CARO is the acronym for Credentialing of ATP for Regulatory Observance. It is our solution to authenticate direct and indirect trading partners in the U.S. pharmaceutical supply chain in real-time.

Contact the CARO team for detailed information or to arrange an onboarding session.

Using CARO, credential details of your DSCSA-relevant authorized status are automatically embedded into messages between you and other businesses, such as Product Identifier verifications with manufacturers. This way, you can both trust that your communication is compliant with DSCSA Authorized Trading Partner (ATP) requirements. Regardless of whether your counterparty is a direct or indirect (no prior relationship) trading partner, you can be sure that the message has come from them.

You only need to acquire an ATP credential once, as it can be reused in every message.
What’s more, credentials are so flexible that they can be employed in various business scenarios. Thus, using credentials is a future-proof method.

Electronic or so-called Verifiable Credentials are digital representations of real-life certified facts, for example your company registration details. These can be shared in a completely hands-off manner allowing for efficient process automation.

No. Legisym is fully integrated with CARO both functionally and commercially.

This depends on the type of credential and the kind of evidence you provide to the Credential Issuer Legisym for due diligence. For example, for an Identity Credential Legisym offers multiple options for you to choose from when submitting evidence that validates both the existence and identity of your organization as well as your identity and authority to act as a representative of that organization.

If you provide evidence that can be validated through Legisym's automated due diligence processes, your Identity and ATP Credentials could be issued within seconds of your submission. If a deeper investigation is required, it can take as little as 15 minutes or up to 24 hours for Legisym to complete and document the required level of due diligence in alignment with OCI’s Credential Issuer Conformance Criteria.

Note - the stated periods are for guidance only. While the team strives to deliver credentials as quickly as possible, we are committed to the OCI Credential Issuer Conformance Criteria to ensure credentials are only issued to legitimate trading partners.

To establish your organization’s identity find the:
- required registration information that shows entity name and address as shown on corporate legal documents and
- the DEA Signing Certificate or notarized documents (DUNS number, Articles of Incorporation, IRS EIN Assignment Letter).Ask your Admin or Legal Team if needed.

To establish your Authorized Trading Partner status find your valid license registration number as applicable (BoP License Number and State or FEI number). Ask your Compliance or Licensing Registration Team if needed.

Download a brief overview of the information needed for due diligence here.

Note - the integrated Credential Issuer Legisym is constantly exploring options to expand the range of possible types of evidence for due diligence in accordance with OCI’s Credential Issuer Conformance Criteria. Hence, the above list may change over time.

The verification is part of our due diligence process. If you cannot prove to us that you are who you say you are and that your ATP status is valid, you cannot be onboarded to CARO. Please seek advice from your legal or compliance department.

Yes. In principle, there are two options:
1. You can manage several distinct Enterprise Accounts in your digital wallet if you have been invited as a user to these Enterprise Accounts. So, for example, if you want to join as an Account Administrator for 5 of your enterprise’s subsidiaries, each one of these verified entities must add you as an Account Administrator in the User Management module. Once you have accepted the invite, you will see each of these 5 subsidiaries as separate Enterprise Accounts within your wallet. You can also be set up in different user roles for different Enterprise Accounts.

2. You can manage several entities within the same Enterprise Account if it is OK to share data and user access between these entities.

Feel free to discuss with us which option might be more suitable to your business needs.

CARO provides essential details, such as your unique Enterprise Account identifier, automatically to your VRS providers once they have been granted the relevant account access. In addition, your VRS requires the GLN that you want to use for product verifications or other interactions. Please contact your VRS directly to provide any further details and learn more.