Guidance

C118-6 — section 6

Updated 22 January 2024

Application for Authorised Economic Operator status

For all forms you will need your Economic Operator Registration and Identification (EORI) number that starts with GB.

To complete this form you will also need the following information.

6.1 Site and goods security, safety requirements, risk and threat assessments, external security providers

Details for the competent person responsible for safety and security, including their full name and position in the business.

Details about risk and threat assessments. Include if you have carried out a risk and threat assessment for the business.

HMRC expects you or a security company if you use one, to have carried out a documented risk and threat assessment. You must produce this assessment when we visit to avoid an automatic recommendation that your application is rejected.

The risk and threat assessment needs to:

  • cover all the premises which are used for your customs related activities
  • identify the risks and threats to the international supply chain that you are part of
  • identify risks and threats to your role in the supply chain
  • consider how you have reduced the risks and threats identified

The risks and threats assessment should also include:

  • physical threats to premises and goods
  • fiscal threats
  • contractual arrangements for business partners in your supply chain
  • the goods that you deal or trade in
  • premises and buildings for storage or manufacture
  • staff including recruitment, use of temporary staff, sub-contract labour
  • transport of goods, loading and unloading
  • computer systems, accounting records and documents
  • recently reported security incidents for any of these details

You should also provide evidence of how often the document is reviewed and updated. Procedures should include how to report incidents and the frequency of future reviews. Customs will look for evidence of how and when you tell both staff and visitors about your procedures.

Include if there is a security plan in place for each site. You must provide either a security plan or a risk and threat assessment when HMRC visit. If you do not do this, HMRC might halt their visit before it’s completed or reject the application.

Include how often you review and update the documents. You need a review programme in place for the security plan. This should include records of amendments which are signed and dated by the responsible person.

Include the security risks you have identified in relation to the Authorised Economic Operator security criteria. You must include a description of at least the top 5 risks you have identified. You should also include the likelihood, effects and any actions you have taken for 3 of these risks. Examples of possible risks are:

  • smuggling illicit goods
  • contamination of products
  • unauthorised access

Brief description of how security measures are established, implemented, monitored, reviewed and coordinated in the company. Include who is responsible for implementing and coordinating them. The responsible person should make sure there are procedures in place to establish, review and update all security measures. The responsible person should also be able to explain these procedures. If external security services are used, the responsible person should manage the contract and make sure a proper service level agreement is in place. This agreement needs to meet the Authorised Economic Operator requirements.

If your company has multiple premises give details. These should include if the security measures are applied consistently at all of these places. Although security measures are likely to be site-specific, establishing, implementing, monitoring and reviewing the measures should be consistent at all places. Where measures are not consistent, HMRC may increase the number of their site visits.

If you have any security instructions, give details about how they are documented, for example, manuals, work guidelines or information sheets. Tell us how you tell your staff, and people visiting your company premises, your security instructions.

Details about any security incidents, such as losses in warehouse, broken seals and damaged anti-tampering devices. You should include records kept of security incidents and the actions you’ve taken to stop them happening again.

Details about any already certified authorisation or approval by another public agency authority, for security purposes. Examples of another public agency authority include a transport authority or a civil aviation authority. Details should include:

  • premises or sites covered by the relevant security purposes certificate
  • a list of any independently accredited standards

If you plan to apply, or you’ve already applied, for any other certification, give details.

Examples of certifications and authorisations include:

  • Regulated Agent (certificate and assessment report)
  • Known Consignor (certificate and assessment report)
  • Transported Asset Protection Association (TAPA) (certificate and assessment report)
  • ISO (certificate and quality manual)
  • International Ship and Port Facility Security (ISPS)

Details about particular security and safety requirements for the goods you are importing or exporting, for example any safety requirements for:

  • hazardous chemicals
  • high value goods
  • excise goods

Security and safety requirements include special packaging and specific storage requirements.

Tell us if you use a security company and they’ve made a threat assessment of your business. The documents should show the dates when the assessment was made and when any recommendations were carried out. You should provide the document when HMRC visits your business.

If your customers or insurance company give you any safety and security requirements, give details. These details should include any special requirements and the goods they affect. If you have a wide range of products and requirements you can summarise them.

They will be examined in more detail when HMRC visits your business.

6.2 Building and boundary security, access to premises and parking

Brief description of how you’ve secured the external boundary of your company premises. External boundaries include visible boundaries such as fences and gates. The brief description should include:

  • how you check staff and visitors are following your security rules
  • who carries out the checks on the fences, gates and buildings, and when
  • how these checks and their results are recorded
  • how security incidents are reported and dealt with

You should secure all external and internal windows, gates and fences. Examples of security are locking devices, alternative access monitoring or control measures such as internal or external anti-burglar alarm systems or CCTV systems.

Details about the types of access to your business premises should include:

  • how they are managed
  • if access points are restricted by time or day
  • if your premises are well lit – if so, give details
  • details of any back-up generators or devices in place to power the lights if the local power supply is interrupted – also include how these are maintained

You should list all access points, preferably with reference to the site plan. Include any fire escapes and show access stairways. Make it clear which access points are for:

  • cargo loading and unloading
  • utilities
  • counters for public access
  • drivers’ rest areas

Tell us where any security guard offices or guardhouse is located. Your description of how these places are monitored should include:

  • the type of CCTV camera – static or pan, tilt and zoom
  • how the cameras are controlled
  • if the image is used proactively or reactively

In addition to external access controls you should also describe internal access controls. Include any internal access in shared premises. Confirm whether the premises have staff working there 24 hours a day, 7 days a week (shift working) or normal office hours.

Details about how you manage key access in the company, for example location access logging. Tell us about: written records for this, how keys are identified and your procedures to prevent misuse and deal with any loss.

Your procedures should allow only authorised personnel to have access to keys for locked buildings, sites, rooms, secure areas, filing cabinets, safe, vehicles and machinery.

These procedures should also cover:

  • the agreed place where the keys are kept
  • who is responsible for controlling the security of the keys
  • recording when the keys are taken, who took them, why and their return
  • dealing with losses, failures to return keys

Provide details of any procedures for locking up the premises. Include who the master key holders are who are responsible for closing down the premises at night and re-opening them on the next working day.

Provide details of other ‘key’ devices in use such as ‘radio keys’ (used for example to remotely operate a car park barrier). You must also tell us who you issued them to.

Details about the parking of private vehicles allowed on any of the premises, including:

  • how you control or record visitors with private vehicles coming to your premises
  • whether visitors’ cars are separated from staff cars
  • who is allowed to park on the premises
  • any vehicles that have temporary access to sites for example, taxis or a staff bus
  • who gives the approval for permitted parking
  • checks that parking requirements are being followed
  • tell us if there are written rules for vehicle checks
  • how often the permission is reviewed and updated to take into account changes of staff cars
  • visitors and staff assigned car park areas that are not close to secure areas (such as loading bays) to avoid the possibility of theft, obstruction or interference

Brief description about the process of access to your premises, including who checks that the procedures are followed. You should also include how it is regulated for:

  • staff visitors
  • other people
  • staff vehicles
  • goods

Your procedures should document who has access to which areas, buildings, and rooms and how this is controlled, for example, by keypads or swipe cards. Access restrictions should take into account the risk and threat assessment. Your systems should be capable of identifying attempts at unauthorised access and to monitor these. Describe the system used to identify staff and distinguish from visitors, for example, identity cards.

If you have more than one site and any of your processes are only used at some of the sites, you must make this clear. For an application that includes more than one site, it may be helpful to describe or provide an image of a general view of the sites.

Details about the procedures that are to be followed if an unauthorised person or vehicle is discovered on company premises. Include how you tell staff about these procedures.

Details of any other companies that are co-located on your premises. You should pay particular attention to any companies on your site who are tenants rather than involved in making supplies to, or for you. Tenants may pose special security issues. You should briefly describe any arrangements that cover these tenants such as their separate entry and occupancy in your area.

6.3 Cargo storage, goods sealing and marking, security checks, loading and transportation

If there are rules or restrictions for access to cargo units, give details, including how they are enforced. You should make sure cargo units are secure. You can do this by placing them under permanent monitoring or keeping them in a safe, locked area or by inspection prior to use. Only properly identified and authorised people should have access to the cargo units. Your procedures should include:

  • how access to the area where the cargo units are held is controlled – for example, restricted to staff, external truck drivers
  • that only authorised people have access
  • how monitoring of the units is maintained at all times – for example, by nominated responsible staff and deputies

Brief description of measures in place to prevent unauthorised access to and tampering with cargo units. Your procedures should include:

  • constant supervision
  • who the responsible person is to report incidents to
  • training staff and making them aware of risks, seals or instructions for procedures to follow in case of unauthorised entry
  • how incidents are reported and recorded
  • what action should be taken, including reporting to law enforcement or senior management
  • review and amending of existing procedures
  • notification of any changes to staff

Details about any seals you use to prevent unauthorised tampering with goods, including:

  • what kind of seals are used
  • what standard they satisfy
  • providing the name of the manufacturer, the procedure for issuing seals and for recording their issue, use and removal
  • documented procedures for dealing with broken and tampered seals

If you do not use seals, give details on how you make sure that goods are not tampered with, including details about the:

  • control measures you use to check cargo units, for example 7-point inspection process
  • cargo maintenance, including:
    • owner or operator of the cargo units
    • maintenance of the cargo units
    • who is responsible
    • the requirements for your staff to check the soundness of the units when they return from any external maintenance
    • regular maintenance plans
    • what checks are to be performed, when and by whom
    • how you tell your staff about your procedures
    • management checks and their frequency to make sure units are re-examined
    • explain whether you routinely check all cargo units, both before accepting any incoming load and before loading goods for despatch

Details about the means of transport normally used by your business, including:

  • external transport providers, for example, freight forwarders, carriers or agents
  • certification in place for freight forwarder or carriers to meet required security standards

Brief description about other measures you may take for outsourced transport activities to meet security standards.

Details of the procedure for guaranteeing the security and safety of incoming goods. Include how you check and make sure these procedures are followed.

Details of whether your staff are informed about security arrangements with suppliers. Include how you make sure these arrangements are followed. Your procedures should also include:

  • choosing staff responsible for receiving the driver and the goods at arrival
  • maintaining a schedule of expected arrivals
  • dealing with unexpected arrivals
  • recording the transport documents and customs papers accompanying the goods
  • comparing the goods with the accompanying transport documents and customs papers
  • checking the integrity of any seals
  • recording the end of any checks and their results
  • when the goods arrive, telling HMRC so that they can carry out the necessary controls
  • weighing or counting and tallying the goods against the picking list or purchase order
  • testing quality
  • clearly marking the goods before they go into stock to enable identification
  • identifying and reporting discrepancies or quality control failures
  • telling the purchase department and the administration of the receipt of goods

If you deal in high value or risk goods, examples of security arrangements for the goods may include that they must:

  • arrive in the same condition they left the supplier
  • be sealed at all times
  • have not breached any security or safety requirements

Your procedures should include:

  • making sure staff responsible for receiving incoming goods are aware of instructions for security arrangements particularly if an irregularity is discovered
  • reviewing and updating these procedures on a regular basis
  • management or supervisory checks to make sure staff are following these procedures

Brief description about checks on seals of incoming goods. Procedures should be in place so that when a sealed cargo unit arrives, the seal can be checked correctly. These procedures could include a visual inspection to make sure that the seal is actually intact and that there is no evidence of tampering. Once satisfied from a visual inspection, the authorised person could then physically test the seal by applying suitable pressure to make sure it is still intact.

If your business deals with goods that require specific security measures, such as air cargo or air mail, give a brief description. Include how the incoming goods are marked. Your procedures should include how you apply the procedures or check the application. For example, if you are a regulated agent, if and how you check the haulier declaration and the identity of the haulier for the transport of secure air cargo or air mail from a known consignor.

Brief description about the process for counting and weighing incoming goods, including:

  • who checks them
  • how and when the incoming goods are checked against accompanying documents and entered into your records – and who does this
  • checking the goods against loading lists and purchase orders
  • recording the goods in the stock record, as soon as possible after their arrival

Brief description about the control mechanisms for the purchase of goods, receipt of goods and general administration and how they work. For example, give details to show if and how you separate the following work areas and their responsibilities:

  • purchase of goods
  • receipt of goods (warehouse)
  • general administration including entering of the goods in the system
  • payment of the invoice

You should also give details of how the integrated internal control mechanisms between the sections work.

Details about the location of areas for the storage of goods, including:

  • how you allocate a storage position that is both safe and secure but clearly known to control staff
  • locations of outdoor storage
  • whether the storage area is only accessible to authorised staff
  • controlling incoming goods, transfers to other premises, permanent and temporary removals
  • handling and processing goods and their return to stock
  • separating different types of goods, where appropriate – for example, UK, non-UK, high value, hazardous, air cargo or air mail
  • addressing all aspects of physical security of the storage facility

Brief description about arrangements for regular stock taking and procedures for dealing with irregularities, discrepancies, losses or theft.

Details of the storage of goods with different risk levels, including:

  • criteria for separate storage
  • actions you take to make sure the goods are recorded immediately in the logistical accounts or stock records

Brief description of protection against unauthorised access to the warehouse premises and how you check compliance.

If your goods are outsourced to an external company, give details of how and where they are stored and what control measures you have in place.

Details about the locations and areas which are specifically for the production of goods, including:

  • if it’s done by a third party – for example, job processing, drop shipment
  • how the integrity of the goods is guaranteed – for example, contractual agreements
  • indicate whether staff working in the production area are permanent employees of the business or temporary staff

Brief description about how you protect goods against unauthorised access to the production zone.

Details on the procedures for packing products, including:

  • any written procedures for packing
  • guarantees of integrity of the goods if the packing is outsourced to the third party
  • any technological aids to packing integrity – for example, weight checked or CCTV surveillance
  • describe any securing process both of the individual packages and how the packages are consolidated, for example on pallets

Brief description about how loading of goods is managed in your business and if there are any written instructions on how the process should be organised. Your procedures should include:

  • allocating responsibilities for receiving the driver and loading the goods
  • assigned staff are present at all times
  • what the procedure is if assigned staff are not available, for example, appointment of deputies
  • loading taking place only in the presence of authorised staff
  • weighing, counting, tallying and marking of goods
  • dealing with discrepancies or irregularities
  • checks on goods against loading lists and selling orders
  • recording the goods out of the stock, as soon as possible after their departure
  • acknowledging receipt of the goods and any irregularities by your customers
  • applying seals and recording them on documents or records, making sure that seals have been used for appropriate goods, meet laid down standards and applied in accordance with legal requirements
  • recording the transport and customs documents accompanying the goods in your records
  • comparing the goods with the accompanying transport and customs documents
  • recording the end of the checks and their results
  • when goods leave, telling customs authorities so that they can carry out the necessary controls
  • when goods leave, telling the selling department or administration
  • how (which documents) and when are the goods loaded recorded in the stock records – and who does this
  • proof of export where appropriate

If outgoing goods or vehicles are sealed, give details of how:

  • you keep a record of seal numbers
  • the outgoing goods or vehicles are sealed – who does this and which seals they use

Details about how you guarantee customer security requirements for loading are followed. This will only apply if your customers have agreed specific requirements with you, for example, all goods must be sealed, packed and labelled in a certain way for X-ray requirements. If so, you should make staff aware of these arrangements and your procedures should include management or supervisory checks to make sure staff are following these requirements. These procedures should be reviewed and updated on a regular basis.

Brief description about the arrangements that are in place to make sure the goods are not left unsupervised during the loading process.

Details about how outgoing goods are checked for completeness and who is responsible. Include checks against orders, loading lists and stock records.

Details on any control mechanisms you have in place for detecting irregularities in the loading of goods.

6.4 Employee security and training, partners and external services

Details about the cargo units, including:

  • seals
  • maintenance

Details about security and safety, including:

  • transport
  • incoming goods
  • employees
  • seals

Details about incoming goods, including:

  • counting and weighing
  • control mechanisms

Details about the storage of goods, including:

  • different risk levels
  • protection

Details about the production of goods, including packing security.

Details about the loading of goods, including security.

Details about checking departing goods.

Details about the security requirements for business partners, including:

  • how your company verifies the identity of trade partners in order to secure the supply chain – for example, information search before accepting orders or placing orders
  • what actions you have taken to confirm that your business partners guarantee the security of their part of the international supply chain

Requirements for your suppliers could include, for example, that all goods must be marked, sealed, packed, labelled in a certain way, subject to X-ray checks and that they keep to any laid down international standards. Where such requirements exist, your procedures should include:

  • security declarations
  • contractual agreements
  • trade partners with their own Authorised Economic Operator status
  • where possible, regular visits to the supplier’s business premises to check and make sure requirements are being met
  • making your staff aware of these arrangements so that they can check compliance on arrival of the goods
  • arrangements for staff to report irregularities or incidents
  • management or supervisory checks to make sure staff are following these requirements
  • remedial action taken as a result of any identified breaches of these arrangements
  • review and update of procedures on a regular basis

Details about the security requirements for business partners should also include:

  • how you check people are following these procedures
  • what actions you have taken if your partner’s security breach was detected

Brief description about how your employment policy deals with security and safety requirements and who is responsible for this area. Your employment policy should reflect your security requirements based on your risk assessment. Your procedures should include:

  • performing background checks on your new and existing employees who will be working in, or moving to, security sensitive positions
  • seeking and taking up references on recruitment
  • identifying critical security posts and carrying out necessary checks to include both spent and unspent convictions
  • requirement for staff to notify their manager of police cautions or bail, pending court proceedings and convictions
  • removal of computer access and return of security pass when staff leave or are dismissed
  • staff need to tell you of any other employment they have

If security procedures are recorded in writing, give details about how compliance is checked.

Details about personnel security staffing checks, including:

  • to what extent new employees who will be working in security-sensitive fields are subject to security checks, for example police checks to confirm he or she has no criminal record
  • to what extent existing employees who are to be transferred into security-sensitive fields are subject to security checks
  • how you make sure that when staff leave, all their access permissions are removed including premises and data permissions

Give details if employees are given security and safety training to do with:

  • security protocols
  • detection of intrusion or tampering
  • reporting of incidents
  • the risks associated with the international supply chains

Details should include:

  • the frequency of security and safety training
  • if this training is internal or provided by an external supplier
  • if you have yearly refresher training
  • if there are written records on this training

Details about the areas where temporary employees are used, including

  • if these employees are checked regularly according to security standards
  • how temporary employees are checked against security standards and who by
  • if there are security instructions for temporary employees
  • contracts with employment agencies detailing levels of security checks to be performed on staff before and after appointment

If you use any external services under contract, for example, transport, security guards, cleaning, maintenance or supplies, give details about what services they provide.

If there are written agreements with the external service providers containing security requirements, give details on what services they provide, how compliance with the procedures included in these agreements is checked. Describe how you monitor the contract, handle any irregularities and review the procedures.