Authorised Economic Operator Criteria - Security and Safety - AEOS Only

Information on Authorised Economic Operator Criteria - Security and Safety - AEOS Only.

11.1 General

This section tells applicants about the conditions they must meet and the tests that HMRC will carry out to ensure that they comply with the security and safety criteria of Authorised Economic Operator (AEO). This section is only relevant to those applying for an Authorised Economic Operator Security and Safety (AEOS) authorisation. 

HMRC will consider the applicant's internal controls and measures in place to secure the safety of the business and the supply chain. Businesses should demonstrate a high level of awareness of security and safety measures, internally and in their business activities with clients, suppliers and external service providers, considering their role in the international supply chain.

All procedures should be documented and made available for HMRC during the audit of the AEO criteria and will always be checked on site.

These controls and measures are in addition to legal health and safety requirements as well as any specific legal requirements that may be applicable to the business.

11.2 Security and safety risk assessment

Businesses will need to show they have carried out a security and safety risk assessment of their business.

A self-assessment should be carried out by a person with extensive knowledge of the risks and threats applicable to the type of business. This may be an independent third party or someone within the business.

The assessment will result in a detailed report with all risks and threats highlighted. The content of the report will vary from business to business, but it will be expected to contain details of the appropriate areas identified and the measures taken to address the identified risks.

The risk and threat assessment shall cover all the premises which are relevant to your customs-related activities. The purpose of the assessment is to identify the risks and threats which might occur in that part of the international supply chain in which you operate, and to look into the measures in place to minimise the risks and threats.

Failure to produce the risk and threat assessment or a security plan during the customs authorities' visit may result in an automatic recommendation that the application be rejected.

The risk and threat assessment should cover all the risks to the security of the business's role in the international supply chain and should include, for example:

  • physical threats to premises and goods
  • fiscal threats
  • contractual arrangements for business partners in the supply chain

Such an assessment should address:

  • the goods in which the business deals or trades
  • premises and buildings, for storage, manufacture
  • staff including recruitment, use of temporary staff, sub-contract labour
  • transport of goods, loading and unloading
  • computer system, accounting records and documents
  • recently reported security incidents in any of the areas above

11.3 Controls and measures

In order to satisfy the requirements businesses will need to evidence:

  • the external boundaries (walls, fences, etc) of the business are appropriately secure and there are documented procedures to control access to the premises for authorised persons while at the same time having procedures for dealing with unauthorised access including appropriate physical separation for shared premises
  • measures are in place to protect your cargo units and to prevent the introduction, exchange or loss of any material or tampering with those units
  • appropriate access controls are in place to prevent unauthorised access to shipping areas, loading docks and cargo areas both on arrival and despatch
  • appropriate procedures to secure the safety of the goods during storage or manufacture
  • there are appropriate procedures in place to ensure the security and safety of the goods during transport, including where transport is sub-contracted to a third party
  • agreed appropriate security and safety measures with suppliers
  • procedures are in place to carry out security screening on prospective employees working in security sensitive positions and appropriate security procedures are in place for any contracted parties that have access to the premises
  • provide staff with training on security and safety requirements

Businesses must be able to produce documentation showing the measures and controls put in place, and this documentation will be verified during the course of the AEO audit. This should include a security and safety risk assessment, which should be available to and understood by all relevant staff.

In addition to documentary evidence, the visiting audit officer will need to see practical examples of the systems working.

11.4 Security incidents

Examples of security incidents include losses in warehouse, broken seals and damaged anti-tampering devices.

If there have been any security incidents, the customs authorities will expect the security procedures to have been reviewed and amended to take on board any remedial action. Evidence will also be required of how these changes were subsequently communicated to staff and visitors. If, following any review of the security and safety procedures, any amendments are made, these should be recorded as a revision with a record of the date and the part(s) revised.

11.5 Building security

HMRC would expect all external and internal windows, gates and fences to be secured with, for example, locking devices, alternative access monitoring or control measures such as internal/external anti-burglar alarm systems or CCTV (Closed Circuit TV systems). This includes all access points to your business premises.

11.6 Access to premises

The process of access to business premises (buildings, production areas, warehouses, and so on) should be regulated for staff, visitors, other persons, vehicles and goods. Procedures should document who has access to which areas, buildings, and rooms and how this is controlled, for example, by keypads or swipe cards. Access restrictions should take into account the risk and threat assessment.

Systems should be capable of identifying and monitoring attempts at unauthorised access.

11.7 Personnel security - Pre-employment screening

All staff that work in sensitive areas within a business should be subject to some form of pre-employment screening to provide assurance as to their trustworthiness, integrity, and reliability.

The methods of screening may vary according to the level of risk, but they should as a minimum:

  • verify identity
  • confirm the right to work in the UK
  • confirm the employee has declared any unspent criminal records
  • check previous employment history

All AEO applicants and businesses that hold AEO status should have a documented employment history of their staff. This history should cover the previous 5 years, but this period is not mandatory. A Regulated Agent or Known Consignor should have a 5-year employment history check. In addition to this, the AEO applicant should have all the employment contracts, including for temporary personnel and outsourcing contracts, available to present to the visiting officer.

Businesses are not required to screen their staff if they use an employment agency, but they should only use agencies that abide by The Conduct of Employment Agencies and Employment Businesses Regulations 2003 (Statutory Instrument 2003 No 3319).

Any agency used should be aware of the security and safety policy and, where appropriate, carry out any additional checks the business requires, considering the sensitive nature of the post being filled.

If, exceptionally, there is a need to employ temporary staff and they are not screened, there must be measures in place (body searches, supervision, restricted access, for example) to manage the risk.

11.8 Building and boundary security

HMRC will want to know how the external boundary of the premises is secured. External boundaries include visible boundaries such as fences and gates. This will include:

  • how the business checks that staff and visitors are following the security rules
  • when the checks on the fences, gates and buildings are carried out, and by whom
  • how these checks and their results are recorded
  • how security incidents are reported and dealt with

Businesses should secure all external and internal windows, gates and fences. Examples of security are locking devices, alternative access monitoring or control measures such as internal or external anti-burglar alarm systems or CCTV systems.

11.9 Access to business premises

Access to the premises (buildings, production areas, warehouses, and so on) should be regulated for staff, visitors, vehicles and goods. The procedures should document who has access to which areas, buildings, and rooms and how this is controlled, for example, by keypads or swipe cards. Access restrictions should take into account the risk and threat assessment. 

The systems should be capable of identifying and monitoring attempts at unauthorised access.

HMRC will ask about the types of access to the business premises including:

  • how they are managed
  • if access points are restricted by time or day
  • if the premises are well lit – if so, give details
  • details of any back-up generators or devices in place to power the lights if the local power supply is interrupted – also include how these are maintained

HMRC will require a list of all access points, preferably with reference to the site plan. Include any fire escapes and show access stairways. Make it clear which access points are for:

  • cargo loading and unloading
  • utilities
  • counters for public access
  • drivers’ rest areas

11.10 Administration of keys

Procedures should exist to ensure that only authorised personnel have access to keys to locked buildings, sites, rooms, secure areas, filing cabinets, safes, vehicles and machinery.

Procedures should also include:

  • the specially appointed place where the keys are kept
  • the person responsible for controlling the security of the keys
  • the recording of when the keys are taken, by whom, why and their return
  • dealing with losses and failures to return keys

11.11 Parking of private vehicles

Procedures should include:

  • how visitors with private vehicles are controlled and recorded when attending the premises
  • how staff vehicles are controlled at the premises
  • specially designated car park areas for visitors and staff which are not close to secure areas (for example, loading bays), to avoid the possibility of theft, obstruction or interference
  • checks that parking requirements are being adhered to

11.12 Cargo security

Cargo units (containers, swap bodies, transport boxes) 

Measures should be in place for the handling of goods, including protecting cargo from unauthorised introduction, exchange, mishandling and tampering. Cargo units include containers, tankers, vans, lorries, vehicles and pipelines which transport the goods. Procedures should be in place to examine the integrity of the cargo unit before loading.

The integrity of cargo units should be ensured, for example, by placing them under permanent monitoring or keeping them in a safe, locked area or by inspection prior to use. Only properly identified and authorised persons should have access to the cargo units.

Procedures should include:

  • how access to the area where the cargo units are held is controlled (for example, staff, external truck drivers, etc)
  • that only authorised persons have access
  • how monitoring of the units is maintained at all times, for example, nominated responsible staff and deputies
  • who is the responsible person to whom incidents are reported
  • how incidents are reported and recorded
  • what action should be taken, including reporting to law enforcement/senior management
  • review and amending of existing procedures
  • notification of any changes to staff

There should be control measures for checking cargo units in place. For example, depending on the cargo unit used, a 7-point inspection process should be carried out (to include the tractor unit as well): front wall, left side, right side, floor, covering/roof, inside/outside of doors, outside/undercarriage.  

Maintenance should be done routinely, not just in cases of damage or incidents. If the maintenance is done externally or outside the supervision of your staff, the cargo unit’s integrity should be inspected when returning to the premises.

After maintenance, procedures should be in place for:

  • the requirements for staff to check the integrity of the units on their return
  • what checks are to be performed, when and by whom
  • how procedures are communicated to staff
  • management checks and their frequency to make sure units are re-examined

11.13 Business partner security

Businesses should provide their business partners with some assurance that the standards of security and safety of the AEO system will be adhered to, and AEO authorisation holders should actively seek these assurances from non-AEO business partners.

11.14 External service providers

Applicants may have contracts with external service providers, for example cleaners, caterers, software providers, external security companies or short-term contractors.

Where third parties have access to business premises, it is important to ensure that there are procedures in place to either limit the level of access (for example, cleaners are not required to carry out their jobs in sensitive areas) or that full security checks are carried out by the third-party employers. This is particularly relevant for security guards employed at night or weekends who will have control over access to the premises.

The business's requirements should be clearly stated in any contracts, together with agreed verification procedures that enable applicants to verify that the conditions of the contract are being adhered to.

Although the external providers do not have a direct role in the international supply chain for AEO purposes, these parties are referred to as service providers. Whilst external service providers are not directly involved in the international supply chain, they may have a critical impact on the security and customs systems of the applicant. Therefore, in terms of security and safety, appropriate measures should apply to them just as they should for their business partners. Where some of the AEO security and safety conditions are fulfilled by the service provider on behalf of an AEO applicant, this will be verified in the HMRC audit.

For example, where the applicant has contracted a security company to fulfil its obligations in this area, HMRC will assess the access control by looking at the way the service provider fulfils this on behalf of the AEO. Although the AEO may outsource these activities to a third party, it is the AEO who remains responsible for compliance with the AEO criterion and for ensuring the service provider complies with the requirements.

11.15 Security awareness programmes

To meet the AEOS authorisation criteria applicants are required to provide their staff with training on security and safety.

All staff must be aware of the security and safety procedures in place. This can be either in the form of a personal or easily accessible handbook or by regular updates given through some other media (training events, newsletters or electronic format).

Businesses will need to show that they comply with existing legislation and requirements for both the physical security of business premises and those safety requirements under the Health & Safety Executive legislation that are relevant to the business's activities.

They are required to have a record of safety incidents and record how these were addressed to prevent repetition.

Temporary staff must also be given guidance on the security and safety policy of the business. Ideally, temporary staff will not be employed in sensitive areas so a general knowledge and appreciation of security and safety issues will probably be sufficient.

11.16 Appointed contact person

The responsible person should hold a specific position that is responsible for supply chain security within the organisation. The position requires clearly defined and documented responsibilities.

The person should hold such a position within the structure of the company that their requirements and stipulations with regards to security and safety will be effectively carried out.

During the audit visit it is essential that the responsible person is available.

11.17 International trade accreditation schemes

If you hold:

  • an internationally recognised security and/or safety certificate issued on the basis of international conventions
  • a relevant International Standard of the International Organisation for Standardisation, in particular ISO 28000, 22301 and 9001 (although others may also apply)
  • a European Standard of the European Standards Organisations
  • other internationally recognised security and/or safety certificates issued by organisations such as the Transported Asset Protection Association (TAPA)

the criteria laid down in these certificates and standards are taken into account to the extent that the criteria for issuing these certificates are identical or correspond to those for issuing AEO authorisations.

Businesses will be asked to produce the relevant certificate during the pre-authorisation audit together with the associated report made by the independent assessor who approved the certificate. HMRC will take this into account in determining what further checks need to be carried out to verify they meet the AEO criteria.