Hello, this is Hamamoto from TIMEWELL. Today I want to talk about something most manufacturers, trading companies, and R&D-heavy startups can no longer avoid: the Export Compliance Program (CP). I'll go through it at a granularity you can actually translate into day-to-day work.
Following the overhaul of the supplementary export control rules that took effect in October 2025, CISTEC (the Center for Information on Security Trade Control) released a revised model CP on April 1, 2026. With supplementary export controls, the catch-all regulation, and the tightening of deemed-export rules all being updated every few years, a CP that has been left untouched is a ticking time bomb that draws audit findings every single cycle. At the same time, we are seeing more inquiries from companies that want to start from a blank sheet but have no idea where to begin. This column walks through the skeleton of a CP, the requirements for the Special General Bulk License, implementation patterns by company size, the traps in the operations phase, and where AI fits in — all in one pass.
What a CP Is and the Seven Core Elements
A CP is the general term for the internal rules a company voluntarily establishes to comply with export control legislation such as FEFTA, the Export Trade Control Order, and the Foreign Exchange Order. The law itself does not explicitly say "build a CP," but the Exporter Compliance Standards (in force since April 2010) require companies that export list-controlled items to set up a framework covering a designated overall supervisor, transaction screening, training, document management, and audits. The documented version of that framework is, in practice, what we call a CP.
The structure is almost identical between the METI and CISTEC model CPs and can be organized into seven elements. First is the basic policy, which articulates top-management commitment and positions legal compliance as a core corporate value. Second is the organization and structure, appointing a representative director or other executive as overall supervisor and designating an export control officer in each division. Third is the classification (gaihi-hantei) procedure, which defines how you judge whether a good or technology falls under List Regulation Annex 1 or other annexes, and how the classification document is drafted and retained. Fourth is the transaction screening procedure, which specifies how you verify end use, customer, and end user, and sets criteria for risk assessment under the catch-all regulation. Fifth is shipment control, covering verification of license conditions, pre-shipment final checks, and the retention period for shipment records (typically seven years or more). Sixth is training, covering onboarding, periodic refreshers (usually at least once a year), and curricula by role. Seventh is audit, covering the internal audit plan, corrective action workflow, and the reporting line to management.
These seven elements map almost one-to-one onto the chapter structure of the model CPs. Put differently, if even one of them is missing, it will be flagged during an on-site inspection by the Regional Bureau. Audit and training records are the most commonly missed — the classic finding is, "you have the rules on paper, but no records of the actual work."
How to solve export compliance challenges?
Learn about TRAFEED (formerly ZEROCK ExCHECK) features and implementation benefits in our materials.
CP Requirements for the Special General Bulk License
Export licenses come in two flavors: individual licenses, which are filed per transaction, and bulk licenses, which are granted to qualified companies. Among the bulk licenses, the Special General Bulk License is a particularly powerful tool because it can cover destinations outside the Annex 3 region (roughly, everything other than the former "white country" group). For companies that need to maintain export speed, it is effectively a must-have qualification. With the October 2025 revision tightening how bulk licenses are administered, filings have been increasing steadily through 2026.
Obtaining a Special General Bulk License requires more than simply filing the CP. First, you submit your CP to the Security Export Control Inspection Office of the Regional Bureau and receive an Export Control Internal Regulation Acknowledgement Certificate. Next, you submit a checklist of FEFTA-related compliance items (the Exporter Profile and Self-Management Checklist) and receive another acknowledgement certificate. You then undergo an on-site inspection where inspectors verify that transaction screening, classification, training, and audits based on your CP are actually functioning. During the inspection, they sample past classification documents, transaction-screening records, training attendance lists, internal audit reports, and corrective action logs.
A common misunderstanding is that "once you file the CP, you automatically get to use the Special General Bulk License." In reality, you need all three: CP acknowledgement, checklist acknowledgement, and a successful on-site inspection. Only then are you eligible to apply. Even after obtaining it, you are required to file annual reports and periodic renewals, and if you miss the renewal filing every three to five years, you lose the qualification. Getting all the paperwork in order — from as-is analysis through on-site inspection — typically takes six to twelve months, which means it is realistic to start the preparation in parallel with launching the export business.
Implementation Patterns by Company Size
In practice, you have to vary the granularity of your CP based on company size. Model CPs provide a universal "base regulation" format, but forcing a mid-sized company to adopt one as-is will crush operations under its own weight; forcing it on a large corporation will fail to capture the real complexity of the business.
For large corporations, you need a governance design that spans global business units and overseas subsidiaries. The typical structure is three-layered: the trade management department at HQ holds the overall supervisor role, each business unit has its own export control officer, and each overseas subsidiary has a local officer. Research from Mizuho Research & Technologies and CISTEC indicates that many manufacturers at the one-trillion-yen revenue scale operate a global CP (a combination of an HQ CP and regional appendices), with annual internal audit workload sometimes exceeding 3,000 hours. Classification is integrated into the ERP or a dedicated system, and automated pre-shipment checks are the norm.
For mid-market companies (revenue 10 to 100 billion yen), you usually cannot afford a dedicated trade management department, so someone wears two hats. The standard pattern is to pair the main CP with three detailed rule sets — transaction screening, classification, and training — as the minimum required so operators don't get stuck. Internal audits are typically run together with external consultants (CISTEC, audit firm affiliates) at around 20 to 40 hours per year, and external partners often support on-site inspection preparation as well.
For startups (revenue of several hundred million to a few tens of billions of yen, with several dozen to around a hundred employees), a fully decked-out CP is overkill. That said, startups handling sensitive technologies — AI algorithms, biotech, semiconductors, quantum, robotics — are being asked for a CP during fundraising rounds or when opening accounts with large enterprises at a rapidly increasing rate. For this tier, a realistic approach is to start with three pieces — basic policy, organizational structure (the CEO doubles as overall supervisor), and classification — and add detailed rules as transactions arise. CISTEC distributes a simplified model CP template aimed at startups, and we're seeing more cases where companies produce a workable v1 in two to three months using it as the starting point.
Heading Off the Traps in the Operations Phase
Finishing the CP and filing it is the starting line, not the finish. In the operations phase, three traps show up repeatedly.
The first is becoming a hollow document. The CP sits in a filing cabinet while the shop floor runs on unofficial practice. A classic example: the CP says "verify end use and customer for every transaction," but in reality repeat customers get waved through. Since 2022, with the U.S. EAR revisions and the tightening of China's Export Control Law, the risk that the end user has changed even for a repeat customer has risen, and stale operating practice will reliably get flagged during an on-site inspection. Preventing hollowing-out is less about the CP itself and more about the detailed rules and checklists that answer "who, when, triggered by what, leaves which record."
The second is key-person dependency. In many mid-market companies, only one employee can actually do the classification, and the moment they leave, the whole export control function stops. The standard countermeasures are three-fold: verbalize the classification logic (template the rationale), build a second-check process (multi-person review), and retain external experts (CISTEC-certified STC Experts or STC Associates) on an advisory basis.
The third is audit going through the motions. An internal audit that finds "no issues" year after year is actually a warning sign. METI's "Points on Legal Compliance" (published September 2020) lists typical audit-relevant problems including missing classification documents, incomplete training records, and inconsistent transaction-screening criteria — and these occur at a non-trivial rate in every company. An audit that keeps coming back clean either has weak audit criteria or an auditor who is holding back. The fix is to bring in an external audit (CISTEC's audit and framework-support service, or an audit firm affiliate) every two to three years to recalibrate the internal audit's eye.
Making the CP Real with AI (TRAFEED)
Of the seven CP elements, classification, transaction screening, and shipment control are by far the heaviest in terms of day-to-day workload. Once you cross roughly ten export transactions per month, running everything by hand starts to break. Even with classification templates, the actual work — reading List Annex 1, cross-referencing spec sheets, drafting the classification document — takes an experienced staffer anywhere from 30 minutes to several hours per case.
TIMEWELL's TRAFEED (formerly ZEROCK ExCHECK) is the world's first AI export control agent, built specifically to collapse this workload. It embeds workflows aligned with METI's List Regulation and the catch-all regulation, so you can feed in a product spec, model number, or datasheet and get an initial draft classification automatically. With multi-language support (English, Chinese, Korean, and more), classification requests from overseas subsidiaries can flow through directly.
From a CP perspective, TRAFEED pays off in three places: standardizing classifications, recording the rationale, and training staff. The AI-generated draft makes the basis for each judgment explicit by citing the relevant clauses, which sharply improves the record quality of classification documents. New hires can start contributing by reviewing AI drafts rather than starting from zero, so the key-person problem and training cost shrink at the same time. In internal audits, the AI's judgment log doubles as an audit trail, making on-site inspection prep much lighter.
The design intent is important: AI assists classification, but final responsibility stays with a human. TRAFEED is built on that premise, so AI-generated drafts and the reviewer's history are recorded separately. That separation is essential to preserve the "exporter's responsibility" required under FEFTA, and it produces a workflow you can explain confidently during a METI on-site inspection.
Wrap-Up: A 90-Day Stand-Up Roadmap
To close, here is a realistic 90-day roadmap for standing up a CP from scratch. The timeline assumes a mid-market company, but you can scale the effort up or down for large corporations and startups.
Days 1 through 30 are the "baseline and high-level design" phase. List your items, map your main destinations, audit the last one to two years of transactions, and interview the relevant departments. In parallel, lock down the basic policy and organizational structure. Securing top-management commitment is the single most important task in this stage.
Days 31 through 60 are the "main regulation and detailed rules drafting" phase. Start from the CISTEC model CP and customize it for your business. Build out the classification flow, transaction screening criteria, shipment control procedures, and the required forms (classification sheet, screening sheet, shipment checklist). One thing you must not skip: review with the people who will actually do the work. When the rule authors are disconnected from the operators, the CP will rot.
Days 61 through 90 are the "training, internal audit, and filing preparation" phase. Run company-wide training and role-specific deep dives, execute the first internal audit, operate the corrective-action workflow, and hold a preliminary consultation with the Regional Bureau. If you are aiming for the Special General Bulk License, use this phase to draft the checklist and prepare the submission package.
Export control is the last line of defense for a company's trust and business continuity. Borrow external tools like TRAFEED and outside experts, but make the framework your own so it actually runs day to day. That is the prerequisite for surviving the economic security era. If you need help designing or improving a CP, feel free to reach out through the TRAFEED page.
As related reading, How to Build an Export Control System, Preparing for an Export Control Audit, and China's Export Controls on Japan and What to Do in 2026 will round out the picture.