Export Compliance Program (ECP)
A formal set of written policies, procedures, and internal controls that a company establishes to ensure it meets all applicable U.S. export control and sanctions obligations.
Definition
An Export Compliance Program (ECP) is a formal, written framework of policies, procedures, and internal controls that a company establishes to ensure compliance with U.S. export control laws and regulations — primarily the EAR, ITAR, and OFAC sanctions programs. An ECP documents how a company screens parties, classifies products, determines license requirements, trains employees, and responds to potential violations. Regulators at BIS, DDTC, and OFAC all expect companies engaged in international trade to have an ECP in place.
Why an Export Compliance Program Matters
Beyond satisfying legal obligations, an ECP is the single most important factor in how regulators treat a company when a potential violation is discovered. BIS, DDTC, and OFAC all have published guidance stating that the existence and quality of a compliance program is a significant mitigating factor in enforcement decisions — meaning a company with a strong ECP that self-discloses a violation will face substantially lower penalties than one with no program at all.
Conversely, the absence of an ECP — or a program that exists on paper but is not followed in practice — is treated as an aggravating factor that can significantly increase penalties. For companies involved in export-sensitive sectors, the absence of a documented compliance program is itself a red flag to regulators.
Core Elements of an Export Compliance Program
While there is no single mandated format for an ECP, BIS's Export Management and Compliance Program (EMCP) guidelines and OFAC's Framework for OFAC Compliance Commitments both identify common core elements:
- Management commitment — senior leadership must visibly support and resource the compliance program
- Risk assessment — identifying which regulations apply to the company's products, markets, and transactions
- Written policies and procedures — documented processes for screening, classification, licensing, and recordkeeping
- Restricted party screening — systematic screening of all counterparties against applicable government watchlists
- Training — regular, role-appropriate training for employees involved in export transactions
- Recordkeeping — maintaining required documentation for the mandated retention period (5 years under the EAR)
- Auditing and testing — periodic internal reviews to verify the program is functioning as designed
- Violation reporting and remediation — procedures for investigating potential violations, voluntarily disclosing to regulators, and correcting root causes
Restricted Party Screening Within an ECP
Restricted party screening is one of the most operationally critical elements of an ECP. BIS, OFAC, and DDTC all expect companies to screen relevant transaction parties — customers, end users, freight forwarders, and intermediaries — against applicable government watchlists before each transaction. Screening at onboarding alone is insufficient; watchlists are updated continuously, and a party that was clean at onboarding may be added to a list before the next shipment.
The screening element of an ECP should specify which lists are checked, the frequency of screening, how potential matches are reviewed and documented, how false positives are resolved and recorded, and how long screening records are retained. Without this documentation, a company cannot demonstrate to regulators that its screening program is functioning.
How TradeLasso Helps
TradeLasso supports the restricted party screening pillar of your ECP by providing documented, timestamped screening records with PDF reports — the kind of audit trail that demonstrates an operational compliance program to regulators.
Frequently Asked Questions
Is an export compliance program legally required?
No regulation explicitly mandates that a company have a written ECP. However, the EAR, ITAR, and OFAC regulations all require companies to comply with specific obligations — and having a documented program is how you demonstrate that you are meeting those obligations. More practically, the absence of a program is treated as an aggravating factor in enforcement; BIS, DDTC, and OFAC have all published guidance making clear that a strong, operational ECP significantly reduces penalties when violations occur.
How often should an export compliance program be reviewed?
Best practice is to review the ECP at least annually and whenever significant changes occur — new product lines, new markets, significant company restructuring, or major changes to applicable regulations. Export control regulations change frequently; an ECP built on last year's requirements may already be outdated.
What is voluntary self-disclosure?
Voluntary self-disclosure (VSD) is the process of proactively reporting a potential violation to the relevant regulatory agency — BIS, DDTC, or OFAC — before they discover it independently. All three agencies treat VSD as a significant mitigating factor, often reducing penalties substantially. An ECP should include a clear procedure for investigating potential violations and making timely disclosure decisions.
Can a small company maintain a meaningful export compliance program?
Yes. An ECP does not need to be a 200-page manual. Small and mid-sized exporters can have effective programs built around clear written procedures, documented screening records, annual employee training, and a designated person responsible for compliance decisions. The key is that the program is actually followed and generates documentation — not that it is exhaustive on paper.