implementing the new & strengthened ctpat criteria

Implementing the New & Strengthened CTPAT Criteria

Disclaimer

All materials contained in this presentation are protected by United States copyright law

and may not be reproduced, distributed, transmitted, displayed, published or broadcast

without the prior written approval of Sandler, Travis & Rosenberg, P.A. You may not alter or

remove any trademark, copyright or other notice from copies of the content. The materials

contained in this presentation are provided for informational use only and should not be

considered legal advice. The hiring of a lawyer is an important decision that should not be

based solely on presentation materials. Please contact us and we will send you free written

information about our qualifications and experience.

© 2019 Sandler, Travis & Rosenberg, P.A. | www.strtrade.com | All rights reserved. 2

Our Speaker

© 2019 Sandler, Travis & Rosenberg, P.A. | www.strtrade.com | All rights reserved.

Lenny Feldman Esquire

Sandler, Travis & Rosenberg, P.A.

Phone: 305-894-1011Email: [email protected]

3

mailto:[email protected]

About Lenny Feldman

Lenny Feldman, a Senior Member of Sandler, Travis & Rosenberg, serves as

customs counsel and global compliance and enforcement strategist to corporate

clients around the world. While a senior attorney at CBP’s Office of Regulations

and Rulings (1991-2000) he was responsible for issuing decisions and training CBP

officials implementing and enforcing the U.S. government’s import and export

programs, relating to multiple federal agencies. Mr. Feldman currently serves as

Co-Chair of the twenty (20) members appointed nationally to serve on the 15th

Commercial Customs Operations Advisory Committee (COAC), offering strategic

direction to CBP, DHS and Treasury executives.


I. What’s New?


• Creation and innovation

• Beyond physical security

• Strengthen, add minimum security criteria

• New best practices framework.

• Meaningful benefits

• Unified cargo processing

• Mitigate threats and risks

• Robust trusted trader scheme

• Global recognition and interoperability

• E-commerce, in-bond and export strategies

Key Concepts


CTPAT By the Numbers

© 2019 Sandler, Travis & Rosenberg, P.A. | www.strtrade.com | Al l rights reserved.

MEMBERS: 11,590

IMPORTS COVERED: 53%

MUTUAL RECOGNITION AGREEMENTS:

12

VALIDATIONS (2018): 2,255

REDUCED EXAM FEES (2018): $70

MILLION

VALIDATION PASS RATE: 97%

ISA MEMBERS: 330

9

Tangible Efficiencies

• Reduced CBP exams

• Front of the line inspections

• Possible exemption from stratified exams

• Shorter wait times at the border

• Access to FAST lanes at land borders

• Business resumption priority following a natural disaster or terrorist attack

© 2019 Sandler, Travis & Rosenberg, P.A. | www.strtrade.com | Al l rights reserved. 10

Inspection Rates:Non-CTPAT 2%

CTPAT ½% (.053%)

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=2ahUKEwjhtu-gvJnkAhVBtlkKHSx1D4UQjRx6BAgBEAQ&url=https%3A%2F%2Fcommons.wikimedia.org%2Fwiki%2FFile%3ACBP_officer_directing_a_truck.jpg&psig=AOvVaw276ml6GbYZ2dwkDyaur8aS&ust=1566666105802969

• Reduced carrier wait times at land border

• Fewer supply chain disruptions

• Improved workforce security

• More predictability in moving goods

• Ability to compete for contracts that required CTPAT membership

Long Term Benefits


New Zealand. Secure Export Scheme. June 2007

Canada. Partners in Protection. June 2008

Jordan. Golden List. June 2008

Japan. Authorized Economic Operator. June 2009 (Benefits)

Korea. Authorized Economic Operator. June 2010

EU. Authorized Economic Operator. May 2012 (Benefits)

Taiwan. Authorized Economic Operator. Nov 2012

Israel. Authorized Economic Operator. June 2014

Mexico. New Scheme of Certified Companies. October 2014

Singapore. Secure Trade Partnership. December 2014

Dominican Republic. Authorized Economic Operator. December 2015

Peru. Authorized Economic Operator. September 2018

13

CBP – Mutual Recognition Agreements


CBP recognized 81 foreign

validations. $600K savings.

II. CTPAT Minimum

Security Criteria


= Strengthened MSC = New MSC

MSC Categories


Cat

ego

ries

Corporate

Transportation

People & Physical New

Are

as

Security Vision, Responsibility

Cybersecurity

Agricultural Stre

ngt

hen

Risk Assessment

Business Partner

Cargo & Container

Conveyance

Seal

Procedural

Physical

Personnel

Training

15

16

New & Strengthened CTPAT CriteriaFocus Areas Criteria Categories

Corporate Security

Security Vision and Responsibility (New)

Risk Assessment

Business Partner Security

Cybersecurity (New)

Transportation Security

Conveyance and Instruments of International Traffic Security

Seal Security

Procedural Security

Agricultural Security (New)

People and Physical Security

Physical Access Controls

Physical Security

Personnel Security

Education, Training, and Awareness


• Environment for innovation and creativity

• FAST: Free from Anxiety Stress & Tension

• Definition: Security measure with senior management support, innovative for partner’s business model and size, verifiable through documented and observable evidence and testing

Key Concepts – The Future


Five Components


Senior Management Support

Innovative Business Process/Technology

Documented Process

Checks, Balances, Accountability & Testing

Evidence of Implementation

Innovation, Integration, Financial, Incentives

Automation, Technology, Streamlined

Policy, Procedures, Work Instructions, Checklists

Tests, Audits

Observation, Documentation

18

Corporate Security: Security Vision & Responsibility

For a CTPAT Member’s supply chainsecurity to be effective, it must becomean integral part of a company’s cultureand it must be incorporated into is corebusiness processes. This can only beaccomplished if the company’smanagement is fully engaged indeveloping and maintaining theprogram.


Security Vision & Responsibility – Key areas

General: Supply chain security must become an integral part of company’s culture, incorporated into its core business processes, by having the company’s management fully engaged in developing and maintaining the program.

Criteria: Publicize supply chain security and CTPAT program commitment through a

statement of support signed by a senior official, displayed throughout the company.

Incorporate representatives from all relevant departments into a cross-functional team.

Design and implement supply chain security program with appropriate written review component where personnel are held accountable for responsibilities.

Must have a knowledgeable CTPAT Point(s) of Contact providing regular updates regarding the progress or outcomes of audits, validations, etc.


Corporate Security: Risk AssessmentThe continued targeting of the supplychain by terrorist groups and criminalorganizations underscores the need forCTPAT Members and their businesspartners to fully assess their existingand potential exposure to theseevolving threats. Requirements in thiscategory focus on the need forMembers to conduct and update a riskassessment and the factors to considerwhen developing a risk assessment.

© 2019 Sandler, Travis & Rosenberg, P.A. | www.strtrade.com | Al l rights reserved.21

Risk Assessment & Internal and External Audits –Key Areas

• General: CTPAT members are their business partners must fully assess existing and potential exposure to evolving threats. Focus on conducting and updating risk assessment with relevant factors.

• Criteria:

Written procedures addressing crisis management, business continuity, security recovery plans, and business resumption.


Corporate Security: Business Partner SecurityCTPAT Members engage with avariety of business partners, bothdomestically and internationally.Screening business partners is awell-established criterion butMembers also must screen theirbusiness partners activity relatedto trade-based money launderingand terrorist funding.


Business Partners – Key AreasGeneral: In addition to well-established criteria, members must also screen business partners’ activity related to trade-based money laundering and terrorist funding.

Criteria:

Identified weaknesses must be addressed immediately and corrections implemented timely.

Documented social compliance program addressing forced labor.


Corporate Security: Cybersecurity

Technology has evolved dramatically since CTPAT’screation in 2001. Leading companies today arerethinking the role of information security in theirorganizations. They realize that in a digital world,cybersecurity is the key to safeguarding their mostprecious assets – intellectual property, customerinformation, financial data, and employee records,among others. Companies also understand thatcybersecurity can better position their organizationswith business partners, customers, investors, and otherstakeholders. These requirements will position CTPATMembers towards a stronger cybersecurity posture andallow them to better deter cyberattacks and preventloss of data.


Cybersecurity – Key Areas

General: Cybersecurity is the key to safeguarding precious assets - intellectual property, customer information, financial data, employee records, etc. Members must take a stronger cybersecurity posture to better deter cyberattacks and prevent data loss.

Criteria: Comprehensive written cybersecurity policies and procedures.

Adequate defense against cyber threats (e.g., malware, firewalls, current/updated security software), procedures to prevent social engineering attacks, and data recovery processes.

Regular testing of IT infrastructure.

Address how information is shared on cyber threats.

Cyber policies reviewed, updated annually.


Cybersecurity (2)

Secure technologies for remote connection.

Personal devices adhere to cyber policies and procedures.

Prevent use of counterfeit, improperly licensed technological products.

Back up data at least once a week or as appropriate; store sensitive and confidential data in encrypted format.

Account for all media, hardware or other IT equipment through regular inventories; when disposed ensure properly sanitized or destroyed.


Transportation Security: Conveyance and Instruments of International Traffic SecurityThis category covers procedures aMember must have in place toprevent, detect, or deter un-manifested material and/or usunauthorized personnel from gainingaccess to conveyances andInstruments of International Traffic(IIT). A cornerstone of the criteria inthis category is security inspections ofinstruments of international traffic(IIT). As part of these inspections, anyvisible pest contamination should beidentified and mitigated.


Container/Conveyance Security – Key AreasGeneral: Procedures must prevent, detect, or deter un-manifested material and/or unauthorized personnel from gaining access to conveyances and IIT. Security inspections of IIT must include identifying and mitigating any visible pest contamination.

Criteria:

Written inspection process addresses both security and agricultural inspections.

Prior to loading/stuffing/packing conduct CTPAT approved security and agricultural inspections as seven (or eight) point inspection.

Equip conveyances with right type of external hardware and properly inspect container’s locking mechanism.


Container/Conveyance Security (2)

Work with transportation providers to track conveyances and incorporate such requirements in service provider agreements.

Implement “no-stop” policy for land border shipments close to the U.S.

Alert, as soon as feasible, business partners and appropriate law enforcement agencies of a credible, detected security threat.


Transportation Security: Seal SecurityThe sealing of trailers andcontainers, to include continuousseal integrity, continues to be acrucial element of a securesupply chain. Requirements forwritten seal policies requireMembers to have acomprehensive written sealpolicy that addresses all aspectsof seal security.


Seal Security – Key Areas

General: It is crucial to seal trailers and containers to assure continuous seal integrity consistent with a comprehensive seal policy.

Criteria: Detailed high security seal procedures describing how seals are issued and controlled at facility and

during transit, including how to address seal discrepancies or anomalies.

If maintaining a seal inventory, conduct audits and periodic inventory of seals, including verifying seal numbers.

Utilize V (view), V (verify), T (tug) and T (twist) process to ensure seals properly affixed.


Transportation Security: Procedural SecuritySecurity measures must be inplace to ensure the integrity andsecurity of processes relevant tothe transportation, handling, andstorage of cargo in the supplychain. This category includesprocedures that address securityaudits and the staging andloading of cargo.


Procedural Security – Key Areas

General: Ensure integrity and security of processes relevant to transportation, handling and storage of cargo in supply chain.

Criteria: Inspect cargo staging and surrounding areas on regular basis to ensure free of pest contamination.

Take digital images of properly installed seal and forward to destination for verification.

Review import/export documents, such as manifests, and train personnel to identify or recognize suspicious cargo shipments.

Consider CTPAT Key Warning Indicators for Money Laundering and Terrorism Financing Activities, as applicable.

Written procedures to report incidents, including the facility’s internal escalation process.

Mechanism to report security related issues anonymously.

Initiate internal investigations of any security related incidents once aware.

Brokers:

Advise clients of obligation to report anomalies to CBP and other law enforcement agencies and advise clients to make required modifications so correct data is submitted.


Transportation Security: Agricultural Security

Agriculture is the largest industry andemployment sector in the UnitedStates, an industry threatened by theintroduction of foreign animal andplant contaminants such as soil,manure, seeds, and plant and animalmaterial which may harbor invasive anddestructive pests and diseases.Eliminating contaminants in allconveyances and all types of cargo maydecrease cargo holds, delays andcommodity returns or treatments.


Agricultural Security – Key Areas

General: The introduction of foreign animal and plant contaminants threaten the agricultural industry. Eliminating contaminants in all conveyances and all types of cargo may decrease cargo holds, delays and commodity returns or treatments.

Criteria: Written procedures must prevent pest contamination to include compliance with Wood Packaging

Materials (WPM) regulations.

Pest prevention measures must be adhered to throughout the supply chain.

WPM measures must meet the International Plant Protection Convention’s (IPPC) International Standards for Phytosanitary Measures No. 15 (ISPM 15).


People & Physical Security: Physical SecurityRequirements aligned to physicalsecurity outline the need to prevent,detect, or deter unauthorizedpersonnel from gaining access tofacilities. These are broken intoprocedures CTPAT Members mustimplement to decrease risk andtechnology guidelines they mustfollow if utilizing security technologysuch as intrusion alarms and videocamera equipment to monitorfacilities.


Physical Security – Key Areas

General: Requirements address the need to prevent, detect, or deter unauthorized personnel from gaining access to facilities, including procedures to decrease risk and include security technology guidelines.

Criteria: Written policies and procedures governing the use of security technology.

Appropriate positioning, alarm/notification, programming, reviews and recordings of camera systems.


People & Physical Security: Physical Access Controls

Access controls preventunauthorized entry to facilities,maintain control of employeesand visitors, and protect companyassets. Access controls mustinclude the positive identificationof all employees, visitors andvendors at all points of entry.


Physical Access – Key Areas General: Prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Include positive identification of all employees, visitors and vendors.

Criteria: Cargo pickup log to register drivers and record details of conveyances and drivers.

Periodically screen arriving packages for contraband before being admitted.

Work requirements for security guards in written policies and procedures, including periodically verifying compliance.


People & Physical Security: Personnel SecurityA Company’s human resourceforce is a critical security assetbut it can also be one of itsweakest links. These criteria dealwith issues such as employeescreening, pre-employmentverifications, background checks,and the issuance of accessdevices.


Personnel Security – Key AreasGeneral: Human resources addressing employee screening, pre-employment verification, background checks and the issuance of access devices should be a security asset, not one of the weakest links.

Criteria: Written process to screen prospective employees and periodically check current

employees.

Employee Code of Conduct including expectations and defining acceptable behaviors with penalties and disciplinary procedures acknowledged by employees and contactors.


People & Physical Security: Education, Training & AwarenessCTPAT security criteria are designed topromote a layered security system. Ifone layer of security is disabled, anotherlayer should prevent a security breach oralert a company to a breach. One of thekey aspects of a security program istraining. Employees who understandwhy security measures are in place aremore likely to adhere to them.Requirements aligned to security trainingand threat awareness identify thespecific trainings needed to ensure thatemployees are able to identify, prevent,and respond to security threats.


Education, Training & Awareness – Key Areas

General: Training is a key aspect of a layered security system. Security training and threat awareness ensures that employees are able to identify, prevent and respond to security threats.

Criteria: Train drivers and others conducting security and agricultural inspections of conveyances and IIT to

inspect for security and agricultural purposes.

Conduct refresher training periodically and as needed after an incident or breach, including relevant topics.


Education, Training & Awareness (2)

Provide additional specialized training to personnel in sensitive positions geared toward their responsibilities.

Provide specialized training annually to enable personnel to identify warning indicators of Trade Based Money Laundering and Terrorism Financing.

Provide training to all applicable personnel on preventing visible pest contamination, including relevant topics.

Provide training to personnel operating and managing security technology regarding operation and maintenance.

Provide training on how to report security incidents and suspicious activities.

Brokers: Explain CTPAT security requirements to importer clients, apprise them of critical program

developments and encourage membership.


III. Resources and Tools


Corporate Security: Security Vision & Responsibility

CTPAT meetings with executives

Draft written commitment statement/ policy

Create CTPAT committee or team

Written security program (manual) and review and accountability

POC attends conferences and obtains updates shared with company


Corporate Security: Risk Assessment• CTPAT 5 Step Risk Assessment

• FEMA Ready Business: Small Business Case Study

• FEMA Every Business Should Have a Business Continuity Plan

• FEWMA Ready Business: Business Continuity Plan

• DHS Emergency Response Plan

© 2019 Sandler, Travis & Rosenberg, P.A. | www.strtrade.com | Al l rights reserved.48

Business Continuity Plan

• Program Administration

• Business Continuity Organization

• Business Impact Analysis

• Business Continuity Strategies & Requirements

• Manual Workarounds

• Incident Management

• Training, Testing & Exercising

• Program Maintenance and Improvement

• References to Related Policies & Procedures


Corporate Security: Business Partner Security• CTPAT’s Warning Indicators for

TBML and Terrorism Financing

• Treasury National Money Laundering Risk Assessment

• Commerce Consolidated Screening List

• ICE/HSI Tip Form

• ICE Human Trafficking vs. Human Smuggling

• Forced Labor Legislation 19 USC 1307

• CBP Forced Labor Webpage


Trade Based Money Laundering


• CTPAT Key Warning Indicators• Receipt of Cash

• Incorrect Pricing

• Goods Discrepancies

• Lack of Purpose or Justification

• False Reporting

• Carousel Transactions

• Inconsistent Commodities

• Lack of Documentation

• Inconsistent Sizing

• High Risk Jurisdictions

• High Risk Commodity

CTPAT Warning Indicators for Trade Based Money Laundering & Terrorist Financing


• Inconsistent Shipping Routes

• Dual-Use Commodities

• Letter of Credit Use

• Sanctioned Individuals/ Organizations

• Suspicious Countries

• Uncharacteristic Purchases

• Identity Variations

• High Risk Jurisdiction Travel

• Proxies under Singular Control

55

• Business Partner’s Warning Indicators• Unjustified Transaction

Structure

• Deviation from Normal Trade Activities

• Suspicious Addresses

• Discrepancies Waiving

• High Fee Acceptance

• Unclear Party Identity

Trade Based Money Laundering & Terrorist Financing (2)


• Transaction Warning Indicators• Information Concealment

• Unreasonably High Percentage

• Inconsistent Good Movement

• Inconsistent Payment Method

• Unclear Shipping Mode

• Round Dollar Transactions

• Multiple Intermediaries

• Inconsistent Tenor

• Vulnerable Goods Warning Indicators• High Risk Goods

56

• Documentary Warning Indicators• Letter of Credit Inconsistencies

• Excessively Amended Terms

• Non-Standard Language

• Unauthorized Document Changes

• Refusal of Documents

• Coded/Disguised Goods

• Letter of Credit Requests

• Lack of Transport Documents

• Undocumented Cargo

Trade Based Money Laundering & Terrorist Financing (3)


• Re-use of Documents

• Unclear Charges

• Documentary Credit

• Over Shipped Goods

• Inconsistent Dating

• Resubmitted Rejected Documents

• Inconsistent Naming

• Trade-Related Claims

• Inconsistent, Modified Documentation

57

Consolidated Screening List


HSI Tip Form


Forced Labor


Forced Labor (2)


Corporate Security: Cybersecurity

• National Institute of Standards and Technology (NIST) Cybersecurity Framework

• DOJ How to Protect Networks from Ransomware

• Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Awareness System Tips

• CISA National Cybersecurity Communications Integration Center (NCCIC) – ICS Cyber Security Evaluation Tool

• FBI Internet Crime Complaint Center (IC3)

• CISA NCCIC

• NIST Special Publication 800-63B: Digital Identity Guidelines

• NIST Guidelines for Media Sanitization


CBP – Enhancing Cybersecurity


FCC – Top 10 Cybersecurity Tips


NCCIC ICS Cyber Security Evaluation Tool


NIST and DHS-CISA


Ransomware


What is Ransomware? Ransomware is a form of malware that

targets your critical data and systems for

the purpose of extortion. Ransomware is

frequently delivered through spearphishing emails. After the user has

been locked out of the data or system, the

cyber actor demands a ransom payment.

After receiving payment, the cyber actor

will purportedly provide an avenue to the victim to regain access to the system or

data. Recent iterations target enterprise

end users, making awareness and

training a critical preventive measure.

FBI IC3 & CISA NCCIC


NIST Guidelines


Transportation Security: Conveyance and Instruments of International Traffic Security• CBP Carrier Conveyance Contamination

Outreach (See Agricultural Security)

• CBP 7-Point Container Inspection

• 17-Point Truck and Trailer Inspection

• CBP E-Allegations Portal

• Department of Labor Federal Railroad Safety Act (FRSA)

• EPA Hazardous Materials Transportation Act

• CBP Decal and Transportation Online Procurement System (DTOPS)



Container Inspection

Additional Criteria:• WPM Marking

Confirmed?• Visible Contaminants

Identified?• Container Cleanliness

Check?


TSA Truck Owner-Operator Guide


TSA Truck Rental Guide

Transportation Security: Seal Security• ISO 17712 Standard for High

Security Seals

• CBP Compliance with ISO’s 17712 Standards for High Security Seal


CTPAT Seal Compliance Bulletin


Transportation Security: Procedural Security• DHS Recognize the Signs of

Terrorism-Related Suspicious Activity



DHS Signs of Terrorism-

RelatedSuspicious Activity


CBP E-Allegations

Transportation Security: Agricultural Security

• USDA Sources of International Standards for Phytosanitary Measures (ISPM) 15-Compliant Wood Packing Material

• CBP FAQ’s on Wood Packaging Materials

• Food and Agriculture Organization/ International Plant Protection Convention (IPPC) Guidance on Sea Container Cleanliness (2018)

• USDA Asian Gypsy Moth Pest Resource

• Title 7 Part 330: Agriculture – Federal Plant Pest Regulations

• Title 9 Part 94: Prohibited and Restricted Importations

• USDA Plant Protection Quarantine (PPQ) Compliance Agreement (PPQ Form 519)


• What is Pest Contamination?

• What is the Impact?

• How Does it Affect You?

• How Do You Address It?

• Why are Seed Contaminants a Risk?

• Why are Snails a Risk?

• Why is Soil a Risk?

• Why are Seeds with Wood Packaging a Risk?

• Avoiding Shipment Refusals

Pest Contamination Outreach


• Store containers away from natural areas and/or reduce vegetation around cargo and container storage areas

• Inspect cargo and container (interior and exterior) prior to loading

• Store, cover, and clean pallets, dunnage, crates, etc. as needed

80

Pest Contamination


NASCI Preventing Spread of Invasive Pests


Asia Gypsy Moth


Sources of Compliant WPM


People & Physical Security: Physical Security Put security technology procedures

in writing.

If using camera systems, ensure positioning, alarm/notification, programming, reviews and recordings are required per procedures.


People & Physical Security: Physical Access Controls

Maintain cargo pickup log with details of conveyances and drivers.

If security guards are used, maintain written policies and procedures for work requirements.


People & Physical Security: Personnel Security

Maintain written process to screen employees and check current ones.

Maintain employee Code of Conduct acknowledged by employees and contactors.


People & Physical Security: Education, Training & Awareness

• CBP CTPAT Training andThreat Awareness


CBP Training


CTPAT Philosophy


Questions?


Lenny Feldman Esquire

Sandler, Travis & Rosenberg, P.A.

Phone: 305-894-1011Email: [email protected]

92

mailto:[email protected]