“We continue to count on the valuable contributions of the Arms Control Association.”

– President Joe Biden
June 2, 2022
How the Private Sector Can Do More to Prevent Illicit Trade
Share this

Latest ACA Resources

Daniel Salisbury

The nuclear and missile programs of Iran and North Korea provide a continuing reminder of the importance of preventing illicit trade in proliferation-sensitive technologies. Last month’s UN panel of experts final report on the implementation of sanctions on Iran, for example, concluded that “Iran continues to seek items for its prohibited activities from abroad by using multiple and increasingly complex procurement methods, including front companies, intermediaries, false documentation and new routes.”[1]

An extensive and growing web of trade controls—UN sanctions, embargoes, and export controls—has been put in place to impede the efforts by those countries and others to acquire unconventional weapons and embargoed military technologies.

In many cases, these controls are based on the lists and guidelines on which international export control regimes have agreed. National governments implement them through domestic legislation, an export licensing process, and enforcement actions, when necessary.

For export controls to work effectively in slowing down programs of concern, the private sector must comply with their requirements. Ensuring compliance can be a complex and labor-intensive process. It is increasingly clear, however, that even full compliance does not always prevent the transfer of goods to countries that are under sanctions. Proliferators are dynamic and responsive, reacting to the controls in place to find ways of circumventing them and duping exporters into unwittingly doing so.

Creating conditions in which each element of the supply chains that deal in proliferation-sensitive technologies and hence are most likely to be targeted by proliferators is resistant to illicit trade therefore is crucial in preventing proliferation. The creation of these conditions relies on better coordination and understanding between governments and the private sector. In the summer of 2011, Project Alpha, an initiative sponsored by the British government, was launched to instigate a dialogue between the private sector and government on nonproliferation and export-compliance issues and to find ways in which the two sides might better work together to prevent proliferation-related trade.[2] Over two years, the team has conducted discussions and worked with more than 300 firms and trade bodies in the United Kingdom and overseas, collecting data on suspicious inquiries made to these firms by potential customers, producing and disseminating guidance material, and hosting training seminars for the sectors and their supply chains that are most at risk of being the target of illicit procurement schemes. The analysis below is drawn from this experience and seeks to highlight findings and suggest ways to apply those lessons.

Illicit Trade: An Ongoing Risk

Illicit procurement in the support of nuclear and missile programs is not a new phenomenon. In fact, it has been a common response of states facing international efforts to block their access to technologies. The history of international attempts to control sensitive technologies has a cyclical quality: shocks to the system, tightening of certain controls in response, and attempts by proliferating countries and entities working on their behalf to circumvent these controls.

One historical example of this cycle of shock leading to increased efforts to control technology relates to the Nuclear Suppliers Group (NSG). The group was formed in the aftermath of the 1974 Indian nuclear test, which used plutonium produced in a Canadian-origin reactor and U.S.-supplied heavy water. The creation of a list of dual-use items to supplement the original trigger list, as it is commonly known, of more-sensitive items came in response to the discovery of Iraq’s procurement efforts following the 1991 Persian Gulf War. More recently, the framework established in 2004 by UN Security Council Resolution 1540, which legally obliges states to take measures to prevent nonstate actors from acquiring or facilitating the acquisition of weapons of mass destruction (WMD), followed the discovery of the Abdul Qadeer Khan black market network.

Illicit procurement also is responsive. A large number of states have used similar techniques in their attempts to acquire unconventional weapons and their means of delivery. According to a 2007 report, Argentina, Brazil, Egypt, India, Iraq, Israel, Libya, Pakistan, South Africa, and Syria have used illicit procurement methods to advance their nuclear programs in the past.[3] The Iranian and North Korean nuclear and missile programs of today are based significantly on goods obtained from the international marketplace in breach of national export controls or sanctions.

States have used such illicit procurement techniques to acquire goods to use in advanced military programs. The Soviet Union, for example, mounted an extensive and heavily organized effort involving multiple Warsaw Pact intelligence agencies to procure a large number of sensitive technologies of use in military programs during the Cold War, sometimes rendering the exporter in breach of existing controls.[4] More recently, Iran and North Korea have mounted similar efforts to acquire military goods, seeking to benefit from the willingness or naïveté of private firms to enable a breach of the arms embargoes put in place by Security Council Resolution 1929 in 2010 and Resolution 1718 in 2006.[5]

Thanks largely to Resolution 1540, the international community now has a more extensive legal framework in place to counter proliferation procurement. This framework includes increasingly universal export control systems and provisions to counter proliferation financing and facilitate the sharing of information between states. Nevertheless, the situation is still fraught with difficulty.

Multilateral efforts and national controls cannot prevent proliferation alone. Exporters must play a role, one that goes beyond compliance with controls and implementation of sanctions. Thanks in part to WikiLeaks, more information than ever before on illicit procurement now is publicly available. There is also a greater information base relating to business experiences of being targeted by illicit procurement in part as a result of greater interest in these issues in the media and the work of nongovernmental organizations (NGOs) to highlight them. By building on this increased information base, the private sector, governments, and NGOs can work to find new ways to assist the private sector in addressing the problem.

Going Beyond Compliance

There are clear legal, financial, and reputational risks to the private sector for being found noncompliant with export controls and sanctions. Unfortunately, ensuring compliance with the controls is not always straightforward. There are not always easy answers when it comes to determining the appropriate control level for a given technology and conducting due diligence to verify the bona fides of potential end users. Besides these difficulties, the private sector is forced, through the licensing system, to place a great deal of emphasis on the judgments and specific intelligence of governments. Without significant resources or access to the knowledge and understanding of illicit activities held by governments, firms often have no option other than to fill out a license application and rely on the national authority’s judgment regarding the risks.

It is becoming increasingly clear, however, that although industry’s compliance with export controls and sanctions is complex, labor intensive, and important, compliance alone is not sufficient to prevent illicit trade. With regard to exports of sensitive technologies, there are two main issues that compliance with the controls cannot address.

First, there is the issue of proliferators seeking noncontrolled goods. It is impractical and runs counter to the spirit of a system of international trade based on “free market” economics to control all goods that could be used to develop a WMD program. For example, it would be impractical to control certain industrial control systems used in most large factories worldwide purely because proliferators were seeking them for just a small number of facilities. There is often no obligation for a company to apply for a license to export noncontrolled goods if the potential exporter does not foresee a WMD-related end use. Without such an obligation, governments are not always given sight of such transactions before they occur. All of the nuclear-related cases investigated by the UN panel of experts on Iran sanctions in its 2013 report, including valves and industrial control systems, involved at least some items not listed in Security Council Resolution 1929.[6]

A second issue relates to the risk of diversion of controlled goods. If the national authority that is evaluating the license application is not aware of the risks posed by entities named on the license application, such a diversion can occur once an export license has been issued. As part of an export license application, an exporter often has to attach an end-user certificate, which is provided by the end user and details the intended use of the goods. End users or exporters sometimes provide falsified end-use certification to try to dupe exporters and national authorities. National governments have attempted to address the use of front companies based in major transshipment hubs, such as Hong Kong and the United Arab Emirates, designating and sanctioning entities that they believe to be involved in diverting goods to WMD programs. Proliferators, however, are adaptive, changing their names and varying their routes and methods in order to continue to divert goods.[7]

In terms of elements of the private sector that work to enable trade, such as banks and insurance and shipping companies, compliance has slightly different requirements. These types of companies frequently screen against lists provided by the U.S. Department of the Treasury and others with the purpose of avoiding proliferation financing, terrorism financing, or money laundering. Yet, entities that have been listed for their involvement in proliferation-related activities often engage in transactions by utilizing front companies that cannot be detected using lists alone. This often makes it difficult for these firms to be certain they are not facilitating illicit transactions.

To address these potential gaps in export and trade control systems, firms can take a number of measures to go beyond compliance and mitigate the risk that they are involving themselves in illicit trade. These beyond-compliance principles have been described as “anti-proliferation” principles.[8] Exporters of sensitive technologies should have in place a compliance program, the organizing principles of which relate equally to legal compliance and broader proliferation and related reputational risks. In practice, this means technical and compliance staff working to ensure that their order management system highlights proliferation-sensitive noncontrolled goods alongside controlled goods when an inquiry is received from a customer.

Exporters should also ensure that they have in place structures and processes to deal with suspicious inquiries. These are the e-mails, letters, and telephone calls that companies may receive, asking whether they are able to supply proliferation-sensitive technologies to customers whose bona fides they are unable to verify. Sometimes these are easy to identify, and sometimes they are not. Effective due-diligence processes are important here. The information contained in these inquiries can prove to be hugely valuable open-source intelligence to national governments.

The initial focus of efforts to ensure that companies put in place these beyond-compliance measures to prevent illicit procurement should be on the companies that produce the most sensitive choke-point items. These are items that proliferators would have great difficulty manufacturing themselves and that are produced by only a small number of specialty firms around the world. Examples include specialized corrosion-resistant alloys, composites with high tensile strength, vacuum components, and specialized machine tools. Taking such steps, however, should not be limited to exporters of these products, but could benefit firms throughout the defense, nuclear, and aerospace supply chains.

For each firm, taking such steps to go beyond compliance does not come without cost. One aspect of this is lost business. There also are costs associated with organizing and running a compliance program, purchasing screening software, and training staff. More broadly, a 2009 British government survey of more than 500 exporters based in the United Kingdom reported that 82 percent of firms saw this as constituting 1 to 10 percent of revenue, while 12 percent saw it as constituting more than 10 percent.[9]

Banks, insurers, and shipping companies also can take steps to go beyond compliance and prevent their involvement in illicit trade, although these steps have been more difficult for companies to identify. A starting point for these companies is to integrate nonproliferation principles into their corporate social responsibility or broader governance, risk management, and compliance frameworks.[10] More-proactive companies in these sectors may wish to get involved in efforts by NGOs and academic groups to further understand how these issues affect their industries and what steps they can take to mitigate risks.

Supply-Chain Links

The crucial challenge lies in motivating the exporters at risk of being targeted by proliferators for the most sensitive choke-point items to improve their capacity to conduct due diligence and identify suspicious inquiries before they have a bad experience and potentially make a material contribution to a program of concern. Yet, it can be difficult to reach the firms in the sectors listed above that are most at risk of being targeted by proliferators. They are often small and medium-sized enterprises with limited time and money to devote to this effort and may be located far away from key commercial hubs. The suppliers and distributors of these at-risk firms, sometimes also smaller firms, need to put these measures in place too. There is likely to be little nonproliferation benefit in a company putting in place beyond-compliance practices when its suppliers or distributors do not.

There is a real opportunity for exploiting supply chain linkages and business relationships to spread beyond-compliance practices and make supply chains resistant to illicit procurement. Generally speaking, the most robust export-compliance programs in terms of funding and human resources tend to be in large defense, nuclear, and aerospace conglomerates. The nature of their goods—large and expensive finished items as opposed to unfinished dual-use products and components—means that they are less likely to be targeted by attempts at illicit procurement. Yet, they could play a pivotal role in nonproliferation efforts.

The companies that are more likely to be targeted and produce choke-point technologies often form part of these firms’ supply chains. For example, suppliers of aerospace-grade aluminum of the type that Iran has sought for use in centrifuges, missiles, and combat aircraft likely are suppliers primarily to the civilian or military aerospace market in the United States, Europe, and Asia. A military-grade electronic manufacturer’s primary market would likely be Western defense companies.

In motivating firms to call on their business partners to take these measures, reputational risk be a driving factor. In business in the Internet age, where media relations are difficult to manage and news stories are readily accessible almost indefinitely, it is clear that reputation matters more than ever. The implication of the supplier of a large defense or aerospace firm in supplying Iran’s nuclear and missile programs could generate negative publicity for all firms involved.

More importantly, however, it would likely raise serious concerns about the continuity and reliability of supply if a supplier is to be fined or suffer damage to its reputation. The combination of the recognition of the importance of reputation and the role that these large conglomerates play as important customers of at-risk firms puts them in a perfect position to work as nonproliferation champions and spread the beyond-compliance principles.

The determination of the best way to take advantage of these linkages involving the supplier, manufacturer, distributor, and customer largely depends on the industrial sectors and, more specifically, the business relationships in question. It also depends on the cost-benefit analysis of those involved. A good starting point would be to require as a condition of business that companies that export sensitive goods have a proliferation-resistant compliance system in place and a nonproliferation statement on their website. In the United Kingdom, Project Alpha has been working to produce guidance to help firms implement such compliance systems and to disseminate that guidance. Firms with more-advanced or longer-standing business relationships may wish to be more proactive in inviting their suppliers’ or distributors’ compliance staff to train with their own. This would help to mitigate reputational risk for all firms involved and, for example, allow the distributor’s staff to better understand the sensitivity of its supplier’s products.

Going beyond compliance can be beneficial for a firm’s reputation. Perhaps that is one reason that some companies have started to put compliance statements on their websites and to talk publicly about their experiences. This has raised awareness of illicit procurement risks among industry and provided insights to governments. The compliance officers of industry have a great deal of valuable experience, often developed from cases in which goods have ended up in programs of concern. There is a lot to be gained across the board from sharing and drawing on this experience.

Practical Ways Forward

Companies can take steps individually and, crucially, in conjunction with their supply chains to prevent involvement in illicit trade. There also are a number of areas in which governments and other actors, such as NGOs and universities with knowledge and understanding of proliferation, can help the private sector to fulfill these roles. There are, however, some difficulties with governments alone seeking to provide such assistance.

Governments certainly need to be more proactive in helping industry go beyond compliance by providing free nonproliferation-focused resources, such as guidance on best practices to help companies assess the risks of potential business activities. Current government-provided resources often are focused on compliance with export-control legislation rather than a broader and more holistic mitigation of proliferation risks.

The information that the government provides to the private sector is also often limited. For example, in the United Kingdom, the only government-provided list for exporters is the so-called Iran list. This is a list of entities based in Iran that are linked to Iran’s WMD programs, present a diversion concern, or have been refused export licenses on these grounds by the British national authority in the past.[11] For political and diplomatic reasons, the government is reluctant to speak publicly about the risks associated with other countries, such as those that might pose a transshipment risk. In short, the guidance provided in this regard often relates to the obvious rather than less straightforward areas.

In the United States, the approach often seems to be heavily focused on entities that are judged to present a risk of diverting sensitive goods to programs of concern. A focus on lists of entities can be unhelpful because it can seem to imply that illicit trade is conducted only by listed entities. In reality, the first thing that an entity is likely to do when it discovers that is has been placed on a blacklist is to change its name. One notable example is the notorious Chinese supplier to Iran’s missile program, Li Fang Wei; a U.S. court’s indictment of him listed 13 company names and eight individual aliases.[12] Another example is the ongoing case of the Tsais, who are alleged to have set up and used two alternative company names after the U.S. Treasury Department placed their original company, Trans Merits, and them personally on its Specially Designated Nationals list. This is a list combining entities identified by the U.S. government for their alleged involvement in a variety of illicit activities, including WMD proliferation.

Rather than focusing on providing information on specific entities, governments, assisted by NGOs and academic institutions, should concentrate on helping exporters to put in place systems and processes to identify suspicious inquiries, to conduct due diligence more effectively, and to conduct risk assessments of prospective business with entities based in different countries. Guidance on beyond-compliance best practices should be made freely available to firms and in a user-friendly way to reduce costs and the time that it takes to read and implement the guidance. Firms that produce high-specification goods and that are prone to being targeted by illicit procurement are often small and medium-sized enterprises. Therefore, it is hugely important that any guidance ensures that costs are kept down.

Beyond this, governments need to establish mechanisms to allow companies to share the information contained in suspicious inquiries with government and among themselves. Any arrangement in this regard will have to address issues relating to commercially sensitive information. Due to fear of prosecution, there is likely to be some reluctance by firms to share information on suspicious inquiries with governments and one another, even if these inquiries went unfulfilled. Information-sharing mechanisms need to be built on the principle of trust and, most likely, anonymity. Information detailing the types of entities that are trying to obtain proliferation-sensitive goods, the products that they are seeking, and the methods they are using to obtain the products would be of great use to firms in a given sector.

There already is considerable experience in industry that could form the basis of an effort to codify best practices. There are clear benefits in having NGOs or university-affiliated organizations working to this end. Project Alpha has been seeking to draw together the best practices from different firms and packaging these practices so that they are available to others. There also are distinct advantages in using a neutral third party to gather the information and process it, in part by removing the elements that could identify the company that provided it. This could help to overcome business concerns regarding commercial sensitivities and possible prosecution as a consequence of sharing information. A neutral third party also could overcome some of the political and diplomatic sensitivities in providing exporters with valuable information for assessing the risks associated with certain counties, such as transshipment hubs.

In the United Kingdom over the past two years, Project Alpha has been working to develop a partnership initiative.[13] Companies can become “Partners Against Proliferation” by taking certain actions, such as pledging to implement best-practice beyond-compliance principles, ensuring that their business partners do the same, and sharing information relating to suspicious inquiries with the project team. There are precedents for establishing third-party organizations to assist firms with trade control compliance. One example is the Center for Information on Security Trade Controls in Japan, which was set up in the aftermath of Toshiba’s involvement in illicit machine tool procurement by the Soviet Union in the 1980s. Academic institutions in the United States and elsewhere also have been playing important roles in this regard. Increased coordination among NGOs that are working in this area would benefit broader efforts. The first steps in this direction were seen at a March conference in London attended by NGO, government-affiliated, and UN experts.[14]


It has become commonplace to describe the private sector as the first line of defense against proliferation. Nevertheless, there have been few efforts to make practical contributions to assist industry in fulfilling this role in countries around the world. Developing comprehensive and organized ways to raise companies’ awareness of illicit procurement efforts and to improve the capacity throughout supply chains to identify suspicious inquiries could be crucial in the battle to prevent the proliferation of the world’s most dangerous weapons.

Exporters and other businesses involved in trade, such as financial service providers and transportation companies, can help to prevent proliferation not only by making sure they do not supply or enable programs of concern, but also by working to share information with governments and with their competitors within industry to help prevent illicit trade. The British experience has shown that companies are often keen to do this if cost-effective and confidential ways are found. Individual companies acting alone can make a difference, but tangible nonproliferation benefit comes from involving entire supply chains.

Neutral third parties are a desirable way to organize outreach efforts to compile guidance, gather and disseminate information, and help firms throughout supply chains to better understand proliferation risks. This could mean a tangible and increasingly important role for NGOs and academic institutions. As with many aspects of nonproliferation in which such actors play a part, coordination among them to ensure the most efficient use of resources is important. There also is much to learn from previous and current efforts to engage industry in nonproliferation efforts and to facilitate firms’ beyond-compliance processes. By refining the efforts to involve industry, all the parties involved can help to slow down the development of WMD programs such as those in Iran and North Korea and buy more time for governments to pursue diplomatic solutions.

Daniel Salisbury is a researcher at the Centre for Science and Security Studies in the Department of War Studies at King’s College London. He is currently working on Project Alpha, sponsored by the British government, which seeks to build partnerships between government and the private sector to mitigate proliferation risks.


1. UN Security Council, “Note by the President of the Security Council,” S/2013/331, June 5, 2013 (containing the final report of the Resolution 1929 panel of experts) (hereinafter 2013 Resolution 1929 panel report).

2. For more information regarding the objectives and work of Project Alpha, see http://www.acsss.info.

3. International Institute for Strategic Studies, “Nuclear Black Markets: Pakistan, A.Q. Khan and the Rise of Proliferation Networks; A Net Assessment,” May 2007, p. 43.

4. Office of the Director of Central Intelligence, “The Technology Acquisition Efforts of the Soviet Intelligence Services (U),”, June 1982, http://www.foia.cia.gov/sites/default/files/document_conversions/89801/DOC_0000261337.pdf.

5. UN Security Council, S/RES/1929, June 9, 2010, para. 8; UN Security Council, S/RES/1718, October 14, 2006, para. 8.

6. 2013 Resolution 1929 panel report.

7. See Daniel Salisbury and David Lowrie, “Targeted: A Case Study in Iranian Illicit Missile Procurement,” Bulletin of the Atomic Scientists, Vol. 69, No. 3 (May/June 2013): 23-30 (oscillator example taken from U.S. State Department cables leaked by WikiLeaks).

8 Ian J. Stewart, “Anti-Proliferation: Tackling Proliferation by Engaging the Private Sector,” Project on Managing the Atom, November 2012, http://belfercenter.hks.harvard.edu/files/Antiproliferation-Layout-final.pdf.

9. UK Department for Business Innovation and Skills (BIS), “Export Control Organisation: Dual-Use Compliance Study; Summary of Results and Key Findings,” November 2009, http://www.bis.gov.uk/files/file53872.pdf.

10. Andrew Kurzrok and Gretchen Hund, “Beyond Compliance: Integrating Nonproliferation Into Corporate Sustainability,” Bulletin of the Atomic Scientists, Vol. 69, No. 31 (May/ June 2013): 31-42.

11. UK BIS, “Iran List,” August 15, 2012, http://www.bis.gov.uk/assets/BISCore/eco/docs/iran-list.pdf.

12. For the indictment, see http://graphics8.nytimes.com/packages/pdf/nyregion/08INDICT.pdf.

13. For more information about the partnership program, see http://www.acsss.info.

14. The conference was hosted by Project Alpha at King’s College London in March 2013.