National Conference on SAFE TRADE &

AEO

“CTPAT Six Years on: A Review of the Private Sector”

May 13, 2008

Craig J. Pinkerton, Director – PricewaterhouseCoopers

Level of Security Prior to 9/11

The level of security for importers, carriers, truckers, etc. was determined primarily on:

– the value and nature of imported merchandise

– the level of theft and shrinkage discovered along the supply chain

– whether the product was considered sensitive by the government (e.g., tobacco; pharmaceutical drugs)

– whether the product could pose a threat to the public (e.g., firearms; chemicals; hazardous materials)

2

Threats to the Supply Chain Changed the Security Landscape

9/11 introduced tighter security into the logistics process

The flow of goods from the manufacturer to the end user is now viewed as needing protection, not just the product

People crossing borders into the U.S. are being monitored to minimize or eliminate the threat of danger

No longer is it only value or dangers intrinsic to imported product, but the logistics function itself is being viewed as a security issue

The conclusion that danger could accompany products throughout the supply chain caused a major refocus on security

3

Development of Security Initiatives

Container Security Initiative

ISO (InternationalOrganization forStandardization)

AEO (Authorized Economic Operator)

10+2 Security Filing

FAST (Free andSecure Trade)

SAFE Framework

WCO

Canadian PIP (Partners in Protection)

Customs-Trade Partnership AgainstTerrorism (C-TPAT)

4

What are Customs’ Expectations?

Through this initiative, Customs is asking companies to ensure the integrity of their security practices and communicate their security guidelines to their business partners within the supply chain (i.e., “increased vigilance”)

The primary goals of C-TPAT include:

Increasing security measures, practices and procedures throughout all sectors of the international supply chain

Protecting the public from terrorist activities

Ensuring the flow of legitimate trade Providing Customs with a means of looking into a company’s supply

chain security profile

5

WCO Standards Mirror C-TPAT

Business-Customs Cooperation

Conveyance/Container Security

ISO Security Seals Required

Physical Access Security

Personnel Security

Procedural Security

Information Systems Security

Employee Security Training

Continuous Improvement Process

Risk Assessment6

Evolution of C-TPAT

Launched in November 2001, with only seven major importers

C-TPAT currently has more than 10,000 partners, which include United States importers, customs brokers, terminal operators, carriers, truckers and some foreign manufacturers

Initially, voluntary participation and jointly developed security criteria and implementation procedures were the guiding principles

As the program grew, so did the need for more clearly-defined security criteria to establish the minimum, baseline security expectations for membership

In 2005, minimum-security criteria for importers was implemented and companies were required to meet the new criteria within certain timelines

7

C-TPAT Benefits

Beyond the essential security benefits, Customs offers the following benefits to C-TPAT members:

A reduced number of inspections (reduced border times)

Priority processing for Customs inspections (Front of the Line processing for inspections when possible)

Assignment of a C-TPAT Supply Chain Security Specialist who will work with the company to validate and enhance security throughout the company’s international supply chain

An emphasis on self-policing, not Customs verifications

8

C-TPAT Benefits

Eligible to attend C-TPAT supply chain security training seminars

Access to other C-TPAT members via the Status Verification Interface

Certified C-TPAT importers are eligible for access to the FAST lanes on the Canadian and Mexican borders

Mitigating factor in cases of fines and penalties

Demonstrates good corporate citizenship to Customs

9

Security Costs versus Benefits

There have been several logistics studies published since 9/11 that detail the costs and benefits associated with the C-TPAT program, such as:

Stanford Supply Chain Study - October 2003

MIT Supply Chain Study - May 2005

Stanford Innovation in Supply Chain Security - July 2006

University of Virginia Cost Benefit Survey - August 2007

10

Benefits from Investment in SAFE Trade

Fewer Customs Inspections (50%) Reduction in Excess Inventory (14%) Improved on-time delivery (12%) Reduction in Theft/Loss/Pilferage (38%) Access to Shipping Data (50%) Timely Shipping Data (30%) Less Customer Attrition (26%) Increase of New Customers (20%)

(Source: Stanford University Study, July 2006) 11

Benefits from Investment in SAFE Trade

The primary motivation for importers to join C-TPAT is to reduce the risk of supply chain disruptions due to a terrorist attack

Four out of every ten members did not have a formal supply chain security plan prior to joining the program

C-TPAT moved thousands of companies to give closer scrutiny to the security of the goods they handle and review the supply chain to ensure that their overseas suppliers have implemented sound security practices

Greater Supply Chain integrity (stronger seal controls)

Stronger brand equity12

Benefits from Investment in SAFE Trade

The vast majority (81.3 percent) of members indicated that their ability to assess and manage supply chain risk had been strengthened as a result of joining C-TPAT

C-TPAT certification requires that companies meet an extensive checklist of verifiable conditions. Nevertheless, minimum security criteria were generally viewed as very easy or somewhat easy to implement across the various sectors

More than half (56.8 percent) of the members indicated that C-TPAT benefits either outweighed the costs or were about the same

(Source: University of Virginia Study 2007) 13

Costs from Investment in SAFE Trade

Typical implementation costs (listed from highest to lowest):

– Improving or implementing physical security costs (doors, windows, electronic access, cameras, fences, gates, lighting, etc.)

– Salaries and expenses of personnel

– Improving IT systems and databases

– Improving cargo security

– Improving or implementing in-house education, training, and awareness

– Improving personnel security procedures

14

Example of Security Procedures to be reviewed

Physical Access Controls Employees, Visitors and Deliveries – identification and badge

process is key; and removing unauthorized individuals

Personnel Security Pre-employment verification, background checks, and

termination procedures for prospective and current employees

Procedural Security Documentation processing, shipping and receiving, and

cargo discrepancies

Container and Trailer Security Seal integrity, inspection and storage 15

Example of Security Procedures to be reviewed

Physical Security

Fencing, guardhouses, parking, locking devices, key controls, lighting, alarms, and video cameras

Information Technology Security

IT security procedures, password protection, system accountability (firewall, virus protection, monitoring service)

Security training and threat awareness

Focus on what types of training offered to employees and whether supply chain security training (C-TPAT specific) given

16

Business Partner Requirements

Importers must have written, verifiable processes for the selection of business partners including manufacturers, product suppliers, and vendors

They should also have documentation substantiating that partners throughout their supply chain are meeting C-TPAT security standards - or equivalent supply chain security program criteria

e.g., supply chain assessment questionnaire, on-site audit report, written confirmation, etc.

Where a company outsources or contracts elements of its supply chain, such as a foreign facility, warehouse, or conveyance, it must work with these business partners to ensure that pertinent security measures are in place and adhered to

17

Business Partner Requirements

Companies now leverage their business relationships and ensure that business partners develop security processes and procedures consistent with the C-TPAT criteria

Build C-TPAT/security language directly into contract

Narrowing universe of business partners

Periodic reviews of business partner’s processes and facilities should be conducted based on risk

18

Business Partner – Example of Risk

Foreign inland freight carrier - may be the weakest link in the supply chain

In certain countries, local trucking companies must be used. Additional processes may need to be set up to deal with risk

19

Common Security Shortfalls

Cargo seals not used by foreign inland carriers and policy not documented

Less than full truck load

Air shipments

No C-TPAT security-based training provided to employees, especially those with cargo handling responsibilities (warehouse, shipping, receiving, etc.)

Procedures at foreign facility are commonly “patched” together from various departments, rarely mention C-TPAT related policies and procedures, and usually consist of random screen shots and dusty binders

20

Common Security Shortfalls

Employees inconsistent in displaying badges, especially in cargo handling areas

C-TPAT web portal not updated to reflect changes in company’s program

From security standpoint, other weak areas noted included:

Mail room deliveries

Use of temporary agencies for labor

No one actually monitoring video cameras (or, for example, 32 cameras all feeding into a 13” monitor)

Collecting badges and terminating access when employees leave company

21

Common Security Shortfalls

Responses received from foreign vendor during questionnaire process do not match reality. Examples:

“fence around perimeter” vs. fence rusted and fell down in 1998

“pan and zoom cameras throughout facility” vs. inoperable cameras dangling from wires

“truck drivers sign in/out” vs. drivers waved on through because same drivers every day

Customs not asked for identification upon arrival

(Note: A company is not required to implement all best practices, however, CBP may ask why certain procedures cannot be implemented)

22

Benchmarking - Best Practices from Industry

Security measures: Exceed the C-TPAT Security Criteria Incorporate management support Have written policies and procedures that govern their use Employ a system of checks and balances

C-TPAT is an on-going program! Companies continually update their supply chain security

program (e.g., new factories, business partners) Periodic assessment is part of corporate manual Verify procedures to ensure they are being followed and

make modifications as necessary

Ownership at each entity level responsible for maintenance23

Benchmarking - Best Practices from Industry

Since C-TPAT is a Customs program, it is typically managed by a company’s global customs compliance group along with legal oversight

C-TPAT “Champion” provides oversight

Importer has sound compliance program in place

Opportunity to provide additional on-site training

Ability to tie into other security initiatives (e.g., 10+2 requirement)

Senior Management Support and Buy-in

An absolute must

Lack of support at top levels - failure is imminent!24

Benchmarking - Best Practices from Industry

Do not assume business partners will not be visited – especially foreign business partners. Example:

Tier 3 U.S.-based customs broker in Philippines is visited an average of two times per month by CBP SCSS

As a result of numerous visits, virtually every best practice has been implemented (clearly evident)

GPS on all trucks to monitor real-time movements

Security personnel accompany shipment from factory to airport (customs bonded facility)

High security seals and padlocks utilized

Comprehensive policies and procedures

25

Recommended Workplan for Security Program

Review global supply chain to verify your business partners, such as foreign manufacturers, carriers and brokers

Conduct analysis based on volume and risk

Identify which business partners are already in the C-TPAT program or other supply chain program such as AEO, and which partners have already participated in a supply chain documentation process or have undergone an on-site audit

Determine best application strategy

26

Recommended Workplan for Security Program

Conduct domestic reviews at headquarters and distribution facilities

Conduct comprehensive self-assessment of supply chain security (based on the C-TPAT/AEO security guidelines)

Document current supply chain security procedures

Develop and implement a program to enhance security throughout the supply chain in accordance with guidelines

Communicate supply chain security guidelines to other partners in supply chain

27

How has C-TPAT evolved?

Already in progress:

Detailed verifications of applications

Revalidations of certified companies

Tighter container seal control

Tighter documentation control

New security criteria - importers now seeking to join the C-TPAT program will need to meet or exceed the new security criteria before they will be certified

28

How has C-TPAT evolved?

Companies beginning to implement:

Smart containers and tracking systems

Extensive screening (initial & ongoing) of personnel. This includes both foreign and domestic locations

Security/C-TPAT requirements for their entire supplier base and logistics providers

Security audit as part of normal periodic audit of foreign entities

Best Practices to obtain Tier 3 status– As of March 2008, only 243 Tier 3 companies

29

Moving Forward: 2008 and Beyond

The SAFE Port ACT signed in 2007 has codified C-TPAT and CSI and calls for mandatory use of ISO 17712 compliant seals on all containers by October 2008

Canadian PIP program members will gain reciprocity status with C-TPAT program members

TSA will announce air cargo security guidelines deferring to many C-TPAT guidelines

WCO will expand the AEO program in the European Union, Asia and Latin America

Greater use of electronics in cargo protection

30

Moving Forward: 2008 and Beyond

More frequent reviews of company’s security procedures and policies (even after validation/revalidation)

C-TPAT members continue conducting audits of foreign vendors regardless of whether in another program

C-TPAT members are conditioning contractual business relationships with their service providers and vendors based on C-TPAT participation and/or adherence to C-TPAT security guidelines

Mutual Recognition and Reciprocity with other countries

Global buy-in to security

Additional X-ray screening and data mining31

Moving Forward: 2008 and Beyond

Congress pressuring Customs to implement 100% container screening. Customs potentially trying to counter with C-TPAT program and cargo screening software

Customs reducing timeline for validations from 3 years to 1 year, and revalidating each company every 3 years instead of the specified 4-year schedule

Third-party validations: Customs currently accepts only in China. Other AEO programs may allow selected third parties to conduct validations in any country

32

CONTACTS

Craig J. Pinkerton – PricewaterhouseCoopersLos AngelesTel: (213) 256-6037Email: craig.j.pinkerton@us.pwc.com

Dennis Caronan – PricewaterhouseCoopersManilaTel: 632 845 2728, Ext. 2118Email: dennis.anthony.p.caronan@ph.pwc.com

John S. Kwak – PricewaterhouseCoopersHong KongTel: (852) 2289 3331Email: john.sh.kwak@hk.pwc.com