If this is your first export shipment — or your first few — you are entering a regulated activity with real liability. The U.S. export control regime is administered by three separate agencies — the Commerce Department's Bureau of Industry and Security (BIS), the State Department's Directorate of Defense Trade Controls (DDTC), and the Treasury Department's Office of Foreign Assets Control (OFAC) — and each operates under its own set of regulations with independent enforcement authority.
The most important thing to understand before you start: ignorance is not a defense under U.S. export law. BIS and OFAC both operate under strict liability standards for certain violations. A company that ships to a sanctioned party without knowing the party was sanctioned still faces civil penalties. The compliance obligation is to build a program that would catch the violation — not merely to avoid intentional misconduct.
OFAC alone assessed more than $1.5 billion in civil penalties in 2023, in cases spanning industries from logistics to cryptocurrency to consumer goods. The common thread in every enforcement case is not malice — it is a gap in someone's compliance process.
This checklist walks through the ten steps every first-time U.S. exporter should complete before goods leave the dock. Work through them in order. The steps are interdependent — skipping one is where violations originate.
Step 1: Classify Your Product
Every item you export must be classified under either the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR). These two regimes are mutually exclusive — a product is subject to one or the other, not both.
- ITAR-controlled items are defense articles and defense services. They are listed on the U.S. Munitions List (USML) and administered by the State Department's DDTC. If you are unsure whether your product is ITAR-controlled, request a Commodity Jurisdiction (CJ) determination from DDTC before proceeding.
- EAR-controlled items are commercial and dual-use products classified by an Export Control Classification Number (ECCN) on the Commerce Control List (CCL), administered by BIS. Most commercial products fall under the EAR.
Items not subject to either regime are generally considered EAR99 — the default classification for low-risk commercial goods. EAR99 is not a free pass. EAR99 items can still be prohibited from export to certain destinations, to certain parties, or for certain end uses.
To look up your ECCN: consult the CCL in Supplement 1 to Part 774 of the EAR. Each ECCN has a "reasons for control" field that tells you which destinations and end uses require a license. If you cannot determine the classification with confidence, submit a Commodity Classification Request (CCATS) to BIS for a formal determination.
Common mistake: Misclassifying an ITAR-controlled item as EAR. If your product has any defense application — even an incidental one — verify the USML categories before assuming it falls under EAR. Misclassification is itself a violation.
Deliverable from this step: a written classification for your product, with reasoning and citation to the specific ECCN or USML category.
Step 2: Identify the Destination Country
Different countries are subject to different levels of export restriction under both EAR and OFAC sanctions programs. The key categories:
- Comprehensively sanctioned countries: Cuba, Iran, North Korea, Syria, and (in most commercial sectors) Russia and Belarus. Transactions with these countries are generally prohibited absent a specific license.
- Arms embargoed countries: A broader list including most of the above plus Venezuela, Zimbabwe, and others where defense-related transactions are prohibited.
- BIS Country Group E:1 and E:2 — the highest-risk classifications under the EAR, triggering broad license requirements even for commercial goods.
- Other destinations: Most require no specific license for EAR99 goods but will require one for controlled ECCN items depending on the reason for control.
Destination matters even when the buyer is in a different country. If goods transit through or are ultimately re-exported to a sanctioned destination, the original exporter can be held liable. Always verify the ultimate destination, not just the named shipping address.
Deliverable from this step: a written record of the destination country and its BIS Country Group classification relevant to your product.
Step 3: Screen the Buyer
Run the buyer's legal name and all principals against U.S. government sanctions and export control lists before accepting any order. At minimum, screen against:
Screening the company name alone is not sufficient. Under OFAC's 50% rule, any entity owned 50% or more — directly or indirectly — by a sanctioned party is itself treated as sanctioned, even if it does not appear on any list by name. You must screen beneficial owners and controlling persons, not just the contracting entity.
Screen every name variant you have for the buyer — trade names, parent company, principals who will sign the contract. Use fuzzy matching to catch transliteration variations, especially for names from Arabic, Farsi, Russian, or Chinese. A miss on a name variant is treated the same as no screening at all.
A detailed walkthrough of this step is available in our guide on how to screen a new customer before onboarding.
Common mistake: Screening once at onboarding and never again. Lists update daily — a clean counterparty today can be designated tomorrow.
Deliverable from this step: a timestamped screening record showing which lists were searched, the names searched, the results, and the disposition.
Step 4: Identify the End User and End Use
The buyer is not always the end user. If your buyer is a distributor, reseller, or intermediary, you must also identify who will ultimately receive and use the product. Export regulations prohibit transactions where the end use is prohibited — including support for weapons of mass destruction development, certain military end uses in designated countries, and activities that would violate U.S. foreign policy objectives.
Ask the buyer directly: who will ultimately use this product, and for what purpose? Get the answer in writing. Then evaluate it against what you know about the buyer's business, the product's typical applications, and the destination country's risk profile.
Red flags requiring additional due diligence:
- The buyer cannot or will not identify the end user
- The stated end use is inconsistent with the buyer's known business
- The product is more capable than the stated application requires
- The buyer requests removal of markings, user manuals, or model numbers
- Payment routing is indirect or through a third country with no apparent business reason
Any of these alone is sufficient to pause the transaction. Document your evaluation and the steps you took to investigate.
Deliverable from this step: a written record of the end user and intended end use, with supporting documentation from the buyer.
Step 5: Determine License Requirements
With the product classification, destination, and parties identified, you can determine whether a license is required. The key questions:
- Is the product controlled for the destination under its ECCN? (Check the Country Chart in Supplement 1 to Part 738 of the EAR)
- Is the destination subject to comprehensive sanctions requiring an OFAC license?
- Is the buyer or end user on a list that triggers additional requirements (e.g., Entity List, which requires a license for all items, not just controlled ones)?
- Is the end use prohibited (e.g., WMD proliferation, military end use in Country Group D:5)?
If the answer to any of these is yes, you need a license — from BIS for EAR items, DDTC for ITAR items, or OFAC for sanctions-related transactions. Do not ship until the license is approved and in hand.
If no license is required, determine which license exception applies (for EAR items) and document it. Common exceptions include NLR (No License Required) for EAR99 items to non-restricted destinations, and specific exceptions like LVS (Low Value Shipment) or TMP (Temporary). Each exception has specific eligibility conditions — verify them, don't assume.
Deliverable from this step: a written license determination, citing the specific basis (license required and application filed, or license exception and the applicable exception code).
Step 6: Obtain Required Licenses
License processing times vary significantly. BIS license applications typically take 30 to 60 days for routine cases; complex cases or those referred to other agencies take longer. DDTC applications can take several months, particularly for technical assistance agreements. OFAC licenses for sanctioned-country transactions can take six months or more.
Plan your export timeline around the licensing process — a commercial deadline does not override regulatory requirements. Building a buffer into your sales contracts for licensed goods is standard practice.
While the application is pending, do not ship. Exporting without a required license is a separate violation, even if the license would eventually have been approved. The fact that you applied is not permission to proceed.
When the license is received, review the conditions. Most export licenses include specific conditions — quantity limits, end-use restrictions, reporting obligations, or requirements to notify the issuing agency of specific events. Violating a license condition is itself a violation of the regulation.
Deliverable from this step: the approved license document, which must be referenced on the EEI filing and retained in the transaction record.
Step 7: Prepare Correct Shipping Documentation
Export documentation is a compliance issue, not just an administrative one. Required documents typically include:
- Commercial invoice with accurate product description, value, and country of origin
- Electronic Export Information (EEI) filing confirmation (ITN from AES)
- Packing list
- Bill of lading or airway bill
- Export license (if required) — the license number must appear on the EEI filing
- Destination Control Statement (DCS) on the commercial invoice and bill of lading for all EAR- and ITAR-controlled items
The DCS is a specific, required statement notifying the recipient that the items are subject to U.S. export controls and may not be re-exported, transferred, or diverted contrary to those controls. The required wording is specified in EAR Part 758.6. Missing the DCS is a documentation violation.
False or misleading documentation — including value understatement, generic product descriptions that obscure the actual item, or destination concealment — carries criminal exposure independent of the underlying export violation.
Deliverable from this step: complete, accurate export documentation including DCS where required.
Step 8: File the Electronic Export Information (EEI)
Most exports valued over $2,500 (or any controlled item regardless of value) require an EEI filing via the Automated Export System (AES) before the shipment departs the U.S. The filing must include the ECCN or EAR99 designation, the applicable license exception or license number, all parties to the transaction, and the transaction value.
Errors in the EEI are independently actionable violations. The most common errors:
- Incorrect or missing ECCN
- Wrong license exception code
- Missing or incorrect Schedule B number
- Using the wrong exporter of record
- Failing to file at all for a controlled item under $2,500
Your freight forwarder may file the EEI on your behalf, but as the exporter of record, you remain responsible for its accuracy. Do not sign off on a filing without reviewing the ECCN, license, and party information.
Deliverable from this step: the AES Internal Transaction Number (ITN) — retain this with your export record.
Step 9: Retain Records for Five Years
BIS, OFAC, and DDTC all require exporters to retain complete export records for at least five years from the date of export. "Complete" means the entire transaction file:
- Purchase order and commercial invoice
- Classification documentation with reasoning
- Screening records with timestamps
- License determination and any approved license
- Shipping documentation and EEI confirmation
- All correspondence related to the transaction (including emails)
These records are what you produce if audited or investigated. Incomplete records are treated as no records. The absence of a screening record, for example, is treated by OFAC as equivalent to not having screened — there is no way to reconstruct that you did the screening if the documentation does not exist.
Records must be accessible to regulators on request. Storing records in personal email inboxes, on departing employees' computers, or in systems without a retention policy creates recoverable gaps. Use a centralized document management system and define a retention policy before your first shipment goes out.
Deliverable from this step: a complete transaction file in a centralized retention system with at least five years of storage and access controls.
Step 10: Re-screen for Repeat Transactions
For every subsequent shipment to the same buyer, re-screen before shipping. The SDN List, Entity List, and other U.S. government watchlists are updated multiple times per week. A counterparty clean today may be designated next week, and the obligation to catch that designation falls on your compliance process — not on the counterparty to inform you.
Re-screening is also required when:
- A significant amount of time has passed since the last screen (more than 30 days is generally too long for active trading relationships)
- The transaction involves a new transaction party — a new intermediary, bank, or freight forwarder not screened before
- The destination, product, or end use changes from prior shipments
This is where automation produces its clearest value. Manual re-screening of a customer roster on each shipment cycle does not scale. Re-screening saved counterparty profiles against updated list data takes seconds and generates automatic documentation.
Common mistake: Treating "trusted" long-term customers as exempt from re-screening. Apple's $466,912 OFAC settlement involved a developer who had been on the SDN List for 2.5 years — because the re-screening process used a stale copy of the list.
Deliverable from this step: a re-screening log tied to each shipment, with dated records showing list versions checked.
Building a Minimal Compliance Program
For a small or first-time exporter, a compliance program does not need to be elaborate. It needs to exist in writing, be followed consistently, and produce documentation. The core components:
Written policy: A one-to-two page document stating that the company conducts export compliance screening, who is responsible for it, and what steps are followed for each transaction. This is the baseline document BIS and OFAC look for when assessing whether a company had a compliance program at all.
Screening procedure: Define which lists are screened, at what points in the transaction cycle, and what happens when a potential match is found. The procedure should specify that screening is required before accepting an order, before each shipment, and before any payment to a new third party.
Recordkeeping procedure: Define where records are stored, how long they are retained, and who is responsible for maintaining them. At a minimum, all ten deliverables from this checklist should be captured in the transaction file.
Training: Every person who touches an export transaction — sales, operations, finance — should receive basic export compliance awareness training annually. OFAC and BIS both offer free training materials on their websites.
A compliance program of this scope is achievable for any company, regardless of size, and the documentation it produces is the primary factor in OFAC's penalty mitigation analysis if a violation occurs.
Common Mistakes That Trigger Violations
Avoiding these specific failures accounts for the majority of enforcement risk for new exporters:
- Shipping before the license is in hand
- Skipping screening on repeat orders from "trusted" customers
- Misclassifying an ITAR item as EAR-controlled
- Accepting a buyer's end-use statement at face value when the product/use combination raises flags
- Retaining records in personal inboxes or departing employees' computers rather than a centralized system
- Treating EAR99 as "not regulated" — it is still subject to destination and party restrictions
- Relying on the freight forwarder to handle compliance — the exporter of record is responsible regardless
Frequently Asked Questions
Do I need an export compliance program if I'm a small company? Yes. Export regulations apply equally to small and large companies. BIS and OFAC do not distinguish based on company size. The $950,000 Nordgas settlement involved a mid-sized Italian manufacturer. A compliance program for a small exporter can be lightweight — a written procedure, consistent screening, and proper recordkeeping — but it must exist and be followed.
What is the difference between ITAR and EAR? ITAR controls defense articles and services under the State Department's DDTC. EAR controls commercial and dual-use items under the Commerce Department's BIS. A product is subject to one regime or the other, not both. If your product has any defense application, verify the USML categories before assuming EAR applies. Full comparison here.
How do I classify my product? Start with the ECCN descriptions in the Commerce Control List (CCL) in Supplement 1 to Part 774 of the EAR. For potential ITAR items, consult the USML in Part 121 of the ITAR. If the classification is unclear, request a formal determination — a CCATS from BIS or a CJ from DDTC. Do not guess on a classification that could be ITAR; the consequences of misclassification are severe.
What is EAR99 and does it mean no license is required? EAR99 is the default classification for commercial goods not specifically listed on the CCL. It does not mean unregulated. EAR99 items still require a license for export to comprehensively sanctioned countries, to parties on the Entity List or SDN List, or for prohibited end uses. Always complete the party screening and destination check even for EAR99 items.
Do I need to screen repeat customers? Yes. Watchlists update multiple times per week. A customer clean at onboarding can be sanctioned in a subsequent update. Apple's OFAC settlement occurred because re-screening used a stale copy of the SDN List. Re-screen before every shipment or on a documented regular cycle.
What happens if I ship without the required license? Shipping without a required license is an independent violation of the underlying regulation — EAR, ITAR, or OFAC — regardless of whether the underlying transaction was otherwise permissible. Civil penalties can reach hundreds of thousands of dollars per violation, and willful violations carry criminal penalties including imprisonment for responsible individuals.
Can I use a freight forwarder to handle export compliance? Freight forwarders can assist with logistics and documentation, but they do not assume your compliance liability. The exporter of record retains legal responsibility regardless of who prepares the paperwork. Review any EEI or export documentation your forwarder prepares before it is filed — errors in that filing are your liability.
What is a Destination Control Statement and when is it required? A Destination Control Statement (DCS) is a mandatory notice placed on the commercial invoice and bill of lading for all EAR- and ITAR-controlled exports. It notifies the consignee that the items are subject to U.S. export controls and may not be re-exported or transferred in violation of those controls. The specific required language is in EAR Part 758.6. Missing it is a documentation violation even if the underlying export was otherwise lawful.