Introduction
Authorised Economic Operator (AEO) is a status that a lot of UK companies want to obtain for the sake of their continued growth. AEO status is very desirable as it demonstrates that you, as a trader, are compliant with customs rules and regulations. It also proves that your business is secure within the supply chain. AEO is not just recognised within the EU either; it’s recognised internationally. So with an AEO certification, people know you’re trustworthy.
There’s a lot that goes into getting an AEO certification though, as you need to make sure your company meets the minimum requirements before you even start the application process. As you can probably guess, a major aspect HMRC puts emphasis on is security and safety. Risk and threat assessments are crucial to becoming an Authorised Economic Operator here in the UK. This doesn’t just mean assessing your physical security either; your digital security is also very important. Here at Sencode Cyber Security, we’ve got experience helping companies make sure their Cyber Security is strong enough to get the AEO certification they want. And we can help you too!
What is Authorised Economic Operator UK status?
As a company working in Cyber Security, we understand that those aiming to achieve Authorised Economic Operator status here in the UK need to have strong protection of sensitive data to not only protect themselves and clients but the supply chain too. AEO certification is a highly sought-after status as it shows customs, as well as pre-existing and potential clients, that you as a company are trusted to uphold a high standard of security. You may see AEO certification as proof that your business is secure and adheres strictly to the procedures set by customs.
Having AEO status isn’t mandatory, but it’s definitely beneficial for those interested in international trade as it can give you an edge against your competitors. Obtaining the certification you want can be a struggle, however, as there is a long list of criteria to cover before HMRC will even consider you eligible. It’s a procedure that involves every department in your company too, so you need to make sure that you get everything right the first time.
If you don’t, and too many aspects are deemed lacking by HMRC or you have too many risks and not enough security measures implemented, you will be unable to achieve AEO status. Not to worry though, as security companies such as ours can assist you with parts of the process. As mentioned in the introduction, IT security can play a huge part in whether you are eligible or not. In fact, you may get outright rejected for not doing a risk and threat assessment at all!
In this blog, we aim to alleviate any worries you may have and assist you with understanding what you need to do for the sections pertaining to IT safety and security.
Types of Authorised Economic Operator status
Before we get into the IT security portions required in order to obtain an AEO certification, we first need to talk about the different types of AEO status you can apply for. There are two options you may choose when it comes to applying for AEO, and they mainly depend on what type of company you are and what goals you have. Each one has its own benefits and, depending on which one you choose, you will have more criteria to meet.
Authorised Economic Operator Customs Simplification
Authorised Economic Operator Customs Simplification (or simply AEOC for short) has a primary focus on the importing of goods and the use of special procedures. If you want to obtain AEOC status, you have to fulfil criteria pertaining to customs compliance, finances and the recording of documents.
AEOC status gives companies lots of different benefits, such as a faster application process for customs simplifications. Simplified Customs Declarations will allow the certified trader to speed up the process of customs clearance, as some supporting documents typically looked at will be allowed to be left out. In fact, document checks at the border in general will occur fewer times than usual as customs will know you are a trusted trader. This also enables customs to utilise their resources more effectively, as they won’t have to take too much of their time investigating you and your products and can instead focus on riskier or potentially harmful trades.
Coupled with that, AEOC certified traders will also have a lower risk score, which will reduce the number of checks customs carries out on your documents and/or goods. So if you are a business that participates in international trade and has an interest in expediting your trade process, AEOC certification may be the one for you.
Authorised Economic Operator Security and Safety
This type of AEO status (abbreviated to AEOS) is mainly applicable to exporters as the focus is on the security of your goods and of the supply chain. As you can probably guess from the name, AEOS has an even bigger emphasis on all manner of security, cyber included.
Much like AEOC, customs checks will become a lot faster and a lot simpler as AEOS traders will also obtain a lower risk score. Unique to AEOS, though, is that certain declaration requirements are excluded to make the process more efficient. This means that if you are making an entry or exit summary declaration, there will be fewer required criteria, which makes the process much quicker.
Finally, another nice bonus is that any goods you have consigned will receive priority treatment when it comes to them getting inspected by customs. This will create a more streamlined process for you and your company, allowing your business to continue to grow and improve as customs-related shipments will be sent out at a record pace.
Authorised Economic Operator Full
Whilst I did say there were only two options, for interested businesses, you can actually get a certification for both of the above types of AEO. Authorised Economic Operator Full, or AEOF, is a combined status that comes with all of the above benefits in only one certification.
For further information on the Authorised Economic Operator statuses you can apply for in the UK, see the government website.
How do you get Authorised Economic Operator UK status?
To become an Authorised Economic Operator in the UK, you must first undertake the Authorised Economic Operator – Self Assessment Questionnaire (AEO-SAQ). The questionnaire contains the requirements you need to meet to obtain AEO status and is designed to provide HMRC with additional information about your company. One of those factors is protection of your computer systems. Without strong Cyber Security, your business will fall prey to cyberattacks and it’ll be harder to succeed in getting AEO certified. Don’t worry, however; we’ll help you. The following section will go over IT security-related topics that will arise in the AEO-SAQ.
A large portion of the AEO-SAQ asks about the security measures you’ve put into place to protect your systems from any unauthorised intrusion and what you’ve done to secure documentation and information. This includes attaching an updated safety plan which not only covers protection of your computer system but also covers loss and destruction of data. Business continuity/disaster recovery plans and back-up routines are also beneficial to show, as they prove that even if there were to be a cyber incident, the company can recover quickly and minimise damage. HMRC needs this information to know that, if you were to be a trusted trader, you wouldn’t compromise the supply chain. If they know you aren’t susceptible to breaches, they will be more confident that you are able to become AEO certified.
Alongside that, to become an Authorised Economic Operator, you must show how frequently you or a security company (such as ourselves) test your system against unauthorised access. HMRC will also want to know about the security measures you have in place regarding firewalls, anti-virus software and protection against malware. To assess this, a security company will undertake an external penetration test. This involves the tester hacking into your systems to gain access to any sensitive information they can find. Since they will be playing the part of an attacker, they will also discover any potential methods a real cyber criminal could take when hacking into your systems.
The results of the test will be sent back to you as a report. This report will break down the system’s vulnerabilities and give appropriate recommendations to remediate any issues that appeared during the test. When an HMRC official arrives at your company for further inspections, they will ask for evidence that details the risk and threat assessment undertaken and the results of that assessment. As detailed earlier, it is imperative you show them this, as without it you may be rejected from acquiring AEO status. The results of the penetration testing will help you form an updated safety plan, which can be used as evidence for this section of the inspection: by detailing the new measures you have in place, you give the HMRC official reason to trust that your company puts a strong emphasis on security.
Access rights procedures also have a high priority for this section of the AEO questionnaire. HMRC will ask you about procedures such as how authorisation for access is issued and the level of access employees have to the computer systems. This is important as access to sensitive information should be limited only to employees who are authorised to change the information stored in your databases and should only be accessible on a need-to-know basis. The format for setting/changing passwords is also required on the questionnaire, as HMRC will need to know how frequent the password changes are and which member of staff is in charge of issuing the new passwords. Finally, another important aspect of this section is the process of removing, maintaining and updating your users’ details. HMRC will also want to see that access rights are immediately revoked if an employee is terminated or transferred. If all of these procedures are in place and working efficiently, you will show HMRC that your company handles sensitive data appropriately and carefully, increasing your chances of becoming an Authorised Economic Operator here in the UK.
For companies seeking to obtain Authorised Economic Operator (AEO) status, partnering with experts can significantly streamline the process. Gaston Schul specialises in assisting businesses with their AEO applications (Sencode can help with the intrusion review as part of the AEO application), ensuring they meet all the requirements set by customs authorities. Sencode has worked with Customs & Trade companies that have directly benefited from Gaston Schul’s services.
For more information on the requirements associated with obtaining an AEO certification, here’s the link to HMRC’s notes on the AEO – Self Assessment Questionnaire.
Conclusion
The journey towards obtaining Authorised Economic Operator status in the UK is a long and arduous one, requiring the dedication and support of all departments in your company. By putting an emphasis on IT security, you will be able to protect your company from internal and external threats and show customs that you are an organisation to be trusted. Through regular penetration testing, up-to-date security measures and well-regulated access rights procedures, the road to AEO certification will become a smoother process and your company will soon benefit from achieving that status.
If you are a company applying for AEO status and are in need of a risk and threat assessment, then contact us at Sencode Cyber Security. With a penetration test from us, your company will be well on its way to getting the certification it wants!