Articles Business Crime & Financial Services 24th May 2018

Hong Kong Newsflash: Trade Sanctions and Export Licensing

On 8th May 2018, the Hong Kong government issued Strategic Trade Controls Circular No. 6/2018 (‘the 2018 Circular’), Import and Export of Encryption Products, in order to “remind traders of the licensing requirements for the import and export of encryption products”.

Encryption products are commonplace – virtually all commercially available, digital telecommunications devices (the smartphone in your pocket) contain elements of cryptographic software.  Often, ingenious and successful software products are little more than a ‘wrapper’ round existing commercially available but less user friendly, or less well marketed, products that, nonetheless, contain cryptographic elements.

The 2018 Circular states that:

Encryption products are controlled under the Wassenaar Arrangement*, an international control regime overseeing the controls over the transfer of both munition items and dual-use goods and technology. Accordingly, encryption products may fall under “Category 5, Part 2 – Information Security” of the Dual-use Goods List of Schedule 1 to the Regulations. Import and export of the encryption products so specified are subject to licensing control.”

The original Wassenaar rules threatened to interfere with collaborative attempts by international security and intelligence organisations to slow down rapidly spreading malware outbreaks.  They also gave rise to considerable confusion, and a consequent administrative burden on the state and on business, in relation to the licensing of encryption products.  After four years of discussion and lobbying, Wassenaar updated its rules on 6th December 2017.  The 2018 Circular reflects and implements that update.

In Hong Kong, trade in strategic goods is controlled by the Import and Export Ordinance, Chapter 60, Laws of Hong Kong, and the Import and Export (Strategic Commodities) Regulations (Cap. 60 sub. leg. G) (‘the Regulations’).

Strategic goods are defined by inclusion in four schedules made under the Regulations.

  • Schedule 1 consists of the full list of strategic commodities subject to import and export licensing control (essentially, military and dual-use goods and associated equipment and technology) and runs to almost 600 pages
  • Schedule 2 contains products which, in addition to being subject to import and export control, are controlled even if they are in transit through Hong Kong
  • Schedule 3 lists items subject to end-use control (essentially, nuclear, chemical and biological warfare agents and related equipment and technology)
  • Schedule 4 lists activities subject to end-use control (essentially, the conduct in relation to the materiel referred to in schedule 3)

In order, lawfully, to import or export any strategic goods, a licence is required from the Director-General of Trade and Industry.

The Regulations impose control over encryption products with a symmetric key length above 56-bits, however, exemptions are granted for products, of whatever key length, provided that they fall under one of the following scenarios:

i. accompanying the user, for the user’s personal use; or

ii. meeting all of the following conditions:

 a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following: 

– Over-the-counter transactions;

– Mail order transaction;

– Electronic transactions; or

– Telephone call transactions;

 b. The cryptographic functionality cannot easily be changed by the user;

c. Designed for installation by the user without further substantial support by the supplier; and

d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs (a) to (c) above.

The factors that the licensing / enforcement authority will take into account in determining “general availability” are: quantity, price, required technical skill, existing sales channels, typical customers, and, typical use or any exclusionary practices of the supplier.

Category 5-Part 2 does not apply to items incorporating or using cryptography and meeting all of the following conditions:

 (a)      The primary function or set of functions is not any of the following:

(1)       “Information security”;

(2)       A computer, including operating systems, parts and components of the computer;

(3)       Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management);

(4)       Networking (includes operation, administration, management and provisioning);

(b)     The cryptographic functionality is limited to supporting their primary function or set of functions;

(c)     When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.

One way or another, the smartphone in your pocket satisfies the exemption test and/or falls without Category 5-Part 2.  With more esoteric and/or less commonly available products, the analysis is more nuanced and failure to obtain a licence or to satisfy an exemption gives rise to criminal liability.

Further to the Wassenaar Arrangement’s new rules, the UK government has also recently published guidance ‘to assist exporters to make their own assessment on the application of the “Cryptography Note” – Note 3 to Category 5 Part 2, Information Security as it appears in Annex I to Council Regulation (EC) No. 428/2009 (as last amended by Regulation (EU) No. 2268/2017).’

As in Hong Kong, and deploying a common language, excluded goods may be exempted from control, provided that they:

  • can be easily acquired by the general public
  • require little or no support to install
  • where the cryptographic functionality cannot be easily changed by the user

However, the UK guidance comes with a warning:

“[An] item’s control list classification cannot be worked out solely from the classifications of individual component parts. For example, a product using freely available open-source cryptographic software libraries may still be controlled. This is despite the fact that such libraries are often decontrolled in their own right.”  The same applies to freely available encryption algorithms.  “[A] product may still be controlled, and is not removed from control solely because the encryption algorithm it uses is freely available.”

So far as enforcement is concerned, the HK government publishes useful, general guidance for importers and exporters.

An internal compliance programme involves a company’s commitment that its products will not be diverted to or used in weapons of mass destruction programmes. Vast majority of traders have no desire that their products be so used and wish to avoid such a possibility as much as they can.  Implementation of an effective internal compliance programme is one way to demonstrate and ensure that this is the case.

Such guidance goes further to describe the core elements of an adequate compliance programme, including: a policy commitment to compliance; and, the integration of quality and management practices, involving,

  1. The nomination of individuals with responsibility
  2. Product screening
  3. Customer / end-user screening
  4. Destination screening
  5. End-use screening
  6. Application for licenses
  7. Shipment control
  8. Internal audits
  9. Education and training
  10. Record keeping
  11. Guidance to affiliates and subsidiaries
  12. Reporting violations

Businesses are also advised to be alive to ‘Red Flags’ – indicators that there may be end-user concerns necessitating further due diligence or a cessation of trade / suspension of relationship.  Importers and exporters should be cautious if they encounter any of the following behaviours:

  1. the customer is reluctant to offer information about the end-use of the goods
  2. the customer declines routine installation, training or maintenance services
  3. the customer’s order is considered to be inappropriate or for which the customer appears to have no legitimate need
  4. the quantity and performance capabilities of the goods significantly exceed, without satisfactory explanation, the amount or performance normally required for the stated end-use

Importers and exporters should look again at their goods, customers and consignment practices to avoid obvious pitfalls leading to criminal liability and enforcement action.

*Countries subscribed to the Wasenaar Arrangement are: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, India, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, the Republic of Korea, Romania, the Russian Federation, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, Ukraine, the United Kingdom and the United States.

Gavin Irwin

Categories: Articles