This is Hamamoto from TIMEWELL.
"Our overseas transactions have been growing, but our export control framework is completely undeveloped." "We were advised to build a framework during a METI outreach event, but we don't know where to start." "We've been told to create internal regulations, but there are no templates to work from." These are complaints I hear frequently from management departments at small and medium-sized enterprises.
METI provides free advisor dispatch and briefing sessions for SMEs. Yet the question of "what order should we tackle things in" never goes away, because the overall picture is not visible. Honestly, while government resources are comprehensive, their prioritization can be hard to discern.
This article explains the 10 steps for building an export control framework from scratch, with a checklist of elements for internal compliance programs and references to METI guidelines.
What You Will Learn from This Article
- The overall picture of export control framework-building and how to progress through the 10 steps
- A checklist of elements to include in an internal compliance program (CP)
- How to use the official support resources provided by METI and CISTEC
- The 9 items in the "Exporter Compliance Standards" that SMEs must grasp at a minimum
- The operational cycle of running and improving the framework after it is built
Why SMEs Also Need an Export Control Framework
"We don't deal in weapons or military goods, so it doesn't apply to us." This assumption is dangerous.
FEFTA regulates not only weapons themselves, but also dual-use items that could be diverted to develop weapons of mass destruction or conventional weapons. It is not uncommon for products that appear to be purely civilian goods, such as high-precision machine tools, specific chemical substances, electronic components, and software, to be subject to regulation.
The October 2025 regulatory revision expanded catch-all controls to include conventional weapons-related items. An approach that designates specific items by HS code has been introduced, creating verification obligations for product categories where verification was not previously required.
A word on penalties as well. FEFTA violations carry imprisonment of up to 10 years or fines of up to 30 million yen for individuals, and fines of up to 1 billion yen for corporations. In addition, administrative sanctions including an export ban of up to 3 years may be imposed. This is at a level that affects business continuity itself.
Understanding the Exporter Compliance Standards
Before beginning to build your framework, familiarize yourself with the "Exporter Compliance Standards." These are the minimum standards that all exporters must comply with under FEFTA.
| Item | Standard content | Category |
|---|---|---|
| 1 | Designate the organization's representative as the highest-level responsible officer for export control | Mandatory |
| 2 | Define the internal export control framework (division of duties and lines of responsibility) | Mandatory |
| 3 | Define the export classification verification procedure | Mandatory |
| 4 | Define the procedure for verifying intended use and end-user | Mandatory |
| 5 | Verify at the time of shipment that the product matches what was export-classified | Mandatory |
| 6 | Define and conduct internal export control audit procedures | Best effort |
| 7 | Define guidance frameworks and procedures for subsidiaries; provide guidance periodically | Best effort |
| 8 | Retain export-related documents for the appropriate period | Best effort |
| 9 | In the event of a legal violation, promptly report to the Minister of Economy, Trade and Industry and implement recurrence prevention measures | Mandatory |
Items 1–5 and 9 are legal obligations; Items 6–8 are best-effort obligations. However, METI on-site inspections also verify the best-effort items. It is unwise to think "it's just best-effort, so we don't have to do it."
The 10 Steps for Building an Export Control Framework
Step 1: Understand Your Current State and Inventory Your Company's Risk
The first thing to do is understand your company's actual export practices. What types of goods and technology are you exporting, and in what volumes? What countries and regions are the main export destinations? What are the industries and intended uses of your counterparties? Is there a current management workflow?
Perfection is not the goal at this stage. The objective is to make visible "what is being managed and what is not."
Step 2: Obtain Commitment from Management
An export control framework cannot function without the commitment of top management. The first item in the Compliance Standards explicitly states: "Designate the organization's representative as the highest-level responsible officer."
The most effective way to motivate management is to convey the specific risks of regulatory violations.
| Type of risk | Specific content | Examples |
|---|---|---|
| Criminal penalties | Individuals: imprisonment up to 10 years or fines up to 30 million yen | Cases of export prohibition orders against precision instrument manufacturers |
| Administrative sanctions | Export ban of up to 3 years | Processing equipment manufacturer received 3-month export ban for unauthorized exports to Iran, etc. |
| Reputational damage | Public disclosure of company name, loss of trust from business partners | METI publishes names of violating companies on its website |
| Transaction termination | Exclusion from supply chain by major counterparties | Reviews of transactions with companies found to have inadequate management frameworks |
In my experience, "the 1-billion-yen fine" and "the export ban" are the two items that, when communicated specifically, most often shift management's response.
Step 3: Appoint an Export Control Officer and Staff
A dedicated person is ideal, but in SMEs, concurrent roles are the reality. Even so, clearly define the roles. The minimum required roles are four: an overall responsible officer (president or senior executive), an export control manager (head of the management department), an export classification staff member (an employee with deep technical knowledge), and a counterparty screening staff member (an employee in sales or legal).
If it is difficult to have four separate people in an SME, concurrent roles are acceptable. However, operating without clarity on "who makes which decision" will result in issues during inspections and ambiguous accountability in an emergency.
Step 4: Formulate an Internal Compliance Program (CP)
It is efficient to use CISTEC's publicly available "Model CP" as a base, adapted to your company's actual circumstances. Multiple patterns are available and can be selected based on company size and industry.
The elements to include in the CP are as follows:
| Chapter | Program element | Content to specify |
|---|---|---|
| Chapter 1 | Purpose and scope | Purpose of the program, scope of covered operations |
| Chapter 2 | Management framework | Roles and authority of responsible officers and staff, organizational chart |
| Chapter 3 | Export classification procedure | Classification flow, format of classification certificates, approval process |
| Chapter 4 | Counterparty screening procedure | Intended use verification, end-user verification, screening criteria |
| Chapter 5 | License application procedure | Application flow to METI, supporting documents |
| Chapter 6 | Shipment management | Pre-shipment verification check, customs clearance procedures |
| Chapter 7 | Internal audit | Frequency, method, records |
| Chapter 8 | Education and training | Target personnel, frequency, content |
| Chapter 9 | Document management | Retention period, storage method, disposal rules |
| Chapter 10 | Violation response | Reporting route, reporting procedures to METI, recurrence prevention measures |
The Model CP provides only the skeleton. For practical operation, supplementary operating rules that specifically define "who does what and how" are also needed. Many companies skip this and assume "we have a CP, so we're covered" — but on-site inspections examine actual operations at the operating-rule level rather than the CP itself.
Step 5: Establish Operating Rules for Export Classification
Export classification is the core of the framework. Four rules must be documented: when to conduct the classification (when new products are developed, when an export transaction arises, when regulations change); what materials to use (specification sheets, measured data, regulatory matrix tables); the approval flow for classification results (from the classifier to the reviewer to the approver); and how and for how long to retain classification records.
Step 6: Build a Counterparty Screening Workflow
Establish the counterparty verification procedure. Lists to cross-reference against include: METI's Foreign User List, the U.S. BIS Entity List and SDN List, EU regulatory lists, and UN Security Council sanctions lists.
What to verify: the country where the counterparty is located and the destination country, the intended final use and end-user, whether there are any irregularities in the circumstances of the transaction, and the presence and role of intermediaries.
Step 7: Plan Education and Training Programs
Even if the framework is established, it will not function if the staff members who operate it in the field do not understand it.
| Target | Frequency | Content |
|---|---|---|
| Management | Once a year | Legal violation risks, latest regulatory trends |
| Export control department | At least twice a year | Practical export classification, practical counterparty screening |
| Sales department | Once a year | Items to verify at order intake, signs of risk |
| Technical department | Once a year | Technology transfer risks, deemed export |
| New employees | Upon joining | Overview of export control, internal rules |
METI's free briefing sessions (commissioned projects) and CISTEC's various training courses are useful means of incorporating external expertise at low cost.
Step 8: Build Document Management and Record-Keeping Systems
Export-related documents are legally required to be retained for 5 years. All of the following are subject to retention: export classification certificates, counterparty screening records, export licenses, contracts and invoices, end-use certificates, shipment records, internal audit reports, and records of education and training sessions.
Physical paper storage takes up space and has poor searchability, so consider digitization. For electronic data, measures to prevent tampering — such as timestamp management and access log management — are also necessary.
Step 9: Plan and Conduct Internal Audits
Conduct internal audits at least once a year. Japan Customs' "Internal Audit Checklist" and CISTEC's "Exporter Overview and Self-Management Checklist (CL)" are useful references.
Key points to examine in audits:
- Are operations being conducted in accordance with the CP?
- Are export classification records being properly maintained?
- Are there any cases where counterparty screening is being skipped?
- Are education and training being conducted as planned?
- Is document storage in appropriate condition?
The 2025 CL revision now requires documentation of the frequency and methods of audits. If conducting audits by your own internal audit department is difficult, cross-audits within the same department, audits by group companies, or outsourcing to external specialists are also acceptable.
Step 10: Continuously Improve Through a PDCA Cycle
Building the framework is the start, not the finish. Laws are frequently amended, and your company's products and counterparties also change.
Here is an example annual schedule:
| Month | Activities |
|---|---|
| April | Formulate annual plan; review previous year |
| May | Education and training (1st session) |
| July | Submit self-management checklist (CL) |
| September | Verify legal amendments and review internal regulations |
| October | Conduct internal audit |
| November | Education and training (2nd session) |
| December | Formulate improvement plan based on audit results |
| January | Verify updates to Foreign User List |
| March | Compile improvement measures for the coming year |
Official Support Resources from METI and CISTEC
Here is a summary of the official resources available to SMEs — all either free or low-cost.
| Provider | Resource | Content | Cost |
|---|---|---|---|
| METI | Security Trade Control Guidance (Introductory Edition) | Guide covering framework-building through procedures | Free |
| METI | Outreach program | Advisor dispatch, individual consultation | Free |
| METI | Briefing materials (introductory to intermediate level) | Explanations of legal overview and amendment content | Free |
| CISTEC | Model CP | Template for internal regulations (multiple patterns) | Free for CISTEC members |
| CISTEC | Guide to Export Classification | Explanation of classification procedures and case studies | Free for CISTEC members |
| Tokyo Chamber of Commerce and Industry | Export control framework-building support | Seminars, individual consultation | Free |
| JETRO | Security Trade Control Quick Reference Guide | Overview explanation for beginners | Free |
Accelerating Framework-Building with TRAFEED (formerly ZEROCK ExCHECK)
It is possible to work through the 10 steps on your own. However, for SMEs that say "we don't have enough people" or "we don't have employees with specialized knowledge," building everything in-house is sometimes not realistic.
TIMEWELL's export control AI agent "TRAFEED (formerly ZEROCK ExCHECK)" (worried.jp) is one means of reducing the burden of framework-building.
Because AI presents classification results and their basis from product information, even staff with limited specialist knowledge can begin export classification work. While the final determination remains with a human, the time required for classification and the psychological barrier are substantially reduced.
Cross-referencing against the Foreign User List and various countries' sanctions lists is conducted automatically by the system. It also handles name variations (in English, Chinese, Arabic script, and more), reducing the risk of missed matches in manual checks.
Classification history and screening history are automatically accumulated in the system, enabling immediate reference during internal audits or METI on-site inspections. This prevents the problems of "there are no records" or "the previous person in charge left and we don't know the history."
Implementation can begin as early as the next business day, with contained initial costs. For SMEs without the budget for expensive ERP systems, this is a realistic option.
Summary
Building an export control framework does not require completing everything at once. A phased approach is realistic.
The first priorities: securing management commitment, appointing responsible officers and staff, and formulating basic workflows for export classification and counterparty screening. These are the areas directly tied to mandatory obligations.
The next phase: formally formulating internal regulations (CP), starting the education and training program, digitizing document management, and conducting the first internal audit.
After that: staying current with regulatory amendments, running a PDCA improvement cycle, and continuing to conduct audits regularly.
By leveraging METI's outreach program and CISTEC's Model CP, and using the power of available tools, a genuinely effective framework can be built even with limited resources. Rather than aiming for perfection and being paralyzed, taking the first step is the best strategy.
For those struggling with how to build an export control framework, please visit TRAFEED (formerly ZEROCK ExCHECK) (worried.jp). We recommend starting with screening your existing counterparties.
References
- METI, "Security Trade Control Guidance (Introductory Edition), Edition 2.4" (January 2025)
- METI, "Promotion of Voluntary Management by Companies"
- METI, "Support for Small and Medium-Sized Enterprises (Outreach Program)"
- METI, "Exporter Compliance Standards"
- CISTEC, "Introduction to the Model CP"
- CISTEC, "Exporter Compliance Standards — Your First Step!"
- CISTEC, "For Small and Medium-Sized Enterprises"
- Tokyo Chamber of Commerce and Industry, "Export Control Framework-Building Support"
- JETRO, "Security Trade Control Quick Reference Guide"
