Consultants Corner Archives - FD Associates, Inc.

When the Compliance Role Goes Unfilled, and Everyone Thinks They Can Manage

ByGeorge (Jorge) Cánovas, J.D. • Vice President Compliance, FD Associates

This happens constantly, across industries, geographies, and company sizes.

The compliance lead in your company leaves. The departure may be orderly or abrupt, but the organizational response is usually the same. There is no immediate fallout. No regulator calls. No customer escalations. The business keeps moving. Leadership concludes, sometimes on purpose and sometimes by inertia, that the role can remain unfilled, at least for a while. After all, nothing broke.

That initial calm is misleading, but understandably so. Compliance is one of the few functions whose success is defined almost entirely by the absence of visible events. When it works, nothing happens. No blocked transactions. No uncomfortable meetings. No late night emails to outside counsel. The system hums quietly in the background.

So when the role disappears and the system does not immediately fail, it creates a false sense of resilience and comfort.

What follows is not dramatic. It is incremental, structural, and easy to miss.

First, decision ownership begins to fragment.

Compliance decisions that once had a clear escalation point disperse across the organization. Legal weighs in on legal exposure. Operations focuses on delivery. Sales pushes for speed. Engineering frames issues as technical rather than regulatory. Everyone is acting rationally within their own incentives, but no one is responsible for synthesizing those perspectives into a defensible compliance judgment.

As a result, decisions start defaulting to consensus or momentum rather than analysis.

This is what happens when a control function designed to slow decisions just enough to test assumptions, quietly disappears. The organization still decides, but without a consistent framework for risk tolerance.

Several years after I left a company, I received a call from their newly hired CMMC lead. She was sharp, diligent, and trying to understand how the organization handled classification, escalation, and risk decisions. Her questions were basic, but telling. How were products classified? Which business units owned which decisions? What processes existed for handling gray areas?

The answer, awkwardly, was that all of this already existed.

The classification logic had been built. Risk matrices had been issued to the business units. Compliance plans had been rolled out, reviewed, and socialized. Decision trees existed for escalation and documentation. It had been implemented while I was there.

But by the time she arrived, it had all been forgotten in practice.

Not repealed. Not deleted. Just put away. The business units had been given the tools, but once “the compliance guy” was gone, the tools stopped being used. Without someone maintaining cadence, context, and judgment, the system quietly decayed.

No one had decided to abandon compliance. It simply stopped living.

That call was not about rebuilding from scratch. It was about reconstructing intent. Why those controls existed. What risks they were designed to manage. Where the organization had already learned hard lessons it was now relearning again.

That is what gets lost when compliance leadership disappears. Not rules, but reasoning.

Second, edge cases quietly become the norm.

Most compliance exposure does not arise from obvious violations. It arises from gray areas. Product modifications, new customer use cases, unusual deal structures, or cross border collaborations that do not fit neatly into prior models. A functioning compliance role is designed to live in those gray zones, to ask uncomfortable questions early, and to document why a particular path was chosen.

Without that role, gray areas are resolved ad hoc. One team treats them as low risk. Another escalates them as urgent. Precedent becomes inconsistent. Over time, the organization loses the ability to explain not just what it decided, but why it decided it.

Third, compliance quietly shifts from governance to negotiation.

Without clear authority, compliance becomes something teams work around rather than through. Questions are framed to obtain approval rather than analysis. Risk is described narrowly. Facts are simplified. This is rarely malicious. It is human behavior responding to organizational signals. If no one owns the function, the cost of slowing down feels more immediate than the cost of getting it wrong. It is over time that this becomes the norm and this is how exposure accumulates without triggering alarms.

Eventually, something happens, and the symptoms become visible.

Approvals take longer and longer. Internal emails grow more cautious. Outside counsel appears on threads where they never used to be needed. Customer diligence responses become harder to assemble. Leadership senses that decisions carry more weight and less confidence, even when no single issue appears catastrophic.

At this point, many organizations still believe they are managing. In reality, they are compensating for a missing function by absorbing cost elsewhere, and quite frankly, this is where the response from companies often goes wrong.

The answer is not always to rush into a permanent hire, especially when the organization needs immediate structure, restored judgment, and credibility with customers or regulators. This is where experienced external compliance leadership, such as FD Associates, can step in and stabilize the system while the right permanent hire is identified for the business.

The key is to getting things back in order. That means reestablishing clear escalation paths. Re-grounding classification and risk frameworks. Dusting off compliance plans and making them operational again. Recreating institutional memory before it is lost entirely. And doing so in a way that supports the business rather than slowing it to a crawl.

Just as importantly, it does not end there. Part of restoring a healthy compliance function is helping the organization decide what it actually needs long term, and helping recruit and transition to a new compliance lead who inherits a functioning system rather than a mess.

Organizations that do this early tend to recover quickly. Decisions become cleaner. Risk tolerance becomes explicit. Teams regain clarity on where compliance fits into daily operations, not as friction, but as an enabling control.

Leaving a compliance role unfilled often feels manageable because the consequences are deferred. But deferred does not mean avoided. It just means the bill arrives later.

When the Compliance Role Goes Unfilled, and Everyone Thinks They Can Manage Read More »

New Foreign UAS Systems Shutdown by the FCC

ByGeorge (Jorge) Cánovas, J.D. • Vice President Compliance, FD Associates

This article was originally posted to FD Associates’ LinkedIn page .

Read on LinkedIn

In late December 2025, the Federal Communications Commission (FCC) issued a national security determination (Pubic Notice DA-25-1086) concluding that unmanned aircraft systems and certain UAS critical components produced outside the United States pose an unacceptable risk to national security and to the safety and security of U.S. persons. The determination focused on specific risks tied to unauthorized surveillance, sensitive data collection, remote system access, and the ability to alter, degrade, or disable system functionality through software or firmware updates after deployment.

Based on that determination, the FCC placed foreign-produced UAS and UAS critical components on its Covered List, prohibiting those items from operating in the United States, unless a specific national security determination is issued by the Department of Defense or the Department of Homeland Security concluding that a particular system or component does not present those risks.

The national security are issued through an interagency national security review led by the Department of Defense or the Department of Homeland Security, typically involving intelligence, cybersecurity, and supply-chain risk offices, and focus on how a specific UAS or critical component is designed, manufactured, controlled, updated, and accessed over its lifecycle. The review examines communications architecture, component origin, firmware and software update authority, remote access capabilities, data collection and transmission pathways, and the ability to alter or disable system functionality after deployment.

If the reviewing department concludes that the system or component does not present the identified national security risks, it issues a specific determination covering that system or class of systems, which the FCC then implements ministerially by updating the Covered List, rather than through an FCC-run application, appeal, or waiver process.

The practical effect is immediate for new UAS equipment seeking authorization. Covered drones and components may not be imported into the United States unless they are first cleared through the applicable national security review process. The FCC will not grant equipment authorization for covered systems to operate in the United States, and operating such systems without authorization is unlawful.

The issue here is not flight safety or airspace regulation, but the communications systems embedded in these platforms and the national security risks they present.

FCC Covered UAS and Critical Components

Rather than publishing a finite or part-numbered list, the FCC adopted a functional approach focused on system operation, communications, and control. Any foreign-produced component that is essential to the operation of a UAS, particularly where it enables communications, navigation, control, or data transmission, may fall within scope.

Covered items include, but are not limited to:

Complete unmanned aircraft systems and associated elements required for safe and effective operation
Communications radios and radio frequency transmission equipment
Data transmission and telemetry devices
Flight controllers and integrated control units
Ground control stations and UAS controllers
Navigation systems, including GPS, GNSS, and inertial navigation units
Sensors, payload sensors, and cameras
Motors and motor controllers
Batteries and battery management systems
Associated software and firmware required for operation, control, communications, or updates

Because the scope is functional rather than categorical, a single foreign-produced communications or control component can prevent FCC authorization for an entire drone system, regardless of where final assembly occurs or how the product is marketed.

Recent FCC clarification adds a limited, temporary carve-out. In a January 7, 2026 Public Notice (See FCC DOC DA-26-22A1), the FCC announced that certain foreign-produced UAS and UAS critical components will be removed from the Covered List on a time-limited basis, including systems appearing on the “Defense Contract Management Agency Blue UAS Cleared List” (See The Blue UAS Cleared List and Blue UAS Framework) and products that qualify as domestic end products under the Buy American Standard. These removals are not permanent. They expire on January 1, 2027, after which covered foreign-produced UAS and components will again be ineligible for FCC authorization absent a new national security determination. The FCC emphasized that these temporary allowances do not reflect a change in its underlying national security assessment and should be viewed as transitional measures rather than long-term relief.

What the Rule Does and Does Not Do

The FCC is not enforcing export laws. Its action is based on communications authorization and national security risk. The consequence for drone companies is straightforward: new systems containing covered foreign-produced components will face challenges upon importation and to lawfully operated in the United States.

The rule does not turn on whether a drone is described as civil or commercial, nor does it depend on historical acceptance of a platform. The analysis focuses on foreign production and the presence of covered functionality tied to foreign communications, system control, or data transmission.

How This Plays Out in Practice

In practice, the FCC rule often surfaces earlier in the business cycle than companies expect.
A product, component, or fleet is first identified for import, sale, deployment, or continued operation in the United States. This may be tied to a new product launch, a customer procurement, or a review of systems already in use.

The system is then examined at the component level to identify foreign-produced elements tied to communications, navigation, control, data transmission, or firmware. This is frequently where issues surface, particularly with radios, GNSS modules, flight controllers, sensors, and embedded software.

If the system contains covered foreign-produced UAS or critical components, FCC equipment authorization is unavailable unless a specific national security determination applies. At that point, the question is no longer abstract compliance, but whether the product can be imported or lawfully operated at all.

For existing fleets, this risk arises primarily when systems are modified, upgraded, or otherwise require new or amended FCC authorization. For new products, it can halt sales, integration, or deployment entirely.

Companies are then forced into business decisions. Options may include redesigning systems, re-sourcing components, segmenting product lines for different markets, adopting alternative platforms, or exiting certain use cases altogether. These decisions are driven by technical feasibility, cost, and time to market, not regulatory preference.

What the FCC Actually Examines During Authorization

FCC authorization reviews are grounded in detailed technical disclosures. Companies are required to explain, with specificity:

How the drone communicates with ground control stations and other systems
Which components enable command, control, telemetry, navigation, and data transmission
Where those components are designed, manufactured, and integrated
How firmware and software updates are delivered and who controls them
Whether the system allows remote access, diagnostics, or configuration after deployment
How data is collected, stored, transmitted, and accessed

These are not peripheral details. They go directly to whether the FCC will authorize operation of the system in the United States.

Why This Is More Complicated Than It First Appears

For many drone companies, risk does not reside solely in the airframe. It resides in subsystems selected years earlier for cost, performance, or availability, long before national security screening became decisive.

Communications modules, navigation units, sensors, and firmware stacks are often globally sourced and deeply embedded in the system architecture. As a result, a drone assembled in the United States can still be disqualified because of a single foreign-produced radio, control board, or software dependency that cannot easily be replaced without redesign.

The rule also reaches beyond new sales. Fleet operators, integrators, and service providers must consider whether systems already deployed can continue operating lawfully if they rely on covered components that cannot receive authorization. Replacement parts, upgrades, firmware changes, or shifts in who controls software updates are often the trigger point. Systems that were lawfully authorized at deployment can face new scrutiny when their configuration, control pathways, or update mechanisms change over time.

What This Means for U.S. Drone Companies

U.S. manufacturers, distributors, integrators, operators and brokers must now look at end platforms and a component-level view of their products and operations.

Companies that manufacture drones domestically but rely on foreign-produced critical components face the same authorization barrier for new systems as fully foreign-manufactured systems. Companies importing foreign-produced drones for resale, integration, or specialized use must assess whether those platforms can be authorized at all.

The impact is especially acute where civil drones are being used or adapted for government, public safety, critical infrastructure inspection, or defense-adjacent missions. In those contexts, national security risk is assessed more conservatively, and tolerance for foreign control or access is lower.

Downstream activities matter as well. Software updates, configuration changes, maintenance, and technical support can all be relevant where authorization turns on who controls system behavior over time.

For some companies, compliance will require redesign, re-sourcing, or segmentation of product lines. For others, the rule may eliminate U.S. market access for certain platforms entirely.

The Bottom Line

The FCC has not issued a blanket ban on drones. It has conditioned U.S. market access on national security clearance for foreign-produced unmanned aircraft systems and critical components.

For drone companies operating in or selling into the United States, the issue is no longer abstract. Product architecture, component sourcing, system control, and lifecycle management now determine whether a drone can be imported, authorized, or lawfully operated.

This is an operational gate to the U.S. drone market, and it requires a level of technical and supply-chain scrutiny that many companies have not previously needed to apply.

Ready to strengthen your export compliance?

Speak with an expert about registrations, licensing strategies, audits, program development, and more.

Contact Our Experts Today

New Foreign UAS Systems Shutdown by the FCC Read More »

When In-Country Still Counts as an “Transfer” or “Export”, and Why Small Oversights Add Up

ByGeorge (Jorge) Cánovas, J.D. • Vice President Compliance, FD Associates

A colleague of mine, Shahab Wahdatehagh at Descartes, recently flagged something on LinkedIn that many teams still underestimate. Transferring EAR-controlled items within the same country can still require an export license. This is not a gray area, as the regulations are clear. Yet it continues to be missed, even by experienced organizations. And in my experience, these misses rarely come from bad intent. People do not wake up in the morning planning to violate export law. They happen because the rules are not consistently understood across everyone involved in the transaction. When training is uneven, outdated, or limited to a small group, gaps form. That is usually where the error starts.

The point is simple, but the consequences are certainly not.

The reflex that causes trouble: “It’s just EAR99”

EAR99 often gets treated as shorthand for low risk. No license from the USA. No issue transfer in country. Move on. That assumption is wrong and can cause many problems.

The EAR covers far more than cross-border shipments. Those in-country transfers can still trigger licensing requirements, especially where end users or end uses are restricted. The General Prohibitions apply broadly, and classification alone does not get you out of trouble.

General Prohibitions in Part 736 and the Entity List makes this pretty clear. If a party appears in Supplement No. 4 to Part 744, almost any item subject to the EAR, including EAR99, requires a license for export, reexport, or in-country transfer, and exceptions are rare. Where the item is physically located does not change the obligation, who is in possession does.

Where compliance usually breaks down

Exports from the U.S. tend to get careful review. U.S. Customs, freight forwarders, and paperwork force the issue. Once abroad, in-country movements feel routine. Internal transfers. Long-standing partners. Very familiar workflows. And that is where the attention to details drops. Assumptions are made and transactional compliance is not validated against the EAR.

In international settings, responsibility for U.S. export compliance may be passed around. Sales assumes operations handled it. Operations assumes legal reviewed it. Legal assumes compliance screened it. Compliance trusts the system. No one actually owns the call. Hence problems can arise, whether its EAR99 or an item under the EAR with an ECCN or an ITAR item. Lack of procedures and inventory management are the culprits.

At FD Associates, we see this across the board. Large primes. Mid-size manufacturers. Fast-growing companies. Scale does not protect you. In some cases, it makes things worse.

Recent BIS enforcement actions, including the Haas Automation case, show how quickly this can escalate. In-country activity tied to Entity List parties led to a civil penalty of roughly $1.5 million, even with cooperation. Voluntary self-disclosure can help reduce penalties, but it does not erase the financial hit, the reputational damage, or the internal disruption that follows.

Why practical training matters

At FD Associates, we focus on the situations that actually cause violations. In-country transfers. Known customers. Products everyone thinks they understand. We walk through how General Prohibitions, Entity List restrictions, and end-user controls intersect in real workflows, not just in theory.

I have said this many times, most violations are not intentional. They happen because people move fast on what feels routine and do not realize a control applies. The transactions that look the safest are often the riskiest, precisely because no one slows down to question them.

Compliance protects revenue

Compliance is not just a cost. It protects the bottom line, and violations mean giving back money already earned. CEO’s and Boards do not like that equation. Errors like this mean time lost to remediation, audits, and regulator follow-up. A solid compliance program with inventory controls and tracking plus regular auditing allows teams to operate with confidence instead of hesitation or guesswork.

Experience and consistency make the difference

Export compliance is not a one-time exercise. It builds through institutional knowledge, sound judgment, and steady engagement with how the rules are actually enforced.

The strongest programs are not defined by the length of their policies. They are built on experienced people, clear ownership, practical and ongoing training, and leadership that understands a simple truth. - Small oversights add up. And in export controls, they add up fast.

For organizations looking to reduce this kind of risk, consistent and practical training matters. At FD Associates, we work with companies to deliver tailored, role-specific training for the people who actually touch these decisions, from sales and operations to engineering and compliance. We also offer scheduled training courses for teams and individuals who want to strengthen their understanding without building something from scratch. The goal is simple, to help organizations catch the small issues early, before they turn into costly ones.

When In-Country Still Counts as an “Transfer” or “Export”, and Why Small Oversights Add Up Read More »

Following the 50% Rule .. BIS Adds 29 Entries to the Entity List

On October 9, 2025 via 90 Fed. Reg. 48193 (“FRN”), the Department of Commerce Bureau of Industry Security (“BIS”) added 29 entries (26 entities and 3 addresses) located in China, Hong Kong, Turkey, and the U.A.E. to the Entity List . These entities were involved in diverting U.S. origin commodities to Iran for use in Unmanned Aircraft Systems (UAS)/ Unmanned Aircraft Systems (UAVs) or aircraft in violation of the U.S. Export Administration Regulations (EAR).

Why This Matters

First Update to the Entity List since Implementation of the BIS Affiliate Rule (AKA 50% Beneficial Ownership Rule)

Under the new Affiliate Rule, implemented on September 29, 2025, companies are prohibited from engaging in a transaction without prior USG authorization with an unlisted entity that is 50% or more owned, in the aggregate, by an entity or entities identified on the BIS Entity List (EL) and the Military End User (MEU) list and the Dept. of Treasury’s Office of Foreign Asset Controls (OFAC) Specially Designated National List (SDN) List.

Companies must obtain the parent companies and owners of an entity up through to the ultimate beneficial owner and screen the entities against the EL, the MEU, and SDN for potential matches and ownership that is greater than then 50% threshold.

The requirement to screen for 50% ownership is not a new requirement – it is a requirement under the OFAC sanction programs – however under the BIS Affiliate Rule companies must review the licensing requirements or prohibitions for each owner identified on SDN, the EL, and MEU and apply the most restrictive requirement to the transaction.

Companies Must Adopt New Strategies and Tools to Comply with the Expanded Use of the 50% Beneficial Ownership Rule and Frequent Updates to the Lists

Performing 50% Beneficial Ownership screening and managing the rescreening of parties to a transaction (e.g. purchase, end user, freight forwarder, supplier, etc.) due to frequent updates to the lists will be challenging for companies with limited resources. Since September 29 when the Affiliate Rule was implemented, OFAC and BIS collectively added more than 150 entities over five different updates to the SDN and Entity list.

To manage these compliance requirements more efficiently, companies should use third-party sanctioned/restricted party ownership research services that dive deep into the Beneficial Ownership structure to augment existing sanctioned/restricted party screening tools. These tools should include persistent screening of the parties to the transaction against changes to the sanctioned/restricted party lists or a mechanism to regularly upload a list of parties for screening. Companies not using such services should supplement standard third-party services with internal sanction ownership research by utilizing publicly available information (e.g. investor reports, business documents filed with government, information from media outlets etc.) to fill potential gaps that exist between when an entity is added to a list to when the third-party service completes their research and updates their lists.

Lastly, company personnel conducting the screenings must be trained not only to use the screening tools but also to conduct sanctioned/restricted ownership research, identify and mitigate compliance risk or escalate to senior management when the risk cannot be mitigated.

On Our Radar

U.S . Origin Components Were Recovered from the UAS/UAV wreckage

The US Government stated in the FRN that it has identified the entities who diverted U.S. origin commodities to Iran from information found on the U.S. origin commodities recovered in the UAS/UAV wreckage, presumably manufacturer’s name or logo, part number serial number, etc.

The FRN does not mention the manufacturer's role in the investigation, nonetheless, this underscores the importance of screening the parties to the transaction and particularly the end use/end user of the exported commodities. Moreover, companies should keep records of their due diligence efforts, such as end use statements or other documents, if their products are later found in an unauthorized country or application, to assist the government in their investigation.

The Additions Included the China and Hong Kong Subsidiaries of Arrow Electronics, a U.S. Electronics Distributor

BIS added the China and Hong Kong subsidiaries of Arrow Electronic to the BIS EL for facilitating the purchase of U.S. origin electronics found in the wreckage of UAS operated by Iranian proxies. Arrow Electronics stated they are in discussions with BIS to resolve this issue. It will be interesting to see if the compliance actions taken by BIS are contained to the China and Hong Kong subsidiaries or if at a later date it spills over to the parent company.

Regardless of outcome, this action highlights the importance of ensuring that your foreign subsidiaries and affiliates compliance with U.S. export regulations are imperative and validating end use/end user and screening the parties to the transaction are mandatory not optional.

What’s Next?

Education - business functions, e.g. business development, purchasing, order entry/contract etc., that engage in transactions with foreign parties on the new requirements. Include foreign subsidiaries and affiliates in this process.
Discuss strategies for collecting and screening ultimate beneficial ownership information to ensure compliance.
Explore third-party screening solutions to augment and streamline your existing screening processes.

Following the 50% Rule .. BIS Adds 29 Entries to the Entity List Read More »

Out With The New, Back To The Old Ways BIS Rescinds Biden Era Firearms Restrictions On Exports

ByJohn J. Herzo, J.D. • Senior Compliance Associate

On September 29, 2025 via 90 Fed. Reg. 47170, the Department of Commerce’s Bureau of Industry and Security (“BIS”) rescinded in part Interim Final Rule, 89 Fed. Reg. 34680 (“Firearms IFR”), that imposed additional export requirements on the export of EAR regulated firearms, related ammunition and components thereof.

The Firearms IFR imposed a range of additional requirements, including:

A “presumption of denial” for exports to non-governmental user (civilian and commercial entities) to the following 36 “high-risk” countries: Bahamas, Bangladesh, Belize, Bolivia, Burkina Faso, Burundi, Chad, Colombia, Dominican Republic, Ecuador, El Salvador, Guatemala, Guyana, Honduras, Indonesia, Jamaica, Kazakhstan, Kyrgyzstan, Laos, Malaysia, Mali, Mozambique, Nepal, Niger, Nigeria, Pakistan, Panama, Papua New Guinea, Paraguay, Peru, Suriname, Tajikistan, Trinidad and Tobago, Uganda, Vietnam, and Yemen;
Export license requirements on sporting shotguns and optics to U.S. allies;
Limited the use of EAR License Exceptions BAG 15 CFR § 740.14 and LVS § 740.3;
Additional documentation requirements for license applications:

o Purchase Order for all license applications for EAR regulated firearms, related ammunition and components;

o Import Certificate or Equivalent Document for all license applications for EAR regulated firearms, related ammunition and components; and

o Passport or National ID Card for all license applications for exports of EAR regulated firearms, related ammunition and components to individuals (Natural Persons);

Shorter validity period, one (1) Year as opposed to four (4) Years for other BIS 748P licenses for all BIS 748P licenses for the permanent export of EAR regulated firearms, related ammunition and components.

The current rule, 90 Fed. Reg. 47170, revokes a majority of the changes made to the EAR by the Firearms IFR, 89 Fed. Reg. 34680, and restores a majority of the export rules for EAR regulated firearms, related ammunition and components that previously existed. However, the current rule retains the four new ECCNs (0A506, 0A507, 0A508, and 0A509) implemented by Firearms IFR, 89 Fed. Reg. 34680, and does not remove the requirements to obtain BIS 748P licenses for most exports of EAR regulated firearms, related ammunition and components.

The current rule, 90 Fed. Reg. 47170, revokes the purchase order requirements for BIS 748P license applications for EAR regulated firearms, ammunition and components and the requirement for an Import Certificate or Equivalent Document. However, an Import Certificate or Equivalent Document is still a requirement for BIS 748P license applications for exports to countries that require these documents for entry of firearms, ammunition and components into their country. It should be noted that the Import Certificate or Equivalent Document in these instances was a requirement of the EAR prior to implementation of Firearms IFR, 89 Fed. Reg. 34680.

The current rule, 90 Fed. Reg. 47170, also revokes the requirement for a Passport or National ID Card to support a BIS 748P license application for export to individuals (Natural Persons).

Lastly, the current rule, 90 Fed. Reg. 47170, reinstates the four (4) year validity period for BIS 748P licenses for firearms, ammunition and components.

What does the current rule, 90 Fed. Reg. 47170, mean for U.S. exports of EAR regulated firearms, ammunition and components:

There is a wider range of countries to which EAR regulated firearms, ammunition and components can be exported to without the BIS 748P license application being reviewed with a presumption of denial;
There are less supporting documentation requirements to obtain a BIS 748P license EAR regulated firearms, ammunition and components;
EAR License Exceptions BAG § 740.14 and LVS § 740.3 may be available for the export of EAR regulated firearms, ammunition and components;
BIS 748P licenses for the export of EAR regulated firearms, ammunition and components will now be valid for four (4) Years.

What is not clear in the current rule, 90 Fed. Reg. 47170, is whether any BIS 748P licenses that were either revoked or modified by the Firearms IFR, 89 Fed. Reg. 34680, will be reinstated or reinstated without their modifications.

FD Associates suggests that any exporter that had their BIS 748P license revoked or modified contact Benjamin Barron, Supervisory Export Policy Analyst, Bureau of Industry and Security, Department of Commerce, Phone: 202-482-4252, or Ronald Rolfe, Supervisory Export Policy Analyst, Bureau of Industry and Security, Department of Commerce, Phone: 202-482-4563 or by Firearms@bis.doc.gov to determine if their revoked or modified license(s) will be reinstated.

Out With The New, Back To The Old Ways BIS Rescinds Biden Era Firearms Restrictions On Exports Read More »

BIS50% Rule – BIS/EAR New Ownership Test

By George (Jorge) Cánovas, J.D. •Vice President Compliance ;
Creighton Chin • Senior Compliance Associate
Edited byJenny Hahn•President, FD Associates, Inc.

I. Introduction

On June 19, 2025, I wrote an article “Understanding the 50% Rule: How BIS Is Rewriting Export Control Boundaries.” I ended this article with “No drama, no panic. Just preparation. Because when this rule lands, and it will, you’ll want to be ready, not surprised.” Well, it landed on September 29, 2025 and the question of “who really owns the company you are dealing with” is now a reality. That question has now become central to compliance. On September 29, 2025, the Bureau of Industry and Security (BIS) amended 15 C.F.R. §744.11 and its Supplements 4 and 7, extending restrictions to any entity that is fifty percent or more owned, directly or indirectly, by a party on the Entity List or the Military End User (MEU) List.

The Affiliates Rule goes further than the Entity List and MEU List. BIS extended the 50 percent ownership test to affiliates of parties designated under certain OFAC Specially Designated National (SDN) programs identified in 15 C.F.R. §744.8(a). It also extends the Foreign Direct Product (FDP) rules under §734.9(e), including the Russia/Belarus MEU FDP rule, so that foreign-produced items meeting FDP criteria through the involvement of a covered affiliate are now subject to EAR license requirements.

To be clear, these companies are now automatically subject to the same restrictions as their listed entities. This significant policy shift is not an isolated change but rather the culmination of a long regulatory evolution that began with the International Traffic in Arms Regulations’ (ITAR) foreign ownership rules, matured with the Office of Foreign Assets Control’s (OFAC) 2014 50% guidance, and has now fully integrated into the Export Administration Regulations (EAR) framework, making ownership a cornerstone of export compliance that demands a thorough understanding of its history and implications to prepare for what lies ahead.

II. Executive Takeaways

Effective immediately. The BIS Affiliates Rule took effect September 29, 2025.
Short window of relief. A Temporary General License (TGL) applies only through November 28, with strict limits.
Covers Entity List, MEU List, and SDN programs. Ownership links to these parties now trigger license requirements.
Foreign Direct Product rules included. Affiliates bring foreign-produced items under EAR controls if FDP criteria are met.
Ownership is cumulative. Direct and indirect stakes are aggregated at each tier of the chain.
Cascade effect. Subsidiaries of subsidiaries are restricted once the 50% threshold is crossed.
Most restrictive rule applies. If multiple restricted owners exist, the toughest license policy governs.
Branches and divisions are covered. Even non-legally distinct operations fall under the Affiliates Rule.
EAR99 is no safe harbor. Simple, uncontrolled items still require a license when affiliates are involved.
Red Flag 29 adds a duty. Exporters must resolve ownership uncertainties or stop the transaction.
CSL is no longer sufficient. Screening lists won’t catch all covered affiliates; ownership due diligence is mandatory.
Petition process available. Non-listed affiliates can request BIS modification to exclude them if risk is low.
Savings clause. Shipments already en route on Sept. 29 can be completed by Oct. 29 without a license.
Universities and research institutions affected. Especially those with foreign partnerships or end-users tied to listed entities.
Small and mid-sized defense firms at risk. Limited compliance resources make ownership checks harder to scale.
Tech startups vulnerable. Venture funding and opaque ownership create exposure under the rule.
Multinationals with JVs hit hard. Especially in aerospace, energy, and high-tech with ties to China, Russia, or sanctioned hubs.
Financial institutions implicated. Banks, PE, and law firms must incorporate ownership into diligence and financing reviews.
Global supply chains disrupted. Transactions through Europe, the Middle East, or Asia may suddenly become restricted.
Immediate compliance upgrades needed. Companies must expand screening, enhance KYC, escalate reviews, and train staff.
FD Associates is ready. We assist with risk assessment, red flag resolution, and tailored compliance strategies to keep exporters ahead of enforcements.

III. FOCI and ITAR - The First Ownership Gatekeeper

The path to this moment is not new. The ITAR Regulations tied ownership to compliance decades ago. Under 22 C.F.R. §120.16, the definition of a “foreign person” includes entities under foreign ownership or control. For cleared contractors, the National Industrial Security Program Operating Manual (NISPOM) at 32 C.F.R. Part 117 requires mitigation of Foreign Ownership, Control, or Influence, usually through proxy boards, voting trusts, or technology control plans.

Crucially, the ITAR does not leave “ownership” and “control” undefined. 22 C.F.R. §120.65 expressly sets out what counts as ownership and control in this context, clarifying that both direct and indirect power to direct the policies of management of a company triggers ITAR coverage. Crossing the fifty percent ownership threshold has never automatically barred participation in defense contracting, but it has always presumed foreign influence and triggered mitigation. The message from ITAR was clear: ownership and control cannot be separated from compliance.

IV. OFAC and the Birth of the 50% Rule (2014)

The sharper turn came from sanctions. In August 2014, the Office of Foreign Assets Control (OFAC) issued its Revised Guidance on Entities Owned by Persons Whose Property and Interests in Property Are Blocked. This guidance, grounded in 31 C.F.R. §500.310 and elaborated in OFAC’s published FAQs (398 and 401 through 403), confirmed that any entity fifty percent or more owned by one or more blocked persons is itself treated as blocked. The rule aggregates ownership stakes, so two sanctioned parties holding twenty-five percent each are treated the same as one holding fifty percent. Indirect ownership through shell companies also counts. Once blocked under the fifty percent rule, an entity remains blocked absent specific OFAC authorization. That guidance forced a shift across industry: list screening alone was no longer sufficient, because without knowing who owned a counterparty, one could not know whether the transaction was legal.

V. EAR and BIS Expansion (2014–2020)

BIS absorbed the same logic over time. Under 15 C.F.R. §744.11, the agency has long designated parties on the Entity List when their activities are deemed contrary to U.S. security. In 2020, BIS added 15 C.F.R. §744.21, creating a framework for “military end use” and “military end users” in China, Russia, and Venezuela. The Military End User List, set out in Supplement No. 7 to Part 744, formalized this approach. These rules did not yet impose a bright-line ownership test, but they tied export controls to affiliations and relationships that often turned on state ownership. The system was moving toward a recognition that control through ownership was itself an end-use risk.

VI. The September 29, 2025 BIS Rule

On September 29, 2025, BIS announced an interim final rule that decisively aligns its regulations with OFAC’s 2014 guidance by declaring that any subsidiary or affiliate owned 50 percent or more by an Entity List or MEU List party is automatically treated as if it were listed, eliminating loopholes that allowed clean subsidiaries to act as export fronts for listed parents, accounting for indirect ownership through layered structures and offshore holding companies, flagging significant minority ownership as a red flag requiring enhanced due diligence, and providing companies with a short transition period to unwind deals, re-screen counterparties, and update contracts before enforcement begins. This rule represents a full alignment of BIS’s approach with OFAC’s sanctions framework and ITAR’s FOCI principles, closing a critical gap in export control enforcement and reshaping compliance obligations across industries.

It is important to note where ownership is shared among multiple restricted parties, for example, one on the Entity List and another on the MEU List, BIS requires that the most restrictive licensing requirements apply, even if one owner’s stake is small. This “most restrictive” standard means exporters must trace and aggregate ownership across all restricted categories to evaluate license eligibility.

The September 29, 2025 BIS Rule

VI. The September 29, 2025 BIS Rule

The reach of the rule is not theoretical. BIS illustrated in its Federal Register notice that if Company A is on the Entity List and owns 50 percent of Company B, which is not listed, then Company B is automatically subject to the Entity List restrictions. If Company B in turn owns 50 percent of Company C, then Company C is also restricted. The chain continues, even if the later-tier affiliates never appear on a BIS list. (See above)

VII. Country Risk Under the BIS 50% Rule

The September 29, 2025 BIS “50% Rule” expansion has different practical consequences depending on the country where your business or partners operate. Certain jurisdictions are far more likely to host Entity List or Military End User (MEU) parties, or to conceal beneficial ownership through state-owned enterprises (SOEs) and opaque holding structures.

High Risk (Directly Implicated)

China, Hong Kong, Macau – Largest concentration of Entity List and MEU List parties. State-owned enterprises hold controlling stakes in aerospace, AI, quantum, and semiconductor firms. Even civilian-facing firms may be majority-owned by listed parents.
Russia – Extensive Entity List coverage, particularly in aerospace, energy, and defense-industrial sectors. Sanctioned oligarch ownership structures are common.
Iran – Wide-ranging restrictions, with nearly all major industrial entities majority-owned or controlled by sanctioned parties.
Belarus – High overlap with Russian military-industrial base and sanctions.

Moderate Risk (Targeted Sectors, Regional SOEs)

Venezuela – State-owned energy, mining, and defense companies frequently appear on BIS/OFAC lists.
North Korea – Already nearly comprehensive embargo, but risk lies in indirect dealings via third countries.
United Arab Emirates (select free zones/partners) – While not sanctioned, the UAE hosts intermediaries and holding structures that can obscure Chinese, Russian, or Iranian ownership. Enhanced diligence required.
Turkey – Growing scrutiny for dual-use exports and middleman roles in Russia-related transactions.
Cyprus – Also known as a transshipment point where companies are setup to facilitate transactions with China and Russia.

Lower but Not Zero Risk

India, Malaysia, Singapore – Generally lower baseline risk, but technology hubs can attract Chinese/Russian capital or host opaque investment vehicles.
Latin America (Brazil, Mexico, Argentina) – Lower Entity List presence, but risk arises when firms are partly owned by Chinese SOEs or used as transshipment points.

NOTE: This list is not all encompassing.

EAR99 Implications are SUBSTANTIAL

EAR99/ECCN”99” in General

EAR99/ECCN “99” items are those not specifically listed on the Commerce Control List or are listed with an ECCN number with a 99 in it (i.e. 9A991- the AT controlled ECCNs). They typically don’t require a license for export to most destinations. But, and this is the critical point, they are still subject to end-use and end-user controls under Part 744 of the EAR. That means if your counterparty is restricted, EAR99/ECCN “99” status doesn’t help as it would continue to require export licensing, and because of a presumption of denial, it would likely not be approved.

How the 50% Rule Changes the Landscape

Under the new rule (amended 15 C.F.R. §744.11 and its supplements), any entity that is 50% owned by an Entity List or MEU Listed party is treated as if it were itself listed.

That means:

Even EAR99 or AT controlled items (previously no license required) require a license if they are destined to such an entity.
The presumption of denial that applies to listed entity and MEU parties applies equally to their majority-owned subsidiaries, no matter the classification of the item.
A shipment of innocuous EAR99 or AT controlled spares, software, or support materials can now be just as prohibited as a controlled ECCN 9A610 or 3B001 item if the recipient falls under the new ownership test.

Examples

Imagine a U.S. company shipping common replacement fasteners classified EAR99 to a European distributor. On the surface, the distributor looks clear, it is not a named on the Entity List. But under the new rule, because it is 55 percent owned by a Chinese aerospace conglomerate already on the Entity List, that distributor is treated as listed. Suddenly, the EAR99 fasteners require a license from BIS, and that license will likely be denied.

Or consider a university sending EAR99 lab consumables to an overseas research partner. If the partner university is majority-owned by a foreign state entity that appears on the MEU List, the transaction is restricted even though the items are not controlled.

The EAR Takeaway

The September 29, 2025 rule makes it clear that classification alone does not insulate you from ownership risk. EAR99 or AT controlled (previously no license required commodities) no longer represents a “safe harbor” when the recipient is owned by a listed entity. Screening for ownership is now as important as screening for the entity name itself. For exporters and compliance teams, the message is blunt: if you don’t know who owns your counterparty, you don’t know whether you can legally ship, even if all you are sending is EAR99.

IX. Who This Hits Hardest

The new rule falls hardest on companies that lack the resources or visibility to conduct deep ownership checks. Small and medium-sized enterprises are at the front line. Many rely on thin compliance budgets and basic screening tools, which makes them especially vulnerable when their distributors, resellers, or investors are majority-owned by listed parties. A Virginia-based commercial drone quadcopter company, for example, might sell through a European distributor that appears clean in standard screening, only to discover it is 60 percent owned by a Chinese aerospace conglomerate on the Entity List. In that situation, every shipment becomes un-licensable, enforcement risk escalates, and prime contractors disengage.

Tech startups in dual-use fields face a different but equally severe challenge. Venture funding that tips foreign ownership past fifty percent can instantly flip their licensing posture from compliant to prohibited. One financing round can jeopardize the ability to ship, partner, or even continue operations in the U.S. market.

Larger multinational firms are also caught when joint ventures with state-owned enterprises shift into restricted territory. Even if the venture itself has never appeared on a list, once majority ownership by a listed entity is established, the restrictions apply. This creates contractual uncertainty, operational disruption, and reputational risk in industries like aerospace, energy, and advanced manufacturing.

Financial institutions and professional services firms also bear new exposure. Banks, private equity funds, and law firms structuring transactions in jurisdictions such as Cyprus, the British Virgin Islands, or Hong Kong may inadvertently become conduits for restricted ownership structures if diligence stops at name screening. These sectors must now implement forensic-level beneficial ownership checks to avoid entanglement with listed parents.

X. Real World Example of Complexity

The Aviation Industry Corporation of China (AVIC) is explicitly listed on the Military End User List (MEU) under BIS’s Supplement No. 7 to Part 744744 and is also listed on the Entity List, Supplement No. 4 to Part 744 of the EAR. As a Chinese state-owned aerospace and defense conglomerate, AVIC maintains a vast portfolio of subsidiaries and equity stakes, many of which straddle civilian and military sectors.

Because AVIC is an MEU, under the September 29, 2025 “50 % Rule,” any entity that is 50 percent or more owned (directly or indirectly) by AVIC is now treated as though it were similarly restricted—even if that entity has never been named on a BIS list itself.

Several publicly reported U.S. connections illustrate how this might play out in practice:

AVIC owns Cirrus Aircraft, which is headquartered in Minnesota, making Cirrus a U.S. subsidiary of a Chinese aerospace conglomerate.
Through acquisitions, AVIC has gained control of or influence over U.S. firms in aerospace and component manufacturing, including the U.S.–based steering systems company Nexteer Automotive. In 2010, Nexteer, based in Michigan, was acquired by a subsidiary of AVIC.
AVIC has also acquired U.S. component firms and supply chain assets, such as Continental Aerospace Technologies (through which it indirectly controls Thielert, Southern Avionics, and Danbury Aerospace).
AVIC also has dozens of subsidiary companies in Europe either from U.S. owned companies or European founded companies.

Think about a U.S. company shipping basic avionics part to a domestic or a foreign subsidiary of a U.S. company in Europe. On paper, everything looks fine, the distributor isn’t on any government list and it passes routine screening. But, if that distributor is a majority owned by a U.S. company and that company is ultimately controlled by AVIC in China, the new BIS rule makes the transaction restricted.

The outcome is simple and costly as a license would be required, and it would almost certainly be denied. That means the exporter risk in losing or delaying contracts, facing compliance penalties and damaging its reputation with prime contractors.

The rule also makes clear that branches and non-legally distinct operations of listed entities are treated as affiliates, closing another common gap. The lesson is clear. It is not enough to know who you are selling to by name. You need to know who owns them.

XI. Steps to Address the New Era

The September 29 rule makes clear that traditional denied party list screening alone is not enough. To address the new ownership-based obligations under 15 C.F.R.§744.11 and it supplements companies and its employees must take the following steps:

Conduct Beneficial Ownership Checks. Move beyond surface screening. For all counterparties determine the direct and indirect owners, including through registries, corporate filings and reliable commercial databases.
Request certified ownership structure. Develop and implement a certification that requires counterparties to certify their structure.
Escalate complex structures. When ownership appears opaque or layered through offshore companies, escalate immediately to the Empowered Official or legal team. Do not proceed with the transaction until you are given the trade compliance all-clear.
Document Ownership Diligence. Documentation is your friend here, having a process can demonstrate and are following for all international transactions is imperative. Maintain records of how the ownership was determined, what sources were used and any escalation decisions. Remember that documentation is critical for demonstrating compliance in an audit.
Train Staff and Suppliers. Provide annual training on the BIS 50% rule on OFAC parallel ownership rule Make clear that EAR99 and AT controlled ECCN’s are not exempt when the counterparty is majority-owned by a listed entity.
Assume Presumption of Denial. For transactions involving majority owned affiliates of listed parties, do not rely on licensing as a fallback. BIS has indicated such licenses will face a presumption of denial.

BIS created two procedural relief mechanisms.

First, a savings clause allows shipments that were already en route on September 29 pursuant to actual orders to be completed without a license if they arrive by October 29, 2025.
Second, non-listed affiliates captured solely through ownership may petition BIS under §744.16(e) or §744.21(b)(2) to request that their parent’s entry be modified to exclude them if diversion risk is demonstrably low.

NOTE: In addition, BIS created a new Red Flag 29 in Supplement No. 3 to Part 732. If an exporter has reason to know that a counterparty may be majority-owned by a listed party but cannot determine the exact ownership, there is now an affirmative duty to resolve the question. If ownership cannot be confirmed, the transaction must be stopped unless a BIS license is obtained. Simply screening names is no longer enough.

XII. Conclusion

The rule is effective immediately as of September 29, 2025. BIS also issued a Temporary General License (TGL) that remains in effect through November 28, 2025. The TGL is narrow. It allows certain exports, reexports, and transfers involving affiliates captured only by ownership, provided either: (1) the destination is in Country Group A:5 or A:6, or (2) the affiliate is a joint venture with a U.S. or A:5/A:6 partner that is not itself majority-owned by a restricted party. The TGL does not apply if the affiliate is owned in any percentage by a Specially Designated National under a §744.8 program, and it only suspends the new ownership-based license requirement. All other EAR requirements remain in place. This change means that list screening alone is no longer enough. Exporters must be able to identify the beneficial owners of their counterparties, document how that determination was made, and escalate cases where ownership is opaque. Even shipments of EAR99 and AT controlled items will now require a license if the counterparty is majority-owned by a listed entity, and those licenses will almost always be denied.

The takeaway is clear. Ownership checks must become a standard part of every compliance program, alongside classification and licensing. Companies that do not adapt quickly will face blocked transactions, contract losses, and heightened enforcement risk once the 60-day window closes.

At FD Associates we understand that the September 29, 2025 rule doesn’t just raise the compliance bar, it fundamentally changes how business must approach ownership, risk and due diligence. Our team has decades of experience interpreting BIS and OFAC guidance, and designing compliance programs that work in the real world, not just on paper. We can discuss strategies to address these obligations.

Whether you are a startup navigating foreign investment, a smaller or mid-tier defense supplier under pressure from primes, or a multinational with joint ventures abroad, FD Associates can help you map beneficial ownership, evaluate exposure under the 50% rule, and put in place procedures and safeguards regulators expect. The rule may be blunt, but the path forward does not have to be. With the right partner, companies can protect contracts, reduce risk, and stay ahead of enforcement.

FD Associates is that partner. Please reach out to use at +1.703.847.5801 or info@fdassociates.net

By George Canovas, Vice President, Compliance; Creighton Chin, Senior Compliance Associate

Edited by Jenny Hahn, President, FD Associates

I. Introduction

II. Executive Takeaways

Effective immediately. The BIS Affiliates Rule took effect September 29, 2025.
Short window of relief. A Temporary General License (TGL) applies only through November 28, with strict limits.
Covers Entity List, MEU List, and SDN programs. Ownership links to these parties now trigger license requirements.
Foreign Direct Product rules included. Affiliates bring foreign-produced items under EAR controls if FDP criteria are met.
Ownership is cumulative. Direct and indirect stakes are aggregated at each tier of the chain.
Cascade effect. Subsidiaries of subsidiaries are restricted once the 50% threshold is crossed.
Most restrictive rule applies. If multiple restricted owners exist, the toughest license policy governs.
Branches and divisions are covered. Even non-legally distinct operations fall under the Affiliates Rule.
EAR99 is no safe harbor. Simple, uncontrolled items still require a license when affiliates are involved.
Red Flag 29 adds a duty. Exporters must resolve ownership uncertainties or stop the transaction.
CSL is no longer sufficient. Screening lists won’t catch all covered affiliates; ownership due diligence is mandatory.
Petition process available. Non-listed affiliates can request BIS modification to exclude them if risk is low.
Savings clause. Shipments already en route on Sept. 29 can be completed by Oct. 29 without a license.
Universities and research institutions affected. Especially those with foreign partnerships or end-users tied to listed entities.
Small and mid-sized defense firms at risk. Limited compliance resources make ownership checks harder to scale.
Tech startups vulnerable. Venture funding and opaque ownership create exposure under the rule.
Multinationals with JVs hit hard. Especially in aerospace, energy, and high-tech with ties to China, Russia, or sanctioned hubs.
Financial institutions implicated. Banks, PE, and law firms must incorporate ownership into diligence and financing reviews.
Global supply chains disrupted. Transactions through Europe, the Middle East, or Asia may suddenly become restricted.
Immediate compliance upgrades needed. Companies must expand screening, enhance KYC, escalate reviews, and train staff.
FD Associates is ready. We assist with risk assessment, red flag resolution, and tailored compliance strategies to keep exporters ahead of enforcements.

III. FOCI and ITAR - The First Ownership Gatekeeper

IV. OFAC and the Birth of the 50% Rule (2014)

V. EAR and BIS Expansion (2014–2020)

VI. The September 29, 2025 BIS Rule

The September 29, 2025 BIS Rule

VI. The September 29, 2025 BIS Rule

VII. Country Risk Under the BIS 50% Rule

High Risk (Directly Implicated)

China, Hong Kong, Macau – Largest concentration of Entity List and MEU List parties. State-owned enterprises hold controlling stakes in aerospace, AI, quantum, and semiconductor firms. Even civilian-facing firms may be majority-owned by listed parents.
Russia – Extensive Entity List coverage, particularly in aerospace, energy, and defense-industrial sectors. Sanctioned oligarch ownership structures are common.
Iran – Wide-ranging restrictions, with nearly all major industrial entities majority-owned or controlled by sanctioned parties.
Belarus – High overlap with Russian military-industrial base and sanctions.

Moderate Risk (Targeted Sectors, Regional SOEs)

Venezuela – State-owned energy, mining, and defense companies frequently appear on BIS/OFAC lists.
North Korea – Already nearly comprehensive embargo, but risk lies in indirect dealings via third countries.
United Arab Emirates (select free zones/partners) – While not sanctioned, the UAE hosts intermediaries and holding structures that can obscure Chinese, Russian, or Iranian ownership. Enhanced diligence required.
Turkey – Growing scrutiny for dual-use exports and middleman roles in Russia-related transactions.
Cyprus – Also known as a transshipment point where companies are setup to facilitate transactions with China and Russia.

Lower but Not Zero Risk

India, Malaysia, Singapore – Generally lower baseline risk, but technology hubs can attract Chinese/Russian capital or host opaque investment vehicles.
Latin America (Brazil, Mexico, Argentina) – Lower Entity List presence, but risk arises when firms are partly owned by Chinese SOEs or used as transshipment points.

NOTE: This list is not all encompassing.

EAR99 Implications are SUBSTANTIAL

EAR99/ECCN”99” in General

How the 50% Rule Changes the Landscape

Under the new rule (amended 15 C.F.R. §744.11 and its supplements), any entity that is 50% owned by an Entity List or MEU Listed party is treated as if it were itself listed.

That means:

Even EAR99 or AT controlled items (previously no license required) require a license if they are destined to such an entity.
The presumption of denial that applies to listed entity and MEU parties applies equally to their majority-owned subsidiaries, no matter the classification of the item.
A shipment of innocuous EAR99 or AT controlled spares, software, or support materials can now be just as prohibited as a controlled ECCN 9A610 or 3B001 item if the recipient falls under the new ownership test.

Examples

The EAR Takeaway

IX. Who This Hits Hardest

X. Real World Example of Complexity

Several publicly reported U.S. connections illustrate how this might play out in practice:

AVIC owns Cirrus Aircraft, which is headquartered in Minnesota, making Cirrus a U.S. subsidiary of a Chinese aerospace conglomerate.
Through acquisitions, AVIC has gained control of or influence over U.S. firms in aerospace and component manufacturing, including the U.S.–based steering systems company Nexteer Automotive. In 2010, Nexteer, based in Michigan, was acquired by a subsidiary of AVIC.
AVIC has also acquired U.S. component firms and supply chain assets, such as Continental Aerospace Technologies (through which it indirectly controls Thielert, Southern Avionics, and Danbury Aerospace).
AVIC also has dozens of subsidiary companies in Europe either from U.S. owned companies or European founded companies.

XI. Steps to Address the New Era

Conduct Beneficial Ownership Checks. Move beyond surface screening. For all counterparties determine the direct and indirect owners, including through registries, corporate filings and reliable commercial databases.
Request certified ownership structure. Develop and implement a certification that requires counterparties to certify their structure.
Escalate complex structures. When ownership appears opaque or layered through offshore companies, escalate immediately to the Empowered Official or legal team. Do not proceed with the transaction until you are given the trade compliance all-clear.
Document Ownership Diligence. Documentation is your friend here, having a process can demonstrate and are following for all international transactions is imperative. Maintain records of how the ownership was determined, what sources were used and any escalation decisions. Remember that documentation is critical for demonstrating compliance in an audit.
Train Staff and Suppliers. Provide annual training on the BIS 50% rule on OFAC parallel ownership rule Make clear that EAR99 and AT controlled ECCN’s are not exempt when the counterparty is majority-owned by a listed entity.
Assume Presumption of Denial. For transactions involving majority owned affiliates of listed parties, do not rely on licensing as a fallback. BIS has indicated such licenses will face a presumption of denial.

BIS created two procedural relief mechanisms.

First, a savings clause allows shipments that were already en route on September 29 pursuant to actual orders to be completed without a license if they arrive by October 29, 2025.
Second, non-listed affiliates captured solely through ownership may petition BIS under §744.16(e) or §744.21(b)(2) to request that their parent’s entry be modified to exclude them if diversion risk is demonstrably low.

XII. Conclusion

FD Associates is that partner. Please reach out to use at +1.703.847.5801 or info@fdassociates.net

BIS50% Rule – BIS/EAR New Ownership Test Read More »

What the Latest ITAR Revisions Mean for Small Businesses – September 2025

By George (Jorge) Cánovas

Vice President – Compliance

FD Associates, Inc.

When most people hear the phrase International Traffic in Arms Regulations or ITAR, they imagine crates of missiles, stealth fighters, or nuclear warheads. They do not picture an underwater robot used by a marine survey company, a high-performance antenna that can be fitted on a commercial airframe, or a piece of body armor sold through a subcontractor. Yet those are precisely the kinds of items the law can capture. Many of you are specifically aware of this and how nuances can matter to include end users and forward manufacturing.

For readers who have never worked with these rules, or work tangentially with the ITAR in a business development or management position, the ITAR is the regulatory framework administered by the U.S. Department of State (DoS) that controls exports of defense articles, services, and related technical data. The backbone of the system is the U.S. Munitions List, a dense catalog of categories ranging from firearms to avionics to chemical precursors. If your work or your businesses work appears on that list, you cannot transfer it abroad or share it with foreign persons inside the United States without approval. And “export” does not just mean shipping. Letting a foreign engineer review controlled design drawings in your office can be treated exactly the same way as sending a crate of parts across a border.

This is not an academic concern. A small business that never thought of itself as part of the defense sector can suddenly find that its products, software, or even research activities fall under ITAR, which can occur when the DoS’s Directorate of Defense Trade Controls (DDTC) modifies the rules. When that happens, the company must apply for licenses through the DDTC, keep meticulous records, and adapt to a new world of restrictions and oversight. Licenses can take weeks or months and may come with conditions that change how and when you deliver to customers. Penalties for violations are severe, running from multimillion-dollar fines to loss of export privileges. It can also go the other way, and relive companies if the items they produce, sell, etc., have been removed.

A Final Rule with Far-Reaching Impact

On August 27, 2025, the State Department published a final rule in the Federal Register amending key sections of ITAR. This rule revises the U.S. Munitions List, updates definitions, and creates a new license exemption. It builds on an interim rule issued in January 2025 and is explicitly framed as part of a broader strategy to streamline defense trade and deepen cooperation with U.S. allies and partners[1]. The timing was no accident. A few months earlier, President Biden signed Executive Order 14268, Reforming Foreign Defense Sales to Improve Speed and Accountability, which directed the Departments of State and Defense to review the U.S. Munitions List to ensure it focuses on the most sensitive technologies while clearing away unnecessary restrictions.

The rule removes several items that the government no longer believes provide a critical military advantage. Certain GNSS anti-spoofing and anti-jam systems, some controlled reception pattern antennas, airborne collision avoidance system antennas, and tungsten- or steel-based lead-free birdshot are all being shifted off the USML. Once removed, they fall under Department of Commerce jurisdiction and the Export Administration Regulations (EAR), meaning they remain regulated for export but in a less restrictive framework.

At the same time, the final rule strengthens control. It makes permanent temporary controls on items “specially designed” for the F-47 Next Generation Air Dominance Platform[2]. It clarifies definitions around advanced military aircraft. It also responds to public comments that highlighted the civil use of large autonomous underwater vehicles. Recognizing the importance of these systems to sectors like energy, telecommunications, and marine research, the rule creates a new license exemption that allows U.S. companies to participate in operations involving certain Underwater Unmanned Vehicles performing functions such as inspecting offshore pipelines, repairing telecom cables, or conducting search and rescue missions, without the full weight of ITAR licensing. This is a striking acknowledgment of the dual-use reality of twenty-first century technology.

DDTC also emphasized that these revisions are not final. The agency continues to welcome input from the public, inviting companies and researchers to identify items they believe should be revised, removed, or added in future updates. This willingness to consult is unusual in the world of arms control and underscores a trend toward more transparent, iterative management of the U.S. Munitions List.

If your company works in aerospace, maritime technology, advanced electronics, protective equipment, chemicals or any sector that develops products with potential dual-use application, we strongly suggest the you read the attached Federal Register Notice . The revision may address technology that your company handles, makes or develops. The revision reshapes what falls under the ITAR and what shifts to Commerce, falling into the EAR. These changes carry real consequences for how you classify your products, pursue contracts, and handle foreign partnerships. Even if you have never considered yourself part of the defense supply chain, these changes could quietly alter your obligations.

Overview of the Changes In-Process

Items removed from the U.S. Munitions List (now under EAR) under the new revisions[3]:

Certain Global Navigation Satellite System (GNSS) anti-spoofing systems
Certain GNSS anti-jam systems
Controlled Reception Pattern Antennas (CRPAs) for Position, Navigation, and Timing (PNT)
Airborne Collision Avoidance System (ACAS) antennas
Tungsten- and steel-based lead-free birdshot projectiles

Items added or clarified under ITAR control[4]:

Items “specially designed” for the F-47 Next Generation Air Dominance Platform (now permanently controlled) USML Category VIII(a)(7) – permanently controls items specially designed for advanced military aircraft, including the F-47.
Foreign advanced military aircraft, explicitly defined to include those with AESA (Active Electronically Scanned Array) fire-control radars, integrated electronic warfare and signature management systems, and beyond-visual-range targeting capability USML Category XI(b) – electronic systems, equipment, or software specially designed for military electronic warfare, countermeasure, and surveillance functions.
Body armor and protective equipment, revised to reflect the current National Institute of Justice performance standards (USML X)
Energetic materials and chemical precursors, including poly-NIMMO and CL-20-related compounds (USML V)
Revised definitions for certain electronic warfare equipment, excluding some civil navigation gear but tightening controls on military countermeasure, see USML Category XI(b)

New ITAR Exemption:

ITAR License Exemption ITAR §123.16(b)(15) (newly created exemption in the Final Rule) is added for Unmanned Underwater Vehicles (UUVs) under 8,000 pounds may be exported temporarily without an ITAR license when used for civil purposes such as scientific research, natural resource exploration, infrastructure inspection or repair (including oil and gas pipelines and telecom cables), and search and rescue operations.

What It Means for Small Businesses

For a small company, the consequences are immediate and tangible. A firm producing antennas or sensors may suddenly find that while many models are now subject to the EAR, certain advanced or military-configured versions remain ITAR-controlled. That reclassification affects the markets the firm can serve, the partnerships it can form with larger primes, and the way investors assess its risk profile.

Consider also the opportunities. A marine robotics startup might benefit from the new UUV exemption. Instead of months of waiting on a license, it could send a vehicle overseas for a civil infrastructure project with far fewer delays provided the company is registered with DDTC. That advantage is real, but only if the company can prove it qualifies, document the mission, and keep meticulous control of the platform.

A chemical supplier may need to revisit formulations now listed by name in the U.S. Munitions List or a software developer whose algorithms strengthen satellite navigation against spoofing may find itself removed from the ITAR and now under the EAR jurisdiction, which is less restrictive for some destinations but carries its own set of risks.

The common thread is that export classification is critical to all exporters. ITAR is not just associated with missiles, tanks and stealthy aircraft, it touches electronics, materials science, robotics, and software.

For small businesses, the difference between opportunity and liability often lies in whether leadership is paying attention to how their company products, software, technology and services are controlled and the reason that executives must clearly understand the liabilities, as well as business strategic opportunities. If your business can navigate these opportunities correctly and with foresight, you will be the company with the competitive edge, which equates to profits.

Foreign Businesses Should Take Notice

These ITAR US Munitions List revisions should also matter deeply for foreign companies. ITAR follows the item, not just the U.S. manufacturer. A distributor in Europe handling American-made products cannot re-export them freely without reexport authorization. A shipyard in Asia servicing vessels with U.S. navigation equipment must comply with U.S. licensing rules. Even a foreign research consortium that touches U.S. technical data can be pulled into the ITAR regime. Foreign companies need to be knowledgeable on specific changes to the ITAR and the EAR if they do business in the defense sector.

What may not be obvious is that compliance can be a competitive advantage. Executive Order 14268 is explicit about its intent: to streamline defense trade, facilitate cooperation with allies, and reduce unnecessary burdens. For a foreign company seeking to enter the U.S. defense supply chain, demonstrating a mature understanding of ITAR and the EAR is not a box-checking exercise it is a selling point. American primes and government customers increasingly want foreign partners who can handle controlled technology without fear of violations. Firms that invest in compliance now are better placed to win contracts, attract U.S. partners, and be viewed as credible contributors to joint defense projects.

The executive order behind this rule makes the logic plain, that is; by focusing the U.S. Munitions List on the most sensitive technologies and easing controls elsewhere, the U.S. government is trying to speed up defense trade with trusted allies. Foreign businesses that align early, adopt compliance systems, and train their staff are positioning themselves not only to stay safe but also to grow faster in a global marketplace that prizes reliability and accountability.

A Note on Research Institutions

Although this article focuses on businesses, academic research institutions are not immune to the ITAR and the evolution of changes in the regulations. University labs often work with technologies that straddle the civil–military divide. An engineering department experimenting with advanced antennas, a marine science institute operating an underwater vehicle, or a chemistry lab developing new energetic materials can all find themselves pulled into ITAR. The presence of foreign students adds further complexity, since allowing access to controlled data counts as an export under the law. U.S. institutions operating off U.S. soil can find themselves in even a more complex situation. What is clear is that institutions that fail to update their technology control plans, and their internal compliance programs risk both regulatory exposure, reputational harm and the loss of valuable grant opportunities.

Final Thoughts

The September 2025 rule is not simply a regulatory housekeeping exercise. It is part of a deliberate strategy to make the U.S. export control system more precise, more responsive, and more supportive of international cooperation. For small businesses, it is a reminder that compliance is inseparable from competitiveness. For foreign firms, it is a signal that mastering ITAR and the EAR is a way to distinguish themselves as reliable partners in the U.S. defense market. And for research institutions, it is another push to integrate export awareness into daily life.

In the end, these revisions tell a story of adaptation, as it is clear that the U.S. government wants to protect the warfighter’s edge without smothering innovation. Businesses that fully embrace and comply, whether in Virginia or Paris, will not only stay on the right side of the law but will also gain an advantage in a world where compliance is itself a mark of credibility.

Please contact FD Associates if you have any questions or our team of experts can help to position your enterprise to have a clear competitive edge and ensure profits, not liabilities end up on your P&L statement.

What the Latest ITAR Revisions Mean for Small Businesses – September 2025 Read More »

Advanced Computing IC Controls – Impacts On Company Compliance Programs

Creighton Chin – Senior Associate – Compliance

FD Associates

On May 13, 2025, the U.S. Department of Commerce, Bureau of Industry & Security (“BIS”) published a policy statement, accompanied by two guidance documents, that introduced new license requirements under the Export Administration Regulations (“EAR”) for the exports, reexports, and transfers of Advanced Computing Integrated Circuits (IC), and other commodities for use with Artificial Intelligence (AI) models that support Weapons of Mass Destruction (WMD) and military-intelligence in certain countries.

The key points of these documents are summarized below.

The BIS policy statement, Controls that May Apply to Advanced Computing Integrated Circuits (IC) and Other Commodities Used to Train AI Models, (herein after referred to May 13 AI Policy Statement) requires exporters and re-exporters to obtain a BIS license to export, reexport, or transfer a commodity classified under Export Control Classification Numbers (ECCN) 3A090.a, 4A090.a and .z items in Categories 3, 4, and 5, e.g. 5A992.z, when there is “knowledge[1]” that the commodity will be used in an AI model that will further the use of WMDs or military intelligence activities in a D:5 country, or for or on behalf of an entity headquartered in a D:5 country.This license requirement applies to U.S. persons that provide any support or performs any contract, service, or employment, when there is “knowledge” that the activities and services will be used for or may assist the training of AI models for or on behalf of parties headquartered in D:5 countries (including China) or Macau.Exporters and re-exporters should presume a policy of denial consistent with policies stated in Part 744.6 – Restriction on Specific Activities of “U.S. Persons”; Part 744.22 - Restrictions on Export, Reexports, and Transfers to certain Military-Intelligence End Users; and Part 744.23, “Supercomputer,” “Advanced - Node Integrated Circuits,” and Semiconductor Manufacturing Equipment End Use Controls, of the Export Administration Regulations (EAR) for any D:5 country.
In its guidance document, Industry Guidance to Prevent Diversion of Advanced Computing Integrated Circuits, BIS provided to exporters and reexporters AI-oriented behavioral and transactional red flags that will trigger a license under the May 13 AI Policy Statement when not mitigated. These red flags add to the “Know Your Customer” Guidance and Red Flags published in Supplement No. 3 to Part 732 of the EAR.

Included with this guidance are due diligence actions required for vetting companies involved in the use or export of AI ICs to destinations outside country Group A:1.

In the second guidance document, Guidance on Application of General Prohibition 10 (GP10) to People’s Republic of China (PRC) Advanced-Computing Integrated Circuits (ICs), BIS clarified that it is a violation of GP10 for any company, including foreign companies, to use Chinese-produced ICs that meet the Advanced IC performance criteria of ECCN 3A090. The guidance included a non-exhaustive illustrative list of three Huawei ICs (i.e. Ascend 910B, 910C, and 910D) subject to GP10 and clarified that boards, servers, or assemblies, whether or not included in the list, are subject to the prohibitions.

This latest knowledge-based end user and end use control and the related due diligence actions, such as evaluating a customer’s ownership structure, adds to the list of other knowledge-based end user and end use restrictions in Part 744 that companies must address when doing business internationally.

These requirements and those under consideration by BIS, such as implementing a 50% ownership similar to one imposed by the Office of Foreign Asset Controls (OFAC) and proposed rules that will expand the scope of intelligence gathering restrictions, require a company to continuously evaluate its compliance program to ensure that it evolves with regulatory changes, as well as those within the company, to prevent violations under the EAR.

We recommend that companies - even those that are not affected by this new requirement - review their compliance programs to ensure it includes a robust end user and end use screening process that reviews transactions against the denied and restricted party lists and the Parts 744 and 746 controls. The process should include methodologies for collecting end user and end use information, as well as for red flag identification with increasing levels of due diligence and risk mitigation that matches the identified risk level. BIS has stated recently that it expects companies to be derisking high risk transactions as described in the various guidance documents and in the EAR and will penalize companies that ignore red flags.

Companies should assess whether their screening tools used for denied and restricted party screening screens the parties to the transaction against relevant lists. The relevant list extends beyond the lists specified under the EAR and include, as stated in the guidance, the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) List, or the U.S. Department of State’s Statutorily Debarred Parties List. In practice, the screening lists should include all the lists administered by OFAC and the DoS. As part of assessment, companies should ensure their screening tools and processes rescreens entities against updates to the lists and flags to responsible employees any open transactions involving a potential match.

With the increasing likelihood that BIS will implement a 50% ownership rule, companies must now consider enhancing their screening process to include an evaluation of an entity’s ownership structure and relevant close affiliations. This is necessary to determine whether the entity is 50% or more owned by a party on the Entity List or other restricted party lists that could prohibit the transaction or trigger a license requirement under the EAR.

Evaluating a company’s ownership structure and potential connections to restricted or sanctioned parties may be supported through ownership research services provided by Kharon, Dow Jones, and Dun & Bradstreet. Additional sources include investor reports, open-sourced platforms (e.g. OpenSanctions.org, and China Defence University Tracker), and general internet searches. Each has its strengths and limitations and should be used to augment traditional screening tools.

Finally, the review should evaluate whether the compliance program provides ongoing training to the employees responsible for screening transactions. Training should include update on regulatory changes, effective use of the screening tools and techniques for researching an entity’s ownership, and changes in the company’s activities (e.g. introduction of new productions or markets) that could subject the activity under existing proposed rules.

As export control regulations continue to evolve and government regulators place greater emphasis on companies to know their customers and to mitigate risk of diversion, companies that fail to regularly review and update their compliance program expose themselves to significant penalties.

A robust end user and end use screening process is one element of a compliance program.

The article Does Your Export Compliance Program Pass Muster? highlights essential elements of an effective compliance program and challenges that companies may face when implementing a program. FD Associates has the expertise and experience to navigate these challenges and can support your company with targeted solutions, such as enhancing your end user and end use screening processes or developing a compliance program tailored to your company.

[1] Knowledge. Knowledge of a circumstance (the term may be a variant, such as "know," "reason to know," or "reason to believe") includes not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. Such awareness is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person's willful avoidance of facts.

Advanced Computing IC Controls – Impacts On Company Compliance Programs Read More »

Department of State Agreement Notifications – Inking the Deal

By Kenneth E. Schmidt, J.D. – Senior Associate

After fording the river and finally getting your Technical Assistance Agreement (“TAA”) or Manufacturing License Agreement (“MLA”) approved by Directorate for Defense Trade Controls (“DDTC”), it can be tempting to start firing off information to and performing defense services for authorized parties. Like cowboys and cowgirls of the past, however, we need to keep firmly in the saddle and not let the cart drift ahead of our horse.

While approval of a TAA/MLA is a good first step on the journey to share export-controlled information and begin defense services, we need to be careful to disarm those thorny administrative tasks, such as inking the TAA/MLA and providing a copy of the fully executed agreement to DDTC within 30 days of the last signature. The International Traffic in Arms Regulations (“ITAR”) Part 124.4 states:

(a) The United States party to a manufacturing license or a technical assistance agreement must file one copy of the concluded agreement with the Directorate of Defense Trade Controls not later than 30 days after it enters into force. If the agreement is not concluded within one year of the date of approval, the Directorate of Defense Trade Controls must be notified in writing and be kept informed of the status of the agreement until the requirements of this paragraph or the requirements of § 124.5 are satisfied.

Yes, DDTC wants to see dried ink on that TAA/MLA as a condition precedent to utilizing TAA/MLA authorization. And while it may seem outdated, digital signatures are still not permitted.

Now the second obligation often overlooked in the excitement and flurry of the next great adventure, is the need to let the sheriff (a/k/a DDTC) know before you set out to export technical data or perform defense services. This initial notification requirement is set forth in ITAR Part 123.22(b)(3)(ii), which states:

(ii) Manufacturing license and technical assistance agreements. Prior to the initial export of any technical data and defense services authorized in an agreement the U.S. agreement holder must electronically inform DDTC that exports have begun. In accordance with this subchapter, all subsequent exports of technical data and services are not required to be filed electronically with DDTC except when the export is done using a U.S. Port. Records of all subsequent exports of technical data shall be maintained by the exporter in accordance with this subchapter and shall be made immediately available to DDTC upon request. Exports of technical data in furtherance of an agreement using a U.S. Port shall be made in accordance with § 125.4 of this subchapter and made in accordance with the procedures in paragraph (b)(3)(iii) of this section.

Did you catch that “[p]rior to?” Yep, prior to setting out on the trail with your TAA/MLA, your TAA/MLA must be signed (fully executed), a copy of which provided to DDTC within 30 days after entering into force, and DDTC must be notified prior to the initial export of technical data and/or providing of defense services under the TAA/MLA.

So, if you need help navigating the wild west of TAA/MLA implementation or would like to know what to do if your cart got ahead of the horse, give us a call at 703-847-5801.

Department of State Agreement Notifications – Inking the Deal Read More »

The Department of State Published a Proposed Rule to Create an Exemption for Certain Exports, Reexports, Retransfers, Or Temporary Imports Of Defense Articles Or Defense Services, Or Certain Brokering Activities Between or Among Authorized Users Within Australia, The United Kingdom, And The United States (AUKUS)

By John Herzo, Senior Compliance Associate, FD Associates, Inc.

89 Fed. Reg. 35028

On April 19, 2024, FD Associates, Inc., advised its followers of the U.S. Department of Commerce, Bureau of Industry and Security’s (“BIS”) amendment to the Export Administration Regulations (“EAR”) to remove license requirements, expand the availability of license exceptions, and reduce the scope of end-use and end-user-based license requirements for exports, reexports, and transfers (in-country) to or within Australia and the United Kingdom (“UK”) to enhance technological innovation among the three countries and support the goals of the Governments of Australia, United Kingdom, United States (“AUKUS”).

The Department of State’s (“the Department”) proposed rule for exports by and between AUKUS member nations has been published. On May 1, 2024, the Department of State published a proposed rule in the Federal Register (89 Fed. Reg. 35028) that, if finalized, would create an exemption for certain exports, reexports, retransfers, or temporary imports of defense articles or defense services, or certain brokering activities between or among authorized users within Australia, the United Kingdom, and the United States. The exemption would be available for all defense articles or defense services, except for those contained within a limited excluded list. The proposed rule would also introduce a provision to allow for certain transfers of classified defense articles to certain dual nationals and would codify an expedited license review process for Australia, the United Kingdom, and Canada. Industry may submit comments regarding the proposed rule to the Department by May 31, 2024.

The Department has proposed to amend the International Traffic in Arms Regulations (ITAR) to support the goals of the AUKUS partnership, the enhanced trilateral security partnership among Australia, the United Kingdom, and the United States. This exemption is designed to foster defense trade and cooperation between and among the United States and two of its closest allies. It is reflective of the nations’ collective commitment to implement shared security standards on protecting defense technology and sensitive military know-how.

The proposed new exemption, designed to implement the provisions of new section 38(l) of the Armes Export Control Act (AECA), would be located in ITAR § 126.7 and would provide that no license or other approval is required for the export, reexport, retransfer, or temporary import of defense articles; the performance of defense services; or engagement in brokering activities between or among designated authorized users within Australia, the United Kingdom, and the United States provided certain requirements and limitations are met. These include a list of excluded defense articles and defense services not eligible for the exemption, which can be found in a proposed Supplement No. 2 to Part 126. The scope of excluded defense articles and defense services remain subject to revision and the Department welcomes comment on proposed Supplement No. 2 to Part 126.

A summary of the key details regarding the requirements and limitations of the proposed exemption are as follows:

In § 126.7(b)(1), the exemption may only be used for transfers to or within the physical territory of Australia, the United Kingdom, or the United States;
In § 126.7(b)(2), the pool of eligible members, known as authorized users, is created to facilitate secure defense trade and cooperation. Australia and the United Kingdom’s members will undergo an authorized user enrollment process, in coordination with DDTC, and those members will be listed through the DDTC website. Members located in the United States must be registered with DDTC and not debarred under ITAR § 127.7.
In § 126.7(b)(3), the defense articles and defense services listed in Supplement No. 2 to Part 126 are not eligible for this proposed exemption. These items are excluded from eligibility under the proposed exemption because (1) they are exempted from eligibility by statute, including AECA section 38(j)(1)(C)(ii), or (2) are specifically exempted by either the UK, Australia, or the United States, per AECA section 38(l)(4)(A). These items are, however, subject to the expedited licensing procedures listed in § 126.15 and may be reviewed and revised during the lifetime of the exemption.
In § 126.7(b)(4), transferors that use this proposed exemption must abide by this requirement for recordkeeping purposes, and such records must be made available to DDTC upon request.
In § 126.7(b)(5), the limitations provided exclude exemption use for transfers that would require certification to Congress pursuant to sections 36(c) and 36(d) of the AECA.
In § 126.7(b)(6) and (7), the Department is reiterating other ITAR provisions to underscore that the proposed exemption is subject to other requirements within the subchapter, and the named sections are not an exhaustive list.
In § 126.7(b)(8), the Department is establishing that classified defense articles and defense services are eligible for transfer under this exemption provided the authorized users in the United States, Australia, and the United Kingdom meet their respective industrial security requirements. For authorized users in the United States, this is the National Industrial Security Program Operating Manual (NISPOM) (32 CFR part 117) and, for Restricted Data, the Atomic Energy Act of 1954, as amended. For Australian authorized users, this is the Defence Security Principles Framework (DSPF) Principle 16 and Control 16.1, Defence Industry Security Program, and for United Kingdom authorized users this is the Government Functional Standards (GovS) 007: Security.
The Department is also proposing to add a provision to the exemption in ITAR § 126.18 to allow certain dual nationals of Australia and the United Kingdom to receive classified defense articles without a separate license from DDTC. These persons must be authorized users of the exemption in § 126.7 or regular employees of such authorized users in § 126.7, hold a security clearance approved by Australia, the United Kingdom, or the United States that is equivalent to the classification level of SECRET or above in the United States, and be located within the physical territory of Australia, the United Kingdom, or the United States or be a member of the armed forces of Australia, the United Kingdom, or the United States acting in their official capacity.
Lastly, the Department is proposing to revise § 126.15 per the provisions of section 1344 of the NDAA for Fiscal Year 2024. This revised text would note the review of license applications for exports of certain commercial, advanced-technology defense articles and defense services to or between the physical territories of Australia, the United Kingdom, or Canada, and are with government or corporate entities from such countries, shall be processed within certain timeframes. The subject export must not be eligible for transfer under an ITAR exemption. License requests related to a government-to-government agreement between Australia, the United Kingdom, or Canada and the United States must be approved, returned, or denied within 30 days of submission. For all other license applications subject to this section, any review shall be completed no later than 45 calendar days after the date of the application.

Please contact your FD Associates consultant for guidance on transactions with Australia and the UK.

The Department of State Published a Proposed Rule to Create an Exemption for Certain Exports, Reexports, Retransfers, Or Temporary Imports Of Defense Articles Or Defense Services, Or Certain Brokering Activities Between or Among Authorized Users Within Australia, The United Kingdom, And The United States (AUKUS) Read More »

Consultants Corner

First, decision ownership begins to fragment.

Second, edge cases quietly become the norm.

Third, compliance quietly shifts from governance to negotiation.

FCC Covered UAS and Critical Components

What the Rule Does and Does Not Do

How This Plays Out in Practice

What the FCC Actually Examines During Authorization

Why This Is More Complicated Than It First Appears

What This Means for U.S. Drone Companies

The Bottom Line

Ready to strengthen your export compliance?

The reflex that causes trouble: “It’s just EAR99”

Where compliance usually breaks down

Why practical training matters

Compliance protects revenue

Experience and consistency make the difference

First Update to the Entity List since Implementation of the BIS Affiliate Rule (AKA 50% Beneficial Ownership Rule)

Companies Must Adopt New Strategies and Tools to Comply with the Expanded Use of the 50% Beneficial Ownership Rule and Frequent Updates to the Lists

U.S . Origin Components Were Recovered from the UAS/UAV wreckage

The Additions Included the China and Hong Kong Subsidiaries of Arrow Electronics, a U.S. Electronics Distributor

What’s Next?

I. Introduction

II. Executive Takeaways

III. FOCI and ITAR - The First Ownership Gatekeeper

IV. OFAC and the Birth of the 50% Rule (2014)

V. EAR and BIS Expansion (2014–2020)

VI. The September 29, 2025 BIS Rule

VII. Country Risk Under the BIS 50% Rule

IX. Who This Hits Hardest

X. Real World Example of Complexity

XI. Steps to Address the New Era

XII. Conclusion

I. Introduction

II. Executive Takeaways

III. FOCI and ITAR - The First Ownership Gatekeeper

IV. OFAC and the Birth of the 50% Rule (2014)

V. EAR and BIS Expansion (2014–2020)

VI. The September 29, 2025 BIS Rule

VII. Country Risk Under the BIS 50% Rule

IX. Who This Hits Hardest

X. Real World Example of Complexity

XI. Steps to Address the New Era

XII. Conclusion

A Final Rule with Far-Reaching Impact

Overview of the Changes In-Process

Items removed from the U.S. Munitions List (now under EAR) under the new revisions[3]:

Items added or clarified under ITAR control[4]:

New ITAR Exemption:

What It Means for Small Businesses

Foreign Businesses Should Take Notice

A Note on Research Institutions

Final Thoughts

Creighton Chin – Senior Associate – Compliance