How to evaluate DSCSA ATP Credential Adoption

This article is mostly intended for people ‘in the know’. However, if you got here not really knowing what the title means, I salute you with gratitude for your curiosity as every reader and happily provide a brief intro.

For the uninitiated

DSCSA is the Drug Supply Chain Security Act, signed into law in 2013 and, in principle, fully enforceable since November 27, 2023. It’s been a rollercoaster for everyone involved with FDA enforcement deadlines approaching and then being pushed out again. Now it looks like, this is it. No more delaying. Even manufacturers keep saying, they want no more of this grey area. Just do it, FDA!

One core DSCSA requirement is,

The legal text repeats the same “authorized trading partner” (ATP) requirement for wholesalers, dispensers and repackagers.

Of course, you can grab a lawyer and go to town with interpretations of what a trading partner is and which of your trade actions and items are given consideration in the legal text. That’s wise when it comes to determining your compliance programme. In the end, though, the intent of the law is clear.

So, is all this just about regulatory compliance? No! It’s about human lives.

It’s about cybersecurity coupled with operational efficiency, too.

How do you recognise an ATP?

There are a few checks you can do manually or electronically to ascertain whether a trading partner is duly authorised. You should have SOPs in place for this. PDG, the public-private partnership with FDA, has provided useful guidelines in their Foundational Blueprint. In addition to WHAT to check, you also need to determine HOW OFTEN and WHEN to check.

About 5 years ago, the Verification Router Service (VRS) community under HDA’s facilitation approached other technology providers, including Spherity, to build an automated ATP check into the VRS network.

The pioneers developed a digital trust framework based on verifiable credentials that led to the foundation of a non-profit governance body, the Open Credentialing Initiative (OCI), in 2021. The fully interoperable DSCSA-compliant ATP credentials were ready for use in real-world VRS interactions before the original enforcement deadline in November 2023.

This technology choice fits right into other such developments around the globe and provides enhanced cybersecurity properties that can evolve as attack vectors increase over time as they always do. Remember, ca. 25% of all cybersecurity incidents in 2024 targeted healthcare.

Where are ATP credentials now?

Since ATP credentials are strictly dependent on the success of EPCIS and VRS, they naturally follow the successful implementation and issue handling of those. So far, trading partners have had their hands full with EPCIS connection and error handling, and in some regards, VRS is still trying to find its feet. Not all VRS providers offer ATP credentials to their customers and do not process incoming credentials. Thus, it comes as no surprise that ATP credentials won’t show in their transaction records, and the VRS network is not yet flooded with ATP credentials.

We’ve seen early ATP credential adoption by large manufacturers who understood the value of this technological approach and invested early-on. This group was followed by smaller manufacturers looking for efficient, affordable DSCSA compliance management, some wholesalers, latterly also dispensers and even a state regulator (read Rising VRS and digital credential adoption).

The current ATP credential acquisition level reported by OCI (see chart above) is respectable given the hold-ups in the aforementioned technological areas combined with sequential FDA enforcement delays and the comparably low levels of awareness amongst dispensers of DSCSA requirements in general. It is now down to VRS providers to enable their customers and put these digital credentials to good use.

If you have one, we recommend that you opt to always send your ATP credential with a VRS exchange, even if you do not receive one. This will help adoption and keep credentials flowing through the VRS network so that all service providers’ systems get used to processing them, too. Even if their VRS provider does not process ATP credentials, any recipient can extract the credential’s meaning with our free VP Checker. So, not all is lost.

What future would you like to create?

VRS is still transitioning from the original use for saleable returns verification, where transaction volume would have been mainly driven by few very large entities (especially the ‘big 3’ wholesalers), to being used by a large variety of trading partners and regulators who have no prior business relationship with each other. That’s really where ATP credentials come to their own. You’ll get instant assurance of the other side’s ATP or authority status without having to onboard a new trading partner or perform other lengthy manual processes (depending on your SOPs, of course).

We expect increasing acquisition of ATP credentials once trading partners get some breathing space to assess compliance process improvements, data protection and cybersecurity more deeply.

How do you want your VRS system to react when an unknown entity sends you a product identifier request or response?

Blind trust? Reliance on the GLN and contact details that come with it?

Think twice.

The GLN is a publicly available identifier. Anyone can grab it off the GS1 registry or elsewhere online. All they have to do then is somehow spoof the VRS system, maybe even set up their own basic service. Fraudsters are smart and creative. That’s why we need to put as many nifty obstacles in their way as possible. Humans make mistakes. That’s why automation with engrained digital trust beats homegrown GLN list management (read 5 Reasons Why DSCSA ATP Digital Credentials Beat GLN Allow Lists).

Technology standards underpin any good technological design intended for an industry ecosystem. Be suspicious of solution providers that offer non-interoperable methods. You’re heading for vendor lock-in and manual workarounds. Around the globe, credible ecosystem technology is set up with a trust framework that includes easily accessible, well-governed, usually open technology specifications, often also a service provider accreditation scheme. Accept less and pay the price.

For ecosystem technology to truly blossom, a critical mass of adopters must create a so-called network effect— most effectively achieved through peer encouragement. It’s like social media — you join because your ‘ friends’ are on it. In the VRS network, the beauty of technology governed by open standards is the provider choice. Not every trading partner needs to use the same solution provider because everyone who follows the standards will be interoperable, meaning their solutions communicate seamlessly. This ensures a baseline quality level, and brings frictions and costs down for everyone.

. . .

Vendor-neutral education

As part of the OCI team, I also write and contribute to vendor-neutral articles suitable for continuing education. Get in touch at hello@oc-i.org if you’re interested.

. . .

Disclaimer

Since this post touches on legal and regulatory requirements, I’d like to make clear that I’m not qualified to provide legal advice. Nothing stated here should be taken as such.

Why am I writing about this? — Because FDA puts strong emphasis on digitalising the US pharma supply chain, especially through its EDDS guidance. I currently work for a technology solution provider (Spherity) that offers a tool to perform automated electronic ‘Authorized Trading Partner’ checks via Verification Router Services. So, the topic is not only close to my job but also super interesting to think about and watch unfold.