RTX Settles Huge Export Controls Mess
Anyone looking for a complicated case study in export controls compliance, turn your eyes to RTX Corp. The defense contracting giant just agreed to pay $200 million and overhaul its export compliance function, to settle charges that the company improperly sent classified defense goods to foreign countries and allowed employees to bring along sensitive information while traveling overseas.
Compliance officers have a lot to unpack here. Broadly speaking, the misconduct fell into two categories. First, RTX and its predecessor companies (since a lot of this has to do with misconduct inherited from acquisition targets) failed to track certain defense goods properly, so those items were sent overseas to China and elsewhere when they shouldn’t have been exported at all. Second, RTX employees also had a bad habit of taking company-issued laptops and other personal equipment abroad, and then exposing sensitive data on that equipment to insecure networks in Russia and elsewhere.
The good news is that RTX did voluntarily self-disclose its misconduct, and then fully cooperated in an ensuing investigation by the State Department. The bad news is simply that there was a lot of misconduct here, stretching back years — and RTX and its predecessor companies had prior run-ins with regulators over poor export control practices. So as we examine the details of the case, you’re gonna wince.
Anyway, RTX and the State Department announced their settlement last week. RTX agreed to pay $200 million in penalties, but $100 million of that sum will be suspended so long as RTX spends the money on compliance improvements instead. RTX also agreed to a three-year consent decree, during which time the company will employ a “special compliance officer” to oversee a soup-to-nuts transformation of the export compliance program.
There’s a lot to cover, so today let’s start with the actual offenses. In future posts we’ll take a closer look at the remediation efforts RTX needs to take.
An Inherited History of Misconduct
RTX is the result of several defense contractor mergers over the years. Most recently, in 2020 Raytheon and United Technologies Corp. merged to form RTX as it exists today. Prior to that, however, United Technologies acquired Rockwell Collins in 2018, and rebranded that business as Collins Aerospace.
The history is important because, as described in the State Department’s charging letter, a majority of the violations resulted from “historical systemic failures” in Rockwell Collins’ export control compliance program. So right away we know that pre-acquisition due diligence will be one lesson from this analysis, although we have more ground to cover before we get there. Plus, the charging letter also stressed that “all of [RTX]’s affiliates committed a substantial number of violations.” Ouch.
Anyway, the misconduct from Rockwell Collins goes back at least to 2014. The misconduct stemmed from the company’s poor understanding of ITAR, the State Department’s (admittedly convoluted) rule for classifying and categorizing certain defense products. That led Rockwell employees to misunderstand which goods or technical data could be shipped overseas. So for example, Rockwell decided to outsource assembly of jet fighter components to China, and sent its Chinese suppliers technical information they were not allowed to see. Rockwell didn’t inform the Defense Department about the Chinese-supplied defense equipment until months or years later.
What’s interesting here is that Rockwell seems to have suffered systemic failures of export control compliance — meaning, the company misunderstood what its compliance obligations were, so the program it built was both insufficient and misfocused. For example, the State Department said Rockwell had “systemic failures to establish proper jurisdiction and classification of defense articles within certain operating divisions.”
Even worse…
In multiple cases, [RTX] acknowledged that it failed to keep complete records related to the disclosed violations… This occurred because Respondent had incorrectly established that the relevant defense articles were controlled under the Export Administration Regulations (EAR), thus potentially resulting in additional undisclosed ITAR violations. The majority of these voluntary disclosures and violations arose out of jurisdiction and classification errors made by Rockwell Collins prior to its acquisition by UTC.
In other words, Rockwell’s export control compliance program was focused on the wrong regulation. Defense-related items are governed by ITAR, enforced by the State Department. Rockwell assumed its items were governed by the Export Administration Regulations, which are rules for commercial (rather than military) goods, and are enforced by the Commerce Department.
Pause here for a moment to wonder, “Why didn’t United Technologies catch that during pre-acquisition due diligence?”
Other Violations in Other Divisions
UTC, Raytheon, and the combined RTX all had their own issues too. For example, Raytheon exported numerous components and technical data to friendly countries such as Canada, Japan, Mexico, Singapore, Sweden, and elsewhere. That’s not as bad as sending items to China, but it ain’t good either. The State Department said those errors arose from Raytheon misapplying ITAR rules and not providing enough guidance to Raytheon hardware engineers performing classification assessments.
The charging letter also documented numerous instances of employees taking company-issued laptops on personal trips overseas and exposing protected technical data to insecure networks.
For example, one employee took his laptop on two personal trips to Lebanon (“a proscribed destination”) in 2020 and 2021. Employees traveling overseas with sensitive data were supposed to submit a request to Raytheon’s export management system. Both times, however, this employee omitted Lebanon from his itinerary before he left; and then upon his return amended his travel itinerary and identified the country first as “Luban” (an Arabic version of “Lebanon”) or “Liban” (a French spelling). The compliance team “failed to identify and escalate the deviation for investigation,” the charging letter said.
In another incident, an employee in 2021 took his work laptop on a personal trip to St. Petersburg in Russia. RTX’s cybersecurity team back home did receive an alert about a possible breach, but dismissed it because the company was in the midst of adopting a new cybersecurity tool and “experienced a temporary increase in false positive geolocation alerts.” The employee didn’t have his access blocked for another nine days.
So for the cybersecurity stuff, we can flag issues such as poor employee training, poor IT risk management, and poor cybersecurity controls, all adding up to multiple instances of sensitive defense data sitting on insecure IT networks in adversary countries.
Previous History of Compliance Trouble
To make matters worse, both Raytheon and UTC also had prior charging letters from the State Department in the early 2010s, identifying numerous serious compliance program shortcomings in each business.
Let’s start with Raytheon. In 2013 the State Department issued a charging letter flagging several systemic issues that should raise the eyebrows of any self-respecting compliance professional. For example, regulators found “a corporate-wide weakness in … investigating and correcting errors that require[d] immediate, comprehensive, effective remedial action across [Raytheon’s] many operating units and subsidiaries.” Worse, regulators also found instances wherein Raytheon had implemented corrective actions for one business unit, “but did not prescribe corrective actions for other business units that may have similar pervasive issues.”
United Technologies received a charging letter in 2012 that faulted the business for failing to “establish jurisdiction” over defense goods and technical data, which is essentially the same offense that Rockwell Collins was making when UTC acquired Rockwell six years later. So again, how did UTC miss that bad compliance practice during due diligence, when UTC itself had been faulted for the same error?
That 2012 charging letter also cited UTC for failing to exercise internal controls over technical data, and noted that UTC subsidiaries “repeatedly discovered and disclosed violations to the Department, in some cases finding that reported remedial measures failed to prevent or detect additional similar violations.” Which raises questions about control monitoring, testing, and remediation.
In other words, we have a long history of compliance failures here, spanning multiple corporations and multiple issues. Worse, the violations stem from systemic weaknesses in the compliance programs; and so the various companies involved just couldn’t stop making mistakes.
So what does RTX need to do now to fix this mess? We’ll explore that in a post later this week.