U.S. Customs Releases C-TPAT Best Practices Catalog
Last week, U.S. Customs and Border Protection (CBP) issued what is arguably the most significant document related to the Customs- Trade Partnership Against Terrorism (C-TPAT) program in almost a year -- the Supply Chain Security Best Practices Catalog. The Catalog contains hundreds of practical examples of the types of security processes and enhancements that CBP will expect of C-TPAT participants who wish to receive the highest level of C-TPAT benefits the so-called “Tier Three” status.
The Best Practices Catalog is an extremely useful tool for companies that are developing, or that have already implemented, supply chain security programs. In it, CBP reaffirms its commitment to applying a risk-based approach to supply chain security that allows companies to make security-related investments where they are most needed and avoids unnecessary expenditures. Thus, while adherence to C-TPAT Best Practices is a prerequisite to Tier Three status, the determination of what a “best practice” is for a particular company will vary with the circumstances. CBP states:
The Best Practices Catalog is not designed as a master check list of security practices which must be adopted in order to receive Tier Three Benefits. The C-TPAT program from its inception has taken a flexible approach, where it is recognized that “one size does not fit all,” and that customized security measures must be developed and implemented in accordance with the risk present. . . . A determination of Tier Three eligibility is thus based on the totality of the security measures employed, not on any specific practice(s), and whether or not the overall security environment effectively addresses the risk adherent to that specific international supply chain.
Additionally, the Best Practices Catalog “recognizes the diverse size and financial abilities of C-TPAT members, and . . . attempts to provide examples of not only advanced security technologies, but of lower cost security practices as well. . . .” CBP’s acknowledgment of the role that financial resource constraints can play in shaping security policies is welcome.
In many respects, the Catalog simply memorializes rational and effective processes and procedures that many C-TPAT members are already undertaking to ensure supply chain security. For example, the Catalog states that high-level management support for security practices is an important best practice. Obtaining such support is something that most companies have already done. The Catalog also offers some concrete solutions for improving supply chain security. For example, it describes various alternative approaches to qualifying business partners (e.g., establishing internal teams from a company’s import compliance, logistics, purchasing and finance departments to consider potential new business partners), and to ensuring full cooperation from business partners (e.g., including a security component in foreign factory certifications, or requiring periodic updates from business partners regarding changes in sourcing, operations, etc.). The Catalog also contains examples of contractual obligations and textual provisions that can be inserted into purchase orders, contracts, and standard operating procedures.
In some areas especially in the physical security area the Best Practices Catalog describes extensive security infrastructure enhancements that many companies would likely find to be extremely costly. Although the inclusion of these examples might justifiably raise concerns about potentially escalating C-TPAT expectations, the Catalog indicates that these enhancements are only intended as illustrative examples of what might be appropriate, depending upon a company’s import supply chain activity and risk profile.
Nevertheless, concerns that CBP could use the Best Practices Catalog to ratchet up C-TPAT expectations are not entirely misplaced. For example, in the context of a company’s C-TPAT validation, much will depend upon the manner in which individual CBP validation officials known as “Supply Chain Security Specialists” evaluate a company’s security controls in light of applicable best practices. In short, because the 48-page Best Practices Catalog describes many costly procedural and physical security enhancements, there is some attendant risk that individual Supply Chain Security Specialists may regard these specific enhancements as new C-TPAT benchmarks, even if they would in fact be unnecessary or ineffective when applied to a specific company’s situation.
Companies seeking to maintain “state of the art” supply chain security programs should review the Catalog carefully to evaluate whether any of the suggested procedural or physical enhancements could be used to improve their own security programs. Moreover, companies facing upcoming C-TPAT validations should also review the Catalog to identify any areas in their security programs that CBP would likely deem to fall short of the “Best Practices” standards. The Best Practices Catalog gives these companies an opportunity to anticipate the specific types of measures that Supply Chain Security Specialists will consider to be “state of the art,” and to assess the suitability of their own current procedures as compared with those recommended in the Catalog.
For further information, please contact:
Richard Abbey, firstname.lastname@example.org, 202-626-5901
The information contained in this newsletter is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information about these issues, please contact the author(s) of this newsletter or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.
This newsletter is protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this newsletter without prior written consent of the copyright holder.