The U.S. State Department’s Directorate of Defense Trade Controls (DDTC) recently imposed a $36 million penalty on General Electric (GE) for widespread violations of the International Traffic in Arms Regulations (ITAR). The enforcement action highlights persistent compliance failures across multiple dimensions — including technical data exports, licensing errors, and internal control breakdowns — and serves as a critical reminder of the risks companies face in managing export-controlled information.

Scope and Nature of the Violations

According to DDTC, GE committed 116 ITAR violations between 2018 and 2024, many involving the unauthorized export of highly sensitive technical data related to military aircraft engines.

The most concerning violations included:

• Unauthorized export of technical data to China, including information related to F-35, F110, F118, and F414 military engines
• Improper handling of export licenses and confusion between ITAR and Export Administration Regulations (EAR)
• Failure to control transshipment routes, allowing ITAR-controlled data to pass through restricted jurisdictions
• Misclassification of controlled items and misuse of license exemptions
• Failure to update internal procedures and report required changes to DDTC registration

These failures were not isolated incidents — they reflected systemic weaknesses in GE’s export compliance program.

Human Error and Training Failures

A striking aspect of the enforcement action is the role of employee misunderstanding. In one case, an employee incorrectly selected a Commerce Department license for ITAR-controlled data, demonstrating a fundamental failure to distinguish between ITAR and EAR regimes.

In another incident, an employee traveled to China with a laptop containing sensitive technical data and left it unattended at a university — exposing controlled information to potential unauthorized access.

These examples underscore a core lesson:
Export compliance failures are often driven by inadequate training and weak internal controls — not just intentional misconduct.

Breakdowns in Systems and Procedures

DDTC also cited GE for:

• Outdated procedures that had not been revised in over a decade
• Lack of automated compliance systems
• Inadequate oversight of freight forwarders and shipping routes
• Weak governance over licensing provisos and sublicensing arrangements

Notably, GE failed to configure its logistics systems to prevent ITAR-controlled shipments from transiting through restricted countries like China — a basic compliance expectation in today’s risk environment.

National Security Implications

DDTC emphasized that the violations caused harm to U.S. national security, as the exported data provided foreign parties with insights into the design, manufacturing, and testing of advanced military engines.

This reinforces the broader point:
Export controls are not merely regulatory obligations — they are national security safeguards.

Resolution and Remediation Requirements

Under the consent agreement:

• GE will pay a $36 million penalty, with $18 million suspended if it invests in compliance improvements
• The company must:
  • Implement an automated export compliance system
  • Conduct comprehensive classification reviews
  • Hire a DDTC-approved compliance officer
  • Engage an independent auditor
  • Strengthen internal controls and governance

DDTC declined to impose debarment due to GE’s voluntary disclosure, cooperation, and remedial efforts.

Key Compliance Takeaways

This enforcement action offers several important lessons for companies operating in regulated industries:

1. Distinguish ITAR vs. EAR — Clearly and Consistently

Confusion between regulatory regimes remains a major risk area. Companies must ensure employees understand classification, licensing, and jurisdictional differences.

2. Control Technical Data — Especially in Digital Form

Laptops, cloud systems, and data transfer tools present significant exposure risks if not properly secured and monitored.

3. Manage Third Parties and Logistics

Freight forwarders and international routing must be tightly controlled to prevent unauthorized transshipment through restricted jurisdictions.

4. Update Policies and Procedures Regularly

Outdated compliance programs are a red flag for regulators. Continuous improvement is essential.

5. Invest in Automation and Oversight

Manual processes are insufficient for complex export control environments. Automated systems and independent monitoring are now baseline expectations.

Conclusion

The GE enforcement action demonstrates how systemic compliance failures — even in sophisticated organizations — can lead to significant penalties and national security risks.

For compliance professionals, the message is clear:
A “paper program” is not enough. Companies must build dynamic, technology-enabled, and well-governed export compliance systems that can adapt to evolving regulatory and geopolitical risks.