Passport Issuance Systems Regional Conference on Migration Vancouver Tuesday, 8 March 2005

What We Will Cover - I Based on Informative Annex to Document 9303 What it does and does not cover The vulnerabilities of passport operations The need for issuance standards Recommended practices Passport handling process Passport application and adjudication process Passport issuance and delivery process Organizational and personnel issues

What We Will Cover - II Advantages of automated systems & MRTDs Need for senior management support Funding the costs Centralization vs. dispersed issuance Passports issued at posts abroad Summary of internal controls principles

What Led to Writing The Annex? 9/11 lessons – Impede the travel of terrorists G-8 effort: capacity building Relevant experience Critique and participation by 8 countries Not the final word: other ideas welcome

What it Does and Does Not Do Talking here about preventing staff from engaging in internal fraud/malfeasance By following guidelines, it prevents one person from issuing a fraud unaided, and increases the possibility that attempts at fraud will be caught External fraud is the subject of a separate paper.

Intended Uses of The Annex Wide varieties of internal controls presented: pick and choose Protects staff who follow rules Makes it possible to identify internal malfeasance Makes it hard for managers to increase production by shortcutting internal controls Supports executive requests for resources Can be used by any organization producing security documents

Vulnerabilities of Passport Operations - I Passport is inherently valuable document Documents an identity and citizenship Allows entry to country of issue Essential tool for legal entry into other countries Passport document has become harder to alter or counterfeit

Vulnerabilities of Passport Operations - II This drives the criminal element to attack the issuing process Internally by “buying” an employee or placing criminal on staff to steal blank passports or assist in fraudulent issuance Externally, by deception, using falsified or genuine documents

Need for Passport Issuance Security Standards It is a given that your passport issuance system will be attacked Successful attack threatens internal security & has potential for costly costly criminal activity International reputation of your passport & its utility to citizens as a travel document Protection of passport application revenues

Recommended Practices: Passport Handling Process - I Design, printing and shipping of blank passports Involvement of the passport issuing authority in design and selection of materials Production of, and accounting for blanks Security of passport blank production facilities

Recommended Practices: Passport Handling Process - II Passport Book Control Limiting access Tracking inventory control numbers Spoiled, defective and excess blank passports End-of-day reconciliation

Recommended Practices: Passport Application & Adjudication Process -I Vulnerabilities of documents used as the basis for issuance Documents to establish identity and citizenship Importance of training on document characteristics On-line access to data bases to confirm documents Anti-Fraud specialist officers on staff

Recommended Practices: Passport Application & Adjudication Process-II Establishing clear procedural standards Random assignment of applications to staff Retain documents throughout process Handling of friends & family applications Thorough notations on applications Verifying questionable documents Complicated cases to senior staff

Recommended Practices: Passport Application & Adjudication Process-III Periodic and random audit and checking systems Routine local audits: periodic and random Management by sampling work in process Headquarters reviews with recommendations for improvement

Recommended Practices: Passport Application & Adjudication Process -IV Verifying the identity of passport applicants The key to passport integrity First-time applicants – personal appearance as a minimum Documentary evidence Identifying witnesses

Recommended Practices: Passport Application & Adjudication Process-V Replacement of lost/stolen passports Invalidate lost/stolen passports Get them into a data base & share with border Replacing should not be automatic Limiting replacements

Recommended Practices: Passport Application & Adjudication Process-VI Biometric enrollment “Freezing” the identity Verifying the quality of biometric capture Verifying the biometric

Recommended Practices: Passport Issuance & Delivery Process - I Passport printers and other production equipment used in the issuance process The need for unique features capability Physical security of equipment Passwords and access codes for operation Tracking who approved and performed steps

Recommended Practices: Passport Issuance & Delivery Process Physical security of the passport issuing plant Government controlled buildings/space Presence of security personnel, alarms, TV, surveillance Special requirements for vault & book personalization Customers and security Protection of applications in process

Recommended Practices: Organizational & Personnel Issues - I Hiring of and standards of conduct for all staff Background checks – initial & continuing Telling new employees what is expected of them Authorities of direct hire staff vs. contractors Internal controls in employee position descriptions

Recommended Practices: Organizational & Personnel Issues -II Need for a legal framework Passport issuing authority & responsibility Requirements of those applying: Who is entitled? Fee setting Privacy of applicant information Defining types of criminal activity and specifying penalties Laws and regulations

Recommended Practices: Organizational & Personnel Issues-III Building an internal controls network A senior person at HQ and in each field unit should be assigned to oversee internal controls An internal controls standards handbook An ongoing search for vulnerabilities (systemic and operational)

Recommended Practices: Organizational & Personnel Issues - IV Investigation and punishment of internal fraud Sources of allegations Investigative authorities Punishment – significant and public Lessons learned exercises

Recommended Practices: Organizational & Personnel Issues-V Employee morale Money is not the only motivator Deterrence measures: (1) Crime does not pay You will be caught; we will prosecute; it isn’t worth the risk. (2) Encouraging loyalty: Adequate pay & benefits; enlightened management; making the employee feel part of a team Training Employee recognition systems

Recommended Practices: Organizational & Personnel Issues-VI Name clearance systems Having an internal name check data base – sources of information Electronic vs. manual Matches and trials

Advantages of Automated Systems Speed Comprehensiveness - setting parameters Limiting access Recording access Allows for trackability & link analysis Promotes training Provides resources

Senior Management Support Treating internal controls as an important part of the process Approving the needed resources that are within your authority Being an effective advocate with more senior executives Management at all levels must be subject to the rules established

Funding the Costs of Issuance Systems Hard to quantify, but there are savings Efficiency promoted Government funding appropriate Prevention of criminal activity Reliable document for border control Respected document benefits to citizen travelers Ultimately, promotes respect for issuing country If no government funding, add to cost of passport

Balancing Centralised vs. Dispersed Issuance Centralized issuance (production) provides the best controls & least expense But it may be inconvenient for citizens Some decentralisation is usually needed (distinction between production and registration is important) Minimum government security standards for all facilities Adjudication, issuance and internal controls must be uniform Changes, when made, should be system-wide (easier with centralised systems)

Passports Issued at Foreign Service Posts Adjudication standards uniform On-line access to clearance information Appropriate internal controls Headquarters review Emergency issuance and regional/centralised issuance

Summary of 15 Important Internal Controls Principles - I 1. Senior management support is critical 2. Use automated systems whenever possible 3. Every facility including overseas posts must operate on the same standards 4. An angry employee is as great a threat as a venal employee 5. Account for blank passports from printing to personalization

Summary of 15 Important Internal Controls Principles - II 6. Assure random assignment of applications to staff 7. Assure that no employee can take an application through the entire adjudication and issuance system 8. Build in regular and random checks and audits 9. Encourage staff to report approaches to malfease and suspicious activity by other employees 10. Use direct-hire government employees as authorizing officers and fraud prevention specialists

Summary of 15 Important Internal Controls Principles -III 11. Establish clear procedural standards and make sure that employees know what they are 12. Use background checks when hiring and throughout employees’ careers 13. Be able to track who on staff worked on each application at every stage 14. Protect equipment from unauthorized use 15. Search constantly for unrecognized vulnerabilities

Thanks to: John Hotchner Director,Office of Passport Policy and Legal Advisory Services Passport Services Bureau of Consular Affairs U.S. Department of State Email: hotchnerjm@state.gov Tel: +1-202-663-2427 Fax: +1-202-663-2654