Bobadilla v. Export Control
You remember Legends of the Hidden Temple. The whole premise was that you couldn’t run up the crag until you’d assembled all the puzzle pieces. Export controls work the same way. You’ve got to get the pieces together before you move, and most founders are trying to run up the crag with half of them missing.
Most founders hear “export controls” and do one of two things. They assume it doesn’t apply to them, or they assume it’s so complicated that touching it will make everything worse. Both of those assumptions have a price tag.
This one isn’t as hard as it looks. It just requires the right pieces.
What Export Controls Actually Are
The Export Administration Regulations and the International Traffic in Arms Regulations, EAR and ITAR, are the two primary frameworks governing what can leave the country, where it can go, who can receive it, and what it can be used for. They apply to products, technology, software, and services. They apply to physical exports and to things transmitted electronically. They’re enforced by federal agencies with real teeth.
The central question is simple: do you need a license to export this thing, or don’t you?
If you do, you need to do everything by the book. If you don’t, you need to know exactly why you don’t and be able to explain it clearly if anyone ever asks. “We didn’t think it applied to us” isn’t an explanation. It’s an invitation to a much more uncomfortable conversation.
The Four Pieces You Need
To know whether you need a license, you need to know four things about every transaction.
What it is. Every product, technology, or piece of software has a classification, a code or number that tells you where it sits in the regulatory framework. This is your starting point. You can’t answer any of the other questions without it.
Where it’s going. Is this actually an export? Who has access to the technology, including foreign nationals inside the U.S., matters here too.
What it’s for. End use determines a lot. The same product can have different compliance requirements depending on whether it’s going into a commercial manufacturing line or something else entirely.
Who it’s going to. Know your customer rules exist for a reason. If something feels off about a transaction, a customer, or a request, you stop and ask more questions. That instinct isn’t paranoia. It’s the program working.
When you’ve got all four pieces, the puzzle comes together. When you’re missing one, you’re running up the crag blind.
The Square Peg Problem
I’ve watched companies build export compliance programs that worked fine for who they were at the time, the expertise they had access to, the questions they thought to ask. They built a program around those questions instead of the actual shape of their business.
So the program didn’t fit. They carried that mismatch for years. It was cheaper than stopping to fix it, until it wasn’t. It took major dollar signs and the very real threat of enforcement before anyone was willing to invest in building something that actually matched the company they’d become.
You can force the square peg for a long time. The hole doesn’t change shape.
What the Program Actually Looks Like
Once you know where your business fits in the framework, the program is more formulaic than people expect. The anxiety comes from not knowing where you fit, not from the framework itself.
A real program has a few core components. Documented classifications for your products and services. A policy and someone officially in charge of it. Automatic customer and third party screening tied to your accounting software, with alerts if a listed party or address shows up. Some level of transactional review. A requirements and controls inventory that makes it easy to show your work.
That last part matters more than most people realize. The most common compliance failure I see isn’t that someone did something wrong. It’s that they can’t prove they did it right. Inadequate documentation is how a company that was actually following the rules ends up in a very expensive conversation about whether they were.
A well-built program is easy to audit and easy to defend. It’s also, after implementation, usually cheaper than the patchwork it replaced.
Who Needs To Be Thinking About This
If exporting is part of how you generate revenue, you need a program. Not eventually. Now. You’d hate to make all that money just to give it right back.
If you’re not exporting yet but want to be global, this is your entry point. Understanding your classification and your framework before you start crossing borders is significantly less expensive than figuring it out after something goes wrong.
If you’re not going global yet, the next areas worth your attention are contracts and third party risk management, or employment. Those are different pieces of the same puzzle. The habit of knowing where your business fits in a regulatory framework, and being able to show your work, applies to all of them.
The Hard Part
The hard part of export controls isn’t the day-to-day program once it’s built. It’s the initial determination. Knowing what your classification is, understanding your end use exposure, building the framework around the actual shape of your business rather than the questions you thought to ask.
That’s the part you don’t have to figure out alone.
- m
Morgan Bobadilla, Esq. is the founder of Understory Advising PLLC. She spent over a decade as an in-house General Counsel and Director across aerospace, defense, manufacturing, banking, and staffing, building deep expertise in commercial contracts, regulatory compliance, export controls, employment law, and enterprise risk. She now brings that experience directly to founder-led businesses through retainer and flat-fee engagements.
