Rental Vehicle Security Scheme guidance and code of practice
Published 6 December 2018
Introduction
The Department for Transport has been taking forward a programme of work to mitigate the risk of vehicles being used in terrorist attacks. We have worked with other Government Departments, the police and industry stakeholders to develop this guidance.
The guidance is designed to support the Code of Practice (CoP), which sets out the requirements that the Department for Transport (DfT) expects those wishing to join the approved Rental Vehicle Security Scheme (RVSS) to meet.
Registration is conditional on completing and submitting the online application form and an electronically signed security declaration (examples of which can be found at Annex A and B of this guidance). You will also need to complete the pro-forma at Annex C (please note this form does not need to be submitted to the DfT at time of application but may be subject to a quality assurance check at a later date).
The DfT RVSS scheme is only applicable to those vehicle rental companies which engage in short-term vehicle rental transactions to consumers. Typically, the period of rental or hire will be calibrated on an hourly, daily, weekly etc. basis. The agreement is typically unregulated and is not capable of lasting more than 3 months.
Background
DfT sets and enforces counter terrorism security standards and regulations for a number of transport modes including Aviation, Maritime, the National Rail Network and London Underground. DfT does not currently regulate the vehicle rental industry for counter terrorism security purposes but, in conjunction with industry and trade associations, formulates and disseminates best practice guidance for the industry.
The CoP supporting guidance has been developed in collaboration with a range of stakeholders including the British Vehicle Rental Leasing Association (BVRLA), United Rental System (URS), Vehicle Rental Companies, Fleet Operators Registration Scheme (FORS), National Counter Terrorism Policing Headquarters (NCTPHQ), Office of Security & Counter Terrorism (OSCT), as well as others.
Guiding Principles
The aim of the RVSS is to promote a proactive security culture within the vehicle rental industry and individual companies. Through the RVSS, Government and Industry will work collaboratively to deter the use of rental vehicles as weapons.
The Register will be operated and administered by the DfT, utilising a database model which is already used to record rail and maritime companies and their Nominated Security contact details.
DfT will set the scheme’s high level objectives, outputs & requirements. The Rental Vehicle Industry Security Advisory Group will be responsible for monitoring the Rental Vehicle Security Scheme.
DfT, in conjunction with industry and trade associations, will formulate and disseminate best practice guidance.
The guidance is designed to support the Code of Practice (CoP), which sets out the requirements that DfT expects those wishing to join the RVSS to meet. Organisations wishing to join the scheme must commit to meeting the requirements of the CoP and have in place a security plan demonstrating how this has been or will be achieved.
The Scheme will deliver wider benefits for industry and the general public.
Benefits to Industry
An organisation’s Corporate Social Responsibility (CSR) duties will include protecting the public, its customers and its assets. By joining the RVSS an organisation will be demonstrating that it takes security and its CSR responsibilities seriously.
Benefits of RVSS membership include:
Helping to keep the public safe from vehicle attacks
- deterrence of would-be attackers from using your fleet
Protecting the organisation’s reputation
- Corporate Social Responsibility
- competitive advantage
Improved security culture within the business
- the scheme will help organisations assess their security risks and take appropriate actions
- crime reduction
- access to HMG security advice
- enhanced staff training
- professional image
How to get registered
RVSS Code of Practice (CoP)
DfT has been working with a number of stakeholders within Government and the vehicle rental sector to develop a 10-point Code of Practice. Organisations wishing to join the scheme must commit to meeting the requirements of the CoP and have in place a security plan demonstrating how this has been achieved. The 10 requirements are:
- Appoint a Recognised Security Contact (RSC) and (where practical) a deputy
- Payment Handling: Only accept electronic forms of payment
- When ‘handing over’ vehicles to customers undertake driver licence verification checks
- Train staff to identify and report suspicious behaviours
- Support law enforcement counter terrorism and communications campaigns
- Share data and information with law enforcement agencies where it can be done so lawfully and consistent with data protection requirements
- Based on assessment of risk and available vehicle technologies, the company should ensure that appropriate security equipment is fitted to vehicles
- Hiring of commercial vehicles: When ‘handing over’ commercial vehicles to customers additional security checks should be undertaken
- Vehicle liveries: The code recommends that company liveries are removed prior to onwards sale of vehicles
- Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) 2018. The company will ensure staff have sufficient training in regard to the DPA and GDPR
Supporting Guidance - Completing a Security Plan
As part of the application process (see Annex A) you need to confirm that you have completed the Security Plan Proforma that can be found at Annex C.
The pro-forma (which you should retain) is intended to demonstrate how the company has met (or will meet) the requirements of the CoP. The pro-forma should form the basis of a security plan which you should develop and which may in due course be subject to assurance checking by DfT.
DfT can assist in the development of the security plan and additional guidance can be found on the Centre for the Protection of National Infrastructure (CPNI) website.
Guidance for completing the Security Plan is outlined below:
Appointment of a Recognised Security Contact (RSC)
- the Registered Company (RC) will appoint a Recognised Security Contact (RSC) and, where practical, a deputy within the organisation. These persons will act as the focal point for the dissemination of counter terrorism security advice and procedures on the company’s behalf
- the RSC will actively utilise and share National Counter Terrorism Security Office (NaCTSO) and Centre for the Protection of National Infrastructure (CPNI) online material and engage with National Counter Terrorism Policing Headquarters (NCTPHQ)/DfT on any relevant law enforcement related activities
- the RSC will ensure that they are up to date with security training supplied by their organisation and, where appropriate, that supplied by other sources such as CPNI
- the RSC (or a nominated person) should ensure that all staff receive the required levels of security training to enable them to fulfil their roles
- the RSC will act as the point of contact between the organisation and DfT/Law Enforcement agencies and will be the person that receives security related communications
- the RSC should ensure that, on an as appropriate basis, security related messaging is displayed at the place of business
- the RSC should ensure that when fleet vehicles are disposed of that any liveries are removed
- the RSC should ensure that staff are undertaking the necessary checks (as outlined in the Code of Practice).
Payment handling
The RC should ensure that it only accepts electronic methods of payment when renting vehicles for all or part of the rental costs.
The RC should electronically record details of the driver’s payment card and ask for the PIN number to be input into the card reader for all cards that accept this function.
Where payment is made by a third party, the RC will work towards adapting company procedures to require a card for verification.
Driver licence verification
The RC will undertake standard driver’s licence checks in accordance with company and industry best practice to identify potentially fraudulent documents. The driving licence photo should be checked to ensure it is a facial match for the renter and that the driving licence number is accurately recorded.
Where online booking procedures do not require face-to-face contact with the customer, RCs should ensure digitised procedures maximise identity and security checks, including reconciling licence and credit card information provided as part of the booking process.
Training staff to identify and report suspicious behaviours
The RC should ensure that counter-terrorism guidance is available to staff and ensure they are trained in customer verification procedures to help build a culture of vigilance.
The RC will have in place a mechanism for reporting suspicious behaviours to the relevant law enforcement authorities and ensure that company procedures and management processes incorporate the use of this mechanism where appropriate.
The RC will also train staff to ensure that customers are provided with the most suitable vehicle to meet their requirements (this may offer an opportunity for identifying suspicious behaviours).
Support law enforcement reporting and communications campaigns
The RC will agree to support Government counter terrorism reporting and communications campaigns where the material is relevant and suitable, one example of this being the current Action Counters Terrorism (ACT) campaign.
Where practical the RC will support the campaign by displaying the logo on the company fleet, website and at place of business.
Data and information sharing
The RC will agree to share rental, loyalty, corporate and trusted customer scheme data and information on individual vehicle rentals, with law enforcement agencies on request where it can be done so lawfully and consistent with data protection requirements.
Vehicle Technologies
When renewing vehicle fleets, the organisation will, based on risk assessment, ensure security equipment is fitted as appropriate.
Upon official request, RCs will co-operate with law enforcement agencies in the activation and use of vehicle security technologies in support of active investigations.
Hiring of commercial vehicles - specific requirements
- when hiring out commercial vehicles to private customers without an Operator’s Licence, customers should be asked security questions in accordance with the RC procedures. The information should be documented on occasions where a customer attends a rental branch/location (see Annex D)
- before hiring out large commercial vehicles, companies should provide details of their Operator Licence to the rental company. These can be checked at Find lorry bus operators.
- a number of recent attacks have featured the use of light commercial vehicles (i.e. vans, typically those up to 7.5 tonnes). When renting vehicles of this sort it is good practice to question the renter on the purpose for the hire
- completion of the pro-forma at Annex D will assist with this process
- consideration should be given to using the DVLA Share Code process
Removing vehicle liveries
It is recommended that all company liveries and decals are removed prior to the onward sale of vehicles previously available for rental.
Where this work is carried out by a third party, the RC should ensure the work has been completed.
Data Protection Act and the General Data Protection Regulation
- the RC will also ensure staff have sufficient training in regard to the Data Protection Act and the General Data Protection Regulation (GDPR) 2016/679 so that in the event of a law enforcement request, staff understand the overall obligations and whether they are able to share data when requested
- it should be noted that failure to demonstrate that you have met the requirements of this code could invalidate your application or registration
Embedding a security culture in the organisation
Staff Training
As part of the organisation’s recruitment and retention process, staff should be trained to enable them to undertake their role. Part of this training should include, where appropriate, recognising suspicious behaviours and awareness of the company reporting process. Further helpful guidance can be found in the BVRLA ‘Counter Terrorism Awareness for Rental Firms’ webinar.
CPNI Security Systems Management and Risk Assessment Advice
The Centre for the Protection of National Infrastructure (CPNI) is the Government authority for protective security advice to the UK national infrastructure. Its role is to protect national security by helping reduce the vulnerability of the national infrastructure to terrorism and other threats.
CPNI produce a number of guidance documents which can assist organisations in drawing up security plans. These are available free of charge on the CPNI website.
The following products may be of particular assistance:
Provides guidance on the principles of risk assessment
Provides guidance on how to mitigate risks that may affect your organisation
Outlines why it is important to get a security culture right
Personal security risk assessment
Provides guidance on personal security risk assessment
Outlines the need for effective security planning
Level 1 operational requirements process
Provides guidance on security risk management and developing a strategic security plan
Suspicious Activity and Behaviour Reporting Procedures
Your organisation may already have in place procedures to identify and report suspicious activities/behaviours. However, DfT, along with CPNI and a number of industry partners, is working to develop a bespoke training package for the rental sector which can be used by members of the RVSS. Although it is not available at present, DfT will provide a link to the product once it becomes available. In the interim you may wish to view the existing CPNI guidance on increasing employee vigilance, which can be found at Employee vigilance.
Annex A: Rental Vehicle Security Scheme: Code of Practice Declaration
In order to be included on the Rental Vehicle Security Scheme register the Vehicle Rental Company should complete the declaration.
An example of the declaration can be found below.
We (insert company name) agree to adhere to the requirements set out in the Code of Practice set out above.
Signed*
(Company Proprietor, Partner or Director) (Please indicate)
Date:
* Note: by signing this declaration you agree that you have completed and retained the Security Plan Proforma (Annex C) and to have your security measures audited/assured by DfT.
Annex B: Rental Vehicle Security Scheme: Registration
In order to be included on the Rental Vehicle Security Scheme register the registered Vehicle Rental Company should complete the application.
An example of the application can be found below.
1 Applicant details:
2 Business name:
3 Principal place of business:
4 Website:
5 Nature of business (a brief description of the main activities of your business):
6 Contact details
7 Proprietor/Partner/Director (please indicate)
Forename
Surname
Direct email
Direct telephone
8 Recognised Security Contact (if different from above)
Forename
Surname
Direct email
Direct telephone
9 Deputy Recognised Security Contact (if different from above)
Forename
Surname
Direct email
Direct telephone
10 Are you a member of the following organisations?
BVRLA
United Rental System
FORS
FTA
RHA
N/A
This form can be completed on-line using the following hyperlink
Annex C: RVSS Security Plan - Proforma
Please complete the proforma below outlining how you meet [or intend to meet] the requirements of the code (please refer to the Code of Practice and supporting guidance when completing this form):
CoP Ref | Gaps identified? | Actions taken | Sign off/date |
---|---|---|---|
1. Appointment of a Recognised Security Contact and Deputy | | | |
2. Payment Handling: the Code requires you to demonstrate that you are only accepting electronic forms of payment when renting vehicles for all or part of the rental costs | | | |
3. Driver Licence verification: what checks do you intend having in place to ensure that licence checks are undertaken in accordance with company supplied training? | | | |
4. Training staff to identify and report suspicious behaviours: what measures do/will you have in place to ensure that counter-terrorism guidance is available and that staff are trained in customer qualification procedures? | | | |
5. Support law enforcement counter-terrorism reporting and communications campaigns: have you signed up to the ACT campaign? | | | |
6. Data and information sharing: will you agree to share rental, loyalty, corporate, and trusted customer scheme data and information on individual vehicle rentals, with law enforcement agencies on request where it can be done so lawfully and consistent with data protection requirements? | | | |
7. Vehicle technologies: do you ensure that your vehicles are equipped with the latest security technologies? | | | |
8. Hiring commercial vehicles: do you ensure that you ask additional questions to customers seeking to hire commercial vehicles without an operator’s licence? | | | |
9. Removing liveries: do you ensure that liveries are removed prior to the onward sale of vehicles? | | | |
10. Data Protection Act and the General Data Protection Regulation (GDPR): how will you ensure that your staff have sufficient training to understand the principles and their ability to share data when requested? | | | |