Emergency Landing: Inside Boeing’s multi-million dollar ITAR fine

Adding to a list of seemingly never-ending problems, the Boeing Company recently agreed to pay a $51 million civil penalty for violating U.S. export regulations, specifically the International Traffic in Arms Regulations (ITAR) and Arms Export Control Act (AECA).  The company also agreed to remedial compliance measures and entered into a Consent Agreement with the U.S. Department of State.  This penalty is one of the highest to-date imposed by the U.S. Government for ITAR and AECA violations.

Boeing is a multi-billion-dollar company with hundreds of full-time trade compliance personnel.  So, what happened?  And what can we learn?  This case is important and can serve as a cautionary tale for all of industry.  Despite its resources and history, the company was still charged with almost 200 export violations.

What did Boeing do?

According to the State Department’s Directorate of Defense Trade Controls (DDTC), Boeing allegedly committed a variety of violations.  A summary of these include:

•  Unauthorized exports and transfers of controlled technical data to foreign-person employees and contractors
• Unauthorized exports to the People’s Republic of China
• Violation of export license terms, conditions and provisos present on DDTC export authorizations
• Failure to implement promised corrective actions

What are the details?

DDTC has uncovered several different areas where the company may have violated ITAR regulations.  Specifically:

•  It appears that Boeing employees from China downloaded technical data from the company’s library 25 times in 4 years;
• The information pertained to ITAR controlled technical data for the F-18, F-15 and F-22 fighter jets, AH-64 Apache helicopter, AGM-84E Standoff Land Attach Missile and the AGM-131 Short Range Attack Missile II;
• DDTC also alleges additional unauthorized access of ITAR controlled technical data 80 times by foreign employees and contractors in 18 other countries (including Russia);
• They also accuse Boeing of creating 5 fake permanent export licenses for ITAR-controlled hardware to Portugal and Turkey; (Pro Compliance Tip: If you cannot obtain real export licenses, then please, please do not create fake ones.)
• Boeing is also accused of not adhering to export license provisos by allowing the release of ITAR-controlled technical data to Lebanese Armed Forces pilots despite the provisos specifically educating Boeing that this was not authorized

 Failure to launch:  Boeing’s promised corrective actions

Adding fuel to DDTC’s fire, Boeing also apparently failed to implement corrective actions it had promised to the agency in other areas of its compliance program.  These include:

• Subcontractors of Boeing Australia retransferred ITAR controlled technical data without the required US Government authorizations
• Failure to provide training to prevent repeat occurrences of unauthorized technical data to Foreign Nationals specific to Air Force One (originally disclosed in 2019 but then had a repeat incident in 2020)

Are there any mitigating factors?

We are looking at a huge penalty here — $51 million to be exact.  So, the natural question is, were there any mitigating factors or circumstances that brought this penalty down?

Believe it or not, DDTC did list a few mitigating factors that make this penalty lower than it could be.  These include the fact that Boeing voluntarily disclosed the violations to the U.S. Government and cooperated fully with DDTC on additional information requests and follow-ups to understand the true nature of the activities in question.

Consent Agreement

Boeing and the Department of State entered into a Consent Agreement which holds Boeing accountable for all the remedial measures set forth in the Agreement.  If Boeing does not enact those measures, they are at risk of an administrative disbarment which would result in Boeing not being able to operate internationally.  Examples of those measures are below:

• Boeing must appoint a Designated Official in the form of a Special Compliance Officer (SCO) who has been approved in advance by DDTC and must report directly to Boeing’s CEO
• The SCO is responsible to oversee/implement all export control polices/procedures including enhancement of them to address past violations to reoccurrence
• Implementation of a cradle-to-grave export compliance system throughout all business units and subsidiaries
• Global training on electronic exports of technical data in-line with their revamped export compliance policies/procedures
• All hardware and software must be reviewed and verified for export control jurisdiction accuracy globally and prior to export
• Two audits must be performed during the term of the Consent Agreement

Although it may be hard to find a silver lining to all of this, the civil penalty of $51 million allows Boeing to apply $24 million towards the remedial compliance measures outlined above.

Conclusion

Exports, Re-exports, Transfers, Re-Transfers, whether physically or electronically of U.S. origin items (including controlled technical data) or items that export from the U.S. must be evaluated and controlled throughout the entire export process.  ITAR technical data must always be protected with authorization access procedures which should include approval from multiple sources including the access requestors manager, SCO or designee as well as IT.

Companies need to know what their subsidiaries and contractors have in their control and who has access to that information.  The arms of U.S. export controls extend past U.S. soil.  This means parent companies should take extra care in evaluating the compliance programs in foreign countries just as they do in the United States.  Holding international locations to the same standard as the U.S. entity is vital to preventing these types of violations.