America is the land of free trade … precisely until it is not. Through a thicket of laws and regulations, the U.S. government has broad control over what can get exported to whom, particularly in areas with sensitive technology or national security concerns. In general, those restrictions are loose, which is why startups mostly haven’t had to think about export laws.
That open world is rapidly closing though, and startups could well be the most harmed given that they have limited resources to handle these sorts of bureaucratic processes and the potential large penalty fines.
Last week, President Trump signed an executive order requiring that the Department of Commerce initiate a review of regulations and enforcement practices to ensure that U.S. entities (people and companies) don’t provide “information and communications technology or services” to a “foreign adversary.” That term was read as describing China, although nothing in the order prevents its expansion to cover other countries in the future.
Furthermore, administration officials at the once backwater Bureau of Industry and Security (BIS) placed Huawei and its global affiliates on the “Entity List,” which (aptly) is a list of entities banned from importing U.S. technologies. That announcement quickly led companies like Google and Qualcomm to announce that they will no longer export certain technologies to Huawei — including the Android smartphone operating system.
The Trump administration seems poised to continue down this trade restriction path. The determination of “foreign adversary” is going through a review process created by the executive order that will almost certainly get expanded over the coming year. Meanwhile, more entities will likely be added to the Entity List. Huawei isn’t the first company to be hit this way — last year’s ZTE crisis unfolded in much the same way.
That means startups — which almost always fall right at the heart of sensitive technology regulations — need to take a much closer look at what they are building, who their customers are, and how to manage their exports. Penalties for failing to comply with these regulations can be draconian, and certainly completely destructive for early-stage startups that lack the resources to fight a bureaucratic ruling in court.
Before we continue though, a quick reminder. Lest the word “export” causes you to dream of canvas sail ships on the high seas, the reality is that any provision of software services, including SaaS and cloud, fall under the provisions of these rules. Even just transmitting software code can trigger them. These rules and other trade laws were written, and are interpreted, very expansively.
First and foremost, as with all complicated legal situations, you should hire an attorney, particularly an expert in the areas of export controls. If you also touch on these rules regularly, BIS offers regular seminars across the country on how to follow the law.
The first thing to do is to identify who your customers are. For startups targeting large enterprises, this presumably is knowable given the value of each customer. If you target small businesses or individuals though, it might be a lot harder.
Knowing your customers allows you to do a couple of things. First, you can start to identify their nationalities, since some export controls are based on the company or individual’s origin. You can either do this directly by looking up who or what they are, or you can look at data such as billing address, bank account, etc.
There is some “best efforts” intention here. Just because a customer has a U.S.-based billing account doesn’t mean that they aren’t covered by export controls. Thanks to the rise of shell corporations, identifying the ultimate beneficial owner of a company can be dazzlingly complicated. For instance, Iran — covered by many sanctions and export restrictions by the United States — was linked to a building in Midtown Manhattan until recently thanks to the smokescreen of LLCs.
Second, once you have a list of your customers, you can screen those entities through the Department of Commerce’s Entity List, and perhaps also through the Specially Designated Nationals and Consolidated Sanctions Program lists managed by the Office of Foreign Asset Control at the Treasury Department. If you have a limited number of customers, you can manually check the latter at OFAC’s search tool hosted by Finra.
Third — and this is what might get more challenging long term — these lists get updated, which means you need some sort of audit process to ensure that a customer doesn’t suddenly get added to the list after they have purchased your product. As you scale your startup, it might make sense to write a small script that does this occasionally. And of course, if you are Google size, you have hundreds of people who do this in the compliance department.
Finally, I would identify one staff member whose responsible for complying with these rules. This isn’t a duty that should be shared unless you are at scale, since it’s low priority and almost no one is going to want to spend more than a modicum of time dealing with this whole issue.
That might all sound like a lot of hard work, but here’s the good news: a lot of this might be handled for you by your payments provider. Stripe, PayPal and other payment services are as obligated as you are to make sure that payments follow the law, and so they also have teams dedicated to protecting you (that’s also the reason why your money can suddenly get tied up for days, weeks, or months on end).
That said, while they may commit their best effort to following these laws, they also disclaim much of their liability in their service agreements. Stripe, for instance, in its agreement says that “We provide the Services from facilities in the United States. We do not claim, and we cannot guarantee that Services we provide from the United States are or will be appropriate or available for any other location or jurisdiction, comply with the Laws of any other location or jurisdiction, or comply with Laws governing export, import, or foreign use.” (Emphasis added) Ultimately, you and you alone are responsible for following the laws of the countries in which you operate in.
Free trade is still the modus operandi of the United States, but trade restrictions and export scrutiny is increasing very rapidly, particularly on sensitive technology. Taking some easy precautions can mitigate risks to your startup, and also ensure that you have contingencies in place in the event that your key revenue-generating customer just happens to be placed on a magical blacklist you probably didn’t know existed.