Using Technology to Enhance Your Consumer Product Safety Compliance Program

Since 2012, the Consumer Product Safety Commission (CPSC) has required companies that have entered into settlement agreements for failure to report under Section 15 of the Consumer Product Safety Act (CPSA) to develop internal compliance programs. Through these settlement agreements, it is obvious that the CPSC considers the implementation and maintenance of a compliance program to be the cornerstone of how a company ensures compliance with product safety rules and regulations enforced by the CPSC.

The difficulty is not in the development and implementation of an effective Product Safety Compliance Program, but in developing a mechanism to review, evaluate and update the compliance program.

So how do you know if your program is up-to-date and if you are using the best process and technology available today? In the early days of CPSIA, many companies built internal systems and controls to track testing and to generate certificates. Many of these systems are 4-6 years old now and were not built to send paperless certificates, as put forth in the rule on “Certificates of Compliance”, 16 CFR Part 1110 (the 1110 rule). At many companies, a review of their compliance program has not been done since 2013 when the CFR 1107 rules when into effect. Failure to regularly review and update all relevant information, which might impact the compliance of your childrens’ product, negates the effectiveness of a Consumer Product Safety Compliance Program.

Perform an Audit

To begin the review of your current product safety program, an audit must be conducted to assess your product safety readiness, including your current systems, operations and technology platforms. During the review, charting the incoming data to technology, processes and the people involved, should be conducted. Knowing where all of the compliance related data for the company is stored, and how it can be accessed, is important when information is needed quickly. In the event of an incident, the decision to report under Section 15(b) to the CPSC needs to be made quickly, so knowing where to find your data is essential.

Map Your Incoming Data to People, Process and Tools

The next step is to chart your processes so that incoming product data will be available to effectively support your Product Safety Compliance Program. This data should be collected from the design stage through final product delivery to consumers. Is there a proactive approach to compliance so that you can quickly react to incidents reported by consumers who are using your products, once you are made aware of them? You may have data residing on in-house developed systems, 3rd party applications, vendor sites or web applications like Dropbox or SharePoint. Your goal should be to maintain and enforce a system of internal controls and procedures to ensure that your company can promptly, completely, and accurately report the required product information to the CPSC if necessary.

  Incoming flow

Sources to Discover Safety Related Incidents

There are many sources to discover safety related incidents. Do you have process and technology tools in place to capture these? How are these issues escalated and what platforms do you use to review, research and document issues brought to your attention? Many companies today use online help desk platforms to log customer service inquiries and most of the top programs today have an API connection so that you can bring in items from Facebook and Twitter. Application program interface (API) is a set of routines, protocols, and tools for building software applications. An API specifies how software components should interact and APIs are used when programming graphical user interface (GUI) components. So when looking for new technology platforms, look for ones that have the ability to use an API to connect to other applications or to bring or send data to your systems or compliance program.

Escalation Policy

Your internal company communications policy should be set up to enable management to quickly be informed of any safety related incidents or quality issues.This policy should start with the appointment of a company compliance manager and notification/training to your staff on your escalation policy. Do you have your systems set up to capture safety related incidents and route them to the compliance manager/director? A lot of programs today utilize a smart rules feature so you can escalate a category type such as safety and quality so that these items can be routed directly to your compliance manager the minute they are created. It is important to note that with or without a technology solution, you must train your customer service staff  to recognize safety related issues and direct them on proper incident handling protocols and company polices so they are prepared to escalate to management when discovered.

Identify Your Training Platform

During the  review of your compliance program you should identify and document the communication platform that you will use to train your staff, contractors, stakeholders and board members on your company’s compliance policies. Will it be all-hands meetings, video conferencing or 3rd party apps, and how will you capture proof of attendance? You should embed this training for new hires if they work in an area related to purchasing, testing or customer service, and a confidential reporting process should be part of this training so you foster a proactive approach to safety.


Many companies which have been in business for some time find that their data is spread out over legacy systems, shared drives, company servers or staff computers. In your audit you should identify where all of this data is stored and how it is backed up. Cloud based applications and storage solutions are much more cost effective today and offer increased security over dedicated IP-based servers. You should have a data migration plan for migrating or storing data when systems are upgraded and know where to find archived data. If you have an IT department, make sure your document retention policy is inline with CPSC requirements, which is 5 years, and integrate your company email retention policy with your compliance program. Educate your employees on proper storage of files and documents.


Think outside the box

When developing your compliance program there is no one-size-fits-all approach. After completing an audit of your current program you can then identify possible technology solutions to adopt or to fill the gaps in your current systems. Keep in mind that your compliance program should  encompass your company’s product testing and certification program so that compliance with all applicable federal and state children’s product safety rules and regulations is ensured. The days of using Excel spreadsheets solely for the documentation and implementation of your compliance program are quickly ending, but there are many great solutions available out there today, you just need to find the one that best works for you.

For more information on a conducting compliance program audit or help with creating your CPSC Compliance program please contact us by visiting the Jacoby Solutions website.

Is Innovation Key to Compliance Best Practices?

FEBRUARY 28, 2012 BY 

innovation and compliance best practices

Can compliance be innovative? Or can innovation inform your compliance program? Can some of the techniques and strategies of the world’s most innovative companies be brought to bear in the field of anti-corruption and anti-bribery?

I thought about those questions, and perhaps some others, while reading the March issue of Fast Company that had a cover title of “The World’s 50 Most Innovative Companies.” In his column, editor Robert Safian wrote about the “The Lessons of Innovation.” He said in reviewing the Top 50 most innovative company, he drew eight key themes. As I read these I thought about them and their relationship to compliance. So with a tip of the hat to Mr. Saflan, here is my compliance spin on his eight key themes of corporate innovation.

1. Compliance should be a strategy, not a tactic. Starbucks recognized that profit alone is a “fairly shallow aspiration, and it’s not enduring.” Most people want to do business with companies that do not engage in bribery and corruption. Indeed the U.K. Bribery Act enshrines this in its Six Principles of an Adequate Procedures by stating that a company should only conduct business with other ethical companies.

2. Big companies need to be as nimble as small companies. Safian notes that the top four companies: Apple, Google, Facebook and Amazon all continue to “drive the agenda across the global economy.” This should also be true of your compliance program. You need to use the tools available to you to update your risk assessment if you move into new business lines, products or geographical areas. Similarly if one of your competitors comes under anti-corruption scrutiny, you should review any similar practices that your company might have, such as its sales model or vendors in the supply chain.

3. Technology is disruptive in unexpected places. Here Safian gives the example ofLegalZoom, which is “challenging the definition of a law practice” by providing useful legal forms and documents to consumers. In the compliance arena, the number of technological innovations is as broad as it is deep. Companies like Catelas and Visual Risk IQ have developed software products that can allow review and assessment of a large number of data points or other quantitative data. You can even get apps for smartphones that allow submission of expense requests directly to your compliance department.

4. Compliance is a competitive advantage. Apple has never been publicly reported as going through a Foreign Corrupt Practices Act (FCPA) investigation. What is their stock price today and is it still undervalued? Even when it recently received negative publicity regarding its manufacturing facilities in China, it responded quickly and brought in an outside monitor to assess and report. Apple also annually assesses its third-party vendors and makes that report public. Do you think that keeps vendors on their collective toes? You bet it does.

5. Use of social media makes compliance better. My former speaking cohort, Stephen Martin, then General Counsel for Corpedia, often spoke about Code of Conduct 3.0, which is a web-based interactive tool that helps guide employees through a code in an interesting and stimulating manner.

The same is true of training. You no longer need to simply have a video conference to deliver compliance training around the world. Companies like Click4Compliance have interactive, web-based solutions that you can utilize. I noted above about the smartphone app that allows employees from around the world to submit expense requests to the compliance department and receive an instant response back from an assigned compliance team member.

document compliance best practices

6. Data is power. If you don’t document it, you can’t measure it. If you don’t measure it, you can’t assess it. If you don’t assess it, you can’t improve it. That is how an engineer tends to look at things. In the compliance world, if you don’t document it, it never existed (Cue drum roll for: document, document and document). Both are true. You have to document things to prove that you actually did them. But if you do not have data, you cannot determine if your corporate compliance program is successful or improve it.

7. Money is flowing. Here, Safian does not mean necessarily that more funding is available. However, in the compliance world, what I believe that this means is forces, other than legal compliance.

For example: the U.S. Department of Justice (DOJ) or the U.K. Serious Fraud Office (SFO) enforcements are beginning to drive compliance. Insurance companies have developed insurance coverage for FCPA investigations; D&O insurers are requiring companies to have a compliance program to cover directors and officers sued in shareholder derivative actions based upon admitted FCPA violations; and perhaps most interestingly, banks and other financial institutions are reviewing anti-corruption compliance programs to determine if they meet minimum best practices and then writing maintenance of these programs into their loan covenants.

8. Copycats are history. Safian notes that emerging market entrepreneurs aren’t just following the successes of others, they are creating new, distinct models. In the compliance arena I believe that out-of-the-box solutions are no longer best practices. Companies need to assess their specific compliance risks and then design programs to specifically manage those compliance risks.

If your company uses a sales model of agents, one type of compliance management strategy may need to be employed. However, if your company is a manufacturing company that sells through distributors, another compliance management strategy may be required. Do not simply purchase a compliance program off the shelf. Either design it to fit the needs (and realities) of your business model or work with an expert who can do so.

The innovation angle is not one that is usually in the front of the line at compliance conferences or in thinking through compliance programs. But if you listen to Lanny Breuer, Chuck DuRoss or any other DOJ speaker, they continually talk about evolving best practices in anti-corruption compliance. Any reader of deferred prosecution agreements (DPAs) from the past 18 months is well aware of the changes in focus that the DOJ has in these documents. Certainly, many of the compliance techniques are driven by the compliance challenges in the individual companies.

But if your company has engaged in mergers and acquisitions, why would it not follow the “enhanced” compliance guidance found in the Johnson & Johnson DPA and train all high-risk employees within 12 months of acquisition and perform a full compliance audit within 18 months of acquisition? So my conclusion is that innovation in the compliance arena is key. As compliance programs mature and as companies mature in their approach to compliance, innovation will continue to lead best practices.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at © Thomas R. Fox, 2012