Craig Lynes
Senior Advisor, US
February 22, 2024

Outcome Focused Compliance in Aviation Security

Traditional Approach to Compliance

US federal regulators’ approach to achieving compliance with aviation security regulations has traditionally relied on a Compliance and Enforcement (C&E) model focused on federal assessments and inspections, administrative actions consisting of Warning Notices or Letters of Correction, Letters of Investigation and, in many cases, Civil Penalties.  Although an increased threat level over the last forty years, as well as tragic incidents like Pan Am Flight 103 and ValuetJet 592, have resulted in stronger aviation security oversight, the compliance cycle has largely remained unchanged.  

Figure 1: The standard Compliance and Enforcement Cycle:

In 2010, the US Transportation Security Administration (TSA) and industry stakeholders began rethinking this legacy system, posing questions such as:  

  • What are we attempting to achieve with the C&E model?  
  • Has TSA been successful in increasing the overall level of compliance, or, to the contrary, is the agency continuing to observe the same instances of regulatory noncompliance?  
  • Have oversight actions improved overall levels of compliance and enhanced aviation security?  

As a result of these introspective efforts, TSA stakeholders began to focus on a new philosophy of Outcome Focused Compliance (OFC).  

Outcome Focused Compliance, a New Approach

TSA officially launched OFC in 2019 with the publication of the TSA Action Plan Program, a document outlining the purpose of the approach, its applicability, and how it works in practice.  TSA summarized the goal of OFC as “addressing security vulnerabilities and instances of unintentional non-compliance with administration actions rather than civil enforcement action”.1  As part of OFC, entities such as air carriers or airports agree to voluntarily disclose to TSA any vulnerability or non-compliance they might identify through an Action Plan.  In return, TSA helps the operator identify the root causes of the vulnerability and possible mitigation approaches.  The entity is then required to address the vulnerability, and by doing so, avoid civil penalties.  TSA will always ‘trust but verify’ in ensuring adherence to the Action Plan.

OFC should be understood as a complete reframing of TSA’s approach to compliance and enforcement.  Instead of the never-ending cycle of compliance and enforcement with noncompliant stakeholders, TSA plays a support role in helping the operator enhance its overall security posture.  Mutual trust is at the heart of OFC and the TSA Action Plan Program.

OFC Benefits

While there was some initial hesitation with regards to the implementation of OFC and the Action Plan Program, it has been success for both TSA and industry.  By focusing on how to solve instances of non-compliance through vulnerability identification, TSA and industry stakeholders have been able to increase security levels in partnership, not through adversarial relationships.  TSA has also been able to realign resources by avoiding lengthy civil enforcement actions – where the resulting civil penalty gets assessed years after the original alleged violation took place.  Similarly, stakeholders have reinvested crucial and limited financial and time resources in improving security instead of going through the process of civil litigation.  Since the introduction of the Action Plan Program, TSA estimates that $36 million dollars have been reinvested back into aviation security instead of being assessed through civil penalties!  

What Outcome-Focused Compliance means to not only the federal regulators but more importantly industry, is that:

  • Industry can and has re/invested what it would normally pay in civil penalties directly into its business to improve security processes, procedures, training and implementation of aviation security measures;
  • Industry can and has spent less time on litigation and more time improving security processes and procedures;
  • The AVSEC community can work with TSA to achieve results with aviation security measures, even when there are issues of non-compliance;

And TSA can focus its limited resources on areas needing attention, can inspect more entities, and can ensure that Inspectors meet their annual work plan across all nodes of transportation.

All of this means that the traveling public is receiving a better security product from the aviation industry and the federal regulator charged with oversight of aviation security.  Outcome-Focused Compliance is a win-win-win for the AVSEC community, the federal regulator (TSA) and the traveling public.

Need help navigating OFC or other regulatory matters, get in touch!

Schedule a Consultation

Security and facilitation advisory for the 21st century.

Let's get Started