Export permits for cryptographic items

Financial institutions cryptography export permit

Summary: This type of permit allows exports of hardware, executable software, and associated information and enhancements to financial institutions in a number of countries that have enacted legislation to counter money laundering. There are no reporting requirements.

Coverage

Financial institutions permits allow exports only to the following countries, which have enacted anti-money laundering laws:

Anguilla
Antigua
Argentina
Aruba
Australia
Austria
Bahamas
Barbados
Belgium
Brazil
British Virgin Islands
Croatia
Denmark
Dominica
Ecuador
Finland
France
Germany
Greece
Hong Kong
Hungary
Iceland
Ireland
Italy
Japan
Kenya
Luxembourg
Monaco
Netherlands
New Zealand
Netherlands Antilles
Norway
Poland
Portugal
St. Kitts & Nevis
St. Vincent/Grenadines
Seychelles
Singapore
Spain
Sweden
Switzerland
Trinidad & Tobago
Turkey
United Kingdom
United States [Note *]
Uruguay


Notes

Note *

Permits are not required to export cryptography and information security goods or technology from Canada to the United States.

Financial institutions permits allow the export to financial institutions in the above-listed destination countries by any means of the following:

  • Goods that incorporate cryptography that is controlled in Category 5, Part 2 of Group 1 of the Export Control List;
  • Executable code (object code) of those cryptographic goods;
  • Technical information which is the minimum necessary for the installation and operation of those cryptographic goods;
  • Maintenance releases and product upgrades which do not contain:
    • enhancements to the cryptographic component(s), module(s) or interface(s) or change the cryptographic functionality of those cryptographic goods; or
    • source code or pseudo-code of the cryptographic component(s), module(s) or interface(s).

Prohibitions

Financial institutions permits explicitly exclude, in the terms and conditions stated on each permit, exports:

  • to central banks;
  • for end-use that is directly or indirectly related to research, development or production of chemical, biological or nuclear weapons, or any missile programmes for such weapons;
  • of technical information related to design, development or implementation of the crypto; and
  • of source code or pseudo-code, in any form, of the crypto.

Applications

Please contact the Export Controls Division if you wish to submit an application for a multidestination permit using EXCOL and have not done so before. You should send an email to tie.reception@international.gc.ca and request that your EXCOL profile be set to enable applications for multidestination cryptography permits.

Applications for financial institutions permits must include the following:

  • a completed application form (generally done through our online system EXCOL)
  • a completed cryptography and information security product questionnaire
  • technical description of the goods/technology. The Export Controls Division undertakes a technical assessment of the goods or technology listed in the export permit application to determine under which Export Control List Item(s) they fall. For this purpose, technical specifications of the export must be detailed and adequately describe the characteristics of the goods and services. Enough details must be provided to establish the true nature of the items. These could be provided in the form of drawings, data sheets, manuals, component lists, block diagrams, exploded view drawings, and so on. Marketing brochures may also provide useful additional information. The information that is submitted should make clear the type and function of the goods and provide key technical parameters.
  • cover letter using the template provided and confirming the exporter agrees to abide by the terms and conditions of the permit
  • evidence that the exporter has incorporated the four prohibitions listed above into any applicable distributor, re-seller or vendor agreements (a copy of such documents should be attached with the application).

Exporters of information security goods/technology and goods/technology employing cryptography should note the following guidelines on identifying items in an export permit application:

  • Descriptions of finished products should use the following format: [brand name or name of manufacturer] [model name] [part number]. This information should be consistent with packaging labels, invoices, and shipping documents.
  • Descriptions of software should use the following format: [software developer or publisher name] [software name] [version number x.x] [means of export – eg, on CD or by FTP]. This format assumes that, in the version number, changes to the right of the decimal (eg, from version 3.0 to 3.1) will only be updates, patches, or fixes with no change to the cryptographic functionality, and that any other change to the software, including a change to the cryptographic functionality, will result in a change from version 3 to version 4.
  • Item descriptions should not describe the purpose, use, or physical appearance of the product (this should be provided instead in the field “Overall Description of Goods and End-Use” in the EXCOL application form) nor include references to the Export Control List (self-assessments should be provided in the field “ECL No.” in the EXCOL application form).
  • The Description is how the goods or technology will be identified on the export permit, which will also be verified against the Export Declaration submitted to the Canada Border Services Agency at the time of export.

An export permit issued for software will generally include the version number, as noted above (eg, version 1.x). Changes to the version number to the left of the decimal (ie, from version 1.x to version 2.x) require a new permit to be issued. In other words, if a permit is issued for version 1.1, the exporter may also use that permit to export versions 1.2 and 1.3 (assuming there has been no change to the cryptographic functionality). However, that permit may not be used to export version 2.1 of the same software. A new permit application should be submitted.

Compliance

After issuance of a financial institutions permit, the exporter must:

  • comply with other terms and conditions that may be stated on an export permit. Exporters are obliged to comply with these conditions when they export under the authority of the permit. Exporters must review the terms and conditions upon receipt of the export permit and prior to exporting, and may contact the Export Controls Division (email tie.reception@international.gc.ca) for more information.
  • comply with provisions of the Export and Import Permits Act which require, inter alia, the keeping of records for at least six years after the end of the year to which they relate and that such records be provided upon demand to an officer of the Export Controls Division. Exporters using this permit must retain documentation, which may include contracts, invoices, requests for products, statements of work, specific correspondence, (if applicable) vendor/reseller/distributor agreements, an end-use statement (following the template provided for individual permits), and bills of lading, which demonstrate that the exporter has undertaken due diligence. The purpose of due diligence is to verify that the transaction adheres to the permit and its specific terms and conditions.