The WCO Revised Kyoto Convention, officially known as the International Convention on the Simplification and Harmonization of Customs Procedures, did not merely set standards for its time — it became the catalyst and the genetic code for a generation of international Customs instruments that followed. Its core principles including risk management, advance information, the use of technology, and partnership with the trading community, proved so foundational that they were carried forward, adapted, and extended into virtually every significant Customs reform framework developed in the decades since. Among the most important of those instruments is the WCO SAFE Framework of Standards to Secure and Facilitate Global Trade, which drew directly from the RKC's architecture to address the supply chain security challenges of the post-9/11 world.

My years at the WCO spanned a pivotal period — one of major revision and updating of international Customs standards, and of accelerating digital transformation both within the Organisation and across member administrations globally. Serving in various capacities during that era placed me at the centre of the ICT and trade facilitation work from which both the RKC and the SAFE Framework grew.

The honest assessment, after more than 20 years since its adoption at the WCO Council, is that WCO SAFE Framework implementation rates are disappointing. The framework exists. The guidance exists. The political commitment, and crucially the ICT investment to support it, frequently does not.

From Kyoto to SAFE: A Standards Continuum

To understand the SAFE Framework properly, it is necessary to understand where it came from. The WCO Revised Kyoto Convention (RKC) is the foundational international instrument for modern Customs practice. Originally adopted in 1973 and substantially revised in 1999, the RKC established the core principles that define professional Customs administration: predictable and transparent procedures, risk management as the basis for controls, use of information technology, and partnership with the trading community. It entered into force in 2006 and today has over 120 Contracting Parties.

During my time as Senior Technical Officer in the Trade Facilitation Sub-Directorate at the WCO, I had the honour to work on the ICT standards and trade facilitation provisions of the Revised Kyoto Convention — the very foundations upon which the SAFE Framework was subsequently built. When the SAFE Framework was adopted in June 2005, in direct response to post-9/11 supply chain security concerns, it did not start from a blank page. It drew explicitly and extensively from the RKC's existing architecture. The mapping between the two instruments is specific and substantial.

The most prominent example is the Authorised Economic Operator (AEO) concept that sits at the heart of SAFE Pillar 2. The AEO programme — the certification of trusted traders in exchange for facilitated clearance — has its direct origins in the RKC's "authorised persons" provisions. The RKC established the principle that Customs administrations should identify and differentiate compliant, low-risk traders and grant them procedural benefits accordingly. SAFE took that principle and developed it into a full international certification standard, complete with security criteria, compliance requirements, and the expectation of mutual recognition between administrations.

Risk management as the organising principle of Customs controls is equally a direct inheritance from the RKC. The Convention established that physical inspection of every consignment is neither necessary nor desirable and that intelligence-based targeting, using pre-arrival information and risk profiling, should determine where Customs resources are deployed. SAFE Pillar 1 operationalised this into the advance electronic cargo information requirement: the obligation on administrations to collect and analyse cargo data before goods depart, enabling risk assessment prior to arrival. The RKC's General Annex mandated the use of information technology and electronic data interchange in Customs procedures; SAFE built its interoperability and automated data exchange requirements directly on that mandate.

The RKC also established the principle of coordinated controls — where Customs inspection should take place in coordination with other competent authorities rather than in isolation. This is the direct precursor to SAFE's Customs-to-Customs cooperation standards, including joint targeting, mutual recognition of control results, and the sharing of risk intelligence across administrations. In many cases, the SAFE Framework's technical specifications were not newly written but taken directly from existing RKC provisions — meaning the ICT and procedural groundwork laid during the RKC era fed straight into the SAFE standards that followed.

This is not a minor historical footnote. It means that SAFE and the RKC are not parallel or competing instruments — they are layered. The RKC provides the legal and procedural architecture; the SAFE Framework applies and extends that architecture to the specific challenges of supply chain security and trade facilitation in the modern global economy.

An administration that has not yet implemented the RKC in substance will struggle to implement SAFE in practice, because the underlying procedural and IT foundations will be absent. Conversely, a strong RKC implementation, with functioning risk management, electronic declarations, and authorised trader programmes, provides a direct runway to SAFE compliance. Understanding this layered relationship is, in my view, one of the most underappreciated insights in Customs modernisation strategy.

What the SAFE Framework Requires

The SAFE Framework is built around two pillars: customs-to-customs co-operation, and customs-to-business co-operation. The first pillar requires participating administrations to share advance cargo information with destination customs prior to departure, use consistent risk management approaches, and conduct joint targeting and mutual recognition of control results where possible. Each of these obligations has a direct ICT dependency — advance data sharing requires interoperable electronic messaging systems; risk management requires analytical platforms; mutual recognition requires standardised data formats and trusted interconnection. The framework does not just require political will: it requires IT architecture.

The second pillar involves Authorised Economic Operator programmes — the certification of trusted traders who are granted facilitated clearance in exchange for compliance with security and procedural standards. AEO programmes are fundamentally data-driven: vetting applicants, tracking compliance history, issuing certificates, and verifying status at the border all require robust, integrated IT systems. Without them, AEO exists only as a paper exercise.

Implementation: Where Progress Has Been Made

It would be unfair, and inaccurate, to characterise SAFE Framework implementation as uniformly poor. In certain areas, genuine and measurable progress has been made over the twenty years since the Framework's adoption in 2005.

The most visible success has been the rollout of national AEO programmes. In the first decade after SAFE's adoption, the number of WCO Members with functioning AEO programmes grew from a handful to nearly 100. That represents a significant institutional achievement — administrations establishing the legal frameworks, validation processes, and benefit structures that AEO requires is not trivial work, and many have done it well. The domestic half of the AEO equation, in other words, has largely been delivered.

Advance cargo information collection has also become broadly established, particularly in larger trading economies and in air cargo, where the Pre-Loading Advance Cargo Information (PLACI) regime has driven meaningful adoption. Most major ports and airports now operate under some form of advance declaration requirement. Risk management as a principle — the idea that intelligence-based targeting should replace blanket physical inspection — has been at least nominally adopted by the majority of WCO Members, even where operational depth varies considerably.

Where Implementation Has Fallen Short

The areas where the SAFE Framework has consistently underdelivered are, not coincidentally, precisely those that require cooperation between administrations rather than action within a single one. The international dimensions of SAFE — mutual recognition, information exchange, and joint targeting — have proven far harder to achieve than the domestic ones.

  • Mutual recognition of AEO programmes. This is the most significant gap between SAFE's ambition and its reality. A national AEO certification that is not recognised by major trading partners provides limited competitive advantage to the certified trader. While the number of bilateral Mutual Recognition Arrangements have grown — the EU has concluded MRAs with the US, China, Japan, Canada and a handful of others — the global picture remains fragmented. Different AEO programmes apply different criteria, use different validation methodologies, and produce different data. The international mutual recognition network that SAFE envisaged has not materialised at scale.
  • Cross-border information exchange and joint targeting. Collecting advance cargo data domestically is one thing; sharing risk intelligence with partner administrations in a timely, standardised, and legally grounded way is quite another. Data quality remains a persistent challenge. Automation, which is fundamental to improving it, is still a work in progress for many administrations. The bilateral legal frameworks required for routine intelligence sharing have been concluded between relatively few country pairs. Operational Customs-to-Customs joint targeting, as envisioned in SAFE Pillar 1, remains the exception rather than the rule.
  • Risk management in practice versus on paper. Even where risk management frameworks have been formally adopted, the operational reality in many administrations is that inspection remains predominantly physical, volume-driven, or guided by informal criteria that are never documented or validated against outcomes. A risk management policy that does not change how officers make decisions at the border is not risk management — it is a policy document. Closing that gap requires sustained investment in analytical systems, training, and management culture, all of which take time and resources that many administrations have not yet committed.

The IT Infrastructure Imperative

Having worked across Customs ICT implementations for over three decades — from the Irish Revenue Commissioners' Automated Entry Processing (AEP) system in the early days of electronic customs, through to the WCO's global IT strategy, and more recently as senior advisor to the Bahamas Ministry of Finance overseeing Customs Modernization, VAT automation, and the government's private cloud rollout — I am consistently struck by how often the IT gap is the binding constraint on SAFE Framework implementation.

An agency that cannot receive, process, and act on advance electronic cargo information cannot implement Pillar 1. An agency that cannot issue and verify AEO certificates electronically cannot implement Pillar 2 at scale. The framework is sound. The IT infrastructure to execute it is frequently inadequate or absent.

Customs ICT as the Backbone of SAFE Compliance

When I led the Information Systems and Telecommunications Service at the WCO, a central part of my remit was translating the Organisation's policy frameworks into actionable ICT strategies for member administrations. The SAFE Framework is, at its core, an ICT-dependent standard. Every one of its headline obligations — advance cargo data exchange, electronic risk profiling, AEO certificate management, joint targeting — requires functional, interoperable customs IT systems to deliver.

This is particularly relevant in small island developing states across the Caribbean, where I have been working since 2006. These administrations face a compound challenge: they are expected to meet international SAFE standards while operating with limited IT budgets, small technical teams, and aging infrastructure. The answer is not to lower the standard — it is to architect smarter ICT solutions, including Managed Services and government cloud approaches that can deliver enterprise-grade capability without enterprise-scale investment. The work I have been doing with Cloud Carib since 2018, promoting national digital transformation strategies to Caribbean governments, is directly relevant here: the same cloud and managed services logic that applies to government ICT broadly applies with equal force to Customs modernisation under the SAFE Framework.

A Practical Implementation Path

For agencies that want to make genuine progress on SAFE Framework implementation, I recommend starting with the IT infrastructure assessment. Map exactly what data you can currently receive, store, and analyse. Then map what the SAFE Framework requires you to do with that data. The gap between those two maps is your implementation priority list.

Do not wait for perfect conditions. My experience in the Bahamas — where I supported both Customs Modernization and the introduction of VAT alongside the government's move to a private cloud infrastructure — demonstrates that incremental, sequenced ICT reform is both achievable and effective. Pick the highest-value element of the framework, build the IT capability to support it, implement it, measure the results, and then move to the next element. Incremental, evidence-based implementation beats ambitious plans that never leave the paper stage. The SAFE Framework is a destination; a sound Customs ICT strategy is the road that gets you there.