Scott Rafferty Comments


SUMMARY: ACUS should conduct further research on third-party certification, especially if the current draft study can only support a consensus around recommendations that are qualified and incomplete. Most critically, ACUS needs to include views from the private sector, including companies that have made third-party certification succeed – often prior to any regulatory mandate. Further research may also show that, contrary to the apparent skepticism of public servants interviewed for this study, third-party certification can both “leverage government resources” and improve regulatory effectiveness. The study’s limited discussion of transparency does not explain or resolve the conflict between complete public disclosure and the confidentiality that privately-funded safety inspections have traditionally enjoyed. Research should also support more specific recommendations to address public participation in rulemaking, which can be seriously impeded by the complexity of the relevant standards and their copyrighted status. The limitations of current programs often reflect inconsistent or inadequate statutory authority, so ACUS should make recommendations to Congress, such as models for statutory language enabling this collaborative approach to regulatory enforcement. The Conference should conduct empirical research into certifications that have been required by consent decrees, which are typically backed by judicial supervision. These are models for preventive certification programs. Clearer statutory authority is necessary to empower agencies to provide incentives for compliance equivalent to judicial enforcement of a consent decree.1

The new draft recommendation (at 1) identifies “shifting [costs] to regulated entities” and “extending the reach of regulators” as the only “two broad reasons” to support growing use of third-party programs. See also Report at 3, 51, 54; Rec. Nos. 2(d) & (e). For Congress, such an “endorsement” is a kiss of death.
1 Since revisions dated October 5, 2012 to the draft report are not redlined, I have not been able to update these comments to reflect all relevant changes. I have, however, reviewed the draft recommendation dated October 5, 2012.
Dear Chairman Nisbet:
Thank you for the opportunity to comment on Professor McAllister’s draft report of September 12, 2012 and the draft recommendations dated October 5, 2012. In order to make these comments timely for consideration by the Committee, I have dispensed with the level of citation that I would normally supply. I have refrained from identifying specific individuals or companies upon whose views I have relied. I also want to stress my high regard for Professor McAllister’s scholarship, particularly her excellent prior article. My concerns relate primarily to the terms of reference that the Conference has given her, which appear to have led to weak and sometimes erroneous conclusions. Any implied criticism of Professor McAllister is unintentional.
Third-party certification promotes a more collaborative approach to risk management, which appeared to be why this project was assigned to the Collaborative Governance Committee. However, the background to the request for proposals began by describing “third-party certification” as “a way of leveraging government resources while still achieving regulatory objectives.” Government audits and inspections funded by congressional appropriations cost too much and often deliver insufficient assurances that regulated parties are in full compliance. It is undoubtedly the case that a government agency may often use third-party certifications to lower its costs of ensuring compliance with its requirements, whether they relate to procurement or regulation. The recommendation preamble (at 1) suggests that these programs may “shift[] costs … to regulated entities and thereby conserve government resources.” But merely shifting costs is not collaborative governance; nor – unless the shift reduces or more efficiently distributes these costs – is it sound economics.
The request for proposals asserts that Congress is “enthusiastic” about third-party programs. But in 2011, Congress substantially retrenched the CPSIA, largely in response to complaints from industry. This was less than four years after its enactment in the wake of deaths from Chinese melamine. To suggest that these programs merely shift regulatory costs to the private sector could lead to further congressional opposition. Indeed, third-party programs may be more vulnerable to congressional intervention than direct inspection programs staffed with appropriated funds.
Branding third-party certification as simply an attempt to shift costs out of government is also inaccurate. The draft report and recommendations ignore the reality that private firms, some with great commitment and success, already use third-party inspectors to manage risks to the safety and quality of their products. In a few
Rafferty Comments on Third-Party Programs, page 3.
dramatic cases, such as the consent decree that resulted from the 1974 Kepone contamination of the James River, government originated these certification requirements. In that case, Allied Chemical soon embraced the controls in its corporate culture, and never experienced another large-scale environmental catastrophe.
Standardized quality management usually relies on the principles of ISO 9000 (and its many derivatives). Third-party certification is often a central element in these systems. These methods originated as a U.S. Government specification (MIL-Q-9858) designed in part to shift the costs of proving the quality of munitions onto the producers. As also expected, this increased reliability. In the past 50 years, adoption of ISO 9000-based systems has spread globally – almost always to protect private stakeholders. Regulatory compliance is seldom the only, or even the primary, benefit of either quality control or risk management. Of course, industry can also benefit when it obtains a measure of flexibility in determining how to prove its own compliance with governmental requirements. To the extent that industry can find ways to be more efficient than government in conducting inspections, collaborative risk management reduces total social costs. It may also be possible to design collaborative, but rigorous, approaches to regulatory enforcement that can respond more quickly to technological and economic change than can inspections that are funded and conducted solely by government. As important, an inspection regime funded by the regulated parties increases allocative efficiencies. The marketplace allows these regulated parties to pass their costs of assuring safety and quality on to the affected consumers. By contrast, funding from general revenues spreads regulatory costs without full regard for the distribution of benefits. In a time of fiscal austerity, which affects both government and the private sector, these increases to both productive and distributive efficiency are critically important to the competitiveness of the American economy.
This gap in the study design is puzzling, because Chairman Verkuil has expressed, in strong terms, his personal belief that the collaboration of regulatory compliance with private risk management could be as significant an innovation to the administrative process as negotiated rulemaking or alternative dispute resolution. ADR and reg neg are among the greatest legacies of the Administrative Conference, but these recommendations did not emerge instantly. Unfortunately, given the state of the supporting research and draft recommendations, any consensus at the December plenary is likely to be guarded and qualified -- if not unduly pessimistic -- about the benefits of third-party certification. The Conference simply does not yet have bases in fact and legal analysis to support the strong recommendations that this topic requires if agencies are to realize its full potential. As Professor Lubbers’ question in committee made clear, there is no basis to make recommendations to Congress. Yet limited or uncertain statutory authority may be the largest obstacle to successful third-party
programs. Agencies need stronger, clearer authority to delegate to private auditors and to create the essential incentives and penalties for regulated parties.
Professor Leslie McAllister is a pre-eminent expert on this emerging subject. Her prior article on the topic, 53 B.C. L. Rev. 1 (2012), is at least as informative to this project as the study that the Conference later commissioned. The earlier article emphasized that “greater governmental reliance on private auditors [can] enhance the achievement of regulatory objectives,” that it is “a form of public-private governance, and that it has the potential to cost-effectively improve the implementation of … regulation.” Yet, the current study ignores private benefits and emphasizes regulatory risks, as if cost-shifting is the primary effect. This new conclusion acutely prejudices Congressional interest in providing the new statutory authorities that agencies need to make this innovation work.
The draft of her current paper is beautifully written. It hews faithfully to each of the formal requirements in the scope of work in the request for proposals. Unfortunately, the design that the Conference gave her has some very significant limitations and biases. Most importantly, it does not include any input from the private sector, even though leading-edge companies had previously made themselves available to the Conference on this very subject. The scope of work fails to ask when and why third-party certification is more appropriate than other forms of self-regulation, or to provide context by describing other alternatives to direct auditing by federal employees.2 It excludes state experience, even though Professor McAllister’s prior article focused on a California program. (Indeed, this state program was her most compelling evidence that third-party certification can increase both economic efficiency and regulatory effectiveness.) The project design does not inquire into the important role of liability rules, which give some producers an interest that complements, rather than conflicts with, regulatory effectiveness. The scope of work proposes a “representative sample” of federal programs. This ignores their small number and great diversity. Most existing programs – whether initiated by agencies or by industry -- have learned lessons of potential value to new efforts. But complex variations in their objectives (and great differences in their scale) prevent any meaningful tabulation of answers to each of the enumerated questions presented in the scope of work.
Given the limitations of the project design, it is not entirely surprising that the new research does not fully reflect Professor McAllister’s prior enthusiasm for third-party certification. She now concludes that these programs “add complexity and principal-agent problems to the regulatory process” (at 63), may impede “consistency”
2 She discusses self-declaration at page 61, but not more complex forms of collective self-regulation, such as those implemented with the nuclear, health care, and financial industries.
(42, 45) and are “costly and slow” to set up (62). These issues may arise in specific programs, due either to flaws in their design or challenges that are intrinsic to their objectives. But generalized, these pessimistic assessments lead Professor McAllister to a very negative overall conclusion: “When noncompliance … involves significant risks to health, safety, and other interests, a third-party program may be … less suitable.” (52)
In reality, a program based on standardized third-party certifications can be designed to be more rigorous, more consistent, less costly, and more responsive than government inspection. Professor McAllister accurately reports a view within the public interest community that any state or foreign government employee is a better food inspector than any private third-party, because of increased expertise and accountability. (51 & fn.357) There is another view. An auditor that Costco has chosen and can fire may well be more reliable than a Chinese government official. For reasons that the Conference needs to research, Costco’s safety standards are far higher than those required by the FDA, to which it opens all its records. Anyone who has viewed the Georgia state inspections of Peanut Corp. of America may well ask why the FDA continued to rely on this state “partner.” For state programs, the answer may be political. Diplomatic constraints may make it even more difficult to influence (or reject) inspection regimes run by a foreign government.3
The final paragraph of the preamble advises agencies to “incorporate existing standards” “when possible.” Recommendation 5(c) suggests that an agency “can supplement those standards with program-specific rules,” giving the example of additional “accreditation rules.” Any preference should be reserved for consensus standards, developed with due process, not standards created by individual companies or consortia. The Conference should also advise agencies not to hesitate to supplement or alter the substance of the certification. An existing conformity assessment may not be designed to meet regulatory needs. Efficiencies are realized whenever the agency uses the consensus standard as the basis and framework for its regulatory certification, even if it requires additional attestations or greater rigor in testing. The CPSC routinely modifies industry standards or accepts them only in part; it is anticipated that FDA will also increase substantive requirements.
The Conference has sponsored a great deal of research in this area, including Rec. 78-04 (“Interaction with NGOs in Developing Health and Safety Regulation”), Rec. 94-01 (“Audited Self-Regulation”), Rec. 89-01 (“Medicare Peer Review Organizations”), “Cooperative Implementation of Federal Regulations,” “Self-Implementation as an
3 State and foreign governmental “partners” have diplomatic and political defenses to discipline or withdrawal of recognition, notwithstanding the formal provisions of FSMA noted in the draft (fn. 67).
Alternative to Direct Enforcement,” “Innovative Techniques in Regulation” (1980), “Performance Standards,” and the Colloquium on Regulatory Design. The Conference is free to disregard these studies as precedents, but a better course would be to explain, revise, or distinguish its prior work. The Conference should make these documents, many of which are out-of-print, available to the public during the comment period.
The Conference should also place this approach toward regulatory enforcement in the context of its broad historic commitment to collaborative governance. It is a fallacy to argue that government inspections are always more rigorous and more reliable than private risk management. USDA and DoD have long submitted their own food safety laboratories to private4 accreditation. Two years ago, FDA’s 13 labs joined them, concluding that independent accreditation “provides additional transparency and acknowledgement.” Without using private accreditation, the tiny staff of CPSC could never have recognized hundreds of laboratories throughout the developing world. The Food Safety Modernization Act (FSMA) requires the FDA to follow the example of CPSC’s success. Professor McAllister focuses on the reverse example of NRTLP in the Labor Department, which uses quarterly inspections by its own employees directly to recognize 16 private laboratories according to government-unique standards. This is an outlier, and may represent the largest scale of direct lab accreditation ever attempted by a regulating agency.5
Since the Conference is a “public-private partnership,” the failure to interview regulated entities and auditing organizations may be the most fatal gap in the Conference’s research to date. Professor McAllister interviewed 20 government officials, one NGO, and the chairman of one accrediting organization, and no regulated party or private auditor. Their specific contributions are not identified within the article, but may account for some unduly skeptical views about delegating proof of regulatory compliance to the private sector.
Skepticism often assumes that private inspections are automatically suspect because of their “commercial” purposes. In The Costs of Accidents (1970), Judge Calabresi explained how tort liability rules could reduce social costs by promoting the socially optimal level of preventive measures. Thus, private companies who conduct
4 I note Mr. Gillerman’s concerns about characterizing consensus organizations as entirely “private,” since they include some members of governmental or international organizations.
5 NIST provides accreditation services to other federal agencies, also using consensus standard ISO 17025. The FCC directly accredits some foreign laboratories, as Prof. McAllister notes.
inspections to minimize tort liability are often acting in concert with regulatory purposes, provided that well-designed liability rules place the social costs of violations on the regulated parties. Unfortunately, liability rules do not always function effectively with regard to all producers, particularly when the industry is fragmented or the supply chain is globalized. Regulatory programs can extend and enhance the economic incentives provided by tort liability.
The study fails to analyze long-standing successes overseen by federal agencies that are among the most eager to support this research.
(1) The most widely-known program of all is the attestations required by the Securities and Exchange Commission. For seven decades, these attestations were regarded as a gold standard in reliability. Generally accepted accounting principles were designed and maintained exclusively by a private body. The reforms required by Sarbanes-Oxley and Dodd-Frank need to be reviewed for their potential applicability to other third-party programs.
(2) It is difficult to imagine safety inspections that the federal government takes more seriously than those conducted by the full-time government inspectors who reside in nuclear plants. Yet INPO, which the Conference studied as a model in Rec. 78-04, continues to enforce some requirements that are more rigorous than the Nuclear Regulatory Commission. The desire to provide additional confidence to state utility commissions (who may control rates) and to local public opinion (which may influence regulators) may explain some of the additional margin of safety that the industry imposes on itself. Yet, the overriding force behind INPO is the industry’s collective insurance program, which has strong economic interests in reducing the risk of any catastrophic accident. Obviously, this private objective is in harmony with the public interest. Until recently, the NRC general counsel was a member of this Committee with detailed insights into INPO’s complex history under the Freedom of Information Act.
(3) The exclusion of the Joint Commission on Accreditation of Health Care Organizations (“jay-co”) as “outside the scope of this report” is also unfortunate. Professor McAllister characterizes JCAHCO as focused on oversight of procurement and federal assistance. JCAHCO and its predecessor, the Hospital Standardization Program, performed para-regulatory roles more than four decades before Medicare. It continues to be the de facto regulator for hospitals and nursing homes. It is certainly true that, as the federal role in financing health care increased, so did HHS supervision of JCAHCO. Indeed, JCAHCO’s evolution has been studied by two ACUS consultants,
Eleanor Kinney and Timothy S. Jost, with somewhat different viewpoints. Prof. Jost, perhaps the more skeptical of the two, credits JCAHCO with being able to adapt standards more quickly to rapid changes in technology. 51 Law & Contemp. Prob. 15, 30 (1994).
SSA Commissioner Astrue (who was HHS General Counsel in 1989), reports how HCFA resisted regulatory responsibility for 600,000 health care laboratories, which “the FDA would have eagerly taken on.” 51 Law & Contemp. Prob. 75, 77 (1994). Comm. Astrue details FDA’s “adamant opposition to any delegation” and asserts that FDA “invariably sees expansion of its jurisdiction as … desirable.” He describes how, as an alternative to direct FDA control, HHS’s Office of Inspector General grew to 1500 employees within five years. The inspector general is a member of the Conference, and has been eager to discuss this unique role.
Professor McAllister’s discussion of the CPSC’s rule omits relevant historical context, which explains the Commission’s limited authority. Before and after CPSIA, no agency has regulated so much with so few staff and resources. However, except for the accreditation of many laboratories, the program relies on supplier declarations, not “third-party certification” as defined in consensus standards.6
6 Until 1972, the FDA regulated most consumer products, but that enormously broad jurisdiction was dormant. CPSC was created to increase the safety of products that were not subject to jurisdiction of the FDA, OSHA, or the Treasury Department. Except for products designated by Congress, such as cribs and swimming pools, CPSC had only reactive authority. It generally had to make a complex finding demonstrating risk before imposing a standard or ban; this usually happened only after a significant number of accidents. CPSC powers were much more limited than those exercised by the FDA over food, drugs, and medical devices. In 2008, CPSIA expanded the powers of the Commission over children’s products by permitting it to adopt preventive standards subject to testing in laboratories, many of which are accredited third-party labs. Congress also required the Commission to permit “firewalled” labs, which many view as a loophole for large manufacturers.
Congress used the term “third-party certification” regarding products, but the regime does not meet the standardized criteria that Prof. McAllister accurately describes at pages 5-6. It is the manufacturer who attests to compliance with a “supplier declaration,” which is not a third-party assessment. It is also the manufacturer, not the lab, which selects the sample and (in 2013) is responsible for its own testing plan. 16 CFR 1107. The lab simply tests whatever sample it receives. It conducts no facility inspection. The lab engages in no form of “surveillance,” to assure that the product has the quality tested in the sample. This is an essential element of third-party certification, as that term is defined in consensus standards.
Some of the Conference’s most effective recommendations have drawn on the experience of state governments. States have long used third-party auditors, often with great success.
State utility commissions almost always select a private auditor for major utility audits. In many cases, an independent consumer advocate also retains a private auditor. These consultants bring experience from many different utilities, which commission employees can gain only indirectly. The commission often pays the auditors from a regulatory assessment imposed by statute. Utilities sometimes “consent” to pay auditors selected by government, usually out of respect for the substantial discretion that these commissions exercise over rates and licenses. State statutes often give these Commissions broad powers that federal agencies may lack. The important lesson is that agencies may need specific Congressional authority before they can make regulated parties pay for the auditors that they do not select.
Another successful program is state licensing of boilers and pressure vessels, which usually relies on third-party inspectors. Here, the insurance industry plays a critical role because premiums depend on the quality and independence of these inspections. In making recommendations to the FDA, it is important to explain why insurance premiums have not sufficiently affected behavior of food producers to control food-borne outbreaks.
Once a violation has been charged, some agencies use consent decrees to impose the cost of verifying future compliance on the regulated party. Whether periodic certifications are prepared by third-party auditors or by company officials, they are backed by the potential sanctions of judicial supervision. EPA appears often to require long-term or perpetual reporting, but other agencies (including the FDA) use this vehicle infrequently, or require only short-term remedial action.
Accused violators may be motivated by litigation costs or the magnitude of potential fines. It seems likely, however, that they may consent to control the damage to their public and commercial reputations. There is very little empirical research on these regulatory consent decrees. If they can be shown to reduce the incidence of non-compliance, consent decrees offer a compelling model for giving agencies the statutory authority they need to impose these certification requirements generally. Pro-active third-party certification programs would deter, rather than punish, violations.
The prospect of judicial contempt proceedings is a powerful incentive to complying with these consent decrees. For preventive programs to work in the absence of court supervision, Congress will usually have to provide greater statutory powers to the agency, such as penalties. Increased user fees for regulated parties who opt out of third-party programs are another tool that usually requires statutory change.
Congress has mandated the Conference to promote public participation in rulemaking. 5 U.S.C. 591(2). Members of the public cannot meaningfully comment at the rulemaking stage unless they can understand the system of conformity assessment. Some principles may be complex, but when consensus standards are used, there are many common elements in the framework. It would be useful for agencies to have access to a more comprehensive general explanation (accessible to laymen), which the agency can tailor to their specific program. This should apply both to product certifications (under Guide 65) and management system certifications (e.g., ISO 13485 for medical devices; ISO 22000 for food processing). The draft study does not explain how management systems are certified, although these standards may be increasingly useful to regulators.
Recommendation 5(a) refers to “reasonable availability [of copyrighted materials] to regulated entities and other interested parties.” This is too vague and limited. All members of the public, without proving an “interest,” should have a timely opportunity to participate in rulemaking, which requires a meaningful summary in the published notice. Copyright does not prevent the disclosure of the essential details of any standards being adopted. More fundamentally (whether or not copyrighted material is involved), there must be an adequate summary that the public can understand.
The draft study does little to analyze the issues raised by unlimited public access to audit reports or work papers. Some agencies provide broad access to the details of official inspections, but most do not. Good reasons exist for this – disclosure may invade personal privacy; may disclose facts about the timing, volume, and techniques of manufacture that competitors or customers could use for commercial advantage; and may reveal auditing patterns that could facilitate evasion. The Conference has provided general guidance in the past (e.g., Rec. 84-06), but it needs to be updated for new technology and refined to address third-party audits.
Industry will make two additional arguments for some confidentiality that are specific to collaborative audits. (1) Auditing principles, such as HACCP, can rely on the “continuous improvement” of goals that can be tailored to an individual facility. Real-time publication of every prescriptive note made in the course of a HACCP audit could threaten legitimate commercial interests, especially because inspections are not uniform and may require proprietary knowledge to interpret. Unlimited publication (or even availability in response to FOIA) could diminish the effectiveness of improvement-based auditing systems. (2) With regard to supplemental aspects of audits that are being used for insurance purposes, some confidentiality from regulators may also be necessary. The NRC, for example, requires INPO to maintain a reading room where its inspectors can review, but not copy, audit work papers.
Input from industry leaders would likely provide the following insights regarding the VQIP:
(1) The proposed incentive may have limited scope since CBP already has programs to expedite food imports – such as expedited delivery and CT-PAT.
(2) VQIP will almost certainly rely on HACCP, with a possible FDA “addendum.” (HACCP is mentioned in the scope of work, but not explained in the study.)
(3) FDA may ultimately need to rely on some (relaxed) form of third-party HACCP certification to support mandatory verification. This may also dilute the VQIP incentive.
(4) The FDA program will substantially increase worldwide demand for qualified auditors. FDA’s ability to change existing industry practices is limited by the ability of regulated parties to find a sufficient number of auditors who understand the changes. There is substantial scope for an initial strengthening of these existing practices, but FDA may be less able to impose revisions in the future. The FDA also needs to harmonize with other importing nations, especially the European Union.
(5) In the past, developing countries have permitted ISO-based inspections to assure the quality of their imports. These may be more acceptable than inspections conducted by officials of importing countries. But restrictions on
independence have already emerged and may increase with the economic and political influence of certain exporting countries.
(6) A few large importers currently have the power to designate auditors who impose standards more rigorous than those likely to be accepted by the FDA. As third-party programs are implemented, exporters will seek to require all nations and importers to accept a single audit for all regulatory and commercial purposes. This would restrict the ability for individual customers to select an additional auditor.
(7) Tort liability may affect the largest importers, but for a variety of reasons insurance premiums have not yet been effective in optimizing preventive measures by smaller entities. Although food-borne illness imposes great social costs, food contaminated before purchase is a very small part of the total food supply. It is rare still that the contamination is diagnosed, and rarer still that one is traced to small importers or retailers, who may not insure against such a small risk. The rarity of traceable contaminations also means that it is uneconomic for consumers to pay any safety premium. Even if accurate, marketing claims about food safety are counterproductive, since they only increase consumer anxiety at the “safer” retailer. Since no premium can be charged, effective safety measures are not proprietary. Those who discover and implement effective measures are generally glad to have their innovations adopted by their competitors.
(8) At present, industry leaders in food safety are a subset of those large firms that have experienced a fatal outbreak in the past. These leading companies have a deep commitment within their corporate culture that is not attributable to economic factors or even to concern about their public reputation.
There are many other private-sector insights that further research can and should develop.
I look forward to the Committee’s meeting on October 15, 2012 to discuss the proposed recommendations.
Scott J. Rafferty