Agency Use of Third-Party Programs to Assess Regulatory Compliance

Publication Date
December 6, 2012

Federal agencies in diverse areas have developed third-party programs to assess whether regulated entities are in compliance with regulatory standards and other requirements. Through these programs, third parties assess the safety of imported food, children’s products, medical devices, cell phones and other telecommunications equipment, and electrical equipment used in workplaces. Third parties also ensure that products labeled as organic, energy-efficient, and water-efficient meet applicable federal standards. In these regulatory third-party programs, regulated entities generally contract with and pay third parties to carry out product testing, facility inspections, and other regulatory compliance assessment activities in the place of regulatory agencies. Regulatory agencies then adopt new roles in coordinating and overseeing these third-parties.[1]

In some areas of regulation, Congress has directed federal agencies to develop a third-party program; in others, regulatory agencies have developed programs under existing statutory authority. A third-party program is just one of many regulatory approaches that Congress and agencies may adopt.[2] Regulatory objectives may, for example, be adequately met by requiring regulated entities to self-assess and report their compliance (sometimes referred to as “first-party certification”). Also, statutory restrictions on information disclosure or other legal restrictions may preclude an agency from using third parties to conduct inspections and other compliance assessment activities. Some compliance assessment activities may be inherently governmental, and thus require performance by government personnel.[3]

Several broad reasons support the growing use of third-party programs in federal regulation. In many areas, federal regulatory agencies are faced with assuring the compliance of an increasing number of entities and products without a corresponding growth in agency resources. Third-party programs may leverage private resources and expertise in ways that make regulation more effective and less costly. In comparison with other regulatory approaches, third-party programs may also enable more frequent compliance assessment and more complete and reliable compliance data. Because agencies can authorize third parties located in other countries to undertake assessment activities, third-party programs may be particularly effective when regulated products or processes are international in scope.

Regulatory third-party programs raise a host of important questions. Because third-party programs represent a partial privatization of the public function of implementing and enforcing regulatory law, they are a form of “public-private governance,” in which private actors play roles that are traditionally viewed as governmental in nature.[4] While third-party programs may increase regulatory compliance or otherwise improve the performance of regulated entities and products, these programs also pose risks.[5] If they are not well-conceived and well-operated, they may both undermine the achievement of regulatory goals and impose unnecessary costs on agencies and regulated entities. 

Frequently, regulatory third-party programs use the practices and terminology of a conformity assessment framework that has been developed by international private-sector standards organizations. “Conformity assessment” is defined in international standards as the “demonstration that specified requirements relating to a product, process, system, person, or body are fulfilled.”[6] International standards also set forth how the organizations that conduct conformity assessment – “conformity assessment bodies,” which are usually private organizations – should operate. International standards have been developed for various types of conformity assessment bodies, including testing bodies, certification bodies, and inspection bodies.

Recognizing the assessment of regulatory compliance as a form of conformity assessment, many federal agencies that have established third-party programs have relied on conformity assessment standards and bodies. Agencies may require, for example, that third parties that certify conformity with regulatory requirements operate in accordance with the international standards for certification bodies. Federal agencies may also require that the third parties be accredited by accreditation bodies that operate in accordance with international accreditation standards. Accreditation bodies are established in many countries, and they may be either private or governmental.

Agencies that establish third-party programs generally cannot or do not delegate their regulatory authority to conformity assessment bodies. Rather, agencies authorize conformity assessment bodies to perform certain technical tasks to assess conformity, and regulatory agencies rely on these assessments in their own enforcement of regulatory requirements. The goal is to leverage private expertise and resources to serve regulatory objectives. Because the regulatory agency must remain ultimately responsible for achieving regulatory objectives, it is vital to provide public oversight of third-party assessment activities.

A key resource for agencies considering a regulatory third-party program is the National Institute of Standards and Technology (NIST), which has the responsibility under the National Technology Transfer and Advancement Act of 1995 to coordinate government conformity assessment activities with similar activities of private-sector entities, with the goal of avoiding unnecessary duplication and complexity.  Following Office of Management and Budget (OMB) Circular A-119, NIST published guidance in 2000 for federal agencies on conformity assessment activities.[7] NIST: (1) provides advice, solutions, and program support for development of technical standards and conformity assessment programs to support agency missions; and (2) develops and conducts customized standards-related workshops and educational events for government.

Recognizing the growing use of third parties and the issues it raises, the Administrative Conference makes this recommendation to assist federal agencies in determining whether and how to establish third-party programs to assess regulatory compliance. The Recommendation first suggests that, when considering a third-party program, agencies should consult relevant governmental and nongovernmental resources. Next, agencies should compare the advantages and disadvantages of a third-party approach to a more traditional approach of direct governmental compliance assessment. Also, if an agency is considering a program in which regulated entities could choose whether to contract with a third party for regulatory compliance assessment, it should first determine that regulated entities will have sufficient incentives to choose to contract with a third party.

The recommendation then sets forth considerations for agencies after they have decided to establish a third-party program. An agency should design conformity assessment programs to be proportional to the risks associated with regulatory noncompliance. When regulatory noncompliance implies serious risk to public health, safety, or other important values, third-party program rules should guarantee a high degree of rigor and independence. When possible, the agency should incorporate existing conformity assessment standards, which may avoid unnecessary duplication and create efficiencies for both agencies and regulated entities. The agency should also ensure appropriate government and public access to information about program operation. Finally, the agency should undertake appropriate oversight activities to ensure that the third-party program fulfills its regulatory purpose.


A.  Considerations for a Federal Agency When Deciding Whether to Develop a Third-Party Program to Assess Regulatory Compliance

1.  Resources. When considering whether to develop a third-party program to assess regulatory compliance, the agency should consult governmental and non-governmental resources relating to third-party conformity assessment, as appropriate. These include, but are not limited to, the National Institute of Standards and Technology (NIST); private conformity assessment standards, particularly the standards of the International Organization for Standardization (ISO); and conformity assessment bodies, for practical input on feasibility and the impacts on the regulated entities.

2.  Compare Regulatory Approaches. The agency should compare a third-party approach with direct governmental assessment of compliance. In choosing between them, the agency should evaluate the advantages and disadvantages of these approaches, with consideration of:

    (a)  whether third-party conformity assessment is likely to be effective in practice and as a technical matter for the applicable regulatory standards and context; 

    (b)  the costs and potential delay that may result from developing and establishing a third-party program;

    (c)  the capacity of the agency to perform effective oversight and its related costs;

    (d)  the potential for the agency to achieve efficiencies through reducing its direct compliance assessment costs and resource needs;

    (e)  the costs to regulated entities of paying third parties to perform conformity assessment activities, which are likely to be of particular concern to small businesses;

    (f)  the potential for development of a well-functioning market in third-party conformity assessment services; and

    (g)  the benefits that may accrue to regulated entities by, for example, receiving regulatory approval to market their products more quickly or simultaneously satisfying the regulatory requirements of other agencies to which they are subject, including state agencies or agencies in other countries. (See Administrative Conference of the United States, Recommendation 2011-6, International Regulatory Cooperation, 77 Fed. Reg. 2257, 2259 (Jan. 17, 2012); Exec. Order 13,609 (May 1, 2012); Exec. Order 13,563 (Jan. 18, 2011)).

3.  Evaluate Incentives.  If an agency is contemplating a third-party program in which regulated entities would have the choice of either contracting with third parties or being assessed directly by the agency, the agency should evaluate whether sufficient incentives exist or can be created to attract the participation of regulated entities in the third-party program. Incentives for regulated entities to utilize third parties may include:

    (a)  exemption from a governmental fee that would otherwise be applicable; or

    (b)  the ability to satisfy the regulatory requirements of multiple jurisdictions through a single third-party conformity assessment engagement. 

B.  Considerations for a Federal Agency When Establishing a Third-Party Program to Assess Regulatory Compliance

4.  Proportionality to the Risk. An agency that has decided to establish a third-party program to assess regulatory compliance, or is directed by statute or other provision of law to do so, should design its conformity assessment program to be proportional to the risks associated with regulatory noncompliance. When the risks are high, a conformity assessment program should be characterized by high degrees of rigor and independence. When the risks associated with noncompliance are lower, the regulatory objective may be achievable with less rigor and independence. Types of rules that may be established by the agency to help ensure rigor and independence include:

    (a)  accreditation rules that set high standards of competence for the accreditation of third parties;

    (b)  selection rules that pertain to how regulated entities select third parties, requiring, for example, that third parties disclose conflicts of interests or that regulated entities contract with a different third party after a specified number of assessments;

    (c)  performance rules that require third parties to perform a rigorous set of assessment activities; and

    (d)  reporting rules that require third parties to provide sufficient information to the agency and the public about the process and outcomes of assessment activities.

5.  Use of Existing Conformity Assessment Standards. The agency should consider relying on existing conformity assessment standards, particularly international standards that set forth requirements for conformity assessment and accreditation bodies. Incorporating existing standards may reduce costs for the agency and for the regulated entities. To evaluate the suitability of using existing standards, the agency should take into account the following considerations:

    (a)  When an agency incorporates existing conformity assessment standards into its program requirements, important concerns may arise about the public availability of those standards due to the costs of obtaining copyrighted materials. When an agency considers incorporating copyrighted material by reference, the agency should be cognizant of issues relating to incorporation by reference. (See Administrative Conference of the United States, Recommendation 2011-5, Incorporation by Reference, 77 Fed. Reg. 2257 (Jan. 17, 2012));

    (b)  An agency that anticipates the use of conformity assessment bodies in other countries may particularly benefit by recognizing accreditation bodies that operate in accordance with international standards rather than the agency itself accrediting conformity assessment bodies; 

    (c)  When an agency incorporates existing standards into its requirements for third parties, it can supplement those standards with program-specific rules. An agency may require, for example, that in addition to being accredited to an international standard, a conformity assessment body must satisfy accreditation rules specific to the third-party program; and

    (d)  Agencies should also be aware that existing conformity assessment standards may include confidentiality provisions that apply to information collected during the assessment. Agencies should consider when disclosure to agencies and/or the public is necessary and when confidentiality may be justified. Program-specific reporting rules, as discussed in section 6 below, may be necessary to enable appropriate governmental or public access to such information.

6.  Access to Information. The agency should ensure that both the government and the public will have appropriate access to information about program operations. An agency’s development of third-party program rules and guidance should include notice and an opportunity for public participation. Also, the agency should provide information to the public about the roles and identities of the third parties associated with a regulatory program. Finally, the agency should establish reporting rules that require third parties to provide information to the agency based on the following considerations:

    (a)  The reporting rules should facilitate transparency. Information about the compliance of regulated entities should be available from the agency to the public, comparable to what would be available in the absence of a third-party program. Agencies may also be able to provide additional compliance information to the public that was not available before the third-party program;

    (b)  The reporting rules should facilitate appropriate agency oversight. For example, conformity assessment bodies can be required to report to the agency potential conflicts of interest before performing a conformity assessment, or provide the dates of their assessment activities so that the agency can conduct site visits;

    (c)  In certain circumstances, the agency might have reporting rules that require conformity assessment bodies to send assessment results directly to the agency; and

    (d)  The agency might require conformity assessment bodies and/or regulated entities to report electronically, which may facilitate the provision of information to the public.

7.  Agency Oversight. The agency has a duty to exercise oversight to ensure that the third-party program is fulfilling its regulatory purpose. An agency should generally set forth how it intends to conduct such oversight. For example, it may annually audit a certain number of accreditations or conformity assessments, or carry out a market surveillance program to test regulated products off-the-shelf. In exercising oversight, the agency should also take into account the following considerations:

    (a)  Beyond conducting direct oversight, an agency can require third parties to conduct additional assessment activities that provide further information to the agency about program operation. For example, an agency may require accreditation bodies annually to audit a certain number of conformity assessments, or it may require conformity assessment bodies to conduct particular types of surveillance on products they assess;

    (b)  The agency should establish procedures for receiving and responding to public complaints regarding potential noncompliance or other aspects of program operation. The agency could, for example, require a third party that has assessed the conformity of a regulated product or entity to investigate a complaint of noncompliance. In any event, the agency should ensure that complaints are resolved in an appropriate and timely manner; and 

    (c)  The agency should make clear the possible adverse actions that it may take against third parties that do not comply with program rules. A key adverse action is removing third parties from the program. Third parties may be removed temporarily through a suspension of accreditation, or permanently through a withdrawal of accreditation.


[1] Agencies may use third parties in connection with regulatory, procurement, and federal assistance programs. This Recommendation addresses use of third parties in regulatory programs.

[2] The Administrative Conference has addressed various approaches in prior recommendations. See, e.g., Recommendation 94-1, The Use of Audited Self-Regulation as a Regulatory Technique, 59 Fed. Reg. 44,701 (Aug. 30, 1994); Recommendation 89-1, Peer Review and Sanctions in the Medicare Program, 54 Fed. Reg. 28,965 (Jul. 10, 1989); Recommendation 78-4, Federal Agency Interaction with Private Standard-Setting Organizations, 44 Fed. Reg. 1357 (Jan. 5, 1979).

[3] Office of Mgmt. & Budget, OMB Circular No. A-76 (Revised May 29, 2003).

[4] See William J. Novak, Public-Private Governance: A Historical Introduction, in GOVERNMENT BY CONTRACT: OUTSOURCING AND AMERICAN DEMOCRACY (Freeman and Minow, eds., Harvard University Press, 2009); Martha Minow, Public and Private Partnerships: Accounting for the New Religion, 116 HARV. L. REV. 1229, 1230 (2002-2003); Jody Freeman, Extending Public Law Norms through Privatization, 116 HARV. L. REV.  1285, 1286-87 (2002-2003); Jody Freeman, Private Parties, Public Functions and the New Administrative Law, in RECRAFTING THE RULE OF LAW: THE LIMITS OF LEGAL ORDER 331 (David Dyzenhaus ed., Hart, 1999).

[5] See Lesley K. McAllister, Regulation by Third-Party Verification, 53 B.C. L. REV. 1 (2012).

[6] American National Standards Institute (ANSI), National Conformity Assessment Principles for the United States, 3, available at


[7] OMB Circular A-119 Revised §§ 8, 13(e) (Feb. 10, 1998); NIST, Guidance on Federal Conformity Assessment Activities, 65 Fed. Reg. 48,894 (Aug. 10, 2000).

Recommended Citation: Admin. Conf. of the U.S., Recommendation 2012-7, Agency Use of Third-Party Programs to Assess Regulatory Compliance78 Fed. Reg. 2941 (Jan. 15, 2013).