Assessing Risk and Ensuring Compliance with the Consumer Product Safety Improvement Act
The Consumer Product Safety Improvement Act of 2008 (CPSIA) became law in August of 2008. The CPSIA dramatically alters the original Consumer Product Safety Act (CPSA) which was first enacted in 1972. The CPSIA greatly expands both the authority and the resources of the Consumer Product Safety Commission (the Commission) so that virtually all consumer products made, sold, or imported into the United States are regulated by the amended CPSA. (In this article, the CPSA, as amended by the CPSIA, will be referred to as the “Amended CPSA.”) The Amended CPSA’s provisions apply to foreign and domestic manufacturers, importers, distributors, and retailers of “consumer products.”1 The Amended CPSA significantly increases both civil and criminal penalties for violations, allows for seizure and destruction of imported non-compliant products, and authorizes state attorneys general to file civil actions to stop the sale of products that violate the Amended CPSA. The law thus places new and significant regulatory compliance burdens on all businesses involved with the commerce of consumer products in the United States.
Assessing the risk of non-compliance with the requirements of the Amended CPSA, and the development of a comprehensive program for compliance with the Amended CPSA, are necessities for companies large and small. An effective compliance program can protect businesses against risks arising out of the Amended CPSA’s extensive regulatory regime. This article first discusses threats to companies doing business in the United States and then presents a program for risk assessment and compliance with the Amended CPSA.
Amended CPSA Risk Exposure
Businesses that do not comply with the Amended CPSA’s mandates are exposed to a number of significant risks. These include the following:
- Civil Penalties – The maximum penalty for individual violations of the Amended CPSA is increased from $8,000 to $100,000. The ceiling on civil penalties for a related series of violations is also increased from $1.825 million to $15 million.2
- Criminal Penalties – Directors, officers and agents of businesses dealing in consumer goods face personal criminal prosecution for knowing and willful violations of the Amended CPSA.
- Criminal penalties are increased from a maximum of one year of imprisonment to five years of imprisonment. (Elevating criminal penalties from misdemeanors to felonies also makes it more likely that the Department of Justice will prosecute violations of the Amended CPSA.)
- The Amended CPSA no longer requires that directors, officers, or agents have knowledge of a non-compliance notice sent from the Commission to the business before these individuals may be subjected to criminal penalties. (Under the original CPSA, corporations, as well as their individual directors and officers, could only be held criminally liable if they had first received notice from the Commission of a violation.)
Business Interruption – Failure to comply with the Amended CPSA may result in costly business interruption.
- No business in the chain of distribution may legally sell or distribute in commerce a consumer product that is non-compliant. The Commission can stop the distribution of non-compliant consumer products and, under appropriate circumstances, order the recall of a consumer product and refund of its cost to consumers.
- Imported products that fail to comply with the Amended CPSA must be destroyed at the border unless, by special application, the Secretary of Treasury permits export in lieu of destruction.
- State Attorneys General and Whistleblowers – The state attorneys general in all 50 states are now authorized to initiate civil actions and seek injunctive relief against businesses that violate the Amended CPSA. Further, the Amended CPSA gives expanded “whistleblower” protection to employees who report employer violations. This is in keeping with numerous other federal statutes which protect whistleblowers from retaliation.
Compliance with consumer product safety laws is not optional. The civil and criminal penalties referenced above place a vast number of companies and individuals at risk if they violate the provisions of the Amended CPSA. In order to protect against these civil and criminal penalties, companies should institute a formal compliance program beginning with a company-wide Risk Assessment.
The purpose of a Risk Assessment is multifold: (1) it identifies business operations and consumer products that are at risk of being non-compliant with the provisions of the Amended CPSA; (2) it evaluates the likelihood of specific violations and the harm compliance violations would cause to the company; and (3) it prioritizes the risks in terms of severity and helps to focus the company’s compliance efforts so as to protect against the most significant risks first.
When a company conducts a Risk Assessment, it should seriously consider doing so with the assistance of someone experienced in Risk Assessments and doing it under the direction and oversight of a lawyer – be it in-house or outside counsel. This is particularly important during the initial Risk Assessment process. Current problems and past violations may be discovered, and the company may need time and privacy to design and implement an appropriate response. This is best done with the protection of the attorney-client privilege and attorney work product doctrine. If the company determines that a violation has occurred, counsel can provide valuable assistance with the timing and circumstances of any disclosures.
An organized process is necessary for an effective Risk Assessment and compliance program. A Risk Assessment program typically involves three steps: (1) information gathering; (2) categorizing risk; and (3) analysis, documentation and setting of priorities.
Step One: Information Gathering
The first step in an effective Risk Assessment program is the identification of the Amended CPSA requirements that affect the company and an assessment of existing company procedures for ensuring compliance with those requirements. This begins by gathering the information necessary to understand the products and operations that expose the business to potential violations. This process is designed to achieve a thorough understanding of the company’s products and to identify all risk areas. For Amended CPSA compliance purposes, this begins with the identification of all consumer products with which the business is involved. Once that is known, the company can identify and evaluate its existing procedures for compliance (if any).
There are typically three separate but overlapping aspects of information gathering: (1) an initial consultation; (2) collection and review of relevant company documentation and data; and (3) interviews/surveys of appropriate personnel.
Information gathering should begin with a consultation between the personnel responsible for conducting the Risk Assessment and knowledgeable individuals at the company. The designated company individuals should have (or should be able to promptly arrange) consultations with the persons who have a thorough knowledge of the company’s products and operations.
- For product manufacturers, this may include information from design engineers, operations managers, quality assurance managers, logistics supervisors, and other individuals with knowledge of the product’s design and manufacture.
- Importers and distributors should make available those individuals with upstream supply chain knowledge as well as marketing and sales personnel.
- Retailers will need to make available individuals with similar knowledge of their products and operations.
The different kinds of companies (manufacturers, importers, distributors and retailers) each have varying kinds of regulatory risk exposure. The process for conducting the risk assessment should be designed with knowledge of the company’s products and business operations.
Documentation and Data Collection
The second part of the process involves gathering and evaluating relevant documents and other data. The Risk Assessment should compile supporting materials organized by product and related regulatory requirements. Existing product specifications, design documentation, materials performance testing, quality assurance documentation, customer complaints, product claims, marketing materials, existing compliance procedures and documentation, and other relevant documents should be compiled and organized for later product evaluation. In addition, public information about regulatory and enforcement agency actions relevant to the company’s business should be identified. Knowing where the government is focusing its resources can help a company in prioritizing compliance activities.
Based on the first two steps, the third part of the information gathering process involves interviewing and/or surveying personnel with information about the critical areas of the company’s structure and operations. (See earlier listings of relevant categories and personnel.) These interviews/surveys are intended to clarify the company’s business operations and how they intersect with regulatory requirements, and also to identify potential violations that may be taking place. They should also include a candid assessment of the existence and/or effectiveness of the company’s existing compliance processes. Finally, they should inquire into the potential impact of compliance violations. In order to collect information consistently, a standard interview or survey form should be developed for use during this process.
When gathering information for use in assessing compliance risks under the Amended CPSA, several critical issues should be kept in mind.
- A company’s obligations under the Amended CPSA are defined by its role in the chain of commerce. The Amended CPSA regulates foreign and domestic manufacturers, importers, private labelers, distributors and retailers. The Amended CPSA mandates differ depending on the company’s place in the chain of commerce. For example, importers and domestic manufacturers must meet certification requirements that are not required of foreign manufacturers or retailers. Many, but certainly not all, Amended CPSA provisions are role specific.
- The age of the product’s user is a critical factor in the Amended CPSA’s application. Very important, and often burdensome provisions of the Amended CPSA apply to “Children’s Products,” but not to versions of the same product intended for use by the general population. The Amended CPSA defines a Children’s Product as a consumer product designed or intended primarily for children 12 years of age or younger. The Commission uses multiple factors in deciding whether a product is a Children’s Product.3 It is, however, often difficult to determine if a particular consumer product will be regulated as a Children’s Product or not. Thus, special care is needed to gather all relevant information that will determine whether a particular product is a Children’s Product.
- The Amended CPSA’s scope includes other acts that are also enforced by the Commission. The Amended CPSA expands the Commission’s authority to include all bans, rules, standards and regulations under, not only the Consumer Product Safety Act, but also under the Federal Hazardous Substances Act, the Flammable Fabrics Act, the Poison Prevention Packaging Act, the Refrigerator Safety Act, the Children’s Gasoline Burn Prevention Act, and the Virginia Graeme Baker Pool and Spa Safety Act.
- The Amended CPSA mandates a general conformity certification for manufacturers, private labelers and importers of consumer products.4 Each manufacturer, private labeler or importer of a consumer product covered by this section must certify that the product has been tested, or is subject to a reasonable testing program and complies with all applicable consumer product safety rules.5 There is a partial stay of enforcement for certain certification requirements until February 10, 2010.
Violations of the Amended CPSA fall into two broad categories: (1) Regulated Product Violations; and (2) Product Hazard Defect cases. Information should be collected on potential violations in both categories.
- Under the first category, consumer products must comply with various enumerated standards. They are specific to products or classes of products. Children’s toys, for example, are subject to specific limits as to the levels of lead that are allowed in the lead paint on the toy, or in the actual content of any part of the toy. Similarly, wearing apparel is subject to specific regulations under the Flammable Fabrics Act.
- The second category encompasses more generic defects. Products may violate the Amended CPSA if they contain a “Substantial Product Hazard” – that is a product defect, which because of the defect’s pattern, number or severity of risk, creates a substantial risk of injury to the public.
Step Two: Evaluation of Risk Categories and Level of Risk
Using the information gathered in step one, the next step is to evaluate the risks that a product may violate the Amended CPSA. In a Risk Assessment, the risks of non-compliance should be categorized for individual products or groups of products. They should be ranked and categorized using designations such as “high,” “moderate,” or “low,” or a numerical designation such as “1 to 5.” The risk levels should include an evaluation of the likelihood of a violation of the Amended CPSA and an assessment of the level and type of damage a violation could cause.
Evaluation of Risk
Risk evaluation can be especially difficult due to the complex and often confusing provisions of the Amended CPSA. The application and enforcement of the law has changed since its inception in several key areas, as the Commission has sought to “reasonably” interpret and enforce a law that is complex and often vague and confusing. Companies and their counsel are thus forced to make judgments about how their products are regulated under a law that is anything but clear.
Mechanically, companies should do the following in evaluating the risk of whether their regulated products may be in violation of the Amended CPSA:
- Identify what products are subject to Amended CPSA regulation. Not all products are “consumer products” regulated under the jurisdiction of the Commission. (See end note 1).
- Identify what standards apply to each product. This is a difficult task that requires a complete understanding of both a company’s product and the Amended CPSA itself.
- Identify applicable test methods. This will vary depending on the nature of the product involved. Children’s Products for example, require independent third-party testing that general use products do not. Note that a testing program for general use products must still be a “reasonable” testing program as defined by the Commission.
- Review completed testing. Information should be gathered on all applicable testing. This should include test methodologies, entities performing the tests, date and location of tests, and all actual test data, including results. The absence of any relevant test results must be carefully determined and cured as needed.
- Evaluate results. Once the appropriate standards have been applied to the regulated products, and the testing completed and reviewed, a company will be able to determine the likelihood that a product meets Amended CPSA requirements. Compliance may be difficult to determine for certain products, either because it is unclear what category the products fall into (i.e., Children’s Product or general use) or the product’s use history. In certain situations, appropriate consultation with Commission staff may be useful.
Products not subject to specific standards may still violate the Amended CPSA if they are defective and constitute a Substantial Product Hazard. The nature of the possible product defect, any pattern of product defect, and the number and severity of injuries or other incidents involving consumers, must all be evaluated.
At this point, the company must evaluate the seriousness of the potential violations and the harm to the company that may be caused by any potential violations identified. Based on the likelihood of violation and the potential harm caused, the particular risks can be ranked in appropriate categories which define the level of risk, i.e., high, moderate, low.
Step Three: Analysis, Documentation and Setting of Priorities
The third step in the process is to prepare a written Risk Assessment based on steps one and two. This includes two things. First, a written analysis of identified risks, presented in a concise manner so as to provide clear guidance to the company in identifying risk profiles and in tailoring and prioritizing its compliance activities accordingly. Second, a chart of risk areas together with their level of risk and a brief explanation. The aim is to present the Risk Assessment as clearly as possible so that it can be easily used and efficiently referred to by the company’s senior management and supervisory personnel.6
Finally, the Risk Assessment should make recommendations on the priorities for compliance program activities in the coming year, or quarter. High priority risks concerning violations of the Amended CPSA should be addressed first, followed by moderate and low risks. Recommendations should state the actions that might be required. Depending on the nature and priority of the particular risk, a company may have to take action ranging from further investigation and testing, to modification of current procedures; to training of employees, to self-reporting a potential violation to the Commission, or even the recall of a product.
As a best practice, the Risk Assessments’ recommendations should be presented to and ratified or approved by management, the board or both. In all circumstances, however, the Risk Assessment should be in writing. Documentation of each step of the assessment process is key. The amount of documentation will depend on the size and complexity of the company and its business operations. The larger and more complex the company’s operations, the greater will be the processes that must be documented. For smaller companies, the process can be much simpler. In any event, the Risk Assessment process is a crucial first step in the development of a compliance program.
Compliance and Ethics Program
Due to the complexity of the Amended CPSA and the substantial increase in potential penalties, companies involved in any aspect of the consumer product business should have a comprehensive compliance and ethics program that includes an emphasis on the Amended CPSA. The United States Sentencing Commission has established criteria for evaluating the effectiveness of a compliance and ethics program.7 Those standards are used by most federal enforcement agencies, including the Department of Justice in assessing the programs of companies which come under investigation for regulatory violations. Among other things, an effective compliance and ethics program can demonstrate a company’s good faith effort to comply with a regulatory scheme, thus negating any criminal intent, or disregard of compliance obligations. This can help to reduce or eliminate criminal, civil and/or administrative penalties under the Amended CPSA. In order to get this benefit, a compliance and ethics program must be truly implemented and integrated into the company’s business operations. It cannot be a “paper” program with written standards that are ignored or never implemented.
The Sentencing Commission has established two primary criteria for compliance and ethics programs that apply to any program developed under the Amended CPSA: 1) they must exercise due diligence to prevent and detect criminal conduct; and 2) they must promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. The exercise of “due diligence,” in turn, requires at a minimum that the program include the following:
- written standards and procedures
- involvement by the governing authority and high level officials
- employment and advancement practices that are consistent with the compliance and ethics program and promote an organizational culture that encourages ethical conduct and compliance with the law
- training and regular dissemination of information relevant to the compliance program and its objectives
- monitoring, auditing and periodic evaluation of program effectiveness
- enforcement of the compliance and ethics program throughout the organization, using incentives to encourage employees to perform in accordance with the program and the use of appropriate disciplinary measures for engaging in misconduct
- implementation of appropriate remedial actions to respond to violations and prevent further improper conduct, including modifying the compliance and ethics program
- periodic assessment of the risk of compliance and ethical violations, along with appropriate modification of the program to effectively address changing compliance risks
The Consumer Product Safety Improvement Act of 2008 introduced a broad new array of consumer product regulations. Companies that make, import, distribute, buy or sell consumer products must recognize the risks they face under this complex regulatory regime. A well developed Risk Assessment and related compliance and ethics program can help ensure proper compliance with the new consumer product safety laws, and protect businesses from potentially devastating penalties.
1 “Consumer products” are defined in the Amended CPSA as any article or component part which is produced or distributed for sale to a consumer for use in or around a household, residence, school, in recreation or otherwise. Consumer products do not include tobacco products, motor vehicles or motor vehicle equipment, pesticides, firearms and ammunition, aircraft, boats, drugs, medical devices, cosmetics, or food. 15 U.S.C. 2052.
2 The increases in civil penalties are effective the earlier of August 14, 2009, or when the Commission issues final regulations regarding its interpretation of the factors used in assessing civil penalties. CPSIA, §217.
3 These factors include the age of the consumer that the manufacturer intends the product to be used by, the age of the consumer the product is marketed to, the ordinary consumer understanding of the product’s intended age use, and the voluminous Age Determination Guidelines used by the Commission staff.
4 The Amended CPSA defines “manufacturer” to include any person who manufactures or imports a consumer product. 15 U.S.C. 2052
5 The certification must specify each rule, ban, standard, or regulation applicable to the product. It is not sufficient to use generic language such as “all applicable standards.”
6 A company’s board of directors must also be provided sufficient information to exercise reasonable oversight over and understand the company’s compliance efforts. It is a good practice to present risk assessment information to the board on a periodic basis, so that the board can understand how and why management has established the compliance program requirements it has.
7 These criteria are set forth in the United States Sentencing Commission, Guidelines Manual, §8B2.1 (Nov. 2006).