The Drug Enforcement Administration (DEA) recently announced an enhancement to the Automation of Reports and Consolidated Orders System (ARCOS) to allow DEA-registered drug manufacturers and distributors to access anonymized information concerning their customers’ orders of certain controlled substances. Manufacturers and distributors of Schedule I and II and certain other Schedule III controlled substances are required to submit quarterly reports to ARCOS of controlled substance purchases and sales. With this enhancement, registrants will be able to view ARCOS data submitted by other manufacturers and distributors. Specifically, registrants will be able to see and download data on a customer’s (e.g., pharmacy’s) controlled substance purchases, in terms of both the amount of purchased controlled substances and the number of distributors from which controlled substances were procured. While this enhancement will help controlled substance manufacturers and distributors fulfill their suspicious order monitoring obligations, it also raises questions regarding the steps that distributors and manufacturers will be required to take if suspicious order patterns are detected.
Under the DEA’s regulations, controlled substance manufacturers and distributors are required to “design and operate a system” to detect suspicious orders of controlled substances, including orders of unusual size, orders that deviate from a normal pattern, and orders of unusually high frequency. In the event a suspicious order is found, the registrant must notify the DEA. This requirement is commonly known as the “know your customer” requirement. In recent years, this requirement has received increased attention as a result of some high-profile DEA wins related to alleged suspicious order monitoring deficiencies.
Not only have these recent cases brought attention to suspicious order monitoring, but the DEA would likely view some of them as expanding the monitoring requirement from “know your customer” to “know your customer’s customer.” In a press release concerning a settlement with Mallinckrodt, the DEA described a parallel agreement with the manufacturer that required that the company “analyze data it collects on orders from customers down the supply chain to identify suspicious sales.” The DEA further stated, “The resolution advances the DEA’s position that controlled substance manufacturers need to go beyond ‘know your customer’ to use otherwise available company data to ‘know your customer’s customer’ to protect these potentially dangerous pharmaceuticals from getting into the wrong hands.”
According to the DEA, the ARCOS enhancement “will provide valuable information for distributors to consider as part of their [suspicious order monitoring] assessment.” While the ARCOS data will no doubt be useful and will assist in identifying suspicious orders, exactly how it should factor into the suspicious order assessment is not clear. The DEA provided the specific example that “if a query resulted in a large number of suppliers who have recently sold unusual quantities of opioid analgesics to a prospective purchaser, this may represent a ‘red flag’ to the new distributor and foster a dialogue between that distributor and the pharmacy.” What the DEA does not explain, however, is its expectations regarding the substance of this dialogue and whether this dialogue must extend beyond the pharmacy. This lack of a clear and consistent suspicious order monitoring policy is an ongoing concern within the industry. While the access to ARCOS data will be a useful tool for controlled substance manufacturers and distributors, further guidance is needed from the DEA to clarify the agency’s suspicious order monitoring expectations.