RTX, Part II: The Compliance Reforms
Today we continue our look at that RTX Corp. export controls settlement announced last week, since we barely scratched the surface of the remediation measures RTX agreed to undertake. From dedicated compliance leaders to dedicated compliance spending, there’s lots more to review here.
If you missed our previous post on the case, the summary is as follows. Last week RTX Corp., one of the defense contractors in the United States, agreed to pay $200 million to settle charges that the company had improperly sent classified defense goods to foreign countries and allowed employees to bring along sensitive information while traveling overseas.
Our first post outlined the history of the misconduct, which traced back to three predecessor companies (Rockwell Collins, United Technologies, and Raytheon) in the 2010s that had failed to understand which sensitive technologies could or couldn’t be shared with overseas business partners. By 2020 those three companies had all been rolled into the blandly named RTX Corp., and violations kept happening as recently as 2023.
All of this led to last week’s settlement with the State Department, which oversees export control rules for military technologies. RTX agreed to pay $200 million in penalties, but $100 million of that sum is suspended so long as RTX spends the money on compliance improvements instead. RTX also agreed to a three-year consent decree and to hire a “special compliance officer” who will oversee a soup-to-nuts transformation of the export compliance program.
OK, that’s the backstory. Now let’s take a look at exactly what this special compliance officer is supposed to do.
Enter the Special Compliance Officer
Most notably, RTX must hire a “special compliance officer” — seriously, that’s the phrase used in the consent agreement — who will oversee export control compliance for RTX during the three-year term of the consent decree. This person will be responsible for a hurry-up review and revitalization of RTX’s export control program within nine months.
Finding that special compliance officer looks like it will be no easy task. By the end of this month, RTX must propose three candidates to the Office of Defense Trade Controls Compliance (DTCC, the specific State Department agency that manages export control issues), and the head of the DTCC will then make a final choice. The candidate must also be an outsider, who hasn’t worked for RTX or its predecessor companies for the previous five years.
Moreover, once hired, the special compliance officer must remain on the job for at least two years; only then can RTX petition to switch to an internal candidate (aptly known as “the internal special compliance officer”) if that’s something RTX wants to do.
It gets better. The special compliance officer is supposed to report directly to RTX’s CEO, although the language does include “or the CEO’s designee” so this person could still be shipped off to report to the general counsel or a chief compliance officer. At the same time, however, the special compliance officer “shall perform his or her duties in consultation with the DTCC” and “may, at his or her sole discretion, present any export compliance-related issue directly to either or both” the CEO (or the designee) and the DTCC.
In other words, this arrangement sounds like something between a compliance officer and a compliance monitor. In fact, it most sounds like those “independent compliance consultants” we read about with SEC enforcement actions over employee messaging apps: someone who technically does work for the company, but who also has wide latitude to overhaul the compliance program as he or she sees fit — and to communicate directly with regulators as they deem necessary. The consent order even says RTX “shall take no action to interfere with or impede the ability of” the special compliance officer to monitor the company’s compliance with the order and to implement its provisions.
Compliance Program Reforms
So what will this special compliance officer do once hired? The consent decree had lots to say about that, too. The compliance officer “must personally and thoroughly oversee” improvement in three principal areas:
- Policies and procedures to assure that ITAR-controlled technical data (that is, the sensitive stuff we don’t want adversaries to see) is correctly identified and protected. For example, that will include screening and controlling people who shouldn’t have access to such data, and policies and procedures for international travel with data subject to ITAR restrictions.
- Reporting, every six months, to both the RTX chief executive and to the DTCC, about the state of the company’s compliance with the consent decree.
- Integrating ITAR compliance into RTX’s management plans, such as by tracking that $100 million in compliance spending RTX is supposed to make over the next three years and otherwise monitoring the specific program improvements RTX needs to make.
The special compliance officer will need to move on all this stuff double-quick, too. The DTCC expects all new policies and procedures to be implemented within nine months (that is, by June 2025). By the end of the first year (that is, September 2025), the compliance officer must have completed all necessary training on ITAR compliance for relevant employees; and “all persons responsible for supervising those employees, including senior managers of those units, are knowledgeable about the underlying policies and principles” of export control compliance. The compliance officer will need to provide complete records of all that training to DTCC, too.
There’s still more. RTX must implement an enterprise-wide automated export compliance system, and provide progress reports every six months until that system is installed. It must undertake a detailed classification review so people understand exactly which products are subject to ITAR restrictions, and perform at least one audit sometime in the next three years. (Again, RTX must provide several plausible candidate auditors to DTCC, which will make the final decision.)
Finally, for that $100 million RTX must spend — the company must also provide an itemized accounting of that spending, certified by the CFO, every year. The accounting report “must show specifics of how money was used to strengthen compliance within the terms of the consent agreement,” the settlement added.
In short, this is an exhaustive list of compliance undertakings that RTX has promised to make, starting with the hiring of a quasi-compliance monitor who will then oversee all the other undertakings. And RTX will literally need to show the receipts to back up whatever claims of progress it makes.