Compliance in Plain English: A Field Guide to the Terms That Trip People Up
Most people don't get into compliance — they get handed it. Here are seven terms that quietly cause the most trouble, explained without the jargon, plus a free resource that covers the rest.
There is a moment that happens in a lot of organizations. Someone on the team — the office manager, the business officer, a project lead, the founder — is told they now own “compliance.” No course, no handbook, just a new responsibility and a vague sense that getting it wrong is expensive. Then the acronyms start.
The hardest part of sanctions and export-control compliance, for most people, isn't the work. It's the language. The rules are written for agencies and lawyers, and the vocabulary assumes you already know the vocabulary. So we wrote the thing we wish existed for the person who just got handed this: the SecurePoint Compliance Academy — a free, plain-English glossary of the terms that actually come up, each with a beginner explanation, an advanced one, and links to the regulation itself.
The short version
The Compliance Academy is a free, no-login glossary of 30+ compliance and export-control terms — beginner and advanced depth, with primary-source citations. The same explanations are built into the SecurePoint product as in-context help. Below are seven of the terms that trip people up most.
Seven terms that cause the most confusion
None of these are obscure. They are everyday terms in this work — which is exactly why a shaky understanding of them is so costly. Each links to its full Academy entry if you want the deeper version.
The OFAC 50% Rule
A company can be off-limits even when its own name appears on no list — if blocked parties own 50% or more of it, directly or in aggregate.
Where it trips people: People screen the name, it comes back clean, and they assume the counterparty is fine. Ownership is the part the name check never sees.
Deemed export
Releasing controlled technology or technical data to a foreign person — even inside the United States — counts as an export to that person’s country. No shipment required.
Where it trips people: A lab tour, a shared drive, or a screen-share can be an "export." The front desk and the IT permissions list are both export-control surfaces.
Restricted party
An umbrella term for the many separate lists — OFAC SDN, the BIS Entity List, Denied Persons, and more — that can bar you from dealing with a person or company.
Where it trips people: "Did you check the list?" hides the real question: which list? They are maintained by different agencies for different reasons.
Adjudication
The human decision to clear or block a potential match — the step that turns a raw screening hit into a defensible, recorded outcome.
Where it trips people: Screening produces alerts; adjudication produces decisions. Auditors care about the decision, who made it, and why.
False positive
A name that looks like a list hit but isn’t actually your person or company — the volume problem every screening program has to manage.
Where it trips people: Too many and people start rubber-stamping "clear." The discipline is dispositioning each one with a recorded reason, not ignoring them.
CUI vs. FCI
Two tiers of government information — Controlled Unclassified Information and Federal Contract Information — with different protection duties under the contract.
Where it trips people: Mixing them up is a common way a CMMC effort goes sideways, because the level you need (and the controls) depends on which you handle.
U.S. person vs. foreign national
A legal distinction that decides who can access controlled technology and who triggers deemed-export rules — and it isn’t the same as citizenship alone.
Where it trips people: Get it wrong and you can create export liability on one side and anti-discrimination liability on the other. It pays to know the definition cold.
That's seven. The Academy currently covers more than thirty — from embargoes and ITAR to fuzzy-logic matching, visitor escort and monitoring, and the audit trail that ties it all together.
Two ways to use it — and why the second one is the point
A glossary you have to remember to visit is a glossary you stop visiting. So the Academy exists in two places.
The full glossary is public, free, and needs no login. Search a term at 11pm before a meeting, send a colleague a single clean link, or read it start to finish. Every entry cites the primary source so you can verify it yourself.
The same plain-English help is built into SecurePoint, surfacing right next to the decision you're making — when you're adjudicating a potential match or reviewing access, the definition is one click away, in context. Learning happens where the work happens.
That second part is the difference. Plenty of vendors publish a glossary. Far fewer put the explanation inside the workflow, at the moment a non-expert has to make a call they can defend later. That is the whole philosophy: make the right thing the easy thing, and make the jargon stop being a barrier to doing the work correctly.
If you just inherited compliance, start here
Bookmark the Academy and skim the seven terms above — they cover the OFAC, EAR, ITAR, and CMMC corners you’ll meet first.
When an acronym shows up in a policy or a contract clause, look it up before you act on it — the beginner depth takes a minute.
Learn the difference between a screen and a decision: screening finds potential matches; adjudication is the recorded human call that makes them defensible.
Follow every term to its cited primary source when the stakes are real, and loop in counsel for any live license, classification, or possible-violation question.
Frequently asked questions
Sources & further reading
- SecurePoint Compliance Academy (free glossary)
- OFAC — Entities Owned by Blocked Persons (the 50% Rule)
- EAR — Deemed exports (15 CFR 734.13, eCFR)
- NIST SP 800-171 (protecting CUI)
The Compliance Academy is provided for educational purposes only and is not legal advice. SecurePoint USA is not a law firm. Regulations change — confirm current requirements against the cited primary sources and with qualified counsel before acting.
Read the full Compliance Academy
Thirty-plus terms, plain English, beginner and advanced depth, primary sources — free and no login. And if you want the same help built into how your team screens visitors, vendors, and parties, see the platform.
