Customs-Trade Partnership Against Terrorism: What you Need to Know and What to Expect
June 28, 2006
By: Frederic D. Van Arnam, Jr.
This timely article summarizes the current status of the C-TPAT program, including the new mandatory portal. In addition, the article looks at the future of C-TPAT and the globalization of cargo security standards.
I. C-TPAT Now
E. FAST Program
I. C-TPAT Now
Currently, the Customs and Trade Partnership Against Terrorism (C-TPAT) is a voluntary program intended to strengthen and improve overall international supply chain and U.S. border security. C-TPAT membership is available to the following types of businesses: U.S. importers of record, U.S./Canada highway carriers, U.S./Mexico highway carriers, rail carriers, sea carriers, air carriers, U.S. Marine Port Authority/terminal operators, U.S. air freight consolidators, ocean transportation intermediaries and non-vessel operating common carriers, Mexican manufacturers, certain invited foreign manufacturers, and licensed U.S. Customs brokers.
Businesses must apply to participate in C-TPAT. Participants complete an online electronic application on www.cbp.gov, which includes submission of corporate information, a supply chain security profile, and an acknowledgement of an agreement to voluntarily participate. In completing the supply chain security profile, companies must conduct a comprehensive self-assessment of their supply chain security procedures using the C-TPAT security criteria or similar guidelines implemented by the applicant based on its specific enrollment category. the criteria or guidelines, available for review on the CBP website, encompass the following areas: Business Partner Requirements, Procedural Security, Physical Security, Personnel Security, Education and Training, Access Controls, Manifest Procedures, Information Security, and Conveyance Security.
After completion of the C-TPAT online application (see discussion of On Line Security Portal in Section B infra) and the supply chain security profilethe C-TPAT applicant is assigned a CBP C-TPAT Supply Chain Security Specialist (SCSS).
A. Benefits of Participation
In May 2005, CBP moved to a three-tiered benefits structure, where C-TPAT importers who have done more to enhance security receive more benefits. Under Tier One, certified importers receive meaningful risk score reductions, resulting in fewer cargo examinations for security concerns, a fewer random Compliance Measurement examinations, and the "negation of most trade cargo examination selectivity," meaning fewer cargo exams. Tier One importers are eligible for expedited cargo processing at the border (FAST lanes at the land borders), receive 'front of line' inspection privileges at ports of entry, are entitled to certain penalty mitigations, become eligible for the Importer Self Assessment program, and may attend Customs' sponsored C-TPAT training seminars.
A Tier One company graduates to Tier Two or Tier Three upon completion of a successful validation (validation is discussed in Section D, infra). An importer whose validation reveals that minimum security criteria have been met will receive Tier Two benefits. Tier Two benefits include all the same benefits associated with Tier One, but Tier Two importers are provided with twice the level of risk score reductions received by Tier One importers, resulting in significantly fewer examinations for security reasons than those received by Tier One importers.
Tier Three status is reserved for those importers whose security measures exceed the minimum security criteria and have adopted "security best practices." Under Tier Three, all benefits associated with Tier One and Tier Two are granted, but the importer receives the most significant risk score reductions available. Tier Three status is also the precursor for CBP's "Green Lane" which, when (and if) it comes into existence will provide Tier Three members the ability to import without inspection, except for an occasional random examination. Merchandise imported by a Tier Three importer will experience the "Green Lane" only if other requirements are met. These requirements include shipping through a Container Security Initiative (CSI) port and using container security devices. CBP intends to roll out the "Green Lane" once effective container security technology becomes available. CBP has a ‘Best Practices Manual’ available on its website intended to help participants achieve Tier Three status. The Manual is based on the C-TPAT security criteria and Customs' experience acquired through more than 1400 validations and site visits.
B. Security Link Portal
CBP made a significant change in the C-TPAT program with the Security Link Portal, participation though which is mandatory for C-TPAT participants so to improve a participant’s communication with CBP. The C-TPAT application process will become paperless and the Portal will facilitate the maintenance of the C-TPAT Supply Chain Security profile, with all participants updating and maintaining their C-TPAT information via the Portal. Participants will receive information directly from CBP, including cargo security alerts and sanitized intelligence information.
Various deadlines have been given for enrollment in the Portal, whereby C-TPAT members must access and update all C-TPAT Portal Account Information, including their Supply Chain Security Profile. This must be updated and re-certified on a yearly basis. Importers and carriers must ensure that their Security Profile is updated by August 1, 2006. The deadline for foreign manufacturers and brokers is September 1, 2006. If the C-TPAT participant fails to update this information by the date required, then the participants will be removed from the C-TPAT program.
The Portal URL is available on the cbp.gov website, and specific implementation and access information are being provided to all current C-TPAT participants. Only a C-TPAT participant’s point of contact (a company officer or employee with an email address registered with C-TPAT) may create or modify a Portal account. The primary C-TPAT point of contact will be able to add additional users for access to their company’s C-TPAT Portal account. Each user assigned by the primary C-TPAT point of contact will be required to have a valid e-mail address and create a unique password. Access to the Portal is only permitted for CBP C-TPAT program personnel, and that access to all of a company’s Portal information will be confidential. CBP will not share this information unless authorized by the primary C-TPAT point of contact or one of the participant’s designated authorized users.
C. Security Criteria or Guidelines
C-TPAT is not intended to create any new 'liabilities' for companies beyond existing trade laws and regulations. However, joining C-TPAT will commit companies to follow through on actions specified in the signed agreement, including self-assessing security systems, submitting a security profile, developing security enhancement plans, and communicating C-TPAT guidelines to companies in the supply chain. CBP has stated that retaining membership in the C-TPAT program is contingent upon a continued, demonstrated commitment to enhancing supply chain security, and on meeting the outlined minimum security criteria. Container security measures, including sealing requirements, are considered crucial aspects to supply chain security and C-TPAT members who do not adopt acceptable practices may be suspended. Since 2005, CBP has security criteria for importers, and CBP has recently come out with new Security Criteria for highway and sea carriers. None of these security criteria are mandatory regulatory requirements, but rather are required of those who are members of C-TPAT or wish to become members of C-TPAT. Other classes of C-TPAT participants do not have minimum security criteria but instead have security guidelines.
1. Importers-Minimum Security Criteria
In 2005, CBP implemented minimum security criteria for importers, including hardening of the physical supply chain (container security, physical security, physical access controls), internal supply chain management practices (personnel and procedural security, information technology security, security training and threat awareness), and business partner requirements. There was a phased implementation of these requirements in 2005, but now any new or existing importer participant must meet these standards. Importers are to conduct a comprehensive review of their supply chains based on these criteria, and must ensure business partners develop security processes and procedures consistent with the C-TPAT security criteria to enhance the integrity of the shipment at point of origin, and throughout the supply chain. The supply chain for C-TPAT purposes is defined from point of origin manufacturer/supplier/vendor through to point of distribution. Physical security standards apply to the supplier as well as to the importer. Periodic reviews of business partners' processes and facilities should be conducted based on risk. High risk supply chain components should be reviewed more frequently than low risk components.
Importers are supposed to have a documented and verifiable process for determining risk throughout their supply chains based on their business model (i.e., volume, country of origin, routing, potential terrorist threat via open source information, recognized weaknesses in the supply chain, etc.). Importers must also have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors. For those business partners eligible for C-TPAT certification (carriers, ports, terminals, brokers, consolidators, etc.) the importer must have documentation (e.g., C-TPAT certificate, SVI number, etc.) indicating whether these business partners are or are not C-TPAT certified. For those business partners not eligible for C-TPAT certification, importers must require their business partners to demonstrate that they are meeting C-TPAT security criteria via written/electronic confirmation (e.g., contractual obligations; via a letter from a senior business partner officer attesting to compliance; a written statement from the business partner demonstrating their compliance with C-TPAT security criteria or an equivalent WCO accredited security program administered by a foreign customs authority; or, by providing a completed importer security questionnaire). Membership in the Business Anti-Smuggling Coalition (BASC) helps to establish that the foreign business partner is meeting minimum security criteria, but a complete review would still be needed to identify any deficiencies which need to be addressed.
2. Highway Carriers-Minimum Security Criteria
As of March 13, 2006, U.S./Canada and U.S./Mexico highway carriers who wish to participate in C-TPAT must comply with new security requirements. However, current C-TPAT participants have a phased implementation. The first phase of the implementation, which was to be completed within 60 days of March 13, involves hardening of the physical supply chain (conveyance security such as seals and trailer security, physical access controls for employees and visitors, physical security such as fencing, lighting and parking). The second phase, which must be completed within 120 days of March 13, 2006, involves personnel security such as background checks, procedural security such as documentation and manifesting procedures, security training and threat awareness, less-than-truck-load security/seal requirements, and information technology security such as passwords. The third phase give highway carriers 180 days from March 13, 2006 to comply with the business partner screening requirements. To see the new requirements set out in full, click here.
Existing C-TPAT member highway carriers will not be required to provide a written certification that the security criteria have been met, nor will previously submitted and accepted security profiles need to be resubmitted. Instead, it is understood that highway carriers must meet or exceed these baseline security criteria by the end of each implementation phase. CBP will use validations to gauge whether or not highway carriers have adopted these security criteria. Those highway carriers found to be deficient may have benefits suspended, or be removed from the program entirely.
However, Customs has specified that at least on a yearly basis, or as circumstances dictate because of as a security breach or incident, highway carriers must conduct a comprehensive assessment of their international supply chain security practices based upon the following C-TPAT minimum-security criteria. Where a highway carrier does not control a specific element of their supply chain, such as a trucking yard, terminal, handling of trailers, or process subject to these criteria, the highway carrier must work with these business partners to ensure that pertinent security measures are in place and adhered to throughout their supply chain.
3. Sea Carriers-Minimum Security Criteria
As of March 1, 2006, sea carriers who wish to participate in C-TPAT must comply with new security requirements. However, current C-TPAT participants have 90 days from March 1, 2006 to implement all of the requirements: business partner requirements (security procedures), container security (seals, container inspection, etc), physical access controls (boarding - disembarking of vessels, etc), personnel security (background checks, crewmember control, etc.), procedural security (passenger and crew, manifesting procedures, etc.), security training and awareness, physical security (fencing, lighting, parking, etc.), information technology (password, accountability), and security assessments, response and improvements. To view the new requirements, click here.
Existing C-TPAT member sea carriers will not be required to provide a written certification that the security criteria have been met, nor will previously submitted and accepted security profiles need to be resubmitted. Instead, it is understood that sea carriers must meet or exceed these baseline security criteria by the end of the 90 day implementation period. CBP will use validations to gauge whether or not sea carriers have adopted these security criteria. Those sea carriers found to be deficient may have benefits suspended, or be removed from the program entirely.
As with highway carriers, sea carriers must conduct a comprehensive assessment of their security practices based upon the C-TPAT minimum-security criteria. Where a sea carrier does not control a specific element of the cargo transportation service it has contracted to provide, such as marine terminal operator or a time chartered vessel with whom it has contracted, the sea carrier must work with these business partners to seek to ensure that pertinent security measures are in place and adhered to. However, unlike for highway carriers, a minimum-yearly assessment has not been specified.
4. Other Participants-Security Guidelines
C-TPAT also has security guidelines for air carriers, air freight consolidators/ocean transportation intermediaries/non-vessel operating common carriers, Customs brokers, manufacturers, rail carriers, and U.S. marine or port terminal operators. These are outlined in detail on the CBP website.
C-TPAT requires participants to document and validate their supply chain security procedures. CBP requires that C-TPAT company participants develop an internal validation process to ensure the existence of security measures documented in their Supply Chain Security Profile and in any supplemental information provided to CBP. However, as a part of the C-TPAT process, the CBP C-TPAT Supply Chain Security Specialists (SCSS) and the C-TPAT participant will jointly conduct a external, CBP validation of the company’s supply chain security procedures. CBP plans on validating the security profiles of all C-TPAT participants. Normally, a company’s initial validation will occur within three years of becoming a certified member of C-TPAT. If the validation findings are satisfactory, the results will increase the level of benefits provided to importer participants by graduating them from Tier One. If the validation findings reveal significant weaknesses in the company’s application of C-TPAT guidelines or criteria, some or all of the participant’s C-TPAT benefits and its certification status may be suspended or removed until corrective action is implemented and verified.
E. FAST Program
Though not part of the C-TPAT program, the Free and Secure Trade Program (FAST) is a voluntary program which allows U.S./Canada and U.S./Mexico participating importers expedited release for qualifying commercial shipments. The FAST program allows known low risk participants to receive expedited border processing, enabling CBP to re-direct security efforts to higher-risk shipments.
Any truck using FAST lane processing must be a C-TPAT approved carrier, carrying qualifying goods from a C-TPAT approved importer, and the driver must be in possession of a valid FAST Commercial Driver Registration ID Card. Eligibility for the FAST program requires participants (carrier, drivers, importers, and south-of-the-border manufacturers) to submit an application, agreement, and security profile. Although FAST participation requirements along the northern and southern border are very similar, on the southern border two additional requirements exist. The manufacturer must be an approved C-TPAT participant, and they must also adhere to CBP high security seal requirements.
II. World Customs Organization Cargo Security
In June 2005, the 168 member nations of the World Customs Organizations, which together account for 99 percent of global trade, agreed to adopt the Framework of Standards to Secure and Facilitate Global Trade, a strategy aimed at securing international commerce against terrorism while allowing trade to move faster and more reliably. The Framework is not binding upon members and contains many generalities rather than specifics on how its goals are to be accomplished. It references the realities of capacity building and the promulgation of requisite legislative authority in member countries, and contains four core elements. First, standardized advance electronic cargo information is required for inbound, outbound, and transit shipments. The WCO believes that advance information allows customs administrations to identify shipments that are high-risk early in the supply chain. An importer, exporter or carrier is required to submit specific data to the customs authorities at the country of departure and arrival. Data may vary from country to country but the WCO has established a maximum set of data, known as the Kyoto ICT Guidelines. Companies that do not meet the requirements will likely face border delays, increased inspections, and, in some cases, penalties.
Second, each country that joins the Framework must commit to using a common risk management approach to address terrorism and other security threats. This means that customs administrations will focus on identifying and inspecting high-risk shipments while subjecting low-risk shipments to minimal scrutiny. Third, based on risk-targeting methodology Customs administrations will, at the request of the receiving nation, perform outbound inspections of high-risk containers using non-intrusive detection equipment like large-scale machines and radiation detectors.
Fourth, the Framework supports customs-trade partnerships (such as C-TPAT). Companies that demonstrate a high degree of security guarantees and engage in best practices will be identified as "authorized economic operators (AEO)" and will receive tangible benefits, including reduced inspections and expedited processing of goods.
The Framework establishes two ‘pillars’, the first pillar being a recitation of preferable practices as between customs administrations. Pillar 1 has technical specifications in Annex 1 and the Appendix to Annex 1 is the “Seal Integrity Programme for Secure Container Shipments”, which is of more practical value. The second pillar is a customs-to-business partnership concept (such as C-TPAT) which provides six standards (partnership, security, authorization, technology, communication and facilitation). While Annex 2 to Pillar 2 purports to give some ‘technical specifications’, these are quite general and not of much practical use.
III. Potential Changes to C-TPAT In The Near Future
Several pieces of legislation recently introduced in Congress may have significant implications for C-TPAT participants. The first bill, which is known as “The Security and Accountability for Every Port Act” and the “The SAFE Port Act” (H.R. 4954), was passed by the House of Representatives on May 4, 2006 and is before the Senate. The main provisions of The SAFE Port Act provides as follows: 1) $7.4 billion to enhance port security, including authorizing a Domestic Nuclear Detection Office and requiring nuclear and radiological detection systems at all domestic seaports; 2) enhancement of the Container Security Initiative and C-TPAT, and improved high risk cargo targeting and tracking; 3) establishment of regulatory criteria for C-TPAT including the adoption of container security devices to obtain Tier 3 green-lane benefits; 4) allows third-parties to conduct C-TPAT validations; 4) appropriates $400 million for port security grants from Customs duties, and 5) authorizes the establishment of uniform data for government-wide use. An amendment known as the Sanchez amendment would end the practice of granting Automated Targeting System score reduction benefits to Tier 1 participants in C-TPAT. The House Homeland Security Committee rejected a proposal during mark-up of the bill which would have required scanning of all containers at foreign ports before loading on U.S.-bound ships. Passage of this bill in the Senate is uncertain as it would have to be reconciled with the other bills outlined below.
The GreenLane Maritime Cargo Security Act, S. 2459, was approved by the Senate Homeland Security and Governmental Affairs Committee on May 5, 2006. It covers maritime cargo security only. In contrast to the SAFE Port Act, an amendment was adopted to this bill that would require an integrated scanning system to cover 100% of containers bound for the U.S. from three foreign ports to be in place within one year, with expansion of this program as soon as practicable. The main provisions of the bill would 1) establish a C-TPAT green lane of supply chain participants to voluntarily meet the highest security levels, providing better security devices and giving importers incentives to enhance security; 2) establish minimum security standards for all cargo containers that enter the U.S., and stronger cargo security program requirements; 3) set up an Office of Cargo Security Policy to coordinate security policies and procedures within Homeland Security and between it and other agencies; 4) establish a Joint Operations Centers to ensure coordinated response to incidents or heightened national security threat levels; and 5) authorize $835 million for port security, Container Security Initiative, and C-TPAT, from Customs duties.
In addition, Senate panel leaders have repackaged transportation and supply-chain security legislation in an apparent challenge to the GreenLane Maritime Cargo Security Act. The Maritime, Rail and Public Transportation Security Act of 2006, S. 2791 includes security provisions for railroads and public transit operations. It is a combination of separate transportation security and mass transit security bills that were originally filed in 2005. The bill's maritime provisions include: regulations for the Container Security Initiative (evaluation and screening of cargo documents prior to loading and inspection of high-risk cargo) and C-TPAT (but without any specifics having been outlined other than to ‘strengthen’ the validation process and implement a records management system). CBP would develop plans to assure that there are enough personnel to validate C-TPAT companies, importers will file entry data 24 hours before a container is loaded aboard ship at a foreign port, international negotiations are conducted with governments and the International Maritime Organization to establish cargo security standards, there are random inspection of containers based on scientific sampling methodology, port security plans will include provisions for recovery and resumption of trade after a terrorist attack, and a study of port security fees will be made. The bill's sponsors are the chairmen and leading Democrats on the Commerce and Banking Committees, Republicans Ted Stevens of Alaska and Richard Shelby of Alabama, and Democrats Daniel Inouye of Hawaii and Paul Sarbanes of Maryland. Thirty-seven senators have signed on as co-sponsors.
All three of these bills are currently before the Senate. It is unclear at this point which of these bills will ultimately become law. Senate Majority Leader Bill Frist, together with two committee chairmen, Sen. Ted Stevens of Commerce and Sen. Susan Collins of Homeland Security, is trying to work out a common approach instead of pursuing conflicting bills. It is said that Republicans will want a port security bill in place by the fifth anniverary of September 11. However, one thing that seems certain is that there will be further extensive changes to the C-TPAT program in the near future.
IV. International Organization for Standardization and C-TPAT
The International Organization for Standardization (ISO) published a new standard for security management systems in November 2005. It is designed to provide specifications for the supply chain to better monitor freight flows and combat smuggling, piracy and terrorism. Fourteen countries participated in its development, together with numerous international organizations and regional bodies. Development of such international standards for security management might ultimately mean that if the U.S. has more onerous requirements than is the international norm, the U.S. may risk being in breach of its WTO obligations. While the GATT and WTO agreements may permit a deviation for public health and safety reasons, this issue could be the genesis of future WTO challenges to C-TPAT.
ISO/PAS 28000:2005, Specification for security management systems for the supply chain, outlines the requirements to enable an organization to establish, implement, maintain and improve a security management system, including aspects ISO states are critical to security assurance of the supply chain. These aspects include, but are not limited to, financing, manufacturing, information management and the facilities for packing, storing and transferring goods between modes of transport and locations. The standard can be used by a broad range of organizations whether small or large, in the manufacturing, service, storage and transportation sectors at any stage of the production or supply chain. ISO feels that its implementation will reassure business partners that security is taken seriously within the organizations they deal with.
There are three other related ISO standards in place or upcoming, including the following. ISO/PAS 20858:2004, Ships and marine technology relates to maritime port facility security assessments and security plan development. It was published in June 2004 and is designed to assist in the implementation of the International Maritime Organization's International Ship & Port Security (ISPS) Code. ISO/PAS 28001, Best practices for custody in supply chain security, will assist industry to meet best practices as outlined in the World Customs Organization Framework. It is expected to be published in the second quarter of 2006.
ISO/PAS 28004, Security management systems for the supply chain provides general guidelines on principles, systems and supporting techniques and will assist users of ISO 28000. It will reference ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing, and the future ISO/IEC 17021, Conformity assessment – Requirements for bodies providing audit and certification of management systems. Obviously, ISO is becoming proactive in the security and supply chain management field, and that may eventually impact C-TPAT in some fashion.
 CBP has stated that all information on supply chain security submitted by companies applying for the C-TPAT program will be confidential, and that CBP will not disclose a company's participation in C-TPAT.