bmad-plus 0.4.4 → 0.5.0

package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md

@@ -0,0 +1,280 @@
+# EAR Export Compliance Programme, Enforcement, and Special Rules
+
+## Export Compliance Programme (ECP) — BIS Seven Elements
+
+BIS has identified seven elements of an effective Export Compliance Programme. Companies with strong ECPs receive significant penalty mitigation in enforcement actions.
+
+### Element 1 — Management Commitment
+
+- Senior leadership (CEO/CISO/CCO level) must visibly champion export compliance
+- Written, board-approved export compliance policy signed by senior officer
+- Compliance resources: dedicated ECP staff, compliance counsel, budget
+- Export Control Officer (ECO) or Export Compliance Manager designated in writing
+- Annual certification to the board that the ECP is operating effectively
+
+**Best practice:** Quarterly compliance reporting to senior leadership; annual ECP review with documented findings
+
+### Element 2 — Risk Assessment
+
+- Identify all products, software, and technology subject to EAR
+- Classify each item: ECCN or EAR99 (document the classification rationale)
+- Identify all business units, geographies, and transaction types
+- Assess risks: customers in D/E country groups, distributors with high-risk channels, end-use certificates accuracy
+- Maintain a classification database tied to product lifecycle (new products re-classified before launch)
+
+**ECCN classification log fields:** Item description, part number, technical parameters reviewed, ECCN assigned, RFC codes, date of classification, classifier name, review date
+
+### Element 3 — Written Policies and Procedures
+
+- Written, procedure-level guidance for each process that touches exports:
+  - Customer onboarding and restricted party screening
+  - Order acceptance and fulfilment (sales, finance, logistics)
+  - ECCN classification and update trigger
+  - Licence application and management
+  - Employee travel with controlled items/technology
+  - Hiring of foreign nationals (deemed export screening)
+  - Distributor/reseller programme requirements
+- Procedures must address digital transactions (cloud, SaaS, APIs) and source code repositories
+
+### Element 4 — Training and Awareness
+
+- Mandatory training for all employees who may touch controlled transactions: sales, engineering, operations, HR (foreign national hiring), finance, legal
+- Role-based training depth: frontline sales (awareness); ECO/lawyers (deep dive)
+- Annual refresher training with sign-off acknowledgement
+- Training records retained for 5 years
+- Training content must cover: EAR basics, ECCN/EAR99, restricted parties, red flag recognition, deemed exports, reporting obligations
+
+**Topics for engineers and developers:**
+- Deemed exports: sharing controlled source code with foreign national colleagues
+- Cloud platforms and access controls for controlled technology
+- Open-source publication — fundamental research exemption vs. EAR controls on software
+
+### Element 5 — Restricted Party Screening
+
+- Screen **all parties** to every transaction: buyer, end-user, intermediate consignee, freight forwarder, bank, broker
+- Minimum lists to screen against:
+  - BIS Denied Persons List
+  - BIS Entity List
+  - BIS Unverified List
+  - BIS Military End-User (MEU) List
+  - State Department Debarred List (DDTC)
+  - OFAC SDN List
+  - OFAC Consolidated Sanctions List
+- **Consolidated Screening List (CSL):** trade.gov/consolidated-screening-list — single search covers BIS + State + Treasury
+- Screen at time of: quote/order acceptance, before each shipment, and when parties change
+
+**Screening cadence for ongoing relationships:**
+- Re-screen existing distributors and customers at minimum **monthly** (list updates are continuous)
+- Automate screening via ERP integration (SAP GTS, Oracle AGIS, Visual Compliance, Restricted Party Screening tools)
+
+**Handling a match:**
+1. Do not ship or service the order
+2. Escalate to ECO/legal immediately
+3. Determine if the match is a true hit or false positive (similar name, different entity)
+4. If true hit: refuse the transaction; do not tip off the customer (no "tipping off" problem under EAR as severe as OFAC, but standard practice)
+5. Document the match, review, and outcome
+
+### Element 6 — Due Diligence (Know Your Customer)
+
+- Know-Your-Customer (KYC) process for new distributors, resellers, and high-risk end-users
+- For high-risk transactions, obtain:
+  - **End-User Statement (EUS):** Certified statement of intended end-use, end-user identity, and location of end-use
+  - **Importer Safety Zone (ISZ) Statement** for certain dual-use items
+  - **Distributor Management: assurances that downstream sales comply with EAR**
+- Red flag investigation: BIS publishes 15 "red flags" in Supplement 3 to Part 732; document your review and conclusions
+- **Distributors in high-risk territories (D:1 countries):** Site visits, supply chain audits, enhanced due diligence on sub-distributors
+
+### Element 7 — Recordkeeping and Audits
+
+- Retain all export-related records for **5 years** from the date of export (§ 762.6)
+- Records include: orders, invoices, bills of lading, Shipper's Export Declarations, EEI filings, classification records, screening records, licence applications and approvals, end-user statements, licence exception documentation
+- Records accessible to BIS within a **reasonable time** (generally within 5 business days of OEE request)
+- Annual internal ECP audit or review
+- Periodic third-party ECP assessment recommended for high-volume or high-risk exporters
+
+---
+
+## Enforcement Regime
+
+### Office of Export Enforcement (OEE)
+
+BIS's enforcement arm investigates violations through:
+- **Special Agents** conducting criminal investigations
+- **End-Use Checks (EUC):** Pre-licence checks (PLC) and post-shipment verifications (PSV) conducted by US Commercial Service officers and BIS agents overseas
+- **Administrative investigations** by the Office of Chief Counsel (OCC)
+
+### Civil Penalties (§ 764.3, Part 766)
+
+| Violation Type | Maximum Penalty |
+|---------------|----------------|
+| Per civil violation | Greater of $374,474 per violation (adjusted annually for inflation) OR **2× the value of the transaction** |
+| Egregious violations | Higher penalties; may approach statutory maximum |
+| Denial of export privileges | Temporary or permanent denial of all export privileges |
+
+**Penalty determination factors (Part 766, Supplement 1):**
+- Willfulness (did the violator know it was a violation?)
+- Nature of the item (weapons-relevant, dual-use, EAR99)
+- Harm to US national security or foreign policy interests
+- Compliance programme quality (strong ECP = significant mitigation)
+- Remedial action taken
+- Cooperation with OEE
+
+**Base penalty matrix** (post-September 2024 rule change):
+- BIS removed caps that previously limited penalties below statutory maximums
+- Penalties now more directly reflect transaction value, particularly for egregious cases
+- Multiple violations per shipment (wrong ECCN, wrong destination, wrong exception = 3 violations from 1 shipment)
+
+### Criminal Penalties (§ 764.2)
+
+Willful violations of the EAR may be referred to the Department of Justice for criminal prosecution:
+- **Individuals:** Up to **20 years** imprisonment + fines up to $1 million per violation
+- **Corporations:** Fines up to $1 million per violation (per count)
+- Criminal cases are reserved for deliberate, knowing, or willful violations — particularly those involving proliferation, sanctions evasion, or schemes to evade Entity List restrictions
+
+### Export Denial Orders (EDOs)
+
+BIS issues Export Denial Orders (EDOs) against individuals and companies found to have violated the EAR:
+- EDOs are published in the Federal Register and placed on the Denied Persons List
+- Third parties are prohibited from participating in any transaction involving a denied person
+- Scope: US persons everywhere in the world; any person regarding items subject to EAR
+
+---
+
+## Voluntary Self-Disclosure (VSD) Process (§ 764.5)
+
+### What is a VSD?
+
+A Voluntary Self-Disclosure (VSD) is a self-initiated notification to OEE of an **apparent violation** of the EAR, license conditions, or orders. BIS strongly encourages VSDs.
+
+### When to File
+
+File a VSD when you discover:
+- Items shipped without a required licence
+- Items shipped to an Entity List, Denied Persons List, or Unverified List party
+- Incorrect ECCN used that resulted in an unlicensed shipment
+- SNAP-R licence conditions violated
+- Prohibited end-use found post-shipment
+
+### VSD Process
+
+1. **Preliminary Inquiry (PI):** Review the facts; if a likely violation is found, stop any ongoing transactions
+2. **Initial Notification:** File a brief initial notification to OEE (letter or email) — as soon as a likely violation is discovered; preserves the VSD date
+3. **Full VSD Submission (within 180 days of initial notification):** Complete written VSD including:
+   - Detailed narrative of the facts
+   - All transactions identified (shipper, consignee, item, ECCN, value, date, exception claimed)
+   - Root cause analysis
+   - Remedial actions already taken
+   - Proposed corrective actions
+4. **OEE Review:** May request additional information; may conduct End-Use Checks
+5. **Resolution:** Warning Letter, No-Action Letter, or administrative penalty with significant reduction for VSD
+
+### VSD Penalty Mitigation
+
+- VSD is considered a **strong mitigating factor** under the 2024 revised penalty guidelines
+- Deliberate decision **not to disclose** significant apparent violations is an **aggravating factor**
+- Combined with robust ECP, remediation, and full cooperation → may result in warning letter only for non-egregious cases
+
+---
+
+## Foreign Direct Product Rule (FDPR) — Deep Dive
+
+### General FDPR (§ 736.2(b)(3))
+
+Foreign-made items are subject to EAR if they are the **direct product** of US-origin technology or software that is controlled for NS or CB reasons AND the foreign item is to be shipped to a Country Group D:1 or E:1/E:2 country.
+
+**Test:** Two-prong test:
+1. **Technology/software prong:** Was the item produced using US-origin technology or software controlled for NS or CB reasons under the CCL?
+2. **Destination prong:** Is the item destined for a D:1 or E:1/E:2 country?
+
+### Entity List FDPR (2020 — Huawei Rule)
+
+Extended the FDPR to capture foreign-made items when:
+1. The foreign item is produced using equipment or technology that is the direct product of **specific US technology/software** (tooling, wafer fab equipment under 3B001/3B002)
+2. AND the item is destined for a party on the Entity List
+
+Designed to prevent circumvention of Entity List restrictions through foreign-chip supply chains.
+
+### Advanced Computing FDPR (October 2022 / October 2023)
+
+Captures items produced with US wafer fabrication equipment destined for:
+- China or Macau for use in advanced computing applications above threshold
+- Any Entity List party
+
+### Russia/Belarus FDPR (March 2022)
+
+Captures virtually all items produced anywhere with **any** US technology, software, or equipment, destined for Russia or Belarus — with extremely limited exceptions.
+
+---
+
+## Deemed Export Rules — Compliance Programme Implications
+
+### What Constitutes a Deemed Export
+
+Under § 734.13, the **release** of controlled technology or software to a **foreign national** in the US is a deemed export to their home country. "Release" includes:
+- Visual inspection of controlled hardware
+- Providing access to controlled equipment
+- Oral, written, or electronic transmission of controlled technical data
+- Demonstration of controlled software
+
+### Nationality Rule
+
+BIS applies the **"most restrictive" nationality rule** for dual nationals or persons with multiple citizenships:
+- Apply the nationality that requires the most restrictive licensing treatment
+- Example: A Chinese/Canadian dual national in the US is treated as a Chinese national for deemed export licensing purposes
+
+### Practical Compliance Steps
+
+1. **HR Screening:** When hiring foreign nationals for roles touching controlled technology, conduct pre-employment deemed export screening
+2. **Classification Review:** Determine which technologies the employee will access; classify each
+3. **Access Controls:** Limit access to controlled technology to employees with appropriate authorizations
+4. **Deemed Export Licence Applications:** For employees who need access to NS-controlled technology from D:1 countries, apply for a deemed export licence via SNAP-R
+5. **Source Code Repositories:** Restrict access to controlled source code on GitHub/GitLab/Bitbucket using role-based access; foreign nationals from D:1 countries require deemed export licences or exception applicability review
+6. **Cloud and SaaS Environments:** Access to controlled technology via cloud platforms can constitute a deemed export; apply IP controls, authentication, and access auditing
+
+---
+
+## SNAP-R — Licensing Portal Guidance
+
+**URL:** snap-r.bis.doc.gov (requires free BIS account)
+
+**Forms filed through SNAP-R:**
+- BIS-748P: Multipurpose Application Form (export licence, CCATS, Advisory Opinion)
+- BIS-748P-A: Supplement for encryption review notifications (ENC exception)
+- BIS-748P-B: Supplement for end-user statement attachments
+- BIS-711: Statement by Ultimate Consignee and Purchaser
+
+**SNAP-R Best Practices:**
+- Submit complete applications — missing technical data is the #1 cause of delay
+- Include end-use statements and supporting technical documentation proactively
+- Track licence expiration dates and re-apply at least 60 days before expiry
+- For time-sensitive transactions: contact the relevant BIS division directly after submission
+- Use the "Licensing at a Glance" tool on bis.gov to estimate processing times by category
+
+---
+
+## EAR Recordkeeping Quick Reference
+
+| Document Type | Retention Period | Format |
+|---------------|-----------------|--------|
+| Commercial invoices, purchase orders | 5 years from export date | Any readable format |
+| Bills of lading, air waybills | 5 years | Any |
+| EEI/AES filings | 5 years | Any |
+| Licence applications and approvals | 5 years from expiry/completion | Any |
+| Licence exception documentation | 5 years from export | Any |
+| Restricted party screening records | 5 years | Recommended: dated screenshots |
+| End-user statements and certifications | 5 years | Any |
+| ECCN classification records | 5 years from last export of item | Any |
+| VSD submissions and correspondence | Permanently | Any |
+
+---
+
+## Compliance Programme Maturity Assessment
+
+| Level | Characteristics |
+|-------|----------------|
+| **Basic** | Written policy exists; some screening; training ad hoc; no formal audit |
+| **Developing** | Formal ECCN classification; screening tool in place; annual training; no automated integration |
+| **Proficient** | ERP-integrated screening; annual audits; full classification database; documented due diligence |
+| **Advanced** | Real-time automated screening; ECCN lifecycle management; pre-shipment compliance review; regular third-party assessments; VSD process documented |
+
+BIS rewards **Advanced** programmes with maximum penalty mitigation; **Basic** programmes may receive minimal credit even for VSDs.

package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md

@@ -0,0 +1,207 @@
+# EAR License Exceptions — Complete Reference (15 CFR Part 740)
+
+## How License Exceptions Work
+
+A license exception is an authorization in the EAR that allows you to export, reexport, or transfer (in-country) items subject to the EAR **without a license** when the conditions of the exception are met. Using a license exception:
+- Certifies that all terms and conditions of the exception have been met
+- Does **not** apply when: (a) BIS has issued a denial order, (b) the destination is embargoed, (c) a WMD end-use is involved, (d) the party is on the Entity List (unless the exception is expressly permitted)
+
+**Global restrictions on all license exceptions (§ 740.2):**
+- Cannot be used to supply weapons of mass destruction programmes
+- Cannot be used by or to Denied Persons List parties
+- Cannot be used for prohibited end-uses under Part 744
+- Cannot override UN Security Council arms embargoes (Part 746)
+
+---
+
+## List-Based License Exceptions
+
+These exceptions are only available when the CCL entry for the specific ECCN expressly authorizes them. Check the CCL entry column "License Exceptions" to see which are available.
+
+### LVS — Shipments of Limited Value (§ 740.3)
+
+**Scope:** Low-value shipments of eligible commodities and software  
+**Condition:** The value of the shipment must not exceed the per-shipment dollar threshold listed in the ECCN entry (typically $500–$5,000 depending on ECCN)  
+**Restrictions:**
+- Not available for items requiring review for nuclear, missile, chemical/biological, or crime control reasons
+- Not available for exports to Country Groups D or E
+- Aggregate annual reporting requirement for some items (§ 743.1)  
+**Recordkeeping:** Retain documentation of the value and ECCN for 5 years  
+**Tip:** The LVS threshold is per-shipment, not per-year. Cannot split shipments to stay under threshold.
+
+---
+
+### GBS — Group B Shipments (§ 740.4)
+
+**Scope:** Items controlled **for national security (NS) reasons only** exported to Country Group B countries  
+**Key identifier:** The CCL entry must say "GBS—Yes" in the License Exceptions column  
+**Conditions:**
+- Destination must be Country Group B (listed in Supplement 1, Part 740)
+- Only applies when NS is the **sole** reason for control — if CB, MT, NP, or other reasons also apply, GBS is unavailable
+- Item cannot be destined for a prohibited end-use or restricted party  
+**Common uses:** Dual-use electronics, test equipment, and materials destined for commercial use in allied countries
+
+---
+
+### CIV — Civil End-Users (§ 740.5)
+
+**Scope:** NS-only controlled items exported for **civil end-use** to Country Group D:1 countries  
+**Key identifier:** CCL entry must say "CIV—Yes"  
+**Conditions:**
+- End-use must be strictly civil (not military, intelligence, or security services)
+- Exporter must obtain a **written end-user/end-use statement** from the buyer certifying civil use
+- Enhanced due diligence required — actual knowledge or reason to know of military diversion triggers denial  
+**High-risk alert:** China and Russia are Country Group D:1; this exception is narrow and heavily scrutinised by BIS
+
+---
+
+### APP — Adjusted Peak Performance Computers (§ 740.7)
+
+**Scope:** Certain computer items (ECCN 4A003) at specified performance levels  
+**Conditions:** Performance (APP, measured in TP) must not exceed the thresholds set in the CCL entry for the destination country group  
+**Tiered thresholds:** APP thresholds differ for Country Groups A, B, and D destinations  
+**Not available for:** Embargoed countries or military end-users
+
+---
+
+### TSR — Technology and Software under Restriction (§ 740.6)
+
+**Scope:** Technology and software controlled **for NS reasons only** to Country Group B  
+**Key identifier:** CCL entry must say "TSR—Yes"  
+**Conditions:**
+- Destination is Country Group B
+- Item is technology or software (Product Group D or E)
+- NS is the sole RFC  
+**Common uses:** Exporting software documentation, operating manuals, or technical data to allies/partners in Country Group B
+
+---
+
+## Non-List-Based License Exceptions
+
+These exceptions authorize exports **regardless** of whether the CCL entry lists them. They override the CCL for specific categories of transactions.
+
+---
+
+### TMP — Temporary Imports/Exports (§ 740.9)
+
+**Scope:** Items exported temporarily from the US and returned without transfer of title or ownership  
+**Conditions:**
+- Item must be returned to the US within **12 months** (or the period specified by BIS)
+- No permanent transfer of the item to the foreign consignee
+- Cannot be used for embargoed countries or restricted parties
+- Covers: trade show demonstrations, testing abroad, tools/equipment used on a project  
+**Documentation required:** Statement that the item is being exported temporarily and will return; must track item and maintain records  
+**Common uses:** R&D equipment for offshore testing, display units at international trade fairs, laptops/equipment carried by travelling employees
+
+---
+
+### RPL — Servicing and Replacement Parts (§ 740.10)
+
+**Scope:** Replacement parts, components, and assemblies for items previously legally exported  
+**Conditions:**
+- Original export must have been licensed or authorized
+- One-for-one replacement — the old part must be returned or certified as destroyed
+- Cannot be used for embargoed countries or denied parties
+- Not available for items with proliferation controls (CB, MT, NP) without checking CCL  
+**Common uses:** Exporting replacement circuit boards or components to repair previously exported equipment
+
+---
+
+### GOV — Governments (§ 740.11)
+
+**Scope:** Exports to US government agencies, cooperating governments, and certain international organisations  
+**Four paragraphs:**
+- **(a)** Exports for US government agencies (military, intelligence, diplomatic) — broad coverage
+- **(b)** Exports to cooperating governments for legitimate government use — requires government-to-government verification
+- **(c)** Exports for international inspections (Chemical Weapons Convention verification missions)
+- **(d)** Exports for the International Space Station programme  
+**Restrictions:** Must verify the end-user is an actual government entity; diversion to commercial entities voids the exception  
+**High-value exception:** Frequently used by defence contractors and government-facing technology suppliers
+
+---
+
+### TSU — Technology and Software Unrestricted (§ 740.13)
+
+**Scope:** Publicly available technology and software  
+**Three paragraphs:**
+- **(a) Mass-market software:** Software available to anyone without restriction (retail/internet)
+- **(b) Publicly available technology:** Information in the public domain — published research, textbooks, technical manuals freely available
+- **(c) Pre-release software:** Beta/evaluation software distributed to developers for feedback  
+**Key rule:** The **fundamental research exclusion** (§ 734.8) removes most university research from EAR jurisdiction entirely — TSU covers the remainder  
+**Important:** Technology that is NOT publicly available cannot use TSU, even if widely shared within a company
+
+---
+
+### ENC — Encryption Items (§ 740.17)
+
+**Scope:** Encryption commodities, software, and technology (primarily ECCN 5E002 and 5D002)  
+**Structure:** Three tiers based on encryption strength and market availability:
+- **Tier 1 (§ 740.17(a)):** Mass market encryption (AES-256, standard protocols) — eligible after one-time BIS notification; reexportable to most Country Group B
+- **Tier 2 (§ 740.17(b)(1)):** Source code for mass-market products — one-time BIS notification
+- **Tier 3 (§ 740.17(b)(3)):** Non-standard or proprietary encryption — annual self-classification report  
+**Prior notification required:** File Form BIS-748P-A via SNAP-R before first use  
+**NOT available for:** Cuba, North Korea, Iran, Syria (E:1 countries) for most encryption items  
+**Common uses:** Exporting commercial VPN software, SSL/TLS libraries, encrypted mobile apps, and security products
+
+---
+
+### BAG — Baggage (§ 740.14)
+
+**Scope:** Personal items in traveller's baggage or household effects  
+**Conditions:**
+- Items must be for personal use, not for resale or transfer
+- Computer performance limitations apply (laptops within APP thresholds)
+- Personal defence items (shotguns, ammunition) have specific limitations
+- Not available for embargoed countries  
+**Practical note:** Employees travelling with company laptops containing controlled technical data should confirm the laptop falls within BAG conditions; country-specific controls may still apply
+
+---
+
+### AVS — Aircraft and Vessels (§ 740.15)
+
+**Scope:** Items exported on aircraft or vessels of non-US registry for use on that aircraft or vessel  
+**Conditions:**
+- Items must be for use aboard the aircraft or vessel (fuel, spare parts, equipment)
+- The vessel/aircraft must be legal and not destined for prohibited parties
+- Specific rules apply for aircraft flying into embargoed country airspace  
+**Common uses:** Aviation parts, marine equipment, aircraft repair kits exported on the vessel they will service
+
+---
+
+### ACE — Additional Permissive Reexports (§ 740.16)
+
+**Scope:** Reexports of certain controlled items from Country Group A or B countries  
+**Conditions:** The original export from the US must have been authorized; subsequent reexports within specified country groups may use ACE  
+**Limitation:** Only available for items with NS or AT controls; not for items with proliferation controls
+
+---
+
+### GFT — Gift Parcels (§ 740.12)
+
+**Scope:** Gifts sent by individual US citizens/residents to individuals in embargoed countries  
+**Conditions:** Strict value and content limits; not for commercial shipments; recipient must be an individual (not an entity)  
+**Primarily used for:** Cuba — specific limits on food, medicine, personal items
+
+---
+
+## License Exception Recordkeeping (§ 762.2)
+
+When using any license exception, retain:
+1. The invoice or order showing the ECCN, description, and value
+2. The license exception symbol used (e.g., "LVS", "ENC")
+3. Any required end-user statement or certification
+4. EEI filing (if required under § 758.1)
+5. Denied party screening records and date of screening
+
+Retention period: **5 years** from date of export (§ 762.6)
+
+---
+
+## AES/EEI Filing Requirements (Part 758)
+
+Electronic Export Information (EEI) filing via AES (Automated Export System) is required when:
+- The value of the shipment exceeds **$2,500** per Schedule B number and the destination is outside Canada
+- A BIS license is used (always file regardless of value)
+- Certain license exceptions require filing (check § 758.1 and the specific exception)
+
+Cite the license exception symbol or license number in the EEI filing under the license code field.