IBMers have been animated by an enduring Purpose - to be essential. The goal of this learning activity is to "share expertise" on how IBM complies with Export Regulations. IBM has a global export compliance program, which includes: - corporate export regulation office.
Complying with Export Regulations

2013 International Business Machines Corporation

"For more than a century - as products, technologies and eras have come and gone - IBMers have been animated by an enduring Purpose - to be essential. We have been defined by a core of shared Values. And now we have come together to determine how we will put that Purpose and those Values into practice." -- Ginni Rometty, Chairman, President and Chief Executive Officer

The goal of this learning activity is to share expertise on how IBM complies with export regulations so that you may go forward with knowledge on how these regulations may impact your day to day activities. At the conclusion, you will understand how you are essential to IBM's compliance posture around the world.

- Keep our expertise vital: IBMers constantly learn, develop skills and contribute to the advancement of their fields, professions and disciplines.
- Bring expertise to the client: We draw on the skills of our colleagues, partners, clients and academic peers, bringing our clients the most relevant experts and expertise.
- Give the gift of knowledge: Our goal is not to impress others with what we know; but to add to their own knowledge, to make them smarter.

The practice of Sharing Expertise

Complying with export regulations relates directly to IBM's core value of Trust and personal responsibility in all relationships.

- Unite across IBM, and beyond: We are at our best when we work together in borderless collaboration.
- Get it done: We are thorough, always keeping our promises and delivering on our commitments.
- Work with thoughtful urgency: We put a premium on speed. We do not confuse activity with results.
The practice of Uniting to Get it Done Now

Unite across IBM, and beyond

IBM has a global export compliance program, which includes:

Corporate Export Regulation Office (ERO)
- Define Export Regulation Requirements
- Interprets the US Government regulations
- Acts as interface with US Government for securing export authorizations
- Conducts compliance reviews and advises management of potential gaps
- Provides guidance to IBM's export network
- Oversight of non-US export regulation compliance programs

Decentralized Global IBM Export Regulation Network
- Implements requirements, including the following: designing and overseeing local ICP (Internal Control Program); establishing procedures and ensuring compliance
- Provides local education, advice and guidance

ERO Website: w3.ibm.com/chq/ero

Give the gift of knowledge

The Policy

Because IBM is a US Company, IBM, including all of its subsidiaries, must act in accordance with the laws of the United States. Those laws are dictated by the following agencies:
- Department of Commerce, Export Administration Regulations (EAR): Dual use products and technology and restrictive trade practices (boycotts)
- Department of State, International Traffic in Arms Regulations (ITAR): Military, Intelligence, Police and Space technology, including commercial satellites
- Department of The Treasury - Office of Foreign Assets Control (OFAC): Embargoes, trade sanctions, and narcotics kingpin sanctions

For IBM subsidiaries located outside of the United States, there may be additional local export regulation laws which would also apply. Your Export Regulation Coordinator will be able to assist you with making this determination.
Keep our expertise vital

Export Defined

The transfer of anything to a "Foreign Person" by any means, anywhere, anytime or the knowledge that what you are transferring to a "US Person" will be further transferred to a "Foreign Person".

A "US Person" is defined as: A US citizen or permanent resident.

A "Foreign Person" (or foreign national) is defined as: A non-US citizen, who is not a permanent resident of the US.

Applying the Definition: The following would all be considered subject to US export regulations:
- Technical data and source code transfers to a non resident within any country (deemed export), e.g. a Russian national working in Ireland
- Exports to another IBM subsidiary, e.g. IBM Singapore exporting to IBM US
- Exports to an IBM Customer, Partner or Supplier located outside your country, e.g. Export of a SWG product's binary code from IBM Hungary to Flextronics in Canada
- Deliveries of technical data to an external partner within your country with a remote headquarters team involved in the engagement, e.g. Delivery to a customer in California with headquarters located in China

Exporting is a PRIVILEGE, not a right!

Every IBM employee is responsible for ensuring IBM remains in compliance. Violation of the US export regulations is subject to penalties, including:
- Monetary fines
- Denial or suspension of export privileges
- Possible imprisonment

Knowledge of an actual or potential export violation needs to be reported immediately to your local Export Regulation Coordinator.

Don't let this happen to IBM!

October 18, 2012: Mohammad Reza Hajian, RH International & P and P Computers were convicted for exporting computers and equipment to Iran via the United Arab Emirates. Hajian is spending 48 months in prison and the companies are on 12 months probation. Resulted in a $10,000,000 USD forfeiture.
Export privileges were denied until 2022.

April 24, 2013: Computerlinks FZCO took actions to evade the Regulations in connection with the unlawful export and reexport to Syria of encryption items designed for use in monitoring and controlling Web traffic valued at approximately $1,400,000 USD. The Settlement Agreement included a civil penalty of $2,800,000 USD and required three external audits of its export control compliance program.

June 12, 2013: Baker Eastern, SA Tripoli, Libya complied with multiple requests to furnish information about business relationships with or in a boycotted country which is in direct violation of the US anti-boycott laws. The company was fined $182,325 USD.

March 5, 2014: The State Department issued an order imposing a $20 million USD fine and extensive remedial measures against a Washington-based aerospace and defense manufacturing company to settle a total of 282 charges for violations of the ITAR and the Arms Export Control Act. The violations included improper classification of goods, failure to properly administer licenses and agreements, and incomplete or poor recordkeeping.

Unite across IBM, and beyond

How do these regulations impact your daily activities?

Customer facing organizations such as Sales & Delivery, Software Group Services

EXPORT OBLIGATION: Know Your Customer
- Denied Parties List
- Involved in Proliferation Activities
- Embargoed / Terrorist Countries
- Anti-boycott
- Diversion Risk

EXPORT OBLIGATION: Military & ITAR Concerns

ACTION REQUIRED: Contact your ERC or ERO

Know Your Customer: Denied Parties List

Various Government agencies maintain listings of individuals and corporations with whom IBM generally may not do business. The ERO has compiled these various lists into one, The Denied Parties List (DPL).
In the past, the DPL was focused on only lists maintained by the US Government; however, the tool is being expanded to include the listings provided by the following countries:
- Malaysia
- Japan
- Germany
- United Nations
- European Union
- United Kingdom
- Canada
- Switzerland
- Australia

If a customer or supplier is being established in one of these countries/regions, IBM must screen against the applicable list, as well as the US Denied Parties List. It is NOT required to screen against ALL lists for every customer or supplier being established. A customer being established in Australia would be screened against the US and Australia lists; whereas, a supplier being established in Japan would be screened against the Japanese list as well as the US list. Access instructions for the DPL and detailed screening instructions are provided on the ERO web site.

Know Your Customer: Proliferation Activities

Under US Regulations, certain countries are prohibited from participating in the following types of activities:
- Nuclear Weapons
- Chemical & Biological Weapons (CBW)
- Missiles and/or unmanned air vehicles
- Military Applications

Countries subject to these restrictions have additional screening requirements as part of the customer or supplier set-up process; however, if your customer or supplier is known to be involved in any of the activities listed above, or you have a reason to believe so, be aware the transaction may be subject to very restrictive export controls or prohibited.

Know Your Customer: Embargoed / Terrorist Countries

The US Government has identified certain countries as embargoed or terrorist-supporting, in which a US company cannot do business:
- Syria
- Sudan
- Iran
- North Korea
- Cuba

The level of sanctions may vary between these countries, but in general, IBM may not do business with these countries, including their embassies or entities controlled by these countries. This prohibition includes providing services which could potentially be used by our customers' customers, suppliers or even employees who operate in these countries. If your customer or supplier is known to do business in any of the countries listed above, or you have a reason to believe so, be aware the transaction may be prohibited.

Countries with additional screening requirements: Myanmar (Burma) and Iraq are not embargoed / terrorist countries; however, due to additional Government requirements with these countries, it is necessary for all potential transactions to be reviewed by the Export Regulation Office (ERO).

NOTE: The ERO continuously monitors world events which may impact where IBM is able to do business. Updates are provided via notification to the ERC community and are also made available on the ERO web site.

Know Your Customer: Anti-Boycott

IBM is prohibited from accepting, cooperating, or participating in restrictive trade practices and state-sponsored boycotts.
- Boycott requests can occur worldwide, not just in the Arab League Nations
- Boycott requests are typically included in contract language, requests for proposals (RFP), requests for quotes (RFQ), statements of work, or general law compliance clauses but they may also come via verbal requests or other forms of documentation.

Examples of prohibited conduct include:
- Agreeing not to do business with Israel, refusing goods of Israeli origin, or complying with blacklists
- Discriminating, or agreeing to discriminate, against any person based on race, religion, sex, national origin or nationality
- Creating clean lists of companies that are not Israeli based, owned, or managed
- Agreeing with local country law that restricts business with Israel or any other nation the U.S.
Government deems "friendly"
- Furnishing information about IBM's (or affiliates') business relations with boycotted countries or companies

US Government Reporting Required: In all cases, IBM must report requests to participate in boycott activities.

Know Your Customer: Diversion Risk

As you are actively listening to your clients' needs, you are responsible for understanding your customers' needs and identifying any unusual requests or circumstances. These unusual requests may be indicators, or Red Flags, that an unauthorized transaction may occur.

- Listen actively: We work to understand our clients' challenges. We also listen for the hopes and dreams they do not yet know how to describe.

The practice of Listen for need, envision the future

Red Flag Examples:
- The customer or agent is reluctant to offer information about the end-use of the item.
- The product's capabilities do not fit the buyer's line of business.
- A freight forwarding firm is listed as the product's final destination.
- Routine installation, training, or maintenance services are declined by the customer.

Unite across IBM, and beyond

How do these regulations impact your daily activities?

Engagements with Public Sector, Military, or Aerospace and Defense Customers

EXPORT OBLIGATION: Know Your Customer
- Denied Parties List
- Involved in Proliferation Activities
- Embargoed / Terrorist Countries
- Diversion Risk

EXPORT OBLIGATION: Military & ITAR Concerns

ACTION REQUIRED: Contact your ERC or ERO

Know Your Customer: Military & ITAR Concerns

Providing commercial off-the-shelf (COTS) products to a military department, or within a defense contract is allowed:
- Announced hardware e.g. DataPower, Guardium, Netezza
- Announced software e.g.
WebSphere Application Server, Rational Doors

However, the following may be highly regulated:
- Assisting with the development, production or use of an item which will be incorporated into a military or defense item, e.g. customized software for integration into a military platform
- Providing technical data associated with these items, e.g. blueprints, architecture
- Providing services to these agencies including maintenance of COTS items which have since been incorporated into a defense item, e.g. a server which has been ruggedized and placed into a submarine

These regulations may apply if you're engaged with any of the following types of agencies:
- National armed services (Army, Navy, National Guard, etc.)
- Ministry of Defense
- Police
- Government intelligence or reconnaissance orgs
- Government research agencies

Unite across IBM, and beyond

How do these regulations impact your daily activities?

EXPORT OBLIGATION: Know Your Customer
- Denied Parties List
- Involved in Proliferation Activities
- Embargoed / Terrorist Countries
- Diversion Risk

EXPORT OBLIGATION: Military & ITAR Concerns

ACTION REQUIRED: Contact your ERC or ERO

Know Your Customer: Action Required

Contact your local Export Regulation Coordinator or the ERO for all of the following:
- Potential match on the DPL
- Suspicion of proliferation activities
- Engagements involving military or defense customers
- Engagements involving Huawei or ZTE
- Red Flag Indicators are present in the customer engagement process
- Requests to comply with a boycott activity

For proliferation activity concerns and red flag indicators:
- Do Not obstruct the normal flow of information
- Do Not ignore Red Flags or intentionally cut off the flow of information that comes to IBM in the normal course of business

For boycott concerns: Boycott incidents must be reported immediately after identification and refusal via ERO's Boycott Reporting Tool.
This tool will facilitate the required review by the Export Regulation Executive (ERE), regional legal counsel and the ERO.

Do not proceed until ALL issues are resolved and you have received documented approval and instructions. Ensure you maintain documentation supporting the issue resolution in accordance with records retention requirements.

Unite across IBM, and beyond

How do these regulations impact your daily activities?

Business units who are responsible for designing or delivering customer solutions, including SWG Services, Global Business Services (GBS), Global Technology Services (GTS), Global Process Services (GPS), and their respective delivery organizations, i.e. Services Delivery (GTS Services Delivery and GPS Solutions and Delivery) and GBS Globally Integrated Delivery (GID)

EXPORT OBLIGATION: Know Your Product
- Services & Solutions
- Research, Development & Production Activities
- Announcing an IBM product
- Delivery of Controlled Products

ACTION REQUIRED: Contact your ERC or ERO

Know Your Product: Services & Solution Designs

IBM's customer solutions are subject to US export regulations. The regulations apply in all cases, even when IBM's customers are located outside of the US and have no US presence. IBM providing a solution to a company headquartered in Germany with operations solely in the European Union would still be required to comply with US regulations.

The IBM Client Services Evaluation Guide (CSEG) or its exact content equivalent is the appropriate tool to determine if the proposed solution has any export concerns. A new evaluation would be required for any significant changes, i.e. including an additional delivery center within the delivery activities.
Examples of solutions subject to export regulations:
- Processing any portion of financial transactions for a customer
- Customizing items or services for use in any defense, military, space (including commercial satellites), government intelligence gathering, or weapons detection capacity
- Delivering items which are intended for surveillance purposes at any level of government
- Designing customized software with encryption capabilities
- Hosting or delivery of cloud computing services
- Use of global resources, i.e. offshore delivery centers or persons who are not citizens or permanent residents of the local country
- Intentional or incidental access to customer's source code or technology

Unite across IBM, and beyond

How do these regulations impact your daily activities?

Organizations involved in research, development, manufacturing, or engineering.

EXPORT OBLIGATION: Know Your Product
- Services & Solutions
- Global Delivery
- Research, Development & Production Activities
- Announcing an IBM Product
- Delivery of Controlled Products

ACTION REQUIRED: Contact your ERC or ERO

Know Your Product: Encryption Defined

A product is considered to be an encryption product if:
- It directly contains encryption algorithms, proprietary or open source: AES, 3DES, OpenSSH, SSL, etc.
- It can call/access encryption algorithms from another source:
  - Use of encryption libraries, e.g. GSKit
  - Calls to security functions, e.g. JVM.Security
  - Invoking secure communications, e.g. https, TLS
- It can direct encryption functions in another product:
  - Products which rely on WebSphere Application Server and use WAS APIs to create an encrypted channel to send information.
Encryption Classifications

US export regulations divide encryption products into categories:
- Limited Encryption: Password, digital signature, authentication functions only
- Full Function Encryption
  - Mass Market: Determination based on marketing information and price
  - Restricted Encryption: Determination based on specifically defined criteria, e.g. network infrastructure products, proprietary encryption source code, products which have an Open Cryptographic Interface
  - Encryption which is not Mass Market or Restricted is typically described as Unrestricted

Know Your Product: Research & Development Activities

Groups involved in the exchange of technical data, technical assistance or source code within IBM or with external customers and suppliers have additional requirements.

Transfers within IBM

US export regulations allow for the transfer of encryption source code and technology through all IBM subsidiaries around the world, with only one exception:
- Embargoed / terrorist countries and their nationals are not eligible

When transferring encryption source code or technology outside of the United States, local export regulations may apply. In some cases, additional permits and authorizations are required.

Transfers outside of IBM

All transfers of encryption source code and technology outside of IBM require review and approval.
- Transfers to development partners or certification agencies

Classification Requirements: Technology and Source Code Export Evaluations

To determine any export restrictions associated with your source code or technology, export classification is required:

Export classification of encryption technology and source code may be done using IBM's Internal Project Classification and Guidance Form. This form will either allow you to self-classify your project or point you to the appropriate classification resources. Alternatively, you may schedule a meeting with your local Export Regulation Coordinator or ERO.
Ensure any required export authorizations are obtained prior to transfer. Ensure access controls are implemented according to the classification obtained.

Know Your Product: Announcing an IBM product

All IBM announced products are required to be classified for export. The classification determines any delivery restrictions or requirements. Export classifications must be obtained no later than 30 days prior to first release. 45 days is required for products which contain encryption capabilities.

Products requiring classification via the Export Regulation Office
- Hardware: all Machine Types and Models
- Software: all code delivered outside IBM (Generally Available, Beta, Stand alone components)
- New Releases:
  - Version change (e.g. V1 to V2)
  - Point releases (e.g. V1.1 to V1.2) where encryption has been added or changed

Obtaining export classifications

Export classifications may be obtained by submitting a product classification form in ERO's Classification Questionnaire database. Full function encryption products will require a white paper. Non-encryption and limited encryption assets being released without a PID or Part Number may be self classified by development teams using the Software Classification Guidance and Questionnaire form on the ERO web site.

Know Your Product: Encryption Product Classifications and End User Eligibility

The export categorization determines how a product classification is completed and where the item may be delivered.

- Category: Mass Market. Classification: Classified by ERO. End User Eligibility: All**
- Category: Restricted. Classification: Classified by US Government (USG). End User Eligibility: Supplement 3 Countries; Non-Government end users outside of Supplement 3
- Category: Unrestricted. Classification: Varies by item type (USG: Chips, toolkits, crypto libraries, network forensics, non-standard encryption, and encryption enabling products; ERO: All others). End User Eligibility: All**

** Delivery to embargoed / terrorist countries always prohibited!
Government End Users Defined: Any foreign central, regional or local government department, agency, or other entity performing governmental functions; including governmental research institutions, governmental corporations or their separate business units which are engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List, and international government organizations

Know Your Product: Supplement 3 Countries

Austria, Australia, Belgium, Bulgaria, Canada, Cyprus, Czech Republic, Estonia, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, United Kingdom

Unite across IBM, and beyond

How do these regulations impact your daily activities?

Organizations involved in delivery of hardware or software

EXPORT OBLIGATION: Know Your Product
- Services & Solutions
- Global Delivery
- Research, Development & Production Activities
- Announcing an IBM product
- Delivery of Controlled Products

ACTION REQUIRED: Contact your ERC or ERO

Know Your Product: Delivery of Encryption Products

Most of IBM's products are eligible for delivery to all IBM customers in all countries except the embargoed / terrorist countries; however, there are some products which require additional controls, including:
- Encryption products classified as Restricted, typically network infrastructure products such as ISS Proventia Network Multi-function Security Appliances, or encryption toolkits
- Products primarily useful in law enforcement or cyber security, e.g.
i2 Coplink, QRadar Forensics

Products provided by third parties may also require additional controls, e.g.:
- Priority 5 TACCS Situational Awareness software
- Cisco or Juniper Network Infrastructure products
- Some Intel microprocessors

Determining if there are additional Controls:
- IBM publishes the export classification of its products on IBM's Export Compliance web page. Delivery restrictions are identified with ERO Identifiers.
- Export classifications of products provided by third parties must be obtained from the supplier of the product. Work with your procurement representative to obtain this information. Alternatively, contact the supplier directly for classification information. The ERO provides links to the most common non-IBM products.
- Ensure export authorizations are obtained when required.

Unite across IBM, and beyond

How do these regulations impact your daily activities?

EXPORT OBLIGATION: Know Your Product
- Services & Solutions
- Global Delivery
- Research, Development & Production Activities
- Announcing an IBM product
- Delivery of Controlled Products

ACTION REQUIRED: Contact your ERC or ERO

Know Your Product: Action Required

Contact your local Export Regulation Coordinator or the ERO for all of the following:
- Assistance with SWG Services CSEG evaluations
- Obtaining export classifications
- Determining appropriate access controls
- Obtaining export authorizations

Do not proceed until ALL issues are resolved and you have received documented approval and instructions. Ensure you maintain documentation supporting the issue resolution in accordance with records retention requirements.

Export Regulation University

University Link: http://lt.be.ibm.com/exre

Detailed export education on all topics mentioned in this module can be found in the Global Trade University under the Export section.
We encourage you to expand your knowledge in the areas pertinent to your line of business!

Reminders:
- Exporting is a PRIVILEGE, not a right! Every IBM employee is responsible for ensuring IBM remains in compliance.
- ALL of our deliveries are subject to US export regulations.
- Violations of these regulations jeopardize IBM's good reputation, and put our exporting privilege at serious risk! In addition, it can cause countless ramifications such as revenue loss for IBM, employee terminations, etc.
- Export compliance is the responsibility of every employee.

You are supporting IBM's Purpose, Values & Practices by complying with Export Regulations.

Completion

You have now completed this course. Please mark the completion box to indicate you have completed this activity.