The United Kingdom Accreditation Service (UKAS) has ruled that Lloyds Register (LRQA) was in full compliance with ISO 17021 accreditation rules when it issued an ISO 9001 certificate to an organization it had knowledge was circulating counterfeit certificates just months prior. Oxebridge had filed a complaint with LRQA, to which LRQA responded by threatening a lawsuit and blocking all Oxebridge emails. UKAS has also ruled that these activities are entirely consistent with ISO 17021.

The full response from UKAS may be read here. The original Oxebridge complaint may be read here.

Click to enlarge

At the heart of the case was the discovery that Hoerbiger Hungary was circulating counterfiet ISO 9001 certificates, featuring the logos of LRQA and UKAS, in order to obtain a contract with a third party vendor in Croatia. A representative of that vendor discovered the certificates had been manipulated, and reported the problem to LRQA, who responded shortly thereafter by indicating it had awarded Hoerbiger Hungary a valid ISO 9001 certificate, rather than investigate or prosecute Hoerbiger for the violation. The original complainant then asked Oxebridge to escalate the complaint to UKAS, but rules require that Oxebridge first address the issue directly with LRQA. LRQA denied any wrongdoing, and instead threatened to sue Oxebridge for its reporting on the matter — something it never brought forth — and instituted a sitewide ban blocking all Oxebridge.com emails from arriving at any LRQA recipient anywhere in the world.

This marks the second UKAS ruling which sided entirely with the CB being investigated. The previous decision ruled that registrars are allowed to provide software and training services marketed as “implementation” of ISO 9001 without that running afoul of ISO 17021’s prohibitions against CBs offering consulting services.

Oxebridge alleges that LRQA granted the certification to Hoerbiger Hungary in order to obtain a 3-year contract for auditing services. Had LRQA instead prosecuted Hoerbiger for trademark violation, it would have lost out on this revenue.  Because LRQA must pay fees to its accreditation body for every such contract, UKAS was also a direct beneficiary of the deal.

UKAS Now In Violation, Too?

UKAS itself may have violated its own regulations under ISO 17011 by failing to address a key portion of the Oxebridge complaint, pertaining to LRQA’s alleged failure to notify stakeholders and the public of the release of the photoshopped certificates. The Oxebridge complaint read as follows:

LRQA has failed to consider, discuss or determine, if the public should be notified of the circulation of false certificates bearing its name, despite knowledge that this puts at risk both the validity of LRQA certificates and ISO 9001 certificates in general, and despite knowledge that this circulation may be in violation of local and national laws, and as such it may be in the best interest of the public to be alerted to this condition, per ISO 17021 clause 9.8.10 (The certification body shall determine, together with the client and the complainant, whether and, if so to what extent, the subject of the complaint and its resolution shall be made public.)

The UKAS ruling ignored this allegation entirely, apparently failing to uphold its own obligations under the complaints processing rules. Because UKAS tightly constrained its investigation into only the single incident, it did not conduct a holistic examination of LRQA’s practices or the scale of Hoerbiger’s counterfeiting. Oxebridge maintains, therefore, that there is no way to know how many of the counterfeit certificates remain in circulation, and puts the entire supply chain at risk. As a result, UKAS may be cited as knowingly refusing to not only enforce its trademark usage, but also enabling an environment that allows its certificates to be counterfeited with impunity.

Furthermore, the Oxebridge complaint was only issued after LRQA failed to satisfy a complaint filed by another stakeholder.  At no time did UKAS contact the original stakeholder for more information, instead relying entirely on information provided to it by LRQA, thereby skewing the results in LRQA’s favor. Worsening matters, the UKAS response indicates that LRQA “issued an appropriate statement regarding the invalid certificate to the relevant parties.” Oxebridge had provided information to UKAS showing that the response given by LRQA to the original complainant contradicted the response later given to Oxebridge. It is not clear how UKAS could claim that a contradictory answer could be deemed “an appropriate statement” on the matter.

Oxebridge would be within its rights to escalate the issue to the International Accreditation Forum (IAF), but given that organization’s poor history in policing its members, and its reliance not on independent assessments but “peer reviews” among the ABs, it is likely not to have any effect.

Oxebridge VP Operations Christopher Paris, author of the complaint, called the UKAS ruling “deeply troubling” and “indicative of systemic corruption throughout the ISO certification scheme.” Mr. Paris will be speaking at state and federal committee hearings calling on various agencies, including the US Dept. of Defense, to pull ISO 9001 or similar certifications from government contracts until such time as “the full extent of IAF collusion and incest can be ascertained, rooted out, and removed, so as to once again provide confidence and trust in the marks.”