Export Control and Trade Compliance Policy Template


3 pages • 20–30 min to fill • Difficulty: Standard

At a glance

What it is
An Export Control and Trade Compliance Policy is an internal governing document that defines how your organization identifies, classifies, licenses, and monitors the export of goods, software, technology, and services subject to national trade regulations. This free Word download gives you a structured, ready-to-customize template covering EAR, ITAR, OFAC sanctions, and end-use screening that you can edit online and share with your compliance, legal, and operations teams.
When you need it
Use it when your company ships physical goods, transfers technology, or provides services to foreign persons, companies, or governments — or when a customer audit, contract requirement, or internal risk review requires documented compliance procedures.
What's inside
Policy scope and objectives, regulatory framework references, classification and licensing procedures, sanctions and restricted-party screening, employee roles and training requirements, recordkeeping obligations, violation reporting, and enforcement and disciplinary procedures.

What is an Export Control and Trade Compliance Policy?

An Export Control and Trade Compliance Policy is an internal governance document that defines how an organization classifies, licenses, screens, and monitors the export of goods, software, technology, and services subject to national and international trade regulations. It translates complex regulatory obligations — including the U.S. Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and OFAC sanctions programs — into specific, role-assigned procedures that employees can follow on every international transaction. By establishing clear decision rules for classification, licensing, denied-party screening, and recordkeeping, the policy converts an abstract legal obligation into an operational process that reduces the risk of inadvertent violations.

Why You Need This Document

Without a written export control policy, your company has no documented basis for the classification decisions, screening steps, and license determinations that regulators require — and no mitigation credit when a violation is discovered. Civil penalties under EAR can exceed $356,000 per transaction; ITAR penalties can exceed $1.39 million per violation, with criminal liability for willful breaches. Beyond penalties, export violations can result in denial of export privileges, debarment from government contracts, and reputational damage that closes international markets permanently. A documented, actively maintained compliance program is the single most important mitigating factor regulators consider when calculating penalties after a voluntary self-disclosure. This template gives you the structured starting point to build that program quickly — defining ownership, procedures, and recordkeeping requirements in a format that satisfies BIS and DDTC expectations from day one.

Which variant fits your situation?

If your situation is… | Use this template
Company exports only commercial off-the-shelf goods subject to EAR | Export Control Policy (EAR-Focused)
Company manufactures defense articles or services subject to ITAR | ITAR Compliance Policy
Company requires a standalone sanctions screening procedure | Sanctions Compliance Policy
Company needs employee-facing training acknowledgment on trade compliance | Trade Compliance Training Acknowledgment Form
Company is drafting a broader enterprise compliance framework | Corporate Compliance Policy
Company needs to document procedures for denied-party list screening | Restricted Party Screening Policy
Company requires a general import and customs compliance procedure | Import Compliance Policy

Common mistakes to avoid

❌ Classifying all items as EAR99 without documented review

Why it matters: EAR99 is a default designation, not an automatic safe harbor. Shipping a controlled item without a license because it was assumed to be EAR99 can result in civil penalties up to $356,579 per violation under BIS guidelines.

Fix: Require a written classification determination for every product before its first export, referencing the CCL or a qualified counsel opinion, and log it in your compliance system.

❌ Screening counterparties only at onboarding

Why it matters: Sanctions designations are added to government lists continuously — a customer who passed screening at contract signing may be listed by the time the shipment occurs, making the transaction a strict-liability OFAC violation.

Fix: Implement transaction-level screening at every order and re-screen open orders on a weekly automated basis using a current-data screening tool.

❌ Omitting deemed exports from the policy scope

Why it matters: Sharing controlled technology with a foreign national employee or visitor inside the US is treated as an export to their home country under EAR and ITAR — an omission that creates undetected violations in engineering and R&D teams.

Fix: Add explicit deemed-export procedures to the policy covering foreign national hires, lab access, and technology-sharing protocols with non-US persons.

❌ No documented escalation path for red flags

Why it matters: BIS and DDTC both evaluate the quality of an organization's compliance program when calculating penalties — the absence of a documented red-flag escalation procedure eliminates a key mitigation factor and signals a non-functional program.

Fix: Add a red-flag checklist to the policy that employees complete for unusual transactions, with a clear instruction to pause and escalate rather than proceed with the sale.

❌ Retaining shipping documents but discarding screening logs and classification worksheets

Why it matters: Regulators require the full decision trail to assess whether a violation was willful — if classification and screening records are missing, the company cannot demonstrate it followed required procedures.

Fix: Establish a single transaction folder that keeps the shipping document, classification determination, license or exception citation, and screening log together for the required retention period.

❌ Adopting the policy without training in-scope employees

Why it matters: A written policy with no employee training record is treated as a paper compliance program — regulators give minimal mitigation credit and courts have found it indicative of reckless disregard.

Fix: Schedule and document a training session within 30 days of policy adoption, record attendance, and build annual recertification into the compliance calendar.

The 10 key sections, explained

Policy purpose and scope

Regulatory framework overview

Classification and jurisdiction determination

Export licensing procedures

Sanctions and restricted-party screening

Employee roles and responsibilities

Training requirements

Recordkeeping obligations

Red flag identification and escalation

Violation reporting and enforcement

How to fill it out

  1. Identify the regulations that apply to your products and operations

    Determine which regulatory regimes govern your exports — EAR for commercial and dual-use goods, ITAR for defense articles, OFAC for sanctions — based on your product categories and the countries you sell to. List each applicable regulation in the policy's regulatory framework section.

    💡 If you are unsure whether your product falls under EAR or ITAR, request a commodity jurisdiction determination from the State Department's DDTC before customizing the template.

  2. Assign the export compliance officer role

    Name a specific individual or title as Export Compliance Officer and document their responsibilities in the roles section. Identify at least one backup designee so the program continues when the primary officer is unavailable.

    💡 The ECO does not need to be a lawyer, but they must have dedicated time and authority — part-time assignments with no budget or decision-making power are the single biggest predictor of program failure.

  3. Document your classification process

    Define step by step how your team determines the ECCN or USML category for each product, software, or technology. Include who performs the review, what resources they use (BIS CCL, manufacturer documentation, legal counsel), and where the results are logged.

    💡 Build a classification matrix listing your top 20 products with their ECCNs — this accelerates future transactions and demonstrates a proactive program to auditors.

  4. Configure your restricted-party screening procedure

    Specify which lists you screen against (SDN, Entity List, Denied Persons List, Unverified List, and any foreign government lists), which screening tool you use, and at what points in the transaction lifecycle screening occurs.

    💡 Set your screening tool to re-screen open orders weekly — not just at order entry — since new designations are published without advance notice.

  5. Define the license determination and exception documentation process

    Map out the decision tree: determine jurisdiction, check the ECCN, identify the country and end-use, and determine whether a license is required or a license exception applies. Specify how each determination is documented and stored.

    💡 Create a one-page license determination checklist that employees complete for every international transaction — it takes five minutes and creates a defensible paper trail.

  6. Set training requirements and schedule the first cycle

    Fill in the roles required to complete training, the deadline for new hires, and the annual recertification date. Draft a brief training outline covering jurisdiction, classification, screening, red flags, and reporting.

    💡 Schedule the first training cycle for the same month you adopt the policy — a policy with no training record attached is treated as paper compliance.

  7. Establish recordkeeping locations and retention periods

    Name the system or folder where each record type is stored and confirm the retention period meets the applicable regulatory minimum (five years for most EAR records; five years from license expiration for ITAR).

    💡 Store screening logs, classification decisions, and license documentation in a single folder structure organized by transaction date — regulators request records by date range, not by document type.

  8. Review and approve the policy before distribution

    Have senior management — CEO, General Counsel, or VP Operations — formally approve the policy and record the approval date. Distribute to all in-scope employees and collect signed acknowledgment forms.

    💡 Publish the approved policy on your company intranet with a version number and date — version control demonstrates an active, living program rather than a one-time filing.

Frequently asked questions

What is an export control and trade compliance policy?

An export control and trade compliance policy is an internal governing document that defines how a company identifies controlled goods and technology, determines licensing requirements, screens transaction parties against sanctions lists, and trains employees to follow applicable trade regulations. It is the foundation of a formal export compliance program and is required or strongly recommended for any organization that exports goods, software, or technical data across international borders.

Who needs an export control and trade compliance policy?

Any company that exports physical goods, transfers software or technology to foreign persons, provides services to foreign customers, or employs foreign nationals with access to controlled technology typically needs this policy. It is especially critical for manufacturers, defense contractors, technology companies, and distributors — but even companies that assume their products are low-risk benefit from having a documented program to demonstrate good-faith compliance.

What is the difference between EAR and ITAR?

EAR (Export Administration Regulations) governs commercial and dual-use goods, software, and technology administered by the Commerce Department's Bureau of Industry and Security. ITAR (International Traffic in Arms Regulations) governs defense articles, defense services, and related technical data listed on the U.S. Munitions List, administered by the State Department. ITAR is generally stricter — it requires registration with DDTC, imposes broader licensing requirements, and applies to technical data shared even within the US with foreign nationals.

What is a deemed export and why does it matter?

A deemed export is the release of controlled technology or source code to a foreign national inside the United States, which is legally treated as an export to that person's country of citizenship. It matters because engineering teams, universities, and R&D labs frequently share controlled technology with foreign national employees and visitors without realizing the activity requires a license or falls under an exception. Failure to address deemed exports is one of the most common undetected compliance gaps.

Does a small company need a formal export compliance program?

Yes, if it exports or transfers controlled items. Export control obligations apply regardless of company size — BIS and DDTC do not provide a small-business exemption. A proportionate program for a small company may be simpler than one for a large manufacturer, but it must still include documented classification, screening, and recordkeeping procedures. The absence of any formal program is an aggravating factor in penalty calculations if a violation occurs.

How often should an export control policy be updated?

At minimum, the policy should be reviewed annually and whenever there is a material change in your product lines, a new destination country, a significant regulatory amendment, or a change in ownership or corporate structure. EAR control lists and OFAC sanctions programs are updated frequently — embedding a calendar review into your compliance program ensures the policy stays current.

What happens if a company violates export control regulations?

Civil penalties under EAR can reach $356,579 per violation or twice the transaction value, whichever is greater. ITAR civil penalties can reach $1,398,328 per violation. Criminal penalties include fines and imprisonment. Companies with a documented compliance program that make voluntary self-disclosure typically receive significantly reduced penalties compared to those where violations are discovered by regulators.

What records must be kept under EAR?

EAR requires exporters to keep records of all export transactions, including classification determinations, license applications and approvals, license exception citations, denied-party screening results, shipping documents, and end-use certificates — generally for five years from the date of export or the expiration of the applicable license. ITAR imposes similar requirements with some category-specific variations.

Can this template be used for companies outside the United States?

The template is drafted around US export control regulations (EAR, ITAR, OFAC) because they are the most broadly applicable and affect any company that exports US-origin items or technology regardless of where the exporting company is headquartered. Non-US companies should supplement the template with applicable national regulations — EU Dual-Use Regulation, UK Export Control Order, or others — and consider engaging local trade counsel to confirm the regulatory references are accurate for their jurisdiction.

How this compares to alternatives

vs Corporate Compliance Policy

A corporate compliance policy covers the full spectrum of legal and ethical obligations — anti-bribery, data privacy, conflicts of interest, and financial integrity. An export control policy is a specialized subset focused exclusively on trade regulations and cross-border transaction controls. Companies subject to EAR or ITAR need both: the corporate policy sets the governance framework; the export policy provides the operational detail regulators expect to see.

vs Anti-Bribery and Corruption Policy

An anti-bribery policy addresses FCPA, UK Bribery Act, and related prohibitions on payments to government officials. An export control policy addresses trade regulation compliance — licensing, classification, and sanctions screening. Both apply to international business but govern different legal risks. Companies with active international operations typically need both documents in their compliance library.

vs Data Privacy and Security Policy

A data privacy policy governs how personal data is collected, used, stored, and shared under GDPR, CCPA, and similar regimes. An export control policy governs the cross-border transfer of controlled technology, goods, and technical data under trade regulations. For technology companies, both are relevant — controlled technical data can simultaneously be subject to ITAR and privacy regulations when it includes personal information.

vs Vendor Code of Conduct

A vendor code of conduct sets expectations for supplier behavior across ethics, labor, environment, and compliance broadly. An export control policy focuses internally on the company's own export transactions and classification procedures. The two are complementary — the vendor code can require suppliers to maintain their own export compliance programs, but it cannot substitute for the company's own internal policy.

Industry-specific considerations

Defense and aerospace

ITAR registration with DDTC is mandatory; USML classification applies to hardware, technical data, and defense services; foreign military sales require individual licenses with end-use monitoring.

Technology and SaaS

Deemed export risk is highest in engineering teams with foreign national employees; source code and encryption software have specific EAR classification and reporting requirements under ECCNs 5D002 and 5E002.

Manufacturing

Dual-use machinery, precision equipment, and industrial chemicals frequently carry ECCNs requiring license review; distributors and resellers must conduct pass-through compliance to avoid facilitating violations.

Life sciences and medical devices

Certain biological agents, select agents, and advanced medical technology require BIS licensing for sensitive destinations; sanctions screening is critical for humanitarian-exemption transactions in restricted countries.

Financial services

OFAC sanctions compliance is the dominant concern; banks, payment processors, and fintech companies must screen transactions, beneficiaries, and correspondent banks against the SDN and blocked-persons lists in real time.

Professional services and consulting

Defense services under ITAR include technical assistance and training — consulting firms that advise on defense systems or provide controlled technical data to foreign clients need a policy even without physical exports.

Template vs pro — what fits your needs?

Path | Best for | Cost | Time
Use the template | Companies exporting low-ECCN commercial goods or EAR99 items to non-sanctioned destinations with straightforward transactions | Free | 2–4 hours to customize and distribute
Template + professional review | Companies with dual-use products, foreign national employees, or any transactions involving embargoed countries or sensitive end-users | $500–$2,500 for a trade counsel review session | 1–2 weeks
Custom drafted | ITAR-registered defense contractors, companies under BIS or DDTC audit, or multinationals with export activity across multiple regulatory regimes | $3,000–$15,000 for a specialized trade compliance attorney or consulting firm | 4–8 weeks

Glossary

EAR (Export Administration Regulations)
US regulations administered by the Bureau of Industry and Security (BIS) governing the export of commercial and dual-use goods, software, and technology.
ITAR (International Traffic in Arms Regulations)
US regulations administered by the State Department's DDTC governing the export and import of defense articles, defense services, and related technical data.
ECCN (Export Control Classification Number)
An alphanumeric code assigned to items on the Commerce Control List that indicates the item's characteristics and the reasons it is controlled.
EAR99
A designation for items subject to EAR that are not listed on the Commerce Control List and therefore have the lowest level of export control — most do not require a license except for sanctioned destinations.
OFAC (Office of Foreign Assets Control)
The US Treasury agency that administers and enforces economic and trade sanctions against targeted countries, entities, and individuals.
Denied Party Screening
The process of checking customers, suppliers, and transaction parties against government lists of sanctioned or restricted entities before completing a transaction.
Deemed Export
The release of controlled technology or source code to a foreign national within the United States, which is treated as an export to that person's home country.
License Exception
A provision in the EAR that authorizes an export, re-export, or transfer that would otherwise require an individual validated license, subject to specific conditions.
Technical Data
Under ITAR, information required for the design, development, production, manufacture, assembly, or operation of a defense article — including blueprints, plans, and specifications.
Red Flags
Indicators in a transaction — unusual payment methods, vague end-use, shipment routing through third countries — that trigger an obligation to investigate before proceeding.
End-Use Certificate
A document signed by the buyer stating the intended final use and final destination of exported goods, required for certain controlled items.
