RTX Gets Record $200M Penalty for Unauthorized Exports, Misclassifications

The violations mostly stemmed from export control classification issues, the illegal “hand-carry” of controlled defense data to China, Russia, Iran and Lebanon, and violations of the terms of licenses issued by the State Department’s Directorate of Defense Trade Controls. They were voluntarily disclosed by RTX.

As part of a consent agreement released Aug. 30, RTX must pay $34 million to DDTC within 10 days, $33 million within one year and another $33 million within two years. The company must use the remaining $100 million to make specific improvements to its compliance procedures, including hiring a DDTC-approved special compliance officer to oversee its compliance with the International Traffic in Arms Regulations for three years, put in place a “comprehensive” automated export compliance system, conduct at least one export compliance audit, and more.

The $200 million penalty -- the biggest fine ever issued by DDTC, according to an agency spokesperson -- comes after a historic $51 million penalty against Boeing in March for also allegedly breaching U.S. defense trade controls (see 2402290078). In a July earnings release, RTX said it was awaiting the resolution of “several outstanding legal matters,” including this DDTC settlement and a case before DOJ and the SEC involving “improper payments” associated with contracts in the Middle East. The company said it had set aside about $1 billion to resolve these issues.

“Today’s action is in line with the company’s expectations, which we disclosed during the company’s second quarter earnings report on July 25, 2024," an RTX spokesperson said in an email.

DDTC said most of the alleged violations involved the “historical systemic failures” of aerospace firm Rockwell Collins, a company that RTX had acquired in 2018 and which now goes by Collins Aerospace. While all of RTX’s affiliates “committed a substantial number of violations,” DDTC said, “pervasive ITAR compliance weaknesses at Rockwell Collins resulted in many of the most egregious violations,” including illegal exports of technical data to China.

In total, RTX submitted 113 voluntary disclosures to DDTC for activities that occurred between August 2017 and September 2023.

A range of those violations were caused by export control jurisdiction and classification errors, which “reflect a clear pattern of historical systemic compliance failures in multiple of Respondent’s operating divisions,” DDTC said, adding that those divisions sometimes “failed to fully remediate these failures.” Those violations resulted in a “substantial number” of illegal defense exports to 32 countries, including to China. RTX or its foreign affiliates also retransferred misclassified defense items within foreign countries without a license and temporarily imported them into the U.S. without a license.

In at least two cases, those illegal exports led to the manufacture of “thousands” of defense items in China that were eventually imported back into the U.S. and integrated into “multiple U.S. and partner military platforms,” DDTC said. In 16 cases, RTX or its foreign affiliates illegally reexported defense items for military aircraft or missile systems programs, the agency said, adding that RTX “acknowledged that it failed to keep complete records related to the disclosed violations as required.”

DDTC said some of the violations occurred because Rockwell Collins wrongly classified the items as controlled under the Commerce Department’s Export Administration Regulations instead of the ITAR. RTX told the agency that others were caused by Rockwell Collins’ “historical misinterpretation” of the ITAR’s “specially designed” definition, which led to exports of technical data to China without a license on “numerous occasions.”

RTX “corrected this misinterpretation through integration of Rockwell Collins into its corporate ITAR compliance program,” DDTC said, but it “continued to discover and, in some cases, commit violations stemming from these historical errors.”

RTX disclosed some unauthorized exports of U.S. Munitions List Category VIII(i) technical data from its Cedar Rapids, Iowa, facility. Those exports -- which included releases of data related to the Boeing E-3 Sentry Airborne Early Warning and Control Aircraft and the Embraer KC-390 Millennium Medium Weight Transport Plane to Chinese employees -- were because of Rockwell Collins’ “general misunderstanding” of the ITAR’s specially designed definition and release criteria, the company told DDTC.

In another case, RTX said it again released USML Category VIII(i) technical data to Chinese employees at a facility in Shanghai, and it also exported the same technical data to four entities in China as part of a quote request. RTX said its employees thought the technical data was classified as EAR99 -- items that aren’t specifically controlled for export to other countries -- but they were actually controlled under the USML.

DDTC said RTX put in place a range of “corrective actions” to fix these issues, including compliance training.

Other violations stemmed from unauthorized exports of USML Category XI(d) technical data to Chinese entities, which were sent to China so RTX could procure USML-controlled printed wiring boards. DDTC said Rockwell Collins also misclassified those items, which it directly delivered to Pentagon customers for use in military planes, tankers, helicopters, fighter jets and drones, including Air Force One.

RTX didn’t tell its customers where the parts came from “until months or in some instances years following the first deliveries,” DDTC said.

The company also disclosed unauthorized exports of USML Category IV(c), IV(h), VI(f), XI(c), XI(d) and XII(e) items to Australia, Belgium, Canada, France, Germany, Greece, Israel, Japan, Mexico, the Netherlands, South Korea, Saudi Arabia, Singapore, Sweden, Turkey, the United Arab Emirates and the U.K. They mostly involved parts and data related to missiles and bombs, and they resulted partly from a misinterpretation of the ITAR’s specially designed rule.

Other violations were committed by the company’s foreign affiliates in France and Germany because of the firm’s failure, again, to correctly classify its defense exports, DDTC said. And even though RTX put in place “corrective actions” to address these issues, DDTC said “it continued to discover – and in some cases continued to commit – violations resulting from historical incorrect jurisdiction and classification determinations,” most of which were made by Rockwell Collins.

In one case, DDTC said the leadership in the global trade department of Raytheon Missile Systems (RMS) and Raytheon Company Corporate -- before United Technologies Corp. and Raytheon merged in 2020 to form RTX -- had knowledge of RMS’ ITAR failures and “did not take appropriate measures to mitigate potential violations resulting from RMS’s reliance on erroneous classifications.”

RTX also described violations involving ITAR proscribed destinations -- which are countries that are generally subject to an export license review policy of denial for defense articles and services -- in addition to China. In each case, RTX employees carried their company-issued laptops to foreign countries without a license.

In a 2022 disclosure, RTX said an employee hand-carried their RTX laptop on a personal trip to Russia in May and June of 2021, and that laptop contained ITAR-controlled data. When the employee tried to use his laptop in Russia, the RTX cybersecurity team received an alert but dismissed it as an error because they were transitioning to a new cybersecurity tool and had been experiencing false positive geolocation alerts.

The laptop had 152 files containing USML Category VIII(i), XI(d) and XII(f) technical data, including data related to F-15, F/A-18, F-22 and F-35 fighter jets as well as the U-2 Reconnaissance Aircraft. RTX later found that the employee had gone to Russia on personal travel four previous times to visit his fiancee and had taken the laptop with him at least once before.

Another similar disclosure involved exports to Iran, also a proscribed country. RTX said an employee carried their company-issued laptop to the country in March 2019, and the computer contained USML Category VIII(i) technical data related to the B-2 Spirit Bomber Aircraft and F-22 Raptor Fighter Aircraft. RTX received an alert that the employee tried to use the laptop in Iran, and it “initiated a ‘freeze’ in response, restricting access to the laptop’s hard drive.”

A separate disclosure in 2021 detailed an employee who took their RTX laptop with them to Lebanon on two personal trips. Not only did the laptop have USML Category IV data, but it was also capable of accessing the Raytheon U.S. network using a virtual private network, DDTC said.

Before the first trip, the employee submitted a request in the Raytheon Global Export Management System to bring his laptop with him, but he didn’t list Lebanon as the destination. When he returned, he updated his request to state that he had been “rerouted” to “Luban.” The RTX official who reviewed the update “failed to appreciate that ‘Luban’ was a reference to the romanized Arabic name for Lebanon,” DDTC wrote. “The U.S. government reviewed copies of the files referenced in this disclosure and determined that the unauthorized export of technical data harmed U.S. national security and adversely impacted a DoD Program of Record.”

The DDTC’s charging letter details a range of other alleged export violations, including 36 disclosures of breaches of the terms, conditions and provisos of DDTC licenses “on numerous occasions” dating back to 2019. Those alleged violations included:

• Failure to furnish or properly complete DSP-83 Nontransfer and Use Certificates
• Failure to return defense articles to the U.S. -- which were previously exported under DSP-73 temporary export licenses -- in a timely manner
• Failure to file or the filing of inaccurate annual sales reports related to manufacturing licensing agreements
• Failure to file payment-related reports in a timely manner
• Failure to notify DDTC of actions related to agency-issued authorizations in a timely manner
• Foreign manufacture of defense items worth more than what was authorized under a manufacturing licensing agreement
• Misrepresentation or omission of facts in export or temporary import control documents.

Each disclosure “included corrective actions intended to address the root causes of the disclosed violations and prevent their recurrence,” DDTC said. RTX “continued to discover, and, in at least one case continued to commit, similar violations into 2023.”

DDTC also noted that RTX has “dedicated significant resources to sustain and improve its export compliance program and has worked to integrate companies it has acquired into that program.” Those efforts have included investing “significant resources” in employees and systems responsible for monitoring and auditing ITAR compliance and disclosing potential violations. “These investments were critical in identifying and remedying the violations described herein,” DDTC said.

If not for those and other mitigating factors, the agency would have charged RTX with more violations or proposed a higher penalty. “In particular, the Department has elected to reduce the number of violations associated with the acquired company in recognition of Respondent’s role, and transparent and cooperative approach with DDTC, in identifying and reporting those violations," DDTC said.

The agency also pointed to several aggravating factors that resulted in the record fine, including the fact that some of the alleged violations harmed U.S. national security and involved proscribed destinations in the ITAR. DDTC also said some of the defense items and USML-controlled data qualified as “Significant Military Equipment,” and added that multiple violations recurred after RTX put in place “corrective measures” to address them.

As part of the settlement, RTX agreed to put in place and maintain a range of “remedial” compliance measures for three years, and the company will be subject to a DDTC monitorship. The company must hire a DDTC-approved compliance official to monitor and oversee its ITAR compliance, and that official will work “in consultation” with DDTC.

RTX must also “enhance” its compliance procedures within nine months of the order and ensure that within one year all employees working on export controlled items and activities are aware of their responsibilities. The company will also put in place a new, “comprehensive” automated export compliance system -- which will track the life cycle of an export decision process -- and RTX must send DDTC an update on the status of that system every six months.

The company also must reclassify all the defense items, data or services that RTX and its affiliates work on or furnish in order to determine their export control classification. DDTC said the company must certify to the agency that the “export control jurisdiction of certain items was previously and accurately determined and/or verified and exclude such items from the review.” This classification effort is due in 15 months.

DDTC is also requiring RTX to complete at least one audit, conducted by an outside consultant, of its export compliance program and procedures. A report about the audit must be submitted to DDTC. The agency said it may require RTX to complete another audit based on the results of the first one.

The agency said it decided not to impose a debarment against RTX -- which would have blocked the company from participating in controlled defense trade -- because the company voluntarily disclosed the violations, cooperated with DDTC and agreed to the compliance requirements outlined in the settlement. RTX may be debarred if it doesn't comply with the settlement, DDTC said.

“This settlement demonstrates the Department’s role in furthering the national security and foreign policy of the United States by controlling the export of defense articles,” the State Department said. “The settlement also highlights the importance of exporting defense articles only pursuant to appropriate authorization from the Department.”