When was the last time you bought diverted product?
Illicit Trade and diversion is a problem which keeps growing. Have you ever purchased a counterfeit product? Would you know if you did?
If you’re a regular online shopper the chancers are good that you’ve come across illicit product, possibly without knowing it.
I was recently at my local barbers getting a haircut when I noticed the container of a popular brand of talcum powder.
Only the logo and product name was in english – everything else was in Indonesian.
My barber mentioned he hadn’t noticed, but bought it because it was being sold cheaply online. This is an example of product diversion.
To highlight the risks of diverted or counterfeit product, there are many articles online about the link between talcum powder and cancer. By purchasing talcum powder on the illicit market you may unknowingly be exposed to asbestos, which causes lung cancer.
Most people know what counterfeits are, but diversion is less well known. Diverted product is authentic product sourced at a discount (or stolen) in one market, and then resold in another market. The diverter pockets the price differential between bought and sold, and the manufacturer (and their authorised distributors) lose out.
Mechanisms that provide track and trace functionality, such as serialisation, are essential for the detection and investigation of illicit trade.
Serialisation can help improve supply chain integrity and counterdiversion
When we talk about serialisation in a supply chain context, it refers to the process where a unique identifier – usually a serial number or barcode – to individual items or products in the supply chain.
In combination with data management, analytics, and a well-developed program, serialisation is a way to realise the tracking and tracing of products as they move through the supply chain and circulate in the market.
Supply Chain Integrity can be defined as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”
European Union Agency for Network and information security (2015)
Serialisation offers benefits to Supply Chain Integrity:
Traceability – Serialisation is the traceability mechanism by which manufacturers can track the movement of their product through the supply chain
Provenance – Serialisation itself will not establish provenance (unless serialisation is uses blockchain), but data related to provenance could be linked with the serial number to indirectly establish provenance
Authenticity – Serial numbers should be unique and be matched to specific product versions or models, making it possible to identify counterfeit and diverted product through test purchases, ‘mystery shopping’, or seizures by police or customs
Given the safety risks associated with illicit product, its no wonder the pharmaceutical industry is a leading adopter of serialisation:
The US Drug Supply Chain Security Act (DSCSA) requires serialisation, track and trace capabilities in the pharmaceutical supply chain, from manufacturers to retail pharmacies.
The 2019 European Union Falsified Medicines Directive (FMD) applies only to presciption medicines produced, imported or distributed in the EU.
The Chinese National Medical Products Administration (NMPA) has been managing serialisation since it was first introduced in 2013.
India commenced the serialisation journey in 2019, through its Drugs Technical Advisory Board (DTAB).
Australia is late to the party on serialisation in the pharmaceutical industry, with the Therapeutic Goods (Medicines—Standard for Serialisation and Data Matrix Codes) (TGO 106) being mandatory from 1 January 2023.
How does serialisation work?
Serialisation is the unique identification of each unit of a product, allowing a unit to be identified distinctly within its batch. Serialisation can be applied at multiple levels in any shipment:
Pallet
Consignment
Packaging (item and carton levels)
Labelling
Item
To maximise efficiency, Serialisation markings must be machine-readable and are typically applied via three techniques:
Barcodes
QR codes
Data Matrices
According to the Therapeutic Goods Administration (TGA), a Data Matrix contains various beneficial features not associated with the other methods, including:
A large data carrying capacity
Built-in error correction providing reliability and readability in situations where the label is damaged or if the pack is irregularly shaped
The ability to be easily printed at high production speeds, such as those found in medicine manufacturing environments.
How can small-medium businesses access the benefits of serialisation?
It used to be that product serialisation was an expensive endeavour, but a number of recent articles online suggest serialisation is becoming much cheaper. The costs of serialisation can be quite substantial if not managed properly, but product serialisation can also add value to your supply chain and inventory management practices beyond mitigating illicit trade.
As the technology becomes more common and compliance programs mature, SMBs will be able to leverage their existing systems with serial number generation and management tools and labelling or printing tools to access the benefits of product serialisation.
European Union Agency For Network And Information Security [ENISA], (2015). Supply Chain Integrity: An overview of the ICT supply chain risks and challenges, and vision for the way forward, Version 1.1, August, https://www.enisa.europa.eu/publications/sci-2015
Therapeutic Goods Administration (2021). Serialisation and data matrix codes on medicines, www.tga.gov.au
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
How counterfeiting threatens Supply Chain Integrity
Counterfeiting has been prevalent throughout the global industrial era, and given its profitability and the low risk of conviction for offenders it is not going away anytime soon. Unfortunately, there have been numerous examples of public and private organisations which unknowingly procure counterfeit, fraudulent, substituted or substandard products in their supply chain – two such examples include:
June 2020: U.S. Air Force pilot 1st Lt. David Schmitz died when his parachute didn’t deploy from a malfunctioning ejection seat, which the US Air Force later found may have contained up to ten counterfeit and faulting resistors and semiconductor chips
March 2021: Police in China and South Africa seized thousands of fake doses of Covid-19 vaccine, with Interpol warning this represented only the “tip of the iceberg” globally. Police raided the manufacturing premises, arresting ~80 suspects and seizing over 3,000 fake vaccines
As the above examples show, it is all too easy for counterfeit materials to enter the supply chain of even the world’s largest organisations. Critical Infrastructure operators, such as those falling under the purview of Australia’s Security of Critical Infrastructure Act 2018, have a requirement to use high quality parts and components produced by reputable manufacturers to an engineer’s specifications, whilst in life sciences, fraudulent or substandard medicines frequently cause premature death or serious injury.
Before we explore this further, we need to remember there are two perspectives here: (1) what a manufacturer can do to ensure their products are not counterfeited or compromised between the factory and the end user, and (2) what end users can do to ensure they do not introduce compromised product into their inventory or operations. The second option is the focus of this post.
Sub-standard, counterfeit or fraudulent parts / components / products (also referred to as ‘non-conforming‘ materials) can enter the supply chain in at least four ways, including:
Supplier intentionally introduces non-conforming material, perhaps for profit or because they are unable to obtain the conforming item and do not want to risk their relationship with the buyer
Supplier unintentionally introduces non-conforming material as a result of inadequate or complacent internal practices and procedures
Corrupt or malicious insider compromises the supply chain for gain or profit, or,
As a result of foreign interference by a nation state actor against an adversary
Given these vectors for introducing non-conforming materials, how can organisations protect their supply chain integrity? The answer is developing an Anti-Counterfeit Management Plan, otherwise known as a Material Authenticity Assurance Plan (MAAP), which based on AS6174 published by SAE International can be developed in five main steps.
Step 1 – Assess the risk posed by sourcing counterfeit product
I have previously written about the concept of security risk management and the fact that we can’t treat all problems to the same standard: Risk management decisions must be based on risk appetite and focused on using a business’s limited resources to protect the most critical assets.
For a buyer, the risk of counterfeit parts is largely a quality control issue as long as there are multiple qualified suppliers in a given market. However, for products requiring specific know-how or capability, or where Intellectual Property licensing applies, different sourcing considerations are required.
The first step in managing supply chain integrity issues arising from counterfeits involves identifying those areas where the business impact of compromise is greatest. This allows sourcing managers to modify their approach and policies to compensate for potential risks. One example of criticality tiering by product can be found below:
Impact / Criticality
Type of product
HIGH
LIfe dependent applications
Safety critical applications
Mission critical applications
Applications where field work / repair is impossible
Step 2 – Identify which sources provide the greatest assurance
Budget is always a finite issue in any organisation, and it is not always possible (or necessary) to buy the best of everything. Where multiple suppliers exist it makes good business sense to buy the highest quality items (typically the most expensive) for those areas which are the most critical either to your business’ operations or to life and safety.
So how do you determine this? SAE International provides useful guidance here, ranking the main types of ‘source’ in order of those which provide the greatest level of confidence that their materials will be high quality (and therefore the lowest risk of non-conformance):
ConfidenceLevel (non-conformance risk)
Product / Component Source
HIGH (LOW risk)
OEM or Certified Manufacturer
Authorised Distributor
Original Manufacturer or Contract Manufacturer
MEDIUM
Vetted or pre-qualified Independent Distributor (e.g. verified quality, reputation)
Unknown Independent Distributor (e.g. quality, reputation not asessed)
Unknown source
LOW (VERY HIGH risk)
Vendor is subject to adverse reporting from industry participants (i.e. other buyers have reported purchasing non-confirming product from this seller)
Step 3 – Develop your organisation’s product assurance processes
The risk of sourcing non-conforming material is omnipresent for any critical industry or life sciences organisation, so undertaking assurance on your suppliers and any parts / components / software purchased from them is an ongoing activity for the life of your operations.
For physical products, there are four ways to obtain this assurance which can be used in isolation or in combination depending on the risk profile:
Document and packaging inspection – before opening the package, inspect for obvious tampering, spelling errors, typographic issues, missing or damaged holograms, peeling labels, amended dates, etc.
Visual Inspection – remove the product / part / component from the packaging. Does it match the expected style, form and quality of what was ordered?
Non-Destructive Testing – involves radiological, acoustic, thermographic and optical techniques to verify conformance without damaging the component / part / product.
Destructive Testing – usually used as a last resort these options involve analytical chemistry, deformation and metallurgical tests, exposure tests, and functional tests which will likely damage the component / part / product.
Further information can be found here. Irrespective of whether fraudulent, substandard or counterfeit, non-conforming materials identified should always be removed from circulation within the organisation’s inventory or operations, and either retained as evidence for legal and associated purposes, securely destroyed or returned to the supplier (depending on your policies and obligations).
It is a fact of life that manufacturers stop producing products / components due to factors such as shortages in raw materials, financial solvency, or simply product strategy decisions. Buyers who require parts or components to support an extended operational life of say two to three decades need to implement plans to mitigate these risks.
Contingencies include purchasing additional inventory, regular engagement with manufacturers to obtain advanced notice of production changes, finding contract manufacturers, or sourcing alternative components.
Step 5 – Document your Product Assurance Framework
To ensure consistency and proper governance some sort of framework is required to set out your organisation’s policies, risk appetite, roles and responsibilities, regulatory compliance obligations, key risks and controls, staff awareness training and product assurance program.
A documented provides a mechanism to ensure consistent implementation throughout the organisation, and a mechanism to continuously improve as well as benchmark historical performance.
Further Reading
Agence France-Presse (2021). Interpol warns fake vaccines seized in China and South Africa are ‘tip of iceberg’, The Guardian.
Curwell, P. (2021). Unpacking AS6174 in relation to Supply Chain Integrity, www.forewarnedblog.com
SAE International (2014). AS6174 Counterfeit Material; Assuring Acquisition of Authentic and Conforming Material, Rev. A, Aerospace Standard, www.sae.org.
U.S. Department of Commerce (2010). Defence Industrial Base Assessment: Counterfeit Electronics, Bureau of Industry and Security, https://www.bis.doc.gov, p.ii, accessed 19/5/2019.
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
State of art – managing fraud and security risk in relation to products
It makes sense that out of the universe of products on the market globally some products are more attractive to thieves and criminals, including trusted insiders, than others. Whilst working through my holiday reading I came across some research undertaken in 1999 by Ronald Clarke, a leading criminologist.
I’ve been interested in what makes a product vulnerable to security and fraud risks for at least ten years. Take a moment to think about what we do with products: whether a passport or airplane part, we manufacture them before ultimately selling them to consumers, most of whom are free to use them and resell them at will on the secondary market. This means they need some protection against fraud and security threats, especially if your reputation or commercial revenue model is linked to the product’s ongoing integrity.
Whilst working in banking my team would undertake product fraud and security threat and risk assessments, at that stage primarily on the bank’s new fleet of Automatic Teller Machines (ATMs). ATMs are targeted in a number of ways, both physically and virtually, through attack vectors such as ram raids, Plofkraak attacks, and cyber hacking to ultimately access the cash contained inside. More recently, I provided expert review of threat and risk assessments for a suite of financial services and identification products (including digital identities) for another client.
To my knowledge, there is no formal threat and risk assessment methodology for products per se, but Clarke’s methodology seems a good starting point.
What satisifies a criminals cravings?
In his research, Clarke found that products commonly targeted by shop lifters in a retail exhibited six attributes which spell the acronym CRAVED, as follows:
Concealable – this is relative to the situation. Shoplifters might target small items they can easily conceal in clothing (eg watches) over a large TV, but sometimes it’s easier to walk out with something large. I previously did some work with a client involved in international air freight, and one of their risks was that trusted insiders could smuggle large items concealed in something else out of the airport through a legitimate freight shipment.
Removable – to target a product, you need to be able to pick it up and move it. Unlike services, products are generally transportable.
Available – there are two elements to this – products that are widely available, and those that are readily accessible (i.e. not kept in a locked cabinet with inventory or stock in store). Audit logs and access control measures, amongst others, should protect more valuable items.
Valuable – whether trusted insiders or organised fraud rings, criminals generally don’t steal things which are not of value to them. Value is also contextual – whilst a high demand product such as consumer electronics is seen as valuable to a large potential market, some products might be valuable to an individual for a specific purpose. We can reasonably expect the former might be targeted multiple times by one or more actors, whilst the latter category might be targeted only once.
Enjoyable – Clarke’s work looked at products most commonly associated with shoplifting, so there is an element of consumer desire (i.e wants & needs) here. But if our COVID crisis has taught us anything about supply chains, its that Maslow’s hierarchy of needs also plays a role (the repeated hoarding of toilet paper by consumers comes to mind).
Disposable – attractive products are those easily sold, or resold, either for cash or another form of value transfer. There is more demand, hence more of a market, for some products than others. Think of how easy it is to dispose of a second hand (or stolen) fridge over a passport.
Readers will note that CRAVED really applies to security related threats, such as theft, much more than fraud. I’m not aware of any formal product fraud risk assessment methodology.
How can we apply the CRAVED construct to manage product risk?
Clarke’s research was performed in 1999, so it is somewhat dated but the principles likely remain valid. Also, the research focused on retail and is not representative of other industries. Nevertheless, we can use the principles outlined by Clarke to inform the design of any product specific risk assessment methodology: CRAVED provides a starting point.
Based on my experience assessing product risk for fraud and security threats, I offer three tips to consider when designing and / or executing a product risk assessment to address fraud and security threats:
Tip 1: Analyse your historical incidents
Collecting detailed incident data is a foundational element of any fraud, security or risk function. Ideally, you want to capture as much detail as you can at the time of the incident, even if it may not seem relevant now. It may be much harder, or even impossible, to capture some data in the future.
TIP: If you are not doing this already, you should start. Ideally, try to collect as much historical data for say the past 12-24 months as you can, even if it is not complete, and put in place processes and tools to collect rich incident data going forward.
As you start to analyse your historical incident data, ask yourself the following questions:
Which product(s) are most commonly targeted? Assuming the Pareto Principle (’80:20 rule’) applies, a small number of your product models will be targeted more commonly than others. You need to identify these and assign a higher likelihood score during your risk assessment.
Are there any geographical aspects to these incidents? E.g. do they commonly occur in specific locations? This might indicate that some products are more likely to be stolen or attacked in a specific geographical area. The logical follow up question here is why…
Are there specific dates or times when most incidents occurred? In some forms of fraud, it is common to see spikes in fraud incidents in summer and a significant decline in winter. Additionally, some forms of crime are more likely to happen at night. Perhaps you might identify an unusual pattern, such as high rates of theft on a weekend when your business is closed, suggesting a potential insider threat.
How do these incidents occur? You need to get a good understanding of the criminal’s business process, particularly if there is a specific pattern or series of steps that are commonly undertaken which you might be able to disrupt using internal controls (mitigations). You can use a variety of analytical methods here including business process mapping, red teaming and analysis of competing hypothesis to achieve this.
Who is the perpetrator? Even if you can’t identify the perpetrator by name (which is unlikely), try to categorise perpetrators into groups such as opportunistic individuals, organised criminals, organised crime (eg mafia), trusted insiders etc. Over time, as you develop richer data sources and a deeper understanding of your data, you might be able to distinguish groups or sub-categories based on the groups specific behaviours (i.e. their Modus Operandi [MO] or Tactics, Techniques and Procedures [TTPs], such as a specific organised fraud ring.
Why do you think specific products are being targeted? You may need to do some critical thinking here, or alternately comparative case analysis methods would be helpful. You need to understand whether the products that are mainly being targeted (e.g. the 20% – assuming the 80:20 rule applies to your data) are being targeted for a reason. Ask yourself, do they share common attributes (such as the CRAVED attributes identified by Clarke)?
Tip 2: Identify any design attributes which could be modified to reduce the product’s attractiveness to criminals
Sometimes there are design attributes to a product, or even a service (e.g. a business process) that makes one manufacturer’s product more likely to be targeted than a competitor. Additionally, sometimes the design of a product makes it more likely to be targeted – an example could be not having branding or a serial number readily visible, which might allow criminals to ‘rebadge’ it as it is being sold. Repackaging is another area of risk here. Understanding these factors means you can work with product managers and design engineers to modify your product and make it less attractive to criminals, which means it is less likely to be targeted.
Ultimately, your goals here are revenue and brand protection. If you can design your product to be a ‘harder target’ (i.e. less attractive), you might save on downstream fraud and security costs. Alternately, some products are readily counterfeited, with sometimes lethal consequences for unsuspecting consumers. Aside from potentially tragic impacts to consumer’s lives, your organisation’s brand and reputation might be adversely impacted simply because your product design was easy to counterfeit and commercially attractive to counterfeiters.
In this case, the cost of the reputatation or brand damage (such as by consumer boycotts, lost sales) may far exceed the costs of product redesign or implementing additional security measures. Product managers need to know if anything specific makes their product overly attractive to criminals, and if so, do something about it in the design phase.
Tip 3: Understand where the product is most likely to be attacked or compromised
For example, if a product is more at risk during shipment, can better cargo security measures be implemented? If a product is at risk of counterfeiting, product authentication measures such as security packaging and traceability programs could be the solution.
It is very uncommon to encounter situations where managers have unlimited resources – a well-designed product risk assessment methodology can be used to identify those products requiring increased protection based on likelihood and consequence, and those requiring less protection. These insights can be used to efficiently allocate your limited risk management resources, as well as helping product managers understand why their product is at risk.
Clarke, Ronald. 1999. Hot Products: Understanding, anticipating and reducing demand for stolen goods. No. 112 in Police Research Series. London: Home Office. www.popcenter.org
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
Product counterfeiting is a global fraud problem that has been steadily evolving for decades, with no product or industry being immune. In 2015, Frontier Economics estimated “the value of international and domestic trade in counterfeit and pirated goods in 2013 was $710 -$ 917 Billion” (2015). The magnitude of this problem is also reflected in US and EU Customs seizures, which continue to grow (Smith, 2016). Unfortunately, Customs agencies can only seize what they know about, placing the onus on the purchaser to exercise adequate due diligence and supply chain risk management practices.
In 2007, the US Department of the Navy tasked the US Department of Commerce’ Bureau of Industry & Security to conduct an assessment of counterfeit electronics across the US defence industrial base, concluding “all elements of the supply chain have been directly impacted by counterfeit electronics” (2010). Similar findings across other branches of the US Government have triggered a range of Supply Chain Integrity and Security initiatives, one of which is Supply Chain Integrity.
The concept of Supply Chain Traceability
Supply Chain Traceability is critically important as a control to achieve Supply Chain Integrity in safety or high-reliability industries such as Aviation or Healthcare, where the introduction of sub-standard products / components / raw materials (referred to in the standard as ‘materiel’) can ultimately lead to death. Supply Chain Traceability is defined in AS6174 as “having documented history of material’s supply chain history. This refers to documentation of all supply chain intermediaries and significant handling transactions, such as from original manufacturer to distributor” (SAE International, p9), with ‘materiel’ being defined as “material, parts, assemblies and other procured items” (SAE International, p6).
This concept of Supply Chain Traceability presented in AS6174 appears akin to the concept of Supply Chain Integrity introduced by the World Economic Forum in 2012, which identified “four key questions that must be answered at the product level as part of Supply Chain Integrity (Pickard & Alvarenga, 2012):
Integrity of Source – did this product come from where I think it did?
Integrity of Content – is the product made the way I think it is?
Integrity of Purpose – is the product going to do what I think it will do?
Integrity of Channel – did this product travel the way I think it did?”
The difference between the approach adopted by AS6174 and that of the WEF report is that the standard is, unexpectedly, much more forensic in the way it approaches the concept. Where the WEF principles differ are in their application, which is broader than anti-counterfeiting, and could easily incorporate Environmental / Social / Governance (ESG) and other Sustainability Risk considerations such as Modern Slavery and Illegal Logging as part of a broader focus on Supply Chain Integrity (World Economic Forum, 2015).
Within AS6174, Supply Chain Traceability aims to address the introduction of Suspect, Fraudulent or Counterfeit materiel into the Supply Chain (SAE International, p6). Before proceeding further, it is worth exploring exactly how the introduction of Suspect, Fraudulent or Counterfeit material into the Supply Chain is possible. From my perspective, there are two starting points to this discussion:
Genuine Materials
Genuine materials are used or supplied by the manufacturer, which are subsequently adulterated or compromised, meaning that a legitimate product (referred to in AS6174 as a ‘conforming product’) is transformed into a ‘non-conforming’ (illegitimate) product at some point in the supply chain before it reaches the end user. The transformation from genuine to non-conforming materiel can occur in the supply chain via at least two methods:
Product Diversion – where legitimate product is diverted from the authorised supply chain (Bandler & Burke 2009, Datz 2005), impacting the ability of a consumer to rely on a vendors’ warranties around Authenticity and Conformance (SAE International, pp7-10). This can be through theft, but it can also be as a result of sales to seemingly legitimate customers (e.g. OEMs) where that product is then re-sold or passed to a third party, such as a gray marketer (Shulman, 2012)
Product Substitution – where a product, or part of a legitimate product, is substituted with non-conforming material (Guide to…2019). The concept of product substitution can be illustrated with a can of house paint. Imagine a paint can with the uppermost quarter consisting of real paint (i.e. conforming materiel). The remaining three-quarters of the paint can is filled with a substitute, or non-conforming materiel, which does not mix with the real paint and is heavier so it stays at the bottom of the can. When a customer receives the paint and looks inside, or perhaps performs testing on the product, they will likely only see the uppermost layer. Provided a sample is taken from this layer, the sample will test positive (i.e. conform with manufacturer’s specifications) and not be detected. Meanwhile, the fraudster who substituted the original for fraudulent product has the opportunity to sell three other cans of paint to unsuspecting consumers for the price of one, less the cost of labeling three unmarked paint cans, pocketing the difference.
Both of the above examples fit the definition of “fraudulent material” under AS6174, which is defined as “suspect material represented to the customer as meeting the customers’ requirements” (SAE International, p6).
Non-Genuine Materials
In the second method, non-genuine materials are used throughout the manufacturing process, resulting in a product that in no way conforms to the specifications or authenticity of the original product itself, other than the application of the victim manufacturers’ Trademarks or branding on the packaging. This is commonly referred to as a counterfeit, or ‘fake’. AS6174 defines counterfeit material as “fraudulent material that has been confirmed to be a copy, imitation or substitute that has been represented, identified, or noted as genuine, and / or altered by a source without legal rights with the intent to mislead, deceive or defraud” (SAE International, p6).
Managing the risks – what does AS6174 suggest?
AS6174 provides guidance across 7 main areas to manage the risks of Suspected, Fraudulent or Counterfeit materiel entering the supply chain. These areas include Product Assurance, Risk Assessments, Contractual Obligations, Purchasing Practices, Traceability Guidance and Reporting / Information Sharing arrangements. The following sections focus in more detail on Product Assurance and the Counterfeiting Risk Assessment. Other elements, such as purchasing and supplier due diligence, will be covered in future posts.
Product Assurance
The purpose of Product Assurance, which effectively involves “confirming the authenticity of materiel or its compliance with manufacturer’s specifications” (SAE International, p27), is minimising the likelihood of non-conforming materiel entering the supply chain. Where it does enter the supply chain, Product Assurance and other elements of AS6174 are designed to facilitate early detection. The standard proposes four elements of any Product Assurance process (SAE International, p27):
Documentation & Packaging Inspection – effectively a review of supplier documentation to trace the history of the product and to review the packaging to confirm it meets expectations around conformance with manufacturer’s specifications. As with all fraud prevention processes, the suggestion of verifying the received documents against the source through means such as confirming the accuracy of serial and batch numbers, is raised.
Visual Inspection – this involves examining the product using various scientific techniques and conditions for the presence of identification markings or traceability indicators.
Non-Destructive Testing (NDT) – involves a variety of tests including radiological, acoustic, thermographic and optical techniques to check the product confirms to specifications without actually destroying or using the materiel itself.
Destructive Testing (DT) – involves analytical chemistry techniques, deformation and metallurgical tests, exposure tests, and functional tests.
Obviously, the performance of some of the above requires access to specialist equipment and / or knowledge (such as details of manufacturer’s markings applied to help prove the authenticity of a product), which may be beyond the reach of some consumers. In this case, businesses in Australia may consider it worthwhile engaging a NATA Accredited laboratory to perform such testing on their behalf. One key principle of AS6174 is that the design of any framework to minimise and / or detect non-conforming parts be risk-based, informed by the likelihood and consequence of a non-conforming part being introduced into the organisation’s supply chain.
Determining Counterfeit Risk
AS6174 suggests that the steps taken to minimise counterfeits in the supply chain, including the extent to which Product Assurance is undertaken, should be driven by both the likelihood and consequence of any “non-mitigated counterfeit item” (SAE International, p13). This means, for example, that greater steps should be taken to prevent counterfeiting in relation to a helicopter engine part than say a ream of paper in the office. The risk rating from this exercise dictates the “degree of traceability required” for that part in the supply chain.
The first element of any counterfeit risk assessment should involve considering the Likelihood, or probability of counterfeiting in that product, industry or market. The guidance provided in AS6174 on how to do this is scant, and does not consider the nature of the counterfeiting threat and the attractiveness of counterfeiting a specific part or materiel to fraudsters or organised crime. In a typical security or fraud management context, the risk assessment is preceded by a Threat Assessment, which identifies potential threat actors (e.g. insiders, organised crime), and determines both their Capability to counterfeit the product or materiel and their Intent. This step, which is missing from AS6174, is in my opinion critical to the risk assessment process for any case where the risk is caused by criminality of a human.
In the absence of performing a threat assessment, it may be possible to rely on informal feedback from others, such as industry groups, competitors or customers, but the quality of their advice is reliant on the processes and tools available to those parties to identify and understand the threat. Given that fraudsters and criminals are financially incentivised to engage in counterfeiting due to the low likelihood of being caught, yet alone detected, it is important to remember that history is not a reliable predictor of the future, and that just because something hasn’t happened before does not mean it will in the future. In my experience, all to often these less mature, ad-hoc approaches to understanding threat provide a false sense of security and may mean risks such as counterfeit parts in a supply chain are not detected because people aren’t looking for them, as opposed to them not being there at all.
One other interesting part of the risk assessment relates to “long term materiel availability” (SAE International, p15) or steps to be taken when a manufacturer stops making something. As part of any Anti-Counterfeiting & Product Protection strategy, manufacturers or Intellectual Property Rights (IPR) Holders will typically perform some degree of market surveillance, to understand where their products are being sold, who the vendor is, and for how much. Market surveillance enables early identification of counterfeit and unlicensed product (e.g. parallel imports) and a facilitates a timely legal response. As products become ‘obsolete’, manufacturers often re-allocate market surveillance and IPR enforcement capabilities towards new products. However, this creates opportunities for sub-standard materiel to enter circulation. Products deemed obsolete by the IPR Holder but which retain their after-market value or are subject to consumer demand in a particular region (e.g. developed versus developing markets) can still be subject to counterfeiting, meaning in these cases market surveillance programs may need to become more targeted rather than ceased completely.
Sources
Bandler, J., and Burke, D. (2009). The shadowy business of diversion, August 4, 2009, www.fortune.com, accessed 19/5/2019.
SAE International (2014). AS6174 Counterfeit Material; Assuring Acquisition of Authentic and Conforming Material, Rev. A, Aerospace Standard, www.sae.org.
Smith, C. J. (2016). Ensuring Supply Chain Security: The role of anti-counterfeiting technologies, United Nations Interregional Crime and Justice Research Institute, http://www.unicri.it, p14, accessed 19/5/2019.
U.S. Department of Commerce (2010). “Defence Industrial Base Assessment: Counterfeit Electronics, Bureau of Industry and Security, https://www.bis.doc.gov, p.ii, accessed 19/5/2019.
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
You must be logged in to post a comment.