Thorough customer screening is essential to a strong biosecurity program.
Customer screening, flagging, and follow-up play essential roles in establishing the legitimacy of customers ordering synthetic dsDNA sequences. It’s not enough to merely flag a potential bad actor. Companies must also be prepared to take immediate, defined action once a customer has been identified as a potential bad actor. Once a determination of the risk involved is made, the company must rectify the situation or inform law enforcement. Without this final step, the screening program is without teeth.
What is Screened
Both the U.S. HHS 2010 Screening Framework Guidance and the IGSC Harmonized Screening Protocol provide frameworks and guidance for screening programs. Customer screening is an essential element of both. The Australia Group (AG) also maintains a list of dual-use (can be used for good or ill) equipment and substances.
Verification of basic customer information is the foundation of customer screening. The information includes a shipping address; the name of the company, lab, or institution; country; telephone number; and email address. Suppliers also take steps to ensure that the customer is the end-user for the materials ordered. Finally, the IGSC Harmonized Screening Protocol specifically states that shipments cannot be made to PO Boxes.
Interested in Battelle’s ThreatSEQ™ DNA Screening Service?
The HHS screening framework recommends that suppliers vet customers against additional watch lists since U.S. law prohibits “U.S. persons from dealing with certain foreign persons, entities, and companies.” The IGSC also recommends further vetting of customers against various watchlists.
The lists cited by HHS and IGSC cover sanction lists spanning the globe for domestic and export orders and include:
- Department of Treasury Office of Foreign Assets Control (OFAC) list of Specially Designated Nationals and Blocked Persons (SDN List)
- Department of State persons subject to nonproliferation sanctions
- Department of State Debarred Parties
- Department of Commerce/Bureau of Industry and Security (BIS) Denied Personas List (DPL) and Parties of Concern
- Export Administration Regulations (EAR)
In addition, the U.S. Government recommends that customers making domestic orders should be screened against the DPL. HHS also states that, for international orders for any dsDNA order that cannot be classified under an Export Control Classification Number (ECCN), providers must consult the lists designated by EAR.
Members of IGSC take an additional step when verifying a customer’s bona fides before accepting an order for DNA sequences from regulated pathogens or toxins. These entities require any customer ordering sequences associated with select agents or organisms on the Australia Group list to provide a written description of the intended use of the synthetic product. With this information, the intended use is examined to determine if it is consistent with that entity.
When an effective screening program encounters a customer that doesn’t fit the stated parameters, it will flag that customer for additional screening. The HHS suggests that the following types of customers warrant a flag and follow-up: the customer’s identity is not clear, that customer is not expected to request those materials, there is an unusual labeling or delivery procedure associated with the order, the method of payment or terms of payment are non-standard, or the customer requests unusual conditions of confidentiality.
Ideally, screening software will assign a value to an assigned flag to identify the risk associated with that flag. This is sensible because there is a vast difference between an unintentional error in an address or contact information and an intentional error used to evade detection. Still, since it’s not possible to know by looking which simple errors are truly unintentional, even the most “obvious” errors need follow-up when flagged.
The most serious flags will come into play when a known banned, debarred, denied, or identified bad actor is trying to make a purchase. Every nation or region of the world has lists of these players; they must be used as part of an effective screening program. This is so because, for these customers, even the most benign of requests must be viewed with suspicion and reported to law enforcement.
HHS Guidance has additional information to consider when screening. Most important:
- No U.S. persons or entities may conduct business transactions with individuals or entities on the SDN list without a license from OFAC. These licenses are provided on an extremely limited basis.
- No U.S. persons or entities may conduct business with individuals sanctioned by the Department of State for engaging in proliferation activities.
By determining that a customer is acting in good faith and has no known restrictions in place, suppliers are taking the necessary first step to maintain control of potentially harmful synthetic genetic materials, pathogens, and toxins.