relieve them of some of the administrative 
requirements of obtaining, tracking, and reporting on individual 
licenses and would reduce the lag time, expense, and uncertainty in the 
licensing process. This license exception would also improve research 
and development and other internal company activities, thus leading to 
improved competitiveness and innovation for companies with operations 
in the United States.
    In proposing this license exception for intra-company exports, 
reexports, and in-country transfers, BIS recognizes that industry and 
government share the goal of protecting controlled commodities, 
software, and technology, since these often represent proprietary 
information and property. Moreover, BIS also recognizes that many 
companies devote considerable financial and workforce resources to 
ensuring compliance with export controls. BIS would authorize License 
Exception ICT for those companies that demonstrate effective internal 
control plans, submit annual reports on their use of ICT, and agree to 
audits by BIS officials as requested.
    By authorizing this license exception for companies that have 
effective internal control plans and have agreed to audits, BIS can 
focus its resources on evaluating transactions involving lesser-known 
items and entities to better prevent exports to persons who may act 
contrary to U.S. national security and foreign policy interests. 
Greater focus on such transactions would increase the national security 
value of the remaining reviews of individual license applications.

Definitions

    For purposes of this rule, BIS is defining multiple terms used with 
respect to License Exception ICT. These terms are ``controlled in 
fact,'' ``employee,'' and ``parent company.'' This rule would amend 
Sec.  772.1 of the EAR to include these new definitions as described 
below.
    First, BIS is amending the definition of ``controlled in fact'' in 
Sec.  772.1 by applying aspects of the definition of the same term set 
forth in Sec.  760.1(c) of the EAR to specify the circumstances in 
which one entity will be presumed to have control over another entity 
for purposes of License Exception ICT. In order to include any entity 
in its application to use License Exception ICT, the parent company 
must either wholly own or control in fact that individual entity.
    Next, BIS is amending Sec.  772.1 to add the term ``employee,'' for 
purposes of License Exception ICT, to refer to persons who work, with 
or without compensation, in the interest of an entity that is an 
approved eligible user or an approved eligible recipient of ICT. Such 
persons must work at the approved eligible entity's locations, 
including overseas locations, or at locations assigned by the approved 
eligible entity, such as at remote sites or on business trips. This 
definition may include permanent employees, contractors, and interns.
    Finally, BIS is amending Sec.  772.1 to add the term ``parent 
company,'' which will be defined for purposes of License Exception ICT, 
to mean any entity that wholly owns or controls in fact a different 
entity, such as a subsidiary or branch. The parent company does not 
have to be an ultimate parent company, as that term is referred to in 
the definition of parent company; it may be wholly-owned or controlled 
by another entity or other entities. Also, the parent company does not 
need to be incorporated in or have its principal place of business in 
the United States. However, in order to be eligible for and use License 
Exception ICT, the parent company must be incorporated in or have its 
principal place of business in a country listed in Supplement No. 4 to 
part 740 (see new Sec.  740.19(b)(1)). This definition does not include 
colleges and universities. Thus, the research conducted by colleges and 
universities that is not fundamental research (see Sec.  734.8(a) of 
the EAR) and that requires a license would not qualify for License 
Exception ICT. However, a university professor who enters into a 
contractual relationship with a company to conduct proprietary research 
could qualify as an ``employee'' if all conditions in that definition 
are met.

Information Required for Submission to BIS for Review to Use License 
Exception ICT

    In order to avail themselves of License Exception ICT, a ``parent 
company'' and the entities that it wholly owns or ``controls in fact'' 
must maintain an internal control plan, hereinafter referred to as an 
ICT control plan. Upon implementation of the ICT control plan, the 
parent company, as the eligible applicant under new Sec.  740.19(b)(1), 
must submit the plan to BIS for review pursuant to new Sec.  740.19(e). 
Additionally, the eligible applicant must submit documentation showing 
that the ICT control plan has been implemented. Such documentation 
should include a representative sample of records showing effective 
compliance with the screening, training, and self-evaluation elements 
of the ICT control plan, as described below in further detail.

[[Page 57556]]

    Along with the ICT control plan and supporting documentation, the 
eligible applicant parent company must list the wholly-owned entities 
and controlled in fact entities that the applicant parent company 
intends to be eligible users (see new Sec.  740.19(b)(2)) or eligible 
recipients (see new Sec.  740.19(b)(3)(i)) of this license exception. 
It is possible for an entity to be both an eligible user and an 
eligible recipient. For itself, and for each eligible user and eligible 
recipient entity, the eligible applicant parent company must list any 
individual or group that has at least a 10% ownership interest. 
Finally, the eligible applicant parent company must list the ECCNs of 
the items it plans to export, reexport, or transfer (in-country) under 
ICT; provide a narrative describing the purpose for which the requested 
ECCNs will be used and the anticipated resulting commodities, if 
applicable; disclose its relationship with each entity that is intended 
to be an eligible user and/or eligible recipient; and provide a signed 
statement by a company officer of the eligible applicant parent company 
stating that each entity will allow BIS to conduct audits on the use of 
License Exception ICT.

ICT Control Plan

    An ICT control plan seeks to ensure that items on the Commerce 
Control List will not be exported, reexported, or transferred in 
violation of this license exception. As this license exception may be 
used for commodities, software, and technology, the ICT control plan 
must address how the parent company and the entities that it wholly 
owns or controls in fact, as eligible users and eligible recipients, 
will maintain items authorized for export, reexport, or transfer by 
this license exception within the company structure, as authorized by 
BIS.
    Within the ICT control plan, eligible applicants must describe how 
certain mandatory elements will be met. These mandatory elements, which 
are listed in new Sec.  740.19(d)(1), include corporate commitment to 
export compliance, a physical security plan, an information security 
plan, personnel screening procedures, a training and awareness program, 
a self-evaluation program, a letter of assurance for software and 
technology, non-disclosure agreements, and end-user list reviews. All 
of these elements are aspects of export control compliance programs 
that establish effective internal control plans. In turn, these 
internal control plans generate an increased level of awareness of 
export control compliance issues among employees and help secure a 
company's proprietary information.
    For the required ICT control plan elements in paragraphs (d)(1)(i) 
through (d)(1)(vi) of new Sec.  740.19, BIS is not specifying how each 
company must achieve them due to the varying characteristics of 
companies. However, paragraphs (d)(1)(i) through (d)(1)(vi) do contain 
illustrative examples of evidence that a company may use in its 
descriptions detailing how it will implement those mandatory elements. 
While companies may include additional elements in their ICT control 
plan, they must, at a minimum, describe how the minimum mandatory 
elements set forth in Sec.  740.19(d)(1) will be met. One mandatory 
element--the self-evaluation program in paragraph (d)(1)(vi)--requires 
the creation and performance of regular internal self-audits, creation 
of a checklist of critical areas and items to review, and development 
of corrective procedures or measures implemented to correct identified 
deficiencies. If any identified deficiencies rise to the level of a 
violation of the EAR, the company should make a voluntary self-
disclosure pursuant to Sec.  764.5.
    If a company plans to use this license exception for commodities 
only, then the company may state in the ICT control plan that the 
mandatory elements of the ICT control plan set forth in paragraphs 
(d)(1)(iii) (information security plan), (d)(1)(iv) (personnel 
screening procedures), (d)(1)(vii) (letter of assurance for software 
and technology), (d)(1)(viii) (signing of non-disclosure agreements), 
and (d)(1)(ix) (review of end-user lists) are not applicable because 
the license exception will be used for commodities only and not used 
for software or technology. Similarly, if a company plans to use this 
license exception for software (excluding source code) only, or if a 
company plans to use this license exception for commodities and 
software (excluding source code) only, then the company may state in 
the ICT control plan that the mandatory elements found in paragraphs 
(d)(1)(iv) (personnel screening procedures), (d)(1)(viii) (signing of 
non-disclosure agreements), and (d)(1)(ix) (review of end-user lists) 
are not applicable because the license exception will be used for 
software (excluding source code) only, or, if appropriate, for software 
(excluding source code) and commodities only, and not used for 
technology or source code.

Mandatory Requirements for Technology and Source Code Under an ICT 
Control Plan

    Entities that seek to be approved eligible users and/or eligible 
recipients of this license exception must ensure that non-U.S. national 
employees, wherever located, sign non-disclosure agreements before 
receiving technology or source code under this license exception. Such 
non-disclosure agreements must state that the employee agrees not to 
release any technology or source code in violation of the EAR, and such 
agreements must be binding as long as the technology or source code 
remains subject to export controls, regardless of the signatory's 
employment relationship with the employer. In other words, even if the 
signatory's employment relationship with the employer were severed, the 
signatory would remain prohibited from releasing any technology or 
source code received under License Exception ICT while employed. The 
non-disclosure agreement must also specify that the prohibition would 
remain in effect until the technology or source code no longer required 
a license to any destination under the EAR.
    In addition, entities that seek to be approved eligible users and/
or eligible recipients of ICT must screen non-U.S. national employees 
who are also foreign national employees in the country in which they 
are working against lists of end-user concern. This screening 
requirement applies if such individuals are to receive technology or 
source code under ICT. The lists of end-users of concern are compiled 
by the U.S. government and may be accessed at the BIS Web site at 
https://www.bis.doc.gov. Upon publication of a final rule, BIS plans to 
provide guidance on its website with respect to screening such 
employees for purposes of ICT.
    Non-U.S. national employees are those employees who are not U.S. 
citizens, U.S. permanent residents, or protected individuals under the 
Immigration and Naturalization Act (8 U.S.C. 1324b(a)(3)). Foreign 
national employees are those non-U.S. national employees, wherever 
located, who are not citizens or legal permanent residents of the 
country in which they work. For instance, a German national working in 
the United States and a German national working in France are both 
considered foreign national employees for purposes of this rule (and 
more generally for purposes of the EAR). However, a French national 
working in France is not a foreign national employee from the 
perspective of BIS. Therefore, all foreign national employees are non-
U.S. national employees, but not all non-U.S. national employees are 
foreign national employees. This distinction is important because the 
non-disclosure agreement element in an ICT control plan applies to the 
German national working in France as well as to the French national

[[Page 57557]]

working in France. Thus, it applies to non-U.S. national employees who 
would otherwise be permitted to receive technology or source code 
subject to the EAR, if not for the grant of ICT, under a deemed export 
license, deemed reexport license, license to a facility where the 
employee works, or other license exception.
    Unlike the non-disclosure agreement requirement, the screening 
element applies only to foreign national employees. Hence, it would 
apply to a German national working in France but not to a French 
national working in France. The release of technology or source code 
subject to the EAR to a foreign national employee may occur under a 
deemed export or deemed reexport license or by operation of a license 
exception, but it may also occur under a license that has been issued 
to a facility. For example, a technology license approved for a French 
facility may have a condition allowing all EU nationals to receive the 
technology as well as the French employees. The screening requirement 
is intended to apply to all foreign national employees receiving 
technology or source code under ICT that would otherwise require a 
license, whether it be through a license for a deemed export or deemed 
reexport, a license issued to a facility, or other license exception.
    Additionally, foreign national employees of companies located in 
the United States must comply with U.S. immigration laws and maintain 
current and valid visa authorization.

Authorization From BIS to Use License Exception ICT

    Following receipt of the ICT control plan and all information 
required under new Sec.  740.19(e)(1), BIS will review and refer the 
submission to the reviewing agencies consistent with Sec. Sec.  750.3 
and 750.4 of the EAR and Executive Order 12981, as amended by Executive 
Orders 13020, 13026, and 13117. In order to determine ICT eligibility, 
BIS will consider prior licensing history of the eligible applicant 
parent company and its wholly-owned or controlled in fact entities that 
are part of the authorization request, demonstration of an effective 
ICT control plan, need for this license exception within the company 
structure as articulated by the applicant parent company, and 
relationship of the wholly-owned or controlled in fact entities to the 
eligible applicant parent company.
    Upon reaching a decision, BIS will inform the eligible applicant 
parent company in writing if it may use this license exception pursuant 
to new Sec.  740.19(f). BIS will specify the terms of the ICT 
authorization, including identifying the wholly-owned or controlled in 
fact entities of the eligible applicant parent company that may use ICT 
and the ECCNs of the items that may be exported, reexported, or 
transferred (in-country) for internal company use under ICT. After 
receiving authorization, approved parent companies and their approved 
wholly-owned or controlled in fact entities, if covered under the ICT 
control plan, may use this license exception to export, reexport, or 
transfer (in-country) approved commodities, software, and/or technology 
among themselves for internal company use only. Any entity that seeks 
to become an eligible user and/or eligible recipient, as described in 
new Sec. Sec.  740.19(b)(2) and 740.19(b)(3)(i), must be specifically 
covered by the ICT control plan submitted to BIS and maintain the ICT 
control plan of the eligible applicant parent company.
    Exports, reexports, and in-country transfers for any purpose other 
than internal company use are not authorized under License Exception 
ICT. With respect to an item that has been exported, reexported, or 
transferred (in-country) pursuant to License Exception ICT, the entity 
must submit a license application if required under the EAR before 
using the item for a purpose other than that covered by this license 
exception. Also, should control of the approved eligible applicant 
parent company change, then use of License Exception ICT is no longer 
valid. The newly-controlled eligible applicant parent company must re-
submit the information required for ICT authorization, as described in 
new Sec.  740.19(g)(3).

Annual Reporting Requirements

    After submitting a request for authorization to use License 
Exception ICT pursuant to new Sec.  740.19(e) and after receiving 
approval from BIS, approved eligible applicant parent companies must 
submit an annual report to BIS on the use of this license exception by 
themselves and by their approved wholly-owned or controlled in fact entities. 
Specifically, approved eligible applicant parent companies must list 
the name, nationality, and date of birth of each foreign national 
employee, as described in note 2 to new Sec.  740.19(b)(3)(ii), who has 
received technology or source code under this license exception. The 
requirement is limited to those employees, who would have required a 
license to receive technology or source code if not for ICT, and who 
are not citizens or legal permanent residents of the country in which 
they are employed. Therefore, it applies to foreign national employees 
working in the United States and to foreign national employees working 
outside of the United States.
    Also, approved eligible applicant parent companies must submit the 
names of those foreign national employees, as described in note 2 to 
new Sec.  740.19(b)(3)(ii), who previously received technology or 
source code under this license exception and have ended their 
employment. This requirement does not apply to those who have merely 
switched positions within the company structure of the parent company, 
so long as the new employer is an approved eligible entity under the 
same parent company. BIS is requesting this information in order to 
examine the use of License Exception ICT and measure its effectiveness. 
Further, a company officer must certify to BIS that the approved 
eligible applicant parent company and its approved eligible users and 
eligible recipient entities are in compliance with the terms and 
conditions of ICT. This certification should include the results of the 
self-evaluation described in paragraph (d)(1)(vi) of this section.

Auditing Use of License Exception ICT

    BIS will conduct audits of approved eligible applicant parent 
companies and their approved wholly-owned or controlled in fact 
entities to ensure proper compliance with License Exception ICT. These 
reviews will take place approximately once every two years. Generally, 
BIS will give notice to the relevant parties before conducting an 
audit. However, if BIS has reason to believe that an entity is 
improperly using ICT, BIS may conduct an unannounced audit at its 
discretion that is separate from the biennial audit.

Restrictions on the Use of License Exception ICT and the Direct Product 
Rule

    Consistent with other license exceptions, License Exception ICT is 
subject to the restrictions on the use of all license exceptions, which 
are set forth in Sec.  740.2 of the EAR. Therefore, ICT cannot be used 
for certain items, such as items controlled for missile technology 
reasons or certain items that are ``space qualified.'' Moreover, ICT is 
subject to revision, suspension, or revocation, in whole or in part, 
without notice.
    Also, new Sec.  740.19(c) lists restrictions on using ICT. For 
instance, items controlled for Encryption Items (EI) reasons and items 
controlled for Significant Items (SI) reasons are ineligible for 
export, reexport, or transfer (in-country) under ICT. At this

[[Page 57558]]

time, License Exception ENC will remain the primary resource for 
providing the authorization necessary for many intra-company transfers 
of encryption items. Further, no items exported, reexported, or 
transferred within country under this license exception may be 
subsequently exported, reexported, or transferred for purposes other 
than internal company use, unless done so in accordance with the EAR. 
However, items that have been exported, reexported, or transferred (in-
country) under License Exception ICT may not be subsequently exported, 
reexported, or transferred (in-country) under License Exception APR 
(see Sec.  740.16).
    Finally, note that whether the foreign direct product of U.S. 
software or technology exported from abroad, reexported, or transferred 
under License Exception ICT is subject to the EAR is determined under 
Sec.  736.2(b)(3) of the EAR, when the foreign direct product is 
exported from abroad, reexported, or transferred (in-country) for other 
than internal use within a Country Group D:1 country or Cuba.
    Although the Export Administration Act expired on August 20, 2001, 
the President, through Executive Order 13222 of August 17, 2001, 3 CFR, 
2001 Comp., p. 783 (2002), as extended by the Notice of July 23, 2008, 
73 FR 43603 (July 25, 2008), has continued the Export Administration 
Regulations in effect under the International Emergency Economic Powers 
Act.

Rulemaking Requirements

    1. This proposed rule has been determined to be significant for 
purposes of Executive Order 12866.
    2. Notwithstanding any other provision of law, no person is 
required to respond to nor be subject to a penalty for failure to 
comply with a collection of information, subject to the requirements of 
the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA), 
unless that collection of information displays a currently valid Office 
of Management and Budget (OMB) Control Number. This proposed rule 
contains a collection previously approved by the OMB under control 
number 0694-0088, ``Multi-Purpose Application,'' which carries a 
burden hour estimate of 58 minutes to prepare and submit form BIS-748. 
Miscellaneous and recordkeeping activities account for 12 minutes per 
submission. In addition, this proposed rule contains a new collection 
for reporting, recordkeeping, and auditing requirements, which would be 
submitted for approval to use License Exception ICT and carries an 
estimated burden of 19.6 hours for companies having an existing 
internal control plan and 265.6 hours for companies not having an 
existing internal control plan in place. A request for new collection 
authority will be submitted to OMB for approval. Public comment will be 
sought regarding the burden of the collection of information associated 
with preparation and submission of these proposed voluntary 
requirements. BIS estimates that this rule will reduce the number of 
multi-purpose application forms that must be filed by 582 annually. 
Send comments regarding this burden estimate or any other aspect of 
this collection of information, including suggestions for reducing the 
burden, to Jasmeet K. Seehra, Office of Management and Budget (OMB), 
and to the Regulatory Policy Division, Bureau of Industry and Security, 
Department of Commerce, as indicated in the Addresses section of this 
proposed rule.
    3. This rule does not contain policies with Federalism implications 
as that term is defined in Executive Order 13132.
    4. The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C. 
601 et seq., generally requires an agency to prepare a regulatory 
flexibility analysis of any rule subject to the notice and comment 
rulemaking requirements under the Administrative Procedure Act (5 
U.S.C. 553) or any other statute, unless the agency certifies that the 
rule will not have a significant economic impact on a substantial 
number of small entities. Under section 605(b) of the RFA, however, if 
the head of an agency certifies that a rule will not have a significant 
economic impact on a substantial number of small entities, the statute 
does not require the agency to prepare a regulatory flexibility 
analysis. Pursuant to section 605(b), the Chief Counsel for 
Regulations, Department of Commerce, certified to the Chief Counsel for 
Advocacy, Small Business Administration, that this proposed rule, if 
promulgated, will not have a significant economic impact on a 
substantial number of small entities for the reasons explained below. 
Consequently, BIS has not prepared a regulatory flexibility analysis.
    The EAR applies to all entities that export, reexport, or transfer 
commodities, software, and technology that are subject to the EAR. The 
EAR potentially affects any entity in any sector that chooses to 
export, reexport, or transfer items subject to the EAR. Thus, while 
this proposed rule could potentially have a significant economic impact 
on small entities, BIS believes that this proposed rule will not impact 
a substantial number of small entities.
    BIS does not have data on the total number of small entities that 
are potentially impacted by the requirements of the EAR, but BIS does 
maintain data on actual licenses applied for by entities of all sizes. 
In order to examine the number of small entities that would be impacted 
by this proposed rule, BIS examined the licensing data to find approved 
licenses that would potentially qualify as an intra-company transfer. 
Using this data as well as using estimated burden hours in gaining ICT 
authorization, BIS conducted a cost-benefit analysis to see which 
entities would likely choose to apply for authorization. BIS also 
examined all approved licenses that could qualify as intra-company 
transfers to determine whether any entities were small entities.
    Upon initial examination of licensing data from 2004 to 2006, BIS 
found that approximately 200 companies had licenses approved that could 
potentially qualify as an intra-company transfer. Of those companies, 
the vast majority consisted of large parent companies, medium-sized 
companies, or companies that were owned by larger domestic or foreign 
companies. This result supports the premise that entities that would 
avail themselves of ICT must be large enough to have subsidiaries or 
branches located in different countries that the entities control in 
fact.
    To look at which of those approximately 200 companies would most 
likely choose to apply for ICT authorization, BIS conducted a cost-
benefit analysis by estimating the burden hours involved in gaining ICT 
authorization as well as in complying with recordkeeping and 
reporting requirements under ICT. BIS determined that over a three-year 
period it would take 280.8 hours (or 16,848 minutes) for a company 
without an internal control program to seek ICT authorization and 34.8 
hours (or 2088 minutes) for a company with an existing internal control 
program to seek ICT authorization. The threshold by which companies 
would likely be inclined to apply for authorization to use ICT is the 
point at which the burden of applying for licenses over a three-year 
period (at 70 minutes per license) exceeds the total ICT burden hours 
over three years (at 16,848 minutes for companies without an existing 
internal control program or at 2088 minutes for companies with an 
internal control program). In order to meet that threshold, companies 
without an internal control program would have to apply for about 241 
licenses over a three-year period, and companies with

[[Page 57559]]

an existing internal control program would have to apply for about 30 
licenses per year over a three-year period. Only two companies meet the 
241 license threshold, and those companies are not small entities under 
the North American Industry Classification System (NAICS) standards. 
Sixteen companies meet the 30 license threshold or come close to 
meeting it (within five licenses), and none of those companies is 
a small entity under the NAICS standards. In addition to burden hours, 
companies without an existing internal compliance program may be less 
likely to choose to seek ICT authorization because additional 
investments would likely need to be made to implement an internal 
control program. While these upfront investments could greatly vary 
depending on company size as well as the type and number of items in 
the company portfolio, it is likely that companies would need to invest 
in physical and information security as well as incur travel expenses 
to visit overseas facilities to ensure that the internal compliance 
program is operating effectively. All of these additional costs would 
likely increase the burden in any cost-benefit analysis and would 
likely make an entity of any size that does not have an internal 
compliance program less likely to seek ICT authorization and thus not 
be impacted by this proposed rule.
    Even if an entity without an internal compliance program utilizes a 
different cost-benefit analysis and decides to apply for ICT 
authorization, BIS licensing data shows that the potential ICT 
candidate would not be a small entity. Only four companies, for which 
public information was available, were found to qualify as small 
entities under the NAICS. However, the potential intra-company licenses 
approved for these four entities would all be ineligible under License 
Exception ICT. The items approved for export were all items listed 
under Sec.  740.2 that are restricted for export, reexport, or in-
country transfer under all license exceptions. Therefore, no small 
entity was found to have licenses that were approved by BIS over a 
three-year period that would qualify under ICT. Consequently, this 
proposed rule would not affect a significant number of small entities.
    This proposed rule was mandated by the President in National 
Security Presidential Directive (NSPD) 55. While this proposed rule 
will increase burden hours for those entities choosing to seek 
authorization for License Exception ICT, BIS licensing data and 
publicly available information show that no small entities in the 
period of review received approved licenses for intra-company transfers 
that would be eligible for License Exception ICT. Thus, a substantial 
number of small entities will not be impacted by this proposed rule.

List of Subjects

15 CFR Part 740

    Administrative practice and procedure, Exports, Reporting and 
recordkeeping requirements.

15 CFR Part 772

    Exports.

    For the reasons set forth in the preamble, parts 740 and 772 of the 
Export Administration Regulations (15 CFR 730-774) are amended as 
follows:

PART 740--[AMENDED]

    1. The authority citation for 15 CFR part 740 is revised to read as 
follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 
22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., 
p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice 
of July 23, 2008, 73 FR 43603 (July 25, 2008).

    2. Section 740.19 is added to read as follows:


Sec.  740.19  Intra-Company Transfer (ICT).

    (a) Scope. This license exception authorizes exports, reexports, 
and in-country transfers of items on the Commerce Control List for 
internal company use among approved eligible applicants, eligible 
users, and eligible recipients, as described in paragraphs (b)(1), 
(b)(2), and (b)(3) respectively, of this section. Use of License 
Exception ICT is limited to those entities and those ECCNs that are 
authorized by BIS, pursuant to paragraph (f) of this section.
    (b) Eligibility.
    (1) Eligible applicant. The eligible applicant is the ``parent 
company,'' as that term is defined in section 772.1, that institutes an 
ICT control plan, as described in paragraph (d) of this section, and 
that applies for authorization from BIS to use this license exception. 
The eligible applicant must be incorporated in or have its principal 
place of business in any country listed in Supplement No. 4 to part 
740. In addition, the eligible applicant may be, but is not required to 
be, the ultimate parent company, as that term is referred to in the 
definition of ``parent company'' set forth in section 772.1; hence the 
eligible applicant may be owned or controlled by other entities. 
However, the ultimate parent company cannot be an eligible user under 
this license exception unless it is also the eligible applicant. 
Application requirements are set forth in paragraph (e) of this 
section.
    (2) Eligible users. Eligible users may be eligible applicants, as 
described in paragraph (b)(1) of this section, and their wholly-owned 
or ``controlled in fact'' entities that implement and maintain the ICT 
control plan of the eligible applicant and that are included in the 
applications submitted by eligible applicants pursuant to paragraph (e) 
of this section. Eligible applicants must ensure that each eligible 
user implements the eligible applicant's ICT control plan, including 
the use of non-disclosure agreements as described in paragraph 
(d)(1)(viii) of this section.
    (3) Eligible recipients.
    (i) Entities. Eligible recipients of items under this license 
exception may be eligible applicants as described in paragraph (b)(1) 
of this section, eligible users as described in paragraph (b)(2) of 
this section, and eligible applicants' other wholly-owned or controlled 
in fact companies that implement and maintain the ICT control plan of 
the eligible applicant and that are named in the applications submitted 
by the eligible applicant pursuant to paragraph (e) of this section. 
Eligible applicants must ensure that each eligible recipient, as 
described in this paragraph, implements the eligible applicant's ICT 
control plan, including the use of non-disclosure agreements as 
described in paragraph (d)(1)(viii) of this section.
    (ii) Non-U.S. national employees receiving technology or source 
code. Non-U.S. national employees (wherever located) of entities that 
are eligible applicants, eligible users, and/or eligible recipients of 
this license exception may be eligible recipients of technology and 
source code under this license exception provided the non-U.S. national 
employees sign non-disclosure agreements with their employer in which 
the non-U.S. national employees agree not to release any technology or 
source code in violation of the EAR. Additionally, if non-U.S. national 
employees are also foreign national employees in their country of 
employment, then such non-U.S. national employees must also be screened 
by the appropriate eligible user against end-user lists compiled by the 
U.S. government. For further information on employees, non-disclosure 
agreements, and screening requirements, see Sec. Sec.  772.1, 
740.19(d)(1)(viii), and 740.19(d)(1)(ix) respectively.

    Note 1 to paragraph (b)(3)(ii) of this section: Non-U.S. 
national employees are those employees who are not U.S. citizens, 
lawful permanent residents of the United

[[Page 57560]]

States, or individuals protected under the Immigration and 
Naturalization Act (8 U.S.C. 1324b(a)(3)). Non-U.S. national 
employees include those working in the United States and outside of 
the United States. Furthermore, non-U.S. national employees include 
those employees who would otherwise be permitted to receive 
technology or source code only under: (1) A deemed export or deemed 
reexport license; (2) a license issued to a facility, and the 
employee is a citizen or legal permanent resident of the same 
country where the facility is located; (3) a license issued to a 
facility, but the employee is not a citizen or legal permanent 
resident of the country where the facility is located; and (4) another 
authorization such as a license exception other than ICT.


    Note 2 to paragraph (b)(3)(ii) of this section: Foreign national 
employees are those non-U.S. national employees who are not citizens 
or legal permanent residents of the country in which they are 
employed. Foreign national employees include those employees who 
would otherwise receive technology or source code under: (1) A 
deemed export or deemed reexport license; or (2) a license to a 
facility, but the employee is not a citizen or legal permanent 
resident of the country where the facility is located; or (3) 
another authorization such as a license exception other than ICT.

    (4) Eligible uses. Items exported, reexported, or transferred 
within country under this license exception may be exported, 
reexported, or transferred only for purposes of the internal company 
use by approved eligible applicants and approved eligible users of this 
license exception, as described in paragraphs (b)(1) and (b)(2) 
respectively, of this section.
    (c) Restrictions.
    (1) No item may be exported, reexported, or transferred within 
country under this license exception to destinations in or nationals of 
Country Group E or North Korea.
    (2) No item exported, reexported, or transferred within country 
under this license exception may be subsequently exported, reexported, 
or transferred for purposes other than the internal company use of 
approved eligible applicants, eligible users, and eligible recipients, 
as described in paragraphs (b)(1), (b)(2), and (b)(3)(i) respectively, 
of this section, unless done so in accordance with the EAR. See 
paragraph (c)(3) of this section for further restrictions.
    (3) No items that have been exported, reexported, or transferred 
(in-country) under License Exception ICT may be subsequently exported, 
reexported, or transferred (in-country) under License Exception APR 
(see Sec.  740.16).
    (4) No release of technology or source code is authorized under 
this license exception to foreign national employees whose visa or 
authority to work has been revoked, denied, or is otherwise not valid. 
It is the responsibility of the exporter to ensure that foreign 
national employees working in the United States maintain a valid U.S. 
visa if they are required to hold a visa from the United States.
    (5) No release of technology or source code is authorized under 
this license exception to a foreign national employee, as described in 
note 2 to paragraph (b)(3)(ii), if that employee or a prior employer of 
that employee is listed on any of the end-user lists of concern 
compiled by the U.S. government. In such instances, eligible applicants 
(or eligible users, as appropriate) should obtain the appropriate 
authorization required under the EAR.
    (6) No items controlled for Encryption Items (EI) reasons under 
ECCNs 5A002, 5D002, or 5E002 may be exported, reexported, or 
transferred (in-country) under this license exception.
    (7) No items controlled for Significant Items (SI) reasons may be 
exported, reexported, or transferred (in-country) under this license 
exception.
    (d) ICT control plan. Prior to submitting an application to BIS 
under paragraph (e) of this section, and before making any exports, 
reexports, or in-country transfers under this license exception, 
eligible applicants must implement an ICT control plan that is designed 
to ensure compliance with this license exception and the EAR. In 
addition, eligible users and eligible recipient entities must implement 
the ICT control plan of the eligible applicant. Under an ICT control 
plan, which may be a component of a more comprehensive export 
compliance program, all entities that seek to use this license 
exception must ensure that commodities, software, and technology, where 
applicable, will not be exported, reexported, or transferred in 
violation of this license exception. With their application for 
authorization (as described in paragraph (e) of this section) to use 
this license exception, eligible applicants must submit a copy of the 
ICT control plan and must specifically note which of their wholly-owned 
or controlled in fact entities are covered by the plan. BIS may require 
the eligible applicant to modify the ICT control plan before 
authorizing use of this license exception. Paragraph (d)(1) of this 
section lists the mandatory elements of an ICT control plan. Paragraph 
(d)(2) of this section lists exceptions to addressing certain mandatory 
elements in paragraph (d)(1) in the ICT control plan.
    (1) Mandatory elements of an ICT control plan. The following 
elements are mandatory, subject to the exceptions in paragraph (d)(2) 
of this section. The ICT control plan must describe how each mandatory 
element will be implemented. In order to provide guidance, the 
mandatory elements described in paragraphs (d)(1)(i) through (d)(1)(v) 
include illustrative examples of evidence demonstrating how the element 
may be addressed. Note that these illustrative examples are guidelines 
only; satisfying the five required elements in paragraphs (d)(1)(i) 
through (d)(1)(v) of this section is dependent upon the nature and 
complexity of company activities, the type of items that will be 
exported, reexported, or transferred under this license exception 
(i.e., commodities, software, and/or technology), the countries 
involved, and the relationship between the eligible users and eligible 
recipients of this license exception, as described in paragraphs (b)(2) 
and (b)(3)(i) respectively of this section. With respect to the other 
four elements of the ICT control plan, eligible applicants must fulfill 
certain specified requirements. For paragraphs (d)(1)(vi), (d)(1)(vii), 
(d)(1)(viii), and (d)(1)(ix) of this section, no illustrative examples 
are included. Note, however, that to satisfy the self-evaluation 
element in paragraph (d)(1)(vi) of this section, establishing 
self-audits, creating a checklist, and developing corrective measures are 
required, but the self-audits may be structured in a manner that works 
best for the eligible applicant and its wholly-owned or controlled in 
fact entities. In order to use this license exception for technology or 
software, a letter of assurance, consistent with Sec. Sec.  740.19(c) 
and 740.6, must be provided by a company officer of the eligible 
applicant. Additionally, in order to use this license exception for 
non-U.S. national employees, wherever located, to receive technology or 
source code under this license exception, submitting a template or 
sample of the non-disclosure agreement to be used is a mandatory 
element. Also, in order to use this license exception for non-U.S. 
national employees who are also foreign national employees, reviewing 
lists of end-users of concern compiled by the U.S. government is a 
mandatory element.
    (i) Corporate commitment to export compliance. Evidence of a 
corporate commitment to export compliance may include: An 
organizational chain of command for export controls compliance issues 
and related issues of concern; senior management member(s) responsible 
for export controls compliance, who are able to

[[Page 57561]]

demonstrate how compliance issues are resolved; internal recordkeeping 
requirements in accordance with the EAR; maintenance of a sound 
commodity classification methodology; and commitment of resources to 
implement and maintain an ICT control plan.
    (ii) Physical security plan. Evidence of a physical security plan 
may include: Methods of physical security that prevent the transfer of 
commodities, software, and technology on the Commerce Control List 
outside of the internal company structure; and organization and 
maintenance of up-to-date building layouts, including a description of 
physical security measures, such as secured doors and badges as well as 
biometric, guard, and perimeter controls.
    (iii) Information security plan. Evidence of an information 
security plan may include: Organization and maintenance of up-to-date 
virtual security layouts and descriptions of what information security 
methods are in place, such as password protection, firewalls, 
segregated servers, non-network computers, and intranet security.
    (iv) Personnel screening procedures. Evidence of personnel 
screening procedures may include: Thorough pre-screening analysis of 
new foreign national employees, as described in note 2 to paragraph 
(b)(3)(ii), which includes, but is not limited to, criminal background, 
driver's license, and credit history, before allowing them to receive 
technology or source code through a license or license exception.
    (v) Training and awareness program. Evidence of a training and 
awareness program may include: Creation, scheduling, and performance of 
regular training programs (for all employees working in areas relevant 
to export controls) to inform employees about export controls and 
limits on their access to technology or source code.
    (vi) Self-evaluation program. Evidence of a self-evaluation program 
must include the following three components: Creation and performance 
of regular internal self-audits, which may be conducted through the use 
of internal and/or external resources depending upon the needs and 
demands of the organization; creation of a checklist of critical areas 
and items to review, including identification of any deficiencies; and 
development of corrective procedures or measures implemented to correct 
identified deficiencies. Note: Disclosure of identified deficiencies 
and corrective actions will be considered when evaluating effective ICT 
control plans under paragraph (f)(2). Failure to disclose this 
information could result in revocation, as noted in paragraph (j). Any 
violations of the EAR that are uncovered in the process of conducting 
this self-evaluation should be disclosed to BIS in accordance with the 
voluntary self-disclosure procedures found in section 764.5.
    (vii) Letter of assurance for software and technology. A company 
officer of the eligible applicant must submit a signed statement on 
company letterhead stating that under this license exception, the 
eligible applicant and each eligible user and/or eligible recipient 
entity will not export, reexport, or transfer (in-country) software 
(including the source code for the software) and technology, consistent 
with paragraph (c)(1) of this section and consistent with paragraphs 
(a)(1) and (a)(2) of Sec.  740.6.
    (viii) Signing of non-disclosure agreements. Non-disclosure 
agreements not to release any technology or source code must be binding 
with respect to any technology or source code that has been released or 
otherwise provided to any non-U.S. national employee, wherever located, 
on the basis of this license exception, until such technology or source 
code no longer requires a license to any destination under the EAR, 
regardless of whether the non-U.S. national's employment relationship 
with the company remains in effect. Non-disclosure agreements should be 
completed in both English and the non-U.S. national employee's native 
language.
    (ix) Review of end-user lists. Foreign national employees, as 
described in note 2 to paragraph (b)(3)(ii), who are eligible to 
receive technology or source code under this license exception, must be 
screened against all lists of end-users of concern compiled by the U.S. 
government. In addition, prior employers of the foreign national 
employees must also be screened. These lists can be accessed at 
https://www.bis.doc.gov. See paragraph (c)(5) of this section for specific 
restrictions.
    (2) Exceptions to certain mandatory elements of an ICT control 
plan.
    (i) If this license exception will be used only for commodities, 
then the ICT control plan elements described in paragraphs (d)(1)(iii), 
(d)(1)(iv), (d)(1)(vii), (d)(1)(viii), and (d)(1)(ix) are not 
mandatory. In this situation, the ICT control plan must state that this 
license exception will be used for commodities only and not used for 
software or technology.
    (ii) If this license exception will be used only for software 
(excluding source code), or if this license exception will be used only 
for commodities and software (excluding source code), then the ICT 
control plan elements described in paragraphs (d)(1)(iv), (d)(1)(viii), 
and (d)(1)(ix) are not mandatory. In this situation, the ICT control 
plan must state that this license exception will be used for software 
(excluding source code) only, or will be used for commodities and 
software (excluding source code) only, and not used for technology or 
source code.
    (e) Information required for grant of ICT authorization.
    (1) Prior to the export, reexport, or in-country transfer of items 
on the Commerce Control List under this license exception, an eligible 
applicant, as described in paragraph (b)(1) of this section, must 
submit the following information to BIS:
    (i) For the eligible applicant: Full name of company; location of 
company headquarters; location of principal place of business; complete 
physical addresses (listing a post office box is insufficient) of 
company's headquarters and principal place of business; post office box 
if used as an alternate address; location of registration or 
incorporation; ownership of company, including listing all individuals 
or groups that have at least a 10% ownership interest; and need for 
License Exception ICT, including listing the ECCNs of the items that 
will be exported, reexported, or transferred (in-country) under this 
license exception and a detailed narrative describing the intended use 
of the items covered by the listed ECCNs and the anticipated resulting 
commodities, where relevant;
    (ii) For each company, separate from the eligible applicant, that 
is intended to be an eligible user or eligible recipient that will 
export, reexport, transfer (in-country), or receive items under this 
license exception: Full name of entity; location of entity's principal 
place of business; complete physical address (listing a post office box 
is insufficient) of entity's principal place of business; post office 
box if used as an alternate address; location of entity's registration 
or incorporation; relationship of the entity to the eligible applicant; 
and ownership of company, including listing all individuals or groups 
that have at least a 10% ownership interest, where relevant;
    (iii) Name and contact information of the employee(s) responsible 
for implementing the ICT control plan of the eligible applicant and its 
wholly-owned or controlled in fact entities that are eligible users 
and/or eligible recipients;
    (iv) A full copy of the ICT control plan, as described in paragraph 
(d) of this section, covering the eligible

[[Page 57562]]

applicant and its wholly-owned or controlled in fact entities that are 
eligible users and/or eligible recipients;
    (v) Documentation showing implementation of screening, training, 
and self-evaluation elements in the ICT control plan, as described in 
paragraphs (d)(1)(iv), (d)(1)(v), (d)(1)(vi), and (d)(1)(ix), where 
applicable; and
    (vi) A signed statement, on company letterhead, by a company 
officer of the eligible applicant that states each eligible user and/or 
eligible recipient entity will allow BIS, at the agency's discretion, 
to conduct audits to ensure compliance with this license exception.
    (2) Submit all required information to: Bureau of Industry and 
Security, Attn: License Exception ICT, HCHB Room 2705, 14th Street & 
Pennsylvania Ave., NW., Washington, DC 20230.
    (f) Review of License Exception ICT submissions. Upon receipt of 
completed information required under paragraph (e)(1) of this section, 
BIS will conduct a review described in paragraph (f)(1) of this 
section. During the review, BIS will use the factors described in 
paragraph (f)(2) of this section to determine authorization. In 
addition to informing the eligible applicant whether it may use this 
license exception, BIS will provide the terms of the ICT authorization 
including which wholly-owned or controlled in fact entities may use 
this license exception and the ECCNs of the items that may be exported, 
reexported, or transferred under this license exception. BIS will 
respond in writing to the eligible applicant once a decision is 
reached.
    (1) Processing procedures. For purposes of review only, License 
Exception ICT submissions will be reviewed in the manner that license 
applications are reviewed pursuant to Sec. Sec.  750.3 and 750.4 of the 
EAR and Executive Order 12981, as amended by Executive Orders 13020, 
13026, and 13117.
    (2) Review factors. The following factors will be considered in 
determining License Exception ICT authorization: Prior licensing 
history; demonstration of an effective ICT control plan; and need for 
the license exception, as expressed in the submission for ICT 
authorization, including the requested ECCNs and the relationship of 
the wholly-owned or controlled in fact entities to the parent company 
or other entities of national security or foreign policy concern. BIS 
will also consider any deficiencies, including violations of the EAR, 
that are uncovered as part of the self-evaluation element of the 
eligible applicant's ICT control plan described in (d)(vi) of this 
part, and, if appropriate, disclosed to BIS in accordance with section 
764.5, as well as any corrective action that was subsequently taken.
    (g) Changes to Submitted Information Following Receipt of 
Authorization.
    (1) Before an entity not previously identified in an approved 
eligible applicant's initial submission under paragraph (e) of this 
section may use this license exception, the approved eligible applicant 
must submit the information regarding the new entity in accordance with 
paragraph (e)(1)(ii) of this section to BIS at the address listed in 
paragraph (e)(2) of this section. This submission will undergo the same 
process of review as the initial submission, which is described in 
paragraph (f)(1) of this section.
    (2) After obtaining authorization to use this license exception, an 
approved eligible applicant may request License Exception ICT 
eligibility for additional ECCNs that were not previously identified in 
its initial submission. To make such a request, the approved eligible 
applicant must submit the necessary information required under 
paragraph (e)(1)(i) regarding the additional ECCNs to BIS at the 
address listed in paragraph (e)(2) of this section. This submission 
will undergo the same process of review as the initial submission, 
which is described in paragraph (f)(1) of this section.
    (3) If control of an approved eligible applicant changes after 
obtaining prior authorization to use this license exception (e.g., 
through change of ownership, acquisition, or merger), authorization to 
use this license exception will no longer be valid. Under such 
circumstances, the new eligible applicant must submit all information 
required under paragraph (e)(1) of this section to obtain new 
authorization to use this license exception. This submission will 
undergo