Most national governments require traders to maintain complete and accurate records of their strategic trade-related activities for a specified period of time and when requested, commit to allowing designated, national authorities inspect these records. In many countries, the failure to maintain or produce STC-related records can result in penalties being imposed upon an enterprise and its employees by the national authorities.
Establishing a thorough and traceable recordkeeping system of activities involving strategic items is therefore critical to your enterprise’s STC compliance efforts. The purpose of the recordkeeping element is to ensure STC-related documents (administrative and transaction records) are maintained in a consistent manner and can be made available to your government or other external parties for inspections or audits.
Enterprises that maintain complete records of STC-related transactions enjoy benefits that extend well beyond trade compliance. Effective recordkeeping mitigates risk by allowing employees and compliance personnel to analyze trends in strategic item-related orders over a specified time period. A thorough review of your enterprise’s records could help you to recognize patterns in customers, products, end-uses, end-users, and destinations in order to gain greater insight into potentially suspicious order inquiries.
In addition, a comprehensive recordkeeping system can enable compliance officials to detect accidental STC violations during the course of audits and can facilitate cooperation with law enforcement authorities in the event of an STC-related investigation.
To implement the recordkeeping element of your ICP, your enterprise must identify what, when, by whom, and where STC-related records must be kept, so that the information is accessible and can be easily retrieved when necessary.
Implementing the recordkeeping element of your ICP requires three essential tasks:
- Identify the individuals responsible for maintaining STC-related records;
- Determine what administrative and transaction records must be kept and the required period of retention; and
- Create a filing and retrieval system and preferred format for maintaining and preserving STC-related records.
- Get Implementation Aids >
Task 1: Assign Recordkeeping Responsibilities
First, your enterprise must publicly identify the individual(s) or department(s) tasked with STC-related recordkeeping responsibilities. Senior management will usually issue a policy statement that defines employee recordkeeping responsibilities and emphasizes that records should be treated as an enterprise asset. At a minimum, your enterprise’s policies and procedures should seek to resolve the following:
- Identify the individual(s) responsible for determining the records to be maintained, the record format, and the period of retention
Your enterprise’s CCO, often in coordination with senior management, will determine the format (hard-copy or electronic), the duration (at a minimum the legally required time period), and the location (centralized records depository for hard-copy records and/or an electronic records database) for maintaining STC-related documentation.
- Designate the individuals responsible for maintaining and managing STC-related records
To ensure consistent recordkeeping practices, your enterprise should designate an individual(s) or department with primary responsibility for managing STC-related documentation.
Your enterprise must then determine:
- Who has access to STC-related records?
- Individual(s) responsible for the operation, use, and maintenance of the recordkeeping system might include employees from in line-business units, records management, IT systems administration, and elsewhere.
- How are STC-related records to be transferred / transmitted from employees to the individual(s) or entity responsible for managing STC-related records (recordkeeping chain of command)?
- Who is responsible for providing STC-related records to internal or external auditors?
- Who is responsible for providing national authorities with STC-related records for inspection (usually the CCO or legal counsel)?
- Who is responsible for ensuring the accuracy and integrity of STC-related records?
- Who is responsible for backing-up individual(s) with STC-related recordkeeping responsibilities?
- If the primary responsible person is unable to perform their recordkeeping obligations, there should be a secondary person authorized to perform their recordkeeping duties.
Note: If for whatever reason a back-up person is unavailable, there should be procedures in place to prevent untrained and unauthorized personnel from taking action.
- Determine who is responsible for communicating recordkeeping requirements to relevant personnel
Empowered STC compliance personnel should provide employees with written guidance on recordkeeping procedures, including a description of the recordkeeping procedures, a comprehensive listing of all administrative and transaction records to be maintained, the location of STC-related records, a listing of all personnel with recordkeeping responsibilities, and simple job aids outlining approved practices for capturing and storing essential STC-related records. Employees should also be alerted to any updates to the enterprise’s recordkeeping requirements. Similarly, ICP-related training activities should stress the importance of accurate recordkeeping and seek to reacquaint employees with STC-related recordkeeping requirements, processes, and procedures.
Task 2: Determine What Records Must be Retained and the Period of Retention
The records to be maintained will depend on the nature of your enterprise's activities and the STC laws and regulations in your country. First, it is advisable to examine your enterprise’s current recordkeeping measures, and determine whether existing recordkeeping procedures meet the criteria stipulated in your country’s STC legislation.
The recommended retention period for STC-related records is five years from the date in which the transaction occurs, but your enterprise should again consult your national legislation and relevant licensing authorities to determine the required period of retention in your country.
There are essentially two types of records that your enterprise should preserve:
- Administrative records; and
The administrative records your enterprise should retain may include some or all of the following:
- A current copy of your enterprise's written ICP Manual (and Technology Control Plan (TCP), if applicable);
- A current copy of all applicable STC-related laws, regulations and policies;
- The enterprise's written, STC compliance policy statement;
- Any orders that were denied internally, include all details related to the order inquiry and the reason for denial;
- A commodity classification/identification listing for your enterprise’s products (as well as any documentation generated by your compliance personnel or others (e.g. external trade compliance consultants) that contributed to the determination that a specific item or transaction was not subject to licensing requirements);
- Formal advisory opinions regarding commodity classifications provided by your national authorities (if applicable in your country);
- Training log documenting all formal employee training provided on STC-related issues and copies of personnel files;
- Internal review/audit reports of your enterprise’s ICP including recommendations and proposed follow-up or corrective actions; and
- STC checklist documentation and any completed implementation aids.
- Transaction records.
The transaction records your enterprise should retain may include some or all of the following:
- Air waybill, bill of lading, dock receipts, or any other clearance documents;
- Export Declaration;
- Purchase orders;
- Letters of Credit;
- Certificates of Origin;
- Commercial Invoices;
- Pro forma invoices;
- Packing list;
- Contracts;
- Proof of Insurance;
- Financial and accounting records;
- Invitations to bid;
- Memos, notes, minutes, or internal correspondence related to controlled transactions;
- License application forms;
- All supporting documentation accompanying license applications;
- “Red flag checklist” documentation, including screening records;
- Approved licenses involving controlled items;
- Formal license denials issued by the national authorities;
- Records of transactions involving exports conducted under any license exemptions;
- International Import Certificates (IIC) or End User Certificates (EUC) (should include foreign authorizations from foreign customers such as import permits and EUCs);
- Written acceptance of license conditions by the end-user, when a license is required;
- Delivery Verification Certificate (DVC) or similar evidence of delivery;
- Statement by ultimate consignee and purchaser;
- Accompanying attachments, riders, or conditions;
- Application for International Import Certificate;
- Power of attorney or other written authorization for an agent to perform certain specified acts on behalf of the exporter, principal party, or foreign principal party;
- Documentation on route and mode of transport of the controlled goods from your premises to transporters / distributors / brokers / end-user; (including all ports of transit or transshipment);
- All information or documentation transmitted or sent to clients, agents, and distributors related to the strategic trade control requirements associated with a particular item;
- Voluntary self-disclosure (VSD) statements (if applicable in your country);
- Records of electronic transfers involving strategic-related technical data;* and
- Certain communications with foreign nationals.*
*Please refer to the “Industry Sector-Specific Tools” section, “Technology Best Practices” sub-section of the ICP Guide for more information on recordkeeping related to intangible transfers of technology (ITT) and information exchanges involving foreign nationals.
Your enterprise may also consider developing and implementing a system to document all communications with government authorities. Retaining relevant legal interpretations or other guidance/advice (e.g. pre-license commodity classification assistance) provided on STC issues can provide clarity and continuity in performing future compliance functions (commodity classification, transaction screening, etc.), and can assist your enterprise in defending its previous actions and decisions, if necessary.
Copies of all STC-related records should be provided to and maintained by the appropriate empowered compliance official and any inquiries or communications with the national authorities should always be undertaken by your enterprise’s Chief Compliance Officer (CCO).
Task 3: Create and Maintain a Filing System and Record Format
Finally, your enterprise must establish an adequate and effective filing system for STC-related records. An effective record filing system helps to ensure that all STC records are properly captured, protected, retrieved, and shared and enables your enterprise to more easily provide STC-related records to external parties in the event of an audit or inspection. While the nature of the filing system may vary depending upon the size and operations of the enterprise, at a minimum, all enterprises should seek to address the following:
- Decide on the format in which STC-related records are to be maintained
- Your enterprise must determine which specific administrative and transaction records should be maintained in hard-copy and which records should be retained in electronic format. Regardless of the format of the record filing system, original records should always be preserved in the format in which they were created or received. Similarly, all records (whether stored on paper, microfilm, or electronic / digital storage devices) should be capable of being produced (or reproduced, as the case may be) in hard-copy format.
- Strategic trade-related records can be retained in several different formats. Your enterprise may choose to utilize a paper-based, hard-copy/manual filing system; an electronic filing system that relies on a network of software, web or cloud-based systems and computers; or some combination of these recordkeeping methods. Due to the fact that many enterprises face increasing volumes of business data and information, hard-copy methods have become somewhat obsolete and most enterprises now choose to store most of their information and records on computers using electronic storage techniques.
- Define security and safeguard requirements for STC-related records
Enterprises must establish secure, physical and/or electronic storage locations for STC-related records.
- STC-related records in electronic format must also be adequately safeguarded. If your enterprise retains records electronically, access to electronic-based records should be limited and protected by utilizing techniques such as encryption, log-in, password protection and other access controls, as well as cybersecurity defenses on enterprise computers, networks, and servers.
- Your enterprise should develop rules and procedures that govern the disposal of STC-related records (both hard-copy and electronic). The disposal of records should be undertaken in accordance with relevant laws and conducted with care to avoid the inadvertent disclosure of sensitive information. Hard-copy records should be shredded or incinerated. For electronic records, your enterprise should consult with IT specialists to determine the most appropriate course of action. Computer hard drives and other electronic storage devices (scanners, copiers, flash drives, etc.) containing STC-related records should be sanitized / purged prior to sale or disposal. An inventory of all disposed records should be maintained, certifying that the records have been properly destroyed.
- If your enterprise maintains a manual filing system, hard-copy records should be stored in a centralized record depository or off-site record center, at a designated location, that has adequate physical security - so as to prevent these records from being misplaced, destroyed, or stolen. Access to the physical storage site should be monitored and there should be security measures in place that are designed to prevent unauthorized access to your enterprise’s records (e.g. CCTV, badge access controls, locked consoles, doors, and cabinets).
- Establish how STC-related records are linked and integrated with other business records
Your enterprise’s filing system, whether STC-related records are stored electronically or in hard-copy, should be indexed in such a way that records can be expediently accessed from a variety of search fields. The filing system should allow easy matching, for any particular transaction, of invoices, shippers export declarations, delivery notes, air waybills, bills of lading, packing slips, and other transactional records.
- Determine whether and how STC-related records will be integrated with your enterprise’s IT systems
In order to effectively maintain and manage STC-related records, your enterprise must employ an approach that effectively integrates records management and information technology (IT) processes. For many enterprises, IT goes well beyond data management to also include, document management and data warehousing. Your information management system must have sufficient capacity to support effective records management. Electronic records should be easily retrievable and adequately secured as part of your enterprise’s overall information management system. In order to determine the capabilities of your enterprise’s information management systems:
- Determine whether recordkeeping is already a pillar of your Enterprise Resource Planning (ERP) system (if applicable).
- When developing new or enhancing existing IT systems, your enterprise should verify that all relevant electronic records will be retained and the changes in technology will not compromise the integrity or preservation of these records.
- Enterprises must ensure that potential or proposed changes to the enterprise’s operating software or information management systems will not render STC-related records inaccessible, unreadable, or lost.
- Consult with your enterprise’s IT specialists to determine how information and data are currently maintained, managed, and secured within your organization.
- Determine whether your enterprise currently employs an Electronic Document and Records Management System (ERDMS).
- Institute methods to confirm compliance with STC-related recordkeeping requirements
Your enterprise should conduct periodic audits of the recordkeeping system to ensure that all required records are captured and are being stored in full compliance with relevant STC legislation and that records are organized in a logical and traceable sequence that allows for efficient search and retrieval. An audit/internal review of records can enable your enterprise to detect accidental STC violations and will assist with recognizing patterns in customers, products, end-uses, end-users, and destinations - which can lend greater insight into potentially suspicious order inquiries.
- Develop a back-up system for all electronic files
Maintain a back-up system for files that are preserved using electronic storage techniques and implement measures that will assist with the recovery of information and other electronic communications on your enterprise’s computer and information management systems, should there be a failure in the main electronic record storage system.