CBP Customs Audit 2026: How AI Targeting Works and What IT, Medtech and Equipment Importers Must Do Now

The numbers define the scale of what is happening. In FY2024, CBP collected $117.7 million from importer audits across the full year. By June 2025, FY25 collections had already reached $192.77 million from 348 completed audits, with $37.88 million of that from penalties and liquidated damages alone. The full FY2025 figure reached $235.46 million according to CBP Trade Statistics updated April 30, 2026. FY2026 enforcement has accelerated further: CBP collected $182.22 million from just 181 audits through April 30, 2026, meaning the average recovery per audit has crossed the one million dollar mark. That is not a gradual trend. It is a step change in enforcement intensity. And the tool driving this acceleration is artificial intelligence. CBP has invested heavily in AI-powered supply chain mapping, anomaly detection, and risk scoring systems that can analyse patterns across thousands of import entries simultaneously, flagging inconsistencies that would have taken years to identify through manual review. Problems that used to take years to surface are now being identified in weeks. For IT hardware companies importing servers and networking equipment, medtech companies shipping diagnostic equipment, aerospace manufacturers importing components, and heavy equipment distributors, the question is not whether CBP’s AI systems are looking at their entries. It is whether their entries will pass the review when they are selected. This guide explains how the CBP customs audit 2026 environment works, what the AI targeting system is looking for, which compliance gaps are triggering the most enforcement action, and what to do before a CF-28 arrives.

Why the CBP Customs Audit 2026 Environment Is Different From Any Previous Year

Three forces are converging in 2026 to create the most aggressive customs enforcement environment in modern US trade history.

Force 1: Revenue Incentive at an Unprecedented Scale

CBP collected $264 billion in customs duties in calendar year 2025, up from $79 billion in 2024. That more than three-fold increase is driven primarily by the layered tariff environment: Section 301 duties on Chinese-origin goods, Section 232 duties on metals and derivatives, IEEPA tariffs, and reciprocal tariffs. Every dollar of duty owed is now significantly more valuable to the federal government than it was two years ago. CBP has both the incentive and the mandate to ensure that every dollar owed is collected. Importers who are underpaying, misclassifying, or claiming preferences they do not qualify for represent the highest-value enforcement targets in the agency’s history.

Force 2: AI-Powered Targeting Is Operational

CBP has invested millions in artificial intelligence and data analytics capabilities for trade enforcement. The CBP Trade Compliance division publishes enforcement statistics and audit programme details on its official portal. The agency’s Automated Targeting System (ATS) cross-references import entry data against commercial databases, financial records, supplier information, and historical entry patterns simultaneously. In 2025, CBP awarded contracts to AI companies to build supply chain mapping capabilities specifically designed to detect transshipment, identifying when goods from China-origin suppliers route through third countries before entering the US. The ATS enhancements mean that the same data that used to require a manual audit to analyse is now screened automatically on every entry at the time of filing. The AI systems are looking for specific anomaly types:

• Classification inconsistencies: The same product classified differently across multiple entries, or classified in a manner inconsistent with the declared product description or supplier invoices
• Valuation anomalies: Declared values significantly below market rates for comparable products, sudden drops in declared values across entries, or patterns consistent with invoice splitting or value suppression
• Origin patterns: Supply chain routes consistent with transshipment through third countries, sudden shifts in country of origin for the same product from the same supplier, or declared origins inconsistent with the supplier’s known manufacturing footprint
• Preference claim mismatches: FTA preference claims combined with supply chain data that does not support the claimed origin qualification, or duplicate tariff exclusion claims across multiple entries
• Shell company signals: Importing entities with minimal commercial footprint, new entities claiming large import volumes, or entities whose profile is inconsistent with the declared import value and product category

The AI system does not need to identify fraud. It flags statistical anomalies and inconsistencies. A CBP officer then reviews the flagged entries and decides whether to issue a CF-28 Request for Information, a CF-29 Notice of Action, or refer the case for a Focused Assessment or formal investigation.

Force 3: The DOJ-DHS Trade Fraud Task Force Is Producing Results

In August 2025, the US Department of Homeland Security and the Department of Justice launched a joint Trade Fraud Task Force with a mandate to pursue customs fraud through criminal prosecution, civil penalties, and False Claims Act litigation simultaneously. The Task Force moved fast. By December 2025, it had secured settlements including a $54 million resolution for misclassification, failure to mark country of origin, and transshipment. The alleged misconduct dated back to 2015. A corporate officer faced individual criminal charges for duty evasion. These actions establish clearly that the current enforcement environment reaches back years and holds individuals personally accountable, not just the importing company.

The enforcement mechanism that most importers overlook is the False Claims Act qui tam provision. The DOJ Trade Fraud Task Force explicitly invites industry insiders, former employees, competitors, and any person with knowledge of customs duty evasion to file suit on the government’s behalf. A successful whistleblower receives a percentage of the government’s recovery. In the $54 million settlement from December 2025, the qui tam relator filed the original complaint that triggered the investigation. This means the risk to an importer is not only CBP’s AI targeting system. A disgruntled former logistics employee, an out-priced competitor with knowledge of classification practices, or a supplier who understands the origin of the goods can all initiate an enforcement action independently. The DOJ Corporate Whistleblower Program announced in August 2024 expanded this further by creating a direct channel for corporate insiders to report customs fraud. CBP also operates the e-Allegations portal at e-allegations.cbp.dhs.gov, which allows any person to submit an allegation of trade fraud directly to CBP anonymously. These e-Allegations feed directly into CBP’s targeting system and can trigger a CF-28 or Focused Assessment referral on the reported importer.

The Four Compliance Gaps That Trigger the Most CBP Audit Referrals

Trigger 1: HS Code Misclassification

Classification is the highest-volume audit trigger in 2026. With layered tariffs now applying at different rates to different HS code categories, the financial incentive to misclassify goods is higher than at any previous point. CBP’s AI systems are specifically calibrated to identify classification patterns that appear inconsistent with the declared product description, the supplier’s known product range, or historical classification practice for similar goods.

For IT hardware importers, the specific classification risks are:

• Chapter 84 vs Chapter 85: Servers and computers (Chapter 84) and networking/electrical equipment (Chapter 85) carry different duty treatments under Section 301. Misclassification between these chapters, whether intentional or the result of a broker error, generates an anomaly in the AI system
• ITA product eligibility: Not all IT products qualify for the Information Technology Agreement zero duty rate. Equipment classified as eligible for ITA zero-rating that does not meet the product definition produces a duty underpayment that CBP’s system can identify by comparing declared duty with expected duty for the declared product
• AI hardware classification: GPU accelerators, AI inference cards, and high-performance computing components are classified under various Chapter 84 and 85 subheadings with different Section 301 exposure. The rapid growth of AI hardware imports has placed this category under particular scrutiny

Trigger 2: Customs Valuation Discrepancies

Customs valuation is the second highest-volume trigger. CBP’s AI systems compare declared customs values against market data, comparable product imports, and historical entry values for the same importer. Specific patterns that trigger review include declared values that are significantly below comparable market prices, sudden reductions in declared value for the same product from the same supplier, invoice structures that appear to split the true transaction value, and royalty or licence fee payments made separately from the invoice that may be required to be included in the customs value.

For medtech companies, valuation complexity is particularly acute. A medical device that is part of a transfer pricing arrangement between related parties requires a customs valuation that satisfies CBP’s related party transaction standards. Transfer pricing documentation that does not support the customs value declared is a documented audit trigger. For aerospace and industrial equipment importers, equipment purchased under long-term supply contracts with price escalation clauses may have declared values that drift from market prices over time, creating valuation anomalies that the AI system flags for review.

Trigger 3: Country of Origin and Transshipment

Country of origin is the enforcement priority that the Trade Fraud Task Force has most aggressively pursued. All three of the Task Force’s December 2025 enforcement actions involved Chinese-origin merchandise allegedly misdeclared through misclassification, improper entry declarations, or transshipment through third countries. For IT hardware importers who have shifted sourcing from China to Vietnam, Malaysia, Thailand, or Mexico in response to Section 301 tariffs, the origin documentation supporting the shift must be airtight. CBP’s AI systems cross-reference declared country of origin against supplier information, manufacturing footprint data, and supply chain route patterns. A company that was sourcing IT hardware from China-based suppliers in 2023 and is now declaring Vietnam as the origin for the same products from the same corporate family is in a risk profile that CBP’s targeting system is specifically designed to identify.

Trigger 4: UFLPA Forced Labor Enforcement

The Uyghur Forced Labor Prevention Act operates on a rebuttable presumption: any goods manufactured wholly or in part in Xinjiang, or by entities on the UFLPA Entity List, are presumed to have been produced with forced labor and are barred from US importation unless the importer can rebut that presumption with clear and convincing evidence. For IT hardware, medtech, and industrial equipment importers, the UFLPA risk is immediate: solar cells and modules, polysilicon, aluminium, steel, and certain electronics all have well-documented supply chain links to Xinjiang. CBP can detain any shipment where the supply chain mapping indicates potential Xinjiang nexus. The AI system is specifically calibrated to identify supply chain patterns consistent with Xinjiang-origin goods, and CBP has published an updated UFLPA enforcement statistics dashboard for 2026 with granular tracking by HTS-4 category and shipment value. The UFLPA creates a separate enforcement pathway from a standard classification or valuation audit: the burden of proof reverses, requiring the importer to demonstrate compliance rather than CBP to prove non-compliance.

How a CBP Audit Escalates: CF-28 to Focused Assessment

Understanding the escalation sequence helps importers respond correctly at each stage and avoid turning an information request into a formal investigation.

Stage 1: CF-28 Request for Information

• CBP issues a CF-28 to the importer of record requesting documentary support for specific entries
• Typical requests: supplier invoices, purchase orders, proof of payment, country of origin documentation, classification ruling support, valuation evidence
• Response time: typically 30 days from receipt
• Critical point: a CF-28 is an information request, not a penalty. The response quality at this stage determines whether the matter escalates
• A complete, well-documented response that addresses every item in the CF-28 frequently closes the matter at this stage
• An incomplete response, a delayed response, or a response that raises more questions than it answers escalates the matter to CF-29

Stage 2: CF-29 Notice of Action

• CBP issues a CF-29 when it has determined that a duty, classification, or valuation discrepancy exists and is proposing corrective action
• The CF-29 states the proposed action: reclassification, value adjustment, or duty assessment
• The importer has 20 days to respond and provide additional evidence or arguments before CBP finalises the action
• A CF-29 that is not contested becomes a binding determination and can trigger liquidation of the entry with additional duties assessed
• A CF-29 that is contested with strong supporting documentation can be resolved in the importer’s favour without further escalation

Stage 3: Focused Assessment

• A Focused Assessment is a structured audit covering specific compliance areas across a defined period of entries, typically one to three years
• CBP assigns a team of auditors who review the importer’s complete compliance programme including classification methodology, valuation practices, origin determination procedures, and internal controls
• The Focused Assessment can result in duty assessments, penalties, liquidated damages, and referral to the Trade Fraud Task Force if systemic non-compliance or evidence of intentional evasion is identified
• The retrospective exposure in a Focused Assessment is significant: CBP can reach back four to five years under the statute of limitations, meaning a compliance gap from 2021 or 2022 is within scope in 2026

Five Actions Every Importer Should Take in the CBP Customs Audit 2026 Environment

1. Audit your HS code classification for every active product line. Pull every product you are currently importing and verify the HS code against the current Harmonized Tariff Schedule. See our guide to the upcoming HS 2028 update for classification changes coming in January 2027 that may affect your current codes. Confirm that the classification is supported by a CBP ruling, a binding classification opinion, or documented internal classification analysis. An HS code that was correct in 2022 may be incorrect in 2026 following tariff reclassifications, new CBP rulings, or product specification changes. Use a licensed customs broker to verify US-specific duty treatment for each product. A CBP binding ruling is the most defensible classification support available. Pay particular attention to any product in Chapter 84 or 85 that carries Section 301 exposure. The difference between the correct and incorrect classification in these chapters can be 25% or more in tariff liability
2. Compile and retain complete country of origin documentation for every sourcing shift made since 2022. See our guide to supply chain diversification from China 2026 for the documentation framework required when shifting origin declarations. If you moved any product sourcing from China to Vietnam, Malaysia, Thailand, India, or Mexico in response to Section 301 or IEEPA tariffs, compile the full origin documentation trail now: supplier qualification records, manufacturing process documentation, substantial transformation analysis, bills of materials, and any other evidence that supports the declared country of origin. The Trade Fraud Task Force is specifically targeting cases where origin declarations changed at the same time that tariff rates made Chinese origin significantly more expensive. Origin documentation that cannot be produced in response to a CF-28 is the compliance gap that converts an information request into a Focused Assessment
3. Review your customs valuation methodology for related party transactions. If you import from a related party supplier, whether a parent company, affiliate, or subsidiary, confirm that your customs valuation satisfies CBP’s related party transaction standards. Transfer pricing documentation and customs valuation documentation are not the same. A transfer price that satisfies your tax authority may not satisfy CBP’s test for the customs value of the goods. Related party imports are a known AI targeting risk. The declared value must be supported by documentation that demonstrates it meets the transaction value standard or one of the alternative valuation methods under 19 USC 1401a
4. Establish a prior disclosure programme for any identified compliance gaps. For importers who have paid IEEPA tariffs that were subsequently ruled invalid, see our guide to IEEPA tariff refund claims via the CAPE portal for a parallel reclaim opportunity. If your HS code audit or origin review identifies a past classification error or undervaluation, file a prior disclosure with CBP before CBP contacts you. A prior disclosure on a duty underpayment reduces the penalty to interest on the unpaid duty only. The same underpayment discovered during a CBP audit carries penalties of up to four times the unpaid duty for negligent violations, and higher for intentional evasion. The Importer of Record named on every entry bears the legal responsibility for the accuracy of the declaration and the full legal exposure if it is wrong
5. Appoint a dedicated trade compliance resource and document your internal controls. CBP’s Focused Assessment process specifically evaluates whether the importer has a documented compliance programme with internal controls for classification, valuation, and origin determination. An importer who can demonstrate that they have written classification procedures, a documented origin determination methodology, and periodic internal audits is treated differently than one who cannot. A specialist trade compliance provider can conduct classification audits, valuation methodology reviews, origin documentation frameworks, and CF-28 response support. Carra Globe’s Global Trade Compliance service covers these areas for IT hardware, medical device, aerospace, and heavy equipment importers

Frequently Asked Questions

How does CBP’s AI system select which importers to audit?

CBP’s AI system cross-references entry data against commercial databases, supplier records, and historical import patterns to identify statistical anomalies in classification, valuation, and origin. Importers with inconsistent classification across entries, declared values below market comparables, or supply chain patterns consistent with transshipment score higher in the risk model. Volume alone does not determine selection: a small importer with a consistent anomaly pattern can be selected as readily as a large one.

How far back can a CBP audit reach?

CBP can audit entries going back four to five years under the applicable statute of limitations. A Focused Assessment opened in 2026 can cover entries from 2021 and 2022. Classification errors, valuation discrepancies, or origin misdeclarations from those years are within scope. The $54 million Trade Fraud Task Force settlement announced in December 2025 involved alleged misconduct dating back to 2015, demonstrating that False Claims Act litigation can reach even further.

What is the difference between a CF-28 and a CF-29?

A CF-28 is an information request. CBP is asking for documentation to support entries already filed. It is not a penalty or a determination of non-compliance. A CF-29 is a Notice of Action: CBP has made a determination that a discrepancy exists and is proposing corrective action. The CF-29 stage is where duty assessments and penalties begin. A strong CF-28 response frequently prevents escalation to CF-29.

Is IT hardware at higher audit risk in 2026?

Yes. Chapter 84 and 85 products carry significant Section 301 exposure on Chinese-origin goods and have seen widespread supply chain shifts to third countries since 2022. Both characteristics are high-priority risk indicators in CBP’s AI targeting model. AI hardware, including GPU accelerators, faces additional scrutiny for both classification and export control compliance.

What happens if I discover a classification error before CBP contacts me?

File a prior disclosure with CBP immediately. A prior disclosure filed before CBP initiates a formal inquiry reduces the penalty to interest on the underpaid duty only. The same error discovered during a CBP audit carries penalties of up to four times the unpaid duty for negligent violations. Prior disclosure is the single most effective tool an importer has for managing a compliance gap that has already occurred.