
Tackling fraud in EU cohesion spending: managing authorities need to strengthen detection, response and coordination
(pursuant to Article 287(4), second subparagraph, TFEU)
About the report
The Commission and the Member States share the responsibility to counter fraud and any other illegal activities affecting the EU’s financial interests. In the field of EU cohesion policy, where there is a significant incidence of reported fraud compared to other spending areas, the bodies in the front line of the fight against fraud are the Member State authorities responsible for managing EU programmes.
In this audit, we assessed whether managing authorities have properly fulfilled their responsibilities at each stage of the anti-fraud management process: fraud prevention, fraud detection and fraud response.
We found that managing authorities have improved the way they assess fraud risks and design preventive measures, but they still need to strengthen fraud detection, response and coordination among different Member State bodies. In particular, they have made no significant progress towards proactive fraud detection and the use of data analytics tools. Managing authorities under-report fraud cases to the Commission, which affects the reliability of published fraud detection rates. Deterrence is limited to the threat of withdrawing EU funding, with no other dissuasive penalties or sanctions. Moreover, suspicions of fraud are not systematically communicated to investigation or prosecution bodies.
Executive summary
I EU legislation defines fraud as a deliberate infringement that is, or could be, prejudicial to the EU budget. It is the joint responsibility of the EU and the Member States to counter fraud and any other illegal activities, such as corruption, affecting the EU’s financial interests. Between 2013 and 2017, the Commission and the Member States identified more than 4 000 potentially fraudulent irregularities. The EU support affected by these irregularities amounted to almost €1.5 billion, 72 % of which concerned EU cohesion policy. In this field, the managing authorities in the Member States are responsible for setting up proportionate and effective anti-fraud measures that take account of the identified risks. Such measures should cover the full anti-fraud management process (fraud prevention, detection and response, up to and including reporting on detected cases and recovery of funds unduly paid). The rate of detected fraud in relation to EU cohesion funding for the 2007‑2013 period ranged from 0 % to 2.1 %, depending on the Member State.
II Through this audit, we assessed whether managing authorities have properly met their responsibilities at each stage of the anti-fraud management process. To this end, we assessed whether managing authorities have:
- developed anti-fraud policies, performed a thorough risk assessment and implemented adequate preventive and detective measures; and
- properly responded to detected fraud in coordination with other anti-fraud bodies.
We found that managing authorities assessed the risk of fraud in the use of Cohesion funding better for the 2014‑2020 programming period, using in most cases the “ready-to-use” tool included in the Commission guidance. However, some of these analyses were not sufficiently thorough. Although they have improved fraud prevention measures, they have made no significant progress towards proactive fraud detection. Additionally, they have not often developed procedures for monitoring and evaluating the impact of their prevention and detection measures.
IV In the area of fraud response, managing authorities, in coordination with other anti-fraud bodies, have not been sufficiently reactive to all detected cases of fraud. In particular, reporting arrangements are unsatisfactory, several managing authorities fail to systematically communicate suspicions of fraud to the competent bodies, corrective measures have a limited deterrent effect and the coordination of anti-fraud activities is insufficient. We also found that the fraud detection rate for the 2007-2013 programming period in the Commission’s 2017 report on the protection of the EU’s financial interests is not a true representation of the level of fraud actually detected in the Member States visited, but rather an indication of the fraud cases that they decided to report to the Commission.
V As a result of our audit, we recommend that:
- Member States that do not have a national anti-fraud strategy should formulate one; unless a sufficiently detailed strategy exists at national level, the Commission should require managing authorities to develop formal strategies and policies to combat fraud against EU funds;
- managing authorities make fraud risk assessment more robust by involving relevant external actors in the process;
- Member States improve fraud detection measures by generalising the use of data analytics tools, and the Commission actively promotes the use of ‘proactive’ and other new fraud detection methods;
- the Commission monitors fraud response mechanisms to ensure they are consistently applied; and
- the Commission encourages Member States to expand the AFCOSs’ functions to improve coordination.
During the negotiations and approval process of the CPR for the period 2021-2027, the co-legislators could consider:
- making compulsory the adoption of national strategies or anti-fraud policies and the use of proper data analytics tools (e.g. Arachne);
- introducing sanctions and penalties for those responsible for fraud against the EU’s financial interests.
While respecting the Member States’ right to flexibility in defining and organising their own work against fraud in line with the principle of subsidiarity, the EU co-legislators could consider determining minimum functions for the Anti-Fraud Coordination Service (AFCOS) in the Member States in order to ensure an effective coordination role.
Introduction
The fight against fraud in the EU
01 EU legislation distinguishes between[1]:
- “Non-fraudulent irregularities”, defined as any infringement of a provision of EU law resulting from an act or omission by an economic operator which has, or would have, the effect of prejudicing the general budget of the EU or budgets managed by them because of an unjustified item of expenditure[2].
- “Fraudulent irregularities” (or “fraud”), defined[3] as any intentional act or omission relating to:
- the use or presentation of false, incorrect or incomplete statements or documents, which has as its effect the misappropriation or wrongful retention of funds from the general budget of the EU or budgets managed by, or on behalf of, the EU,
- non-disclosure of information in violation of a specific obligation, with the same effect, or
- the misapplication of such funds for purposes other than those for which they were originally granted.
Article 325 of the Treaty on the Functioning of the European Union (TFEU) stipulates that it is the joint responsibility of the EU (represented by the Commission) and the Member States to counter fraud and any other illegal activities affecting the EU’s financial interests. This obligation covers all EU revenue and expenditure programmes and all policy areas.
03 EU cohesion policy is structured around three of the European Structural and Investment Funds[4] (ESIFs): the European Regional Development Fund (ERDF), the Cohesion Fund (CF) and the European Social Fund (ESF), which together are known as the EU cohesion policy funds. The Commission and the Member States jointly implement these funds through operational programmes (OPs), which detail how Member States will spend EU funding during a programming period:
- There were 440 OPs in Cohesion for the 2007-2013 programming period. Almost two thirds of these OPs are already closed.
- There are 389 OPs for the 2014-2020 programming period. These OPs are still ongoing.
At the level of the Commission, two directorates-general are responsible for the implementation of EU cohesion policy: the Directorate-General for Employment, Social Affairs and Inclusion and the Directorate-General for Regional and Urban Policy. In the Member States, three different types of ‘programme authorities’ are involved in implementing and checking each OP:
- the managing authority (responsible for implementing the OP),
- the certifying authority (responsible for submitting payment applications to the Commission and preparing the OP’s annual accounts), and
- the audit authority (responsible for providing an independent opinion on the reliability of the accounts, the legality of the expenditure incurred and the functioning of the management and control systems).
The legal framework for EU cohesion policy in the 2007‑2013 programming period made Member States responsible for the prevention, detection and correction of irregularities (including fraud) and for the recovery of funds unduly paid[5]. This requirement is more explicit in the Common Provisions Regulation (CPR) for the 2014‑2020 programming period, which requires managing authorities to “put in place effective and proportionate anti-fraud measures taking into account the risks identified”[6]. The Commission recommends[7] that managing authorities deal with the full anti-fraud management process (see Figure 1), which comprises fraud prevention, fraud detection and fraud response (mainly including reporting on detected cases and recovery of funds unduly paid). In this regard, the Commission applies a principle of zero tolerance for fraud and corruption[8].
Figure 1
Fraud risk management process
Source: ECA, based on COSO framework
The European Anti-Fraud Office (OLAF) is the key anti-fraud body for the EU. It contributes to the design and implementation of the Commission’s anti-fraud policy and conducts administrative investigations into fraud, corruption and any other illegal activity affecting the EU budget.
07 At the level of the Member States, managing authorities are not alone in the implementation of anti-fraud measures. Since 2013, each Member State has been required to designate an anti-fraud coordination service (AFCOS) to facilitate effective cooperation and exchange of information, including information of an operational nature, with OLAF[9]. Through further guidance[10], the Commission specified that AFCOSs should have the mandate, within the Member State, to coordinate all legislative, administrative and investigative obligations and activities relating to the protection of the EU’s financial interests. In shared management, Member State authorities report cases of suspected or established fraud (and other irregularities) to the Commission through the Irregularity Management System (IMS) hosted at OLAF’s anti-fraud information platform.
Significant incidence of reported fraud in EU cohesion policy compared to other spending areas
08 On 5 July 2017, the European Parliament and the Council adopted Directive (EU) 2017/1371 on the fight against fraud to the Union's financial interests by means of criminal law (the “PIF Directive”[11]). The Directive establishes a common definition of fraud against the EU’s financial interests, in particular in the field of public procurement. Member States must enact the PIF Directive in national legislation by 6 July 2019[12].
09 In September 2018, the Commission published its 29th annual report on the protection of the European Union’s financial interests[13] (hereafter referred to as the 2017 PIF report). For shared management, the Commission prepares this report based on the information reported by Member States through the IMS (see paragraph 07). The analysis of the 2017 PIF report shows that the incidence of reported fraud (suspected and established) in EU cohesion policy is significantly higher than in other areas: Cohesion represents just one third of the budget but accounts for 39 % of all reported fraud cases and 72 % of the total financial amounts involved in these cases (see Figure 2).
Figure 2
Irregularities reported as fraudulent by policy area (2013-2017)
Source: 2017 PIF report - Statistical Annex Part II (Expenditure)
According to the data supporting the 2017 PIF report, irregularities reported as fraudulent by Member States represent 0.44 % of the EU funds paid in the field of cohesion policy. This indicator is known as the fraud detection rate[14] and varies widely by Member State (see Figure 3), ranging from 0 % to 2.1 % in relation to EU cohesion funding for the whole 2007‑2013 programming period. The 2017 PIF report does not provide any specific explanation regarding the significantly higher fraud detection rate reported for Slovakia. The average individual value of the irregularities reported as fraudulent amounts to €0.8 million.
Figure 3
Fraud detected and reported as a percentage of cohesion policy funds received by EU Member States in the 2007-2013 programming period
N.B. The calculation of the fraud detection rate represented in this figure excludes irregularities concerning fisheries policy (which are included in the statistics published by the Commission under cohesion and fisheries policies and which do not increase the fraud detection rate for the EU Total). This figure also excludes the multi-country European Territorial Cooperation (ETC) programmes. However, these programmes are considered for the calculation of the EU average in the figure. As regards the Member States presenting a zero FDR, Finland and Luxembourg reported no fraudulent irregularities, while Ireland and Sweden reported some irregularities with a low financial value.
Source: ECA, based on 2017 PIF report, Statistical annex.
We considered it necessary to assess the work carried out by managing authorities, as they are in the front line of the fight against fraud in EU cohesion policy. According to the Commission[15], the combination of a thorough risk assessment leading to adequate preventive and detective measures by managing authorities, on the one hand, and coordinated and timely investigations by competent bodies (usually the police or prosecutors), on the other hand, could significantly reduce fraud risk in the field of cohesion policy and provide suitable deterrence against fraud. This audit was structured around these two broad areas.
Audit scope and approach
12 We decided to audit the work of managing authorities in fighting fraud in cohesion policy because of the key role they play, and will continue to play in the 2021‑2027 programming period. We assessed whether managing authorities have properly fulfilled their responsibilities at each stage of the anti-fraud management process: fraud prevention, fraud detection and fraud response (including reporting on fraud and recovery of funds unduly paid). To this end, we assessed whether managing authorities have:
- developed anti-fraud policies, performed a thorough risk assessment and implemented adequate preventive and detective measures; and
- properly responded to detected fraud in coordination with the investigation and prosecution bodies and with AFCOSs, considering the design of these services in the Member States we visited.
We looked at the role played by managing authorities and AFCOSs in the Member States in cohesion policy. We audited the managing authorities for the operational programmes funded by the three main European Structural and Investment Funds concerning EU cohesion policy: the CF, the ESF and the ERDF. We decided to exclude the European Territorial Cooperation objective (ETC) of the ERDF, as the projects financed by the corresponding OPs involve partners from different countries under the supervision of authorities in different Member States.
14 We reviewed how managing authorities had considered the Member States’ legal and strategic anti-fraud framework for the management of the anti-fraud process, in particular when a national anti-fraud strategy was available. We invited all managing authorities to participate in a survey on fraud prevention and detection measures and obtained replies from authorities in 23 Member States.
15 We visited seven Member States: Bulgaria, France, Hungary, Greece, Latvia, Romania and Spain. For the selection of these Member States, we considered the fraud detection rates and the number of fraud cases presented in the 2016 PIF report, as well as their correlation with other available fraud risk indicators. During our visits, we met with representatives of the authorities responsible for implementing a total of 43 OPs (22 OPs for 2007‑2013 and 21 OPs for 2014‑2020) and with key actors in the fight against fraud (prosecution and judicial bodies, investigative bodies, anti-fraud agencies, competition authorities). In the Member States we visited we audited a judgemental sample of OPs selected to be representative of all funds (ERDF, ESF and, where applicable, CF) and a range of intervention types.
16 We reviewed the case files of a sample of 138 irregularities reported to the Commission as fraudulent from the 22 OPs we tested for 2007‑2013. Wherever the size of the population allowed, we applied the random method known as monetary unit sampling to select the irregularities to be reviewed. We did not assess the work of investigation, prosecution and judicial bodies – although we did look at the managing authorities’ coordination and communication with those bodies.
17 The findings in this report complement those in special report 01/2019: “Fighting fraud in EU spending: action needed”, published on 10 January 2019, which covered the design and implementation of the Commission’s Anti-Fraud Strategy. In that report, we mainly focused on the role of OLAF, but also looked at the work done on anti-fraud policies by the Commission DGs responsible for the implementation of EU cohesion policy (see paragraph 04).
Observations
Anti-fraud policy, fraud prevention and detection measures
Managing authorities generally have no specific anti-fraud policy
18 The Commission has provided guidelines for Member States and managing authorities to help them comply with their legal obligation to put in place anti-fraud measures that are proportionate and effective.
- At the level of the Member States, the Commission recommends the adoption of national anti-fraud strategies for the protection of the ESI Funds, with the objective of ensuring homogenous and effective implementation of anti-fraud measures, especially where Member States’ organisational structures are decentralised.
- At the level of operational programmes, the Commission recommends that managing authorities develop a structured approach to tackling fraud, organised around the four key elements in the anti-fraud management process: prevention, detection, correction and prosecution[16].
- The Commission has further defined concrete criteria for evaluating the way managing authorities have complied with their legal obligations for setting up proportionate and effective anti-fraud measures[17].
The Commission recommends that managing authorities use a formal anti-fraud policy[18] to communicate their determination to combat and address fraud. This policy should, in particular, include strategies for the development of an anti-fraud culture and the allocation of responsibilities for tackling fraud. We consider that managing authorities should have prepared a formal anti-fraud policy or a similar single, stand-alone document specifying their fraud prevention, detection and response measures and making clear to their own staff, the beneficiaries of EU funding and other authorities that measures to tackle fraud are in place and being implemented.
20 We found during our visits that very few of these policies actually constitute formal reference documents summarising the measures to be implemented at each stage of the anti-fraud management process in response to identified fraud risks. We only found examples of formalised anti-fraud policies in Latvia, at specific intermediate bodies in Spain, and in France (where the policy has not been made public). In all other cases, to obtain a full description of anti-fraud measures we needed to consult multiple management documents and manuals of procedures. We consider that the absence of formalised anti-fraud policies limits Member States’ ability to supervise and coordinate anti-fraud measures and evaluate their effectiveness. This is particularly relevant in that only ten Member States have adopted a national anti-fraud strategy[19] based on the Commission’s recommendation (see paragraph 18).
21 We also consider the absence of provisions requiring managing authorities to adopt formal anti-fraud policies as a shortcoming in the design of the anti-fraud framework for 2014‑2020. Furthermore, Commission Delegated Regulation (EU) No 480/2014 (complementing the CPR for 2014‑2020) does not mention shortcomings in the implementation of proportionate and effective anti-fraud measures in the context of determining ‘serious deficiencies’ that could lead on their own to the suspension of payments to or the financial correction of operational programmes[20]. As a result, the use of anti-fraud measures is given less weight than other areas in the assessment of management and control systems. The Commission’s proposal for the CPR for 2021‑2027 does not consider anti-fraud measures as one of the enabling conditions[21] which Member States must meet before they can obtain EU cohesion funding.
Managing authorities systematically assess fraud risks, but this process could be further improved
Managing authorities systematically identify fraud risks
22 The most significant change compared to the 2007‑2013 programming period is that managing authorities now have to assess fraud risks in line with the requirements of the 2014-2020 control framework (see paragraph 05). The purpose of this exercise is for managing authorities to determine the suitability of existing internal controls to address the risks associated with different fraud scenarios and identify areas where additional controls are necessary.
23 Among other anti-fraud topics, the EGESIF guidelines for Member States and managing authorities (see paragraph 18) address the task of fraud risk assessment including a practical “ready-to-use” tool to perform the assessment[22]. All the managing authorities we visited in the context of our audit had complied with their obligation to perform a fraud risk assessment. This marks an improvement in the way these authorities approach the fight against fraud in Cohesion. In most cases, the authorities applied the model fraud risk assessment developed by the Commission or their own adaptation of that model.
24 On 28 November 2018, the Commission published the results of a study[23], which it had outsourced in December 2016, on the fraud and corruption prevention practices implemented by Member States in response to the specific provisions in place for the 2014-2020 programming period. The study concluded that the new legislative requirements, in particular as regards the fraud risk assessment process, had helped to make Member States’ efforts to tackle fraud more formalised and systematic. However, the study also concluded that some authorities may underestimate their self-assessed levels of risk (see Box 1).
Box 1
Stock taking study on preventing fraud and corruption in the ESIFs
The study was based on a sample of 50 2014‑2020 OPs (41 of which related to Cohesion, excluding ETC) selected by the Commission on a judgemental basis to cover all Member States and a range of sectors and funds. The study team reviewed information from Member States (in particular the outcome of their fraud risk assessments) and conducted interviews with programme authorities and AFCOSs.
The study focused on the design of fraud prevention measures and (to a lesser extent) fraud detection methods and assessed how proportionate the measures were to the identified risks. However, it did not address the manner in which the fraud risk assessment had been conducted. The study did not conclude on the effectiveness of the measures put in place, either.
The key lessons drawn from the study can be summarized as follows:
Positive remarks | Areas for improvement |
---|---|
Anti-fraud and anti-corruption efforts are more formalised and systematic in the 2014-2020 programming period. | Proportionateness of mitigating measures is lowest for the risks of collusive bidding and double funding. |
Mitigating measures are generally proportionate to the self-assessed risks. | Some authorities may underestimate their self-assessed levels of fraud risk. |
Most authorities are using the Commission’s fraud risk assessment template. | Not all managing authorities conduct a fraud risk assessment at OP level. |
A more inclusive fraud risk assessment process is better suited to reducing fraud risks. | There is a need for more communication to Member State authorities on anti-fraud activities. |
 | In its current form, the managing authorities in the sample perceive Arachne as not entirely meeting their needs. |
There are some areas for further improvement
25 However, we note that some of the managing authorities we visited take a mechanical approach to the assessment of fraud risks, suggesting that they favour form over substance.
26 In addition, they generally base the identification of fraud risks on their own experience, without any additional input from other knowledgeable actors (anti-fraud coordination services, investigative and prosecution bodies or other specialised expert agencies).
27 During our Member State visits, we found indications that several managing authorities and intermediate bodies might have inadequately evaluated fraud risks:
- In Bulgaria, the audit authority had already detected that some managing authorities had incorrectly classified specific fraud risks as low and therefore failed to address them through additional control procedures.
- In France, the managing authorities we visited had not assessed the impact of additional controls on the residual risk of fraud.
- In Spain, where the responsibility for fraud risk assessment is partly delegated to intermediate bodies, an independent evaluation mandated by the managing authority detected coherence problems between identified risks and planned controls (e.g. certain risks not covered by an action plan or controls set up in areas marked as not applicable).
- In one of the OPs audited in Romania, intermediate bodies dealing with similar delegated functions and funding provided different fraud risk assessments.
- In Hungary, we found that the fraud risk assessment was insufficiently comprehensive (it excluded previous audit results) and did not identify risks specifically associated with the types of operations and beneficiaries covered by the OPs.
In nearly all cases the managing authorities concluded that existing anti-fraud measures address the identified fraud risks. Given the shortcomings identified, we consider that this conclusion may be too optimistic.
Managing authorities have improved their fraud prevention measures but made no significant progress towards proactive fraud detection
29 Managing authorities are expected to develop effective and proportionate fraud prevention and detection measures in response to identified risks, in such a way that the opportunity to commit fraud is substantially reduced.
Managing authorities have developed specific fraud prevention measures for 2014‑2020
30 We found that the additional anti-fraud measures developed for the 2014-2020 period largely focus on preventive actions, which are more comprehensive than those set up for 2007-2013. Our survey showed that such additional preventive measures mainly comprise fraud-awareness training for staff, policies on conflicts of interest and ethical guidance for employees and beneficiaries, and the publication of high-level institutional anti-fraud statements or declarations.
31 Our survey also showed that managing authorities consider fraud-awareness measures (both staff training and measures targeting intermediate bodies and project beneficiaries), policies on conflicts of interest and codes of conduct to be the most effective way of preventing fraud in the use of EU Cohesion funding (see Figure 4). Other fraud prevention measures, such as employee support programmes (aimed at reducing pressure on employees exposed to fraud) and bounty schemes (whereby managing authorities make public their intention to reward whistleblowers of fraud), remain infrequent, although they are considered reasonably effective.
Figure 4
Fraud prevention measures implemented by managing authorities and their perceived effectiveness
Source: ECA survey of managing authorities
Several Member States have taken a more innovative approach to preventing fraud against the EU’s financial interests, such as by involving civil society organisations in monitoring the execution of public contracts or running campaigns questioning the social acceptability of certain fraudulent practices (see Box 2).
Box 2
Innovative fraud prevention measures
Integrity pacts
In 2015 the European Commission and Transparency International, a global non-governmental organisation actively fighting corruption and particularly known for its publication of the Corruption Perception Index (CPI), launched a pilot project on ‘integrity pacts’ as an innovative way of preventing fraud in EU cohesion policy projects. An integrity pact is an agreement in which the authority responsible for awarding a public contract and the economic operators bidding for the contract undertake to abstain from corrupt practices and ensure transparency in the procurement process. Pacts also include a separate agreement engaging a civil society organisation (such as an NGO, a foundation or a local community-based organisation) to monitor all parties’ compliance with their commitments. The purpose of integrity pacts is to increase transparency, accountability and good governance in public contracting, enhance trust in public authorities and promote cost efficiency and savings through better procurement. The second phase of the project began in 2016 and will run for four years[24]. We discussed the use of integrity pacts with civil society organisations in Latvia, Romania and Hungary, which were generally positive about the initiative.
“FRAUD OFF!” campaign
In March 2017, the Latvian AFCOS launched an awareness-raising campaign called “FRAUD OFF!” questioning the social acceptability of certain types of fraudulent behaviour. National TV channels ran campaign advertisements featuring national celebrities, and publicity material was distributed to institutions, businesses, shops and the population in general. The campaign reached a significant audience and trended heavily for a while.
Fraud detection measures for 2014‑2020 remain largely the same as for 2007‑2013
33 While the compulsory fraud risk assessment has meant a greater focus on fraud prevention, managing authorities have developed very few additional fraud detection methods for the 2014-2020 programming period. They rely instead on the internal controls and procedures that were already in place for 2007‑2013 under a weaker control framework (see Figure 5). These are mainly on-the-spot checks (audits), internal fraud reporting mechanisms and, to a lesser extent, the identification of specific fraud indicators[25] (red flags). Both through the survey and during our visits to Member States, we found very few additional ‘proactive’ controls to detect fraud (e.g. specific checks for collusion in public procurement, such as the semantic analysis of bids received or the identification of abnormal bidding patterns).
Figure 5
Fraud detection measures implemented by managing authorities and their perceived effectiveness
Source: ECA survey of managing authorities
Practical problems limit the usefulness of fraud hotlines for whistleblowers
34 Our survey showed that managing authorities make little use of fraud hotlines for whistleblowers, even though they generally consider this tool to be an effective fraud detection method. Fraud hotlines and other whistleblowing mechanisms allow managing authorities (and other relevant Member State authorities) to become aware of potential fraud that other controls have failed to detect[26]. Various studies show that these methods are regarded as the most important source of fraud reports[27]. During our visits, we assessed whistleblowing mechanisms and found a number of practical problems with their use. For example, they are not always anonymous and there is a risk of insufficient awareness of them among project beneficiaries and the general public. In the event of regulatory limitations on the use of anonymous denunciation channels, managing authorities and AFCOSs can always redirect anonymous whistleblowers to the fraud notification system put in place by OLAF[28].
35 On 23 April 2018 the Commission proposed a Directive on the protection of whistleblowers. This aimed to unify the different approaches currently applied by Member States and to increase the level of protection for people reporting on breaches of Union law, including all breaches affecting the EU’s financial interests. In our opinion on the proposal, issued on 15 October 2018, we stated our view that the introduction or expansion of whistleblowing arrangements in all Member States would help improve the management of EU policies through the actions of citizens and employees. However, we also highlighted some areas of concern, such as the overly complex material scope of the proposal, which could reduce the legal certainty for potential whistleblowers and thus deter them from reporting. Other issues we raised were the lack of clear obligations regarding awareness-raising and staff training, and our conviction that people who have reported anonymously should not be denied whistleblower protection if their identity is subsequently revealed[29]. In relation to the adoption of this Directive, the European Parliament and the Member States reached on 12 March 2019 a provisional agreement on the new rules that would guarantee protection for whistleblowers who report breaches of EU law[30].
Data analytics is under-used for fraud detection
36. The Commission encourages managing authorities to use data analytics proactively to detect potentially high-risk situations, identify red flags and refine the aim of measures to combat fraud. Data analytics should be a systematic part of project selection, management verifications and audits[31]. In the framework of the fight against fraud, the Commission offers a specific data-mining tool (Arachne) to help managing authorities identify projects that might be subject to risks of fraud. According to the information we received from the Commission, in December 2018 Arachne was being used by 21 Member States for 165 OPs representing 54 % of all EU cohesion funding for 2014‑2020 (excluding ETC). In our special report 01/2019: “Fighting fraud in EU spending: action needed”, we highlighted the importance of Arachne as a fraud prevention tool. We have now assessed Arachne’s role as a data analytics tool for fraud detection.
37. One of the most significant observations arising from our audit work is that managing authorities do not sufficiently use data analytics for fraud detection. Our survey showed that only one in every two managing authorities uses data analytics tools in this way (see Figure 5). Arachne in particular is under-used. In the Member States we visited we found that:
- One Member State (Greece) has not provided any information as to whether or not Arachne will be introduced in the near future. However, the Greek managing authorities have not adopted an equivalent data analytics tool which could be used for all OPs in the country.
- In four of the remaining six Member States, even where they have decided to use Arachne the managing authorities have made little progress on uploading the necessary operational data or using the tool for their internal controls.
- The Arachne Charter allows access only to managing authorities, certifying authorities and audit authorities. Thus, Arachne cannot be automatically used by investigative bodies.
We also found that, in two of the Member States we visited, managing authorities which have fully incorporated Arachne into their management procedures have used the tool to help them to adapt their specific anti-fraud measures to high-risk beneficiaries.
38. We did not obtain any convincing explanation as to why managing authorities were not making full use of the tool, which the Commission makes available free of charge. However, the Commission’s own November 2018 study (see paragraph 24 and Box 1) concluded that managing authorities consider that, in its current form, Arachne does not entirely meet their needs. The authors of the study found this particularly worrying, as the usefulness of Arachne is largely perceived to depend on the number of OPs feeding information into the tool[32].
39. Nevertheless, during our visits we were able to identify some examples of good practice where Member State authorities had developed data analytics tools to help with the identification of potential fraud risks (see Box 3).
Box 3
Good practices in data analytics by Member States
We identified the following data analytics tools that are used directly to detect potential fraud in the use of EU Cohesion funding:
- In Romania, the National Integrity Agency has developed an IT system (‘PREVENT’) that compares the public procurement information provided by contracting authorities and bidders with information from other national databases (e.g. the trade register). Use of the system in connection with 839 public procurement procedures financed by the EU enabled the Agency to issue 42 integrity warnings for correction or investigation.
- In Spain, the intermediate body responsible for implementing a large part of the OP ‘Comunidad Valenciana’, in cooperation with higher education institutions, has developed a rapid alert IT system (‘SALER’) combining four separate national and regional databases in order to identify fraud risks. Implementation of this tool is ongoing.
Managing authorities lack procedures for monitoring and evaluating fraud prevention and detection measures
40. The Commission encourages Member States and managing authorities to define procedures for monitoring the implementation of fraud prevention and detection measures. These should include specific arrangements for reporting what anti-fraud measures have been set up and how they are applied. Member States and managing authorities should use the results of monitoring to evaluate the measures’ effectiveness and rework their anti-fraud strategies and policies as necessary.
41. Except in Latvia, we found that none of the managing authorities we visited examines the effectiveness of fraud prevention and detection measures. They keep limited records of which measures are used and seldom link them to specific results. Consequently, anti-fraud systems are not evaluated in terms of their actual results – either by managing authorities or by any other programme authority (e.g. the audit authority) or the AFCOS.
Similar levels of fraud reported for the 2007‑2013 and 2014‑2020 programming periods
42. Managing authorities and other Member State bodies report fraudulent and non-fraudulent irregularities to the Commission through the IMS. As of December 2018, Member States (mainly managing and audit authorities) had reported a total of 1 925 and 155 irregularities as fraudulent, respectively, for the 2007‑2013 and 2014‑2020 programming periods. These concerned suspected and established fraud cases potentially affecting €1.6 billion (2007‑2013) and €0.7 billion (2014‑2020) in EU funds.
43. Figure 6 charts the evolution in the number and value of irregularities reported in the IMS for the 2007‑2013 and 2014‑2020 programming periods. So far, 155 irregularities have been reported as fraudulent for 2014‑2020 – 10 % fewer than at the same stage in the 2007‑2013 period (174). In financial terms the situation is rather different: the potential impact of reported fraud on EU cohesion policy funds in the 2014‑2020 programming period (€0.7 billion) is more than three times higher than at the same stage of the previous period (€0.2 billion). However, this significant increase is the result of two separate cases of suspected fraud that we consider to be data outliers[33].
Figure 6
Evolution of irregularities reported as fraudulent
Source: ECA, based on IMS data
Most fraud cases reported to the Commission are detected through on-the-spot checks or revealed by investigative and prosecution bodies or the media
44. The IMS contains a number of data fields that are to be used to characterise irregularities and indicate the status of any proceedings. One of these fields is headed ‘source of the information leading to a suspicion of an irregularity’, which represents the method of detection. Based on the data recorded in the IMS up to and including December 2018, we analysed the sources of information leading to the reporting of irregularities as fraudulent for the 2007‑2013 programming period (see Figure 7). We did not assess the data for 2014‑2020 because it is still very incomplete and contains outliers (see paragraph 43).
45. By number, most irregularities were detected by means of on-the-spot checks by programme authorities (see paragraph 04), followed by reports from investigative or prosecution bodies. This would suggest that these are the most effective means of detecting fraud in the use of Cohesion funding. However, the statistics are influenced by the generalised use of audits as a fraud detection method (see paragraph 33 and Figure 5). By value, the bulk of reports of fraudulent irregularities resulted from cases opened directly by investigative and prosecution bodies, or from revelations in the press and other media. We consider that the statistics on the sources of information on fraud by value are strongly affected by uncertainty about the true amounts concerned, although less so when the information comes from an investigative or prosecution body.
Figure 7
Irregularities reported as fraudulent for 2007‑2013 in the field of Cohesion by information source
Source: ECA, based on IMS data
Fraud response, investigation and coordination among the relevant bodies
46. The Commission requires managing authorities to develop effective fraud response measures. These should include clear mechanisms for reporting suspected fraud and clear procedures for referring cases to the competent investigation and prosecution authorities. There should also be procedures for following up suspected fraud and, where necessary, recovering EU funds. Managing authorities should work with their AFCOSs, and there is a need for adequate coordination among all administrative and law enforcement bodies.
Managing authorities’ under-reporting has affected the reliability of the fraud detection rates published in PIF reports
47. Member States must use the IMS to notify the Commission of irregularities exceeding €10 000 that cause them to suspect or establish fraud[34]. Member States must report suspected or established fraud cases even if they have been resolved before certification of the related expenditure to the Commission.
Not all potential fraud is reported as such in the IMS
48. Figure 3 above presents the fraud detection rates for 2007‑2013 in EU cohesion policy. These are based on IMS data and were published in the 2017 PIF report. In special report 01/2019, we stated that the PIF report data on detected fraud was incomplete[35]. Our work for this audit confirmed that assessment. We also detected several cases that raised questions about the completeness and reliability of the fraud data in the IMS and therefore limit the use that the Commission and Member States can make of the system.
49. We found that not all Member States interpret the EU definition of fraud in the same way (see paragraph 01). For instance, cartel offences (bid rigging) are not always reported as fraudulent in Spain but other Member States, such as Latvia, systematically report them.
50. We came across cases where irregularities giving clear indications of fraud were not properly reported to the Commission because they had been detected and corrected before certification of the related expenditure to the Commission. However, Member States are supposed to report suspicions of fraud (as ‘attempted fraud’) even if there is ultimately no EU co-financing. In Hungary, the managing authorities do not report suspicions of fraud that are resolved prior to certification to the Commission. In Spain, the managing authority responsible for the ESF withheld payments as a precautionary measure, but without reporting to the Commission on the expenditure affected by cases of alleged fraud that had appeared in the press.
51. We found inconsistencies in the Member States’ use of administrative or legal acts to trigger reporting to the Commission. For instance, Romania does not systematically report ongoing investigations or decisions to prosecute in the IMS. As required by Romanian law, suspicions of fraud are only encoded when a managing authority, the audit authority, the AFCOS or OLAF issues an additional separate control/investigation report, even if an investigation is already ongoing or has been concluded. As a result, reporting in IMS is unduly delayed and some cases in the courts might be totally excluded from the system.
52. Finally, we also found that the Hungarian AFCOS has a large backlog of cases to be analysed prior to reporting in the IMS.
The IMS contains some inaccuracies and obsolete data
53. We found examples of inaccurate or obsolete data in the IMS, particularly in relation to the status of a case and the key dates in the sanctioning procedure. This could indicate that a managing authority, the data validator or AFCOS has not carefully checked data quality. While this situation is not satisfactory, it does not usually affect the number of fraud cases reported in IMS.
54. We identified inconsistencies in the approach taken by managing authorities to assess the financial impact of potential fraud. As a result, similar legal offences may be quantified differently in the IMS by different Member States. Most concerned are cases where it is difficult to state accurately how much expenditure is affected (e.g. conflicts of interest in project selection or public procurement infringements).
Under-reporting has affected the reliability of fraud detection rates
55. The 2017 PIF report gives fraud detection rates for each Member State and for the EU as a whole, based on the data reported in the IMS by Member States’ authorities and AFCOSs (see paragraph 07). It does not provide a similar comparative indicator regarding the number of irregularities across the EU in the field of cohesion policy. To compute this figure, we compared the number of fraudulent irregularities reported by each Member State with the amount they had received in EU funds (see Figure 8). We found that France reports the fewest fraudulent irregularities for each euro it receives from the EU. In our view, France does not adequately report irregularities, including suspicions of fraud.
Figure 8
Cohesion policy funds – EU funds received per irregularity reported as fraudulent - 2007‑2013 programming period
Source: ECA, based on 2017 PIF report. This chart does not include Finland or Luxembourg, which reported no fraudulent irregularities for the period.
56. In our view, the fraud detection rates published by the Commission are actually fraud reporting rates: they do not necessarily reflect the effectiveness of Member States’ detection mechanisms or even indicate how much fraud is actually detected, but rather show how many cases Member States have decided to report to the Commission (see paragraphs 48 to 52). In our special report 01/2019, we concluded that the correlation between fraud detection rates and other corruption risk indicators is weak[36].
57. In the light of the problems we identified, we consider that the fraud detection rate published in the 2017 PIF report for cohesion policy does not give a true representation of the incidence of fraud in the Member States we visited.
Several managing authorities fail to systematically communicate suspicions of fraud to investigation or prosecution bodies
58. A key part of reducing fraud risk and heightening fraud deterrence is for competent judicial bodies (police, prosecutors and others) to investigate reports of fraud in a coordinated and timely manner. Although this audit did not cover the work of investigation and prosecution bodies, we did assess the way managing authorities communicate and coordinate with them.
59. Putting the principle of fraud deterrence into practice requires managing authorities (or any other authority detecting potential irregularities) promptly and systematically to communicate suspicions of fraud to the relevant investigative or prosecution bodies, which are the only ones capable of determining intent. In several cases we found that managing authorities failed to systematically report suspected fraud to the bodies charged with investigation. In Greece, for instance, the managing authorities had not referred any of the suspicions of fraud sampled for our audit to the prosecution services. In Spain we found no specific instructions or procedures requiring managing authorities to report all suspected fraud in this way. Failure to communicate suspicions of fraud severely limits the deterrent effect of possible investigation and prosecution.
60. Investigators and prosecutors regularly turn down requests to open criminal investigation of cases referred to them by managing authorities. This is quite normal, as only these specialised services have the legal capacity and investigative resources to establish whether a criminal act may have taken place. However, managing authorities should always analyse the reasons for a rejection and, where possible and appropriate, amend their operational procedures. We found that only Latvia has made arrangements to analyse why referred cases are rejected and take the necessary action.
Corrective measures have a limited deterrent effect
61. Managing authorities are expected to recover EU funds that are spent fraudulently[37]. They are also charged with making a thorough and critical review of any internal control systems that may have exposed them to potential or proven fraud.
62. The most common corrective measure is to withdraw affected expenditure from the declarations made to the Commission, but without recovering funds from the perpetrator of fraud or imposing any type of additional deterrent action such as a sanction or penalty. There is nothing unusual about this procedure, as in most of the cases we reviewed the actual occurrence of fraud had not yet been established. According to the IMS, however, Member State authorities had initiated the recovery of EU funds in only 84 out of 159 cases of established fraud[38]. Withdrawing expenditure from declarations to the Commission is an effective way of protecting the EU’s financial interests. However, this protection does not extend to national public funding – i.e. Member States’ budgets are still affected if there is no recovery – which places limits on the deterrent effect of corrective action taken by managing authorities. Our special report 01/2019 provides additional information on the recovery of funds related to established fraud cases[39].
63. As well as recovering any EU funds affected by fraud, managing authorities are expected to assess the horizontal implications for their management and control systems and other projects (e.g. same beneficiary or similar signs of fraud).
64. Of the seven Member States we visited, we only found evidence of this kind of assessment in Spain (see Box 4). However, even there, verification is not systematic.
Box 4
Example of good practice: checking for systematic fraud based on an initial case
Most individual suspicions of fraud reported by Spain in relation to the 2007-2013 programming period can be traced to a single investigation triggered by an intermediate body.
Based on the preliminary conclusions of an initial verification, the intermediate body made horizontal checks of all other grants awarded to the same final beneficiary. It concluded that there was enough evidence to suspect systematic fraud involving false invoicing and collusion with external suppliers.
The intermediate body duly reported the results of its checks and its suspicions of fraud to the Spanish prosecutors and to the Commission. The investigation currently covers 73 % of all the cases of suspected fraud reported in Spain for the 2007‑2013 programming period and 56 % of their estimated potential impact on the EU contribution.
The fight against fraud is weakened by various management issues
It can take a long time to punish fraud
65. There may be a long time between the commission of fraud and the imposition of sanctions (see Figure 9). According to the data recorded in the IMS, on average suspicions of fraud are raised around two years after the perpetration of an irregularity[40]. It can take another year to confirm those suspicions through a preliminary assessment leading to a primary administrative or judicial finding[41] and to report the case to the Commission through the IMS. From this point onwards, the Commission is in a position to monitor the case and consider it for the purposes of the annual PIF report. Following the preliminary assessment (and in parallel to reporting to the Commission), it takes around five months to initiate any administrative or criminal proceedings with a view to imposing sanctions. These proceedings take three years on average to come to term.
Figure 9
Average time taken for fraud to be detected, reported and closed by the competent Member State authorities
Source: ECA, based on information extracted from IMS
The functions of AFCOSs are insufficiently defined in the Regulation and vary considerably among Member States
66. Even though the main responsibility for fighting fraud in the use of Cohesion funding lies with the managing authorities, the AFCOSs play an essential role in coordinating the work of these authorities with other Member State bodies and with OLAF. The EU legislation establishing the AFCOSs[42] does not provide guidance regarding their terms of reference, organisational framework or tasks. The Commission has provided specific recommendations in this respect through further guidance[43] (see paragraph 07). However, it is up to each Member State to make specific arrangements for its AFCOS.
67. The resources and organisational arrangements of AFCOSs should allow them to properly monitor fraud reporting and coordinate the work of all parties involved in the fight against fraud. In the absence of clear guidance, we found that the AFCOSs in the seven Member States we visited had significantly different structures and powers. They ranged from small departments without investigative authority to complex structures that are fully empowered to carry out administrative investigations (see Figure 10). The French AFCOS has the same number of staff as the Latvian AFCOS, despite the difference between the two countries in terms of size and volume of funds received.
Figure 10
Overview of AFCOSs in the Member States we visited
Source: ECA
68. The Hungarian AFCOS lacks proper arrangements for reporting on activities carried out by the Member State to protect the EU’s financial interests. This AFCOS does not make public any reports on those activities or on potential fraud in EU Cohesion spending (see Figure 10).
69. On 23 May 2018, the Commission issued a proposal for amendments to the OLAF Regulation[44]. Before putting forward the proposal, in 2017 the Commission had conducted an evaluation[45] of the way the OLAF Regulation was being applied. The evaluation identified discrepancies in the way AFCOSs were set up in different Member States, and in their powers, as the main factor inhibiting their effectiveness.
70. On 22 November 2018, the Court gave its opinion on the proposal[46]. Our view was that the proposal does not sufficiently contribute to the more harmonised and effective implementation of AFCOSs in all Member States, as it only addresses the services’ cooperation with OLAF and fails to provide clarity as to their minimum functions.
The status of fraud cases is inadequately reported and followed up
71. In order to follow up the status of a case, it may be necessary to consult parties involved in the fight against fraud that are outside the OP management and control structures. We consider that, as the central structures liaising with OLAF in the fight against fraud, AFCOSs should have an overview at all times of cases of fraud involving EU funding. To do this, they should be able to obtain information on the status of cases investigated by the competent authorities in their Member States. In addition, they should have statistics on the number and progress of cases under investigation, with due regard to procedural confidentiality.
72. In five of the Member States we visited, the AFCOSs were insufficiently aware of the investigative status of cases reported to the Commission. In Romania and Hungary we found no formal mechanism for systematic cooperation between the managing authorities, the AFCOS and the investigative and prosecution bodies; thus the AFCOS had no full overview of ongoing investigations involving EU-funded projects. That said, the Romanian AFCOS periodically approaches the prosecution bodies for information on the status of ongoing investigations about which it is aware. In Spain, the AFCOS also takes a proactive approach by requesting data on ongoing investigations. In spite of this, it is unable to ensure that updated information is forwarded to the Commission.
73. We found coordination and information exchange issues in six of the seven Member States. We were also unable to reconcile the information recorded in the IMS regarding cases of suspected and confirmed fraud involving EU funding with that held by the various authorities. This finding raises questions about the reliability of the information reported to the Commission. The Member States concerned keep no central database or other form of centralised statistical records that might provide an overview of the nature and status of fraud cases (see paragraph 48).
Coordination mechanisms are often lacking
74. Protection for the EU’s financial interests at the level of the Member States does not exclusively concern the authorities responsible for the implementation of Cohesion funding or the AFCOSs. Other interested parties include investigation and prosecution bodies, competition authorities, procurement agencies and, depending on the country, certain other institutions. Member States should put in place adequate coordination mechanisms so that the various actors can exchange information about measures taken and planned, as well as recommendations for improvement.
75. However, most of the Member States we visited do not have proper coordination mechanisms involving all the relevant parties in the fight against fraud involving EU Cohesion funding.
76. In Bulgaria, where 60 % of the cases we examined had been rejected or terminated by the prosecutor’s office, neither the AFCOS nor the managing authorities systematically analyse the reasons for rejection. In Hungary, the AFCOS does not have an overview of measures actually implemented as part of the anti-fraud management process or of the status of reported cases. The Romanian AFCOS carries out coordination work solely on the basis of bilateral agreements with each of the programme authorities, but there is no national multilateral coordination mechanism involving all stakeholders. In Spain, the establishment of a body meant to assist the AFCOS by coordinating all parties to the fight against fraud has been pending since the AFCOS was set up in 2016[47].
77. We found an example of good coordination practice in Latvia (see Box 5).
Box 5
Coordination between managing authorities and investigation and prosecution bodies
In Latvia, the investigative authorities refused to start criminal proceedings in a number of cases identified by the managing authority and its delegated intermediate bodies. To analyse the reasons for these refusals and determine whether changes were required to working practices, the AFCOS set up an interinstitutional working group involving the authorities, the Ministry of Justice, the police and the State prosecution service. The working group now meets regularly to examine cases of suspected fraud in the implementation of Cohesion funding.
Conclusions and recommendations
78. Through this audit, we assessed whether managing authorities have properly met their responsibilities at each stage of the anti-fraud management process: fraud prevention, fraud detection and fraud response (including reporting on fraud and recovery of funds unduly paid). To this end, we assessed whether managing authorities have:
- developed anti-fraud policies, performed a thorough risk assessment and implemented adequate preventive and detective measures; and
- properly responded to detected fraud in coordination with AFCOSs and other competent anti-fraud bodies.
79. Our overall conclusion is that, although there have been improvements in the way managing authorities identify fraud risks and design preventive measures, they still need to strengthen fraud detection, response and coordination.
Managing authorities generally have no specific anti-fraud policy
80. Managing authorities seldom prepare a formal anti-fraud policy or a similar single document specifying the fraud prevention, detection and response (correction and prosecution) measures which they have designed following a risk assessment. We consider that the preparation and publication of a formal anti-fraud policy in the form of a single, stand-alone document is essential in order to communicate a managing authority’s determination to actively combat fraud. This is particularly relevant, as only ten Member States have adopted a national anti-fraud strategy based on the Commission’s recommendation. We consider the absence of provisions requiring managing authorities to adopt formal anti-fraud policies to be a shortcoming in the design of the anti-fraud framework for 2014‑2020 (paragraphs 18 to 21).
Recommendation 1 – Develop formal strategies and policies to combat fraud against EU funds
- Member States that do not have a national anti-fraud strategy (see paragraph 20 and footnote 19) should formulate one. The strategy should at least:
  - be based on the assessment of existing risks and involve knowledgeable actors from different areas (managers of EU funds, competent fraud investigation and prosecution bodies, etc.) in its preparation;
  - outline concrete measures for fraud prevention, detection, investigation and prosecution, and recovery and sanctions;
  - contain specific arrangements for monitoring the implementation of anti-fraud measures and measuring results; and
  - explicitly assign responsibilities for the implementation, monitoring, coordination and comparative evaluation of anti-fraud measures.
- Unless a sufficiently detailed strategy exists at national level, the Commission should require managing authorities to adopt a formal anti-fraud policy or statement covering the OPs under their responsibility. This policy should serve as a single reference source specifying the strategies for the development of an anti-fraud culture, the allocation of responsibilities for tackling fraud, the reporting mechanisms for suspicions of fraud and the way different actors need to cooperate in line with Key Requirement 7 and the Commission’s guidance.
Timeframe: by the end of 2019
81. In line with the zero-tolerance approach to fraud, and during the negotiations and approval process for the CPR for the period 2021-2027, the co-legislators could consider making compulsory the adoption of national strategies or anti-fraud policies.
Managing authorities systematically assess fraud risks, but this process could be further improved
82. In line with the provisions of the 2014‑2020 control framework, managing authorities now systematically assess fraud risks (largely based on the guidance provided by the Commission), which is an improvement in the fight against fraud (paragraphs 22 and 23). However, for some of the managing authorities we visited the approach is still too mechanical and does not include additional input from other knowledgeable parties such as the AFCOSs or investigative and prosecution bodies.
83. Managing authorities generally conclude that their existing anti-fraud measures are good enough to address fraud risks. We consider that this conclusion may be too optimistic (paragraphs 24 to 28).
Recommendation 2 – Make fraud risk assessment more robust by involving relevant external actors in the processManaging authorities, in particular those in charge of programmes with particular high risk and high financial volume, should seek to involve relevant external actors with proven experience in combating fraud (e.g. representatives from prosecution bodies) in the evaluation of risks and of the suitability of existing anti-fraud measures.
Timeframe: by the end of 2019
Managing authorities have improved fraud prevention measures but made no significant progress towards proactive fraud detection
84 The additional anti-fraud measures developed for the 2014‑2020 period largely focus on preventive measures, which are more comprehensive than those set up for 2007-2013 (paragraphs 29 to 32).
85 However, fraud detection measures for 2014‑2020 remain largely the same as for 2007‑2013, which were designed in a weaker control framework (paragraphs 33 to 35). Managing authorities make insufficient use of data analytics for fraud detection, and most of the Member States we visited did not use the Arachne tool to its full potential (paragraphs 36 to 38).
86 Managing authorities made no significant progress towards ‘proactive’ fraud detection, for example by checking specifically for collusion in public procurement (paragraph 33). Although managing authorities perceive fraud hotlines and whistleblowing mechanisms to be very effective fraud detection methods, fewer than half of the managing authorities that replied to our survey actually use them (paragraphs 34 and 35).
87 Furthermore, it is not possible to assess the effectiveness of fraud prevention or detection measures, since managing authorities lack procedures for monitoring their implementation and evaluating their effectiveness (paragraphs 40 and 41).
Recommendation 3 – Improve fraud detection measures by generalising the use of data analytics tools and promoting the use of other ‘proactive’ fraud detection methods
- Managing authorities that do not currently use fraud data analytics tools, in particular Arachne, should take them on for their potential to identify fraud risks in a systematic and cost-efficient manner;
- the Commission, in its supervisory capacity under shared management, should actively promote the use of ‘proactive’ and other new fraud detection methods by regularly disseminating specific cases of best practice; and
- in cooperation with the AFCOSs, the Commission should develop minimum arrangements for monitoring and evaluating the implementation and effectiveness of fraud prevention and detection measures.
Timeframe: by the end of 2021
88 During the negotiations and approval process for the CPR for the period 2021‑2027, the co-legislators could consider making compulsory the use of proper data analytics tools (e.g. Arachne) for the 2021-2027 programming period, in order to improve the effectiveness of fraud detection at a relatively low cost.
Managing authorities under-report fraud cases for the PIF reports and fail to refer them to investigative and prosecution bodies
89 As regards fraud response, we found that managing authorities under-report fraud and that this affects the reliability of the fraud detection rates published in the PIF reports (paragraphs 48 to 57). Several managing authorities also fail to systematically communicate suspicions of fraud to investigation or prosecution bodies (paragraphs 58 to 60). We found that managing authorities focus on the withdrawal of EU funding and do not always recover fraudulent amounts from perpetrators or impose dissuasive penalties or sanctions (paragraphs 61 and 62). Nor do managing authorities satisfactorily assess the possible horizontal implications of cases where fraud is suspected (paragraphs 63 and 64; Box 4). All of these aspects severely limit the deterrent effect of fraud investigations.
Recommendation 4 – Monitor fraud response mechanisms to ensure they are consistently applied
- The Commission should establish clear fraud reporting requirements for Member State bodies in general and managing authorities in particular. These should be based on the standard interpretation of fraud affecting the EU’s financial interests in the new PIF Directive;
- the Commission should require managing authorities to systematically assess the horizontal implications of suspected fraud in their management and control systems; and
- the Commission should encourage managing authorities to communicate all suspicions of fraud to criminal investigation or prosecution bodies.
- To ensure deterrence is effective, managing authorities should take proportionate measures to recover public funds from perpetrators of fraud and not just decertify the expenditure from EU funding.
Timeframe: by the end of 2019
90 During negotiations for the CPR for the 2021-2027 programming period, the co-legislators could consider introducing specific sanctions and penalties for those responsible for fraud against the EU’s financial interests. In particular, as in other policy areas, these measures could include a specific monetary penalty that would vary according to the financial impact of the irregularity, or a mechanism for exclusion from EU funding for a specific number of years.
The fight against fraud is weakened by the Regulation’s insufficient definition of AFCOS functions and little coordination among Member State bodies
91 Regarding the coordination of anti-fraud activities, we found considerable variation in the way AFCOSs are organised and resourced (paragraphs 66 to 70). In this respect, the Commission’s proposal to amend the OLAF Regulation does not provide sufficient clarity as to the minimum functions of an AFCOS. The status of fraud cases is inadequately reported and followed up (paragraphs 71 to 73), as AFCOSs do not always have access to information on the status of fraud cases under investigation. The frequent absence of coordination negatively impacts the effectiveness of the fight against fraud (paragraphs 74 to 78).
Recommendation 5 – Support the expansion of the AFCOSs’ function to improve coordination
The Commission should encourage Member States to expand the AFCOSs’ role of coordination with managing authorities to liaising with all national bodies charged with the investigation and prosecution of suspected fraud.
Timeframe: by the end of 2019
92 While respecting the Member States’ right to flexibility in defining and organising their own work against fraud in line with the principle of subsidiarity, the EU co-legislators could consider determining minimum functions for an AFCOS. This could be done, for example, in the context of the ongoing legislative process for modifying the OLAF Regulation in order to ensure AFCOSs’ effective coordination role. The functions of the AFCOSs could at least include the following:
- liaising between managing authorities (and the other programme authorities) and other Member State bodies involved in combating fraud, in particular investigation and prosecution bodies;
- monitoring the status of individual cases and reporting to the Commission on the follow-up given by the responsible managing authorities, with due regard to the confidentiality of ongoing investigations; and
- certifying annually, with a view to the Commission’s preparation of PIF reports, that the information recorded in the IMS is complete, reliable, accurate and up-to-date.
This Report was adopted by Chamber II, headed by Mrs Iliana IVANOVA, Member of the Court of Auditors, in Luxembourg at its meeting of 27 March 2019.
For the Court of Auditors

Klaus-Heiner LEHNE
President
Acronyms and abbreviations
AFCOS: Anti-fraud coordination service
CPR: Common Provisions Regulation
ESF: European Social Fund
ERDF: European Regional Development Fund
FDR: Fraud detection rate
FRA: Fraud Risk Assessment
IMS: Irregularity Management System
OLAF: European Anti-Fraud Office (Office européen de lutte antifraude)
OP: Operational programme
Endnotes
1 We have removed references to EU revenue from these definitions.
2 Article 1(2) of Council Regulation (EC, Euratom) No 2988/95 of 18 December 1995 on the protection of the European Communities’ financial interests (the ‘PIF Regulation’) (OJ L 312, 23.12.1995, p. 1).
3 Article 1(a) of the Annex to the Council Act of 26 July 1995 drawing up the Convention on the protection of the European Communities’ financial interests (the ‘PIF Convention’).
4 The other ESIFs are the European Agricultural Fund for Rural Development (EAFRD) and the European Maritime and Fisheries Fund (EMFF).
5 Articles 58(h), 70(1)(b) and 98(1) of the consolidated version of Council Regulation (EC) No 1083/2006 of 11 July 2006, laying down general provisions on the European Regional Development Fund, the European Social Fund and the Cohesion Fund and repealing Regulation (EC) No 1260/1999 (OJ L 210, 31.7.2006, p. 25), and Articles 20(2)(a), 28(1)(e) and (n), 28(2), 30 and 33(2) of the consolidated version of Commission Regulation (EC) No 1828/2006 of 8 December 2006 setting out rules for the implementation of Council Regulation (EC) No 1083/2006 (OJ L 371, 27.12.2006, p. 1).
6 Article 72 and 125(4)(c) of Regulation (EU) No 1303/2013 of the European Parliament and the Council of 17 December 2013 laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime Fisheries Fund (OJ L 347, 20.12.2013, p. 320), hereafter referred to as CPR. Throughout this report we refer to the ‘anti-fraud management process’, which corresponds to the term ‘anti-fraud management cycle’ used by the Commission in its guidance documents.
7 Commission’s guidance for Member States and programme authorities on fraud risk assessment and effective and proportionate anti-fraud measures (EGESIF 14-0021), page 11.
8 Section 2.2.1 of the Joint Anti-fraud Strategy 2015-2020 for ERDF, CF, ESF, FEAD, EGF, EUSF and EMFF, Ares (2015) 6023058 of 23 December 2015 (available at: https://ec.europa.eu/sfc/sites/sfc2014/files/sfc-files/JOINT%20ANTI-FRAUD-STRATEGY2015-2020.pdf).
9 Article 3(4) of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) (OJ L 248, 18.9.2013, p. 1), as amended by Regulation (EU, Euratom) 2016/2030 of the European Parliament and of the Council of 26 October 2016 (OJ L 317, 23.11.2016, p. 1).
10 Guidance note on main tasks and responsibilities of an Anti-Fraud Coordination Service (AFCOS), 13 November 2013, Ares (2013) 3403880.
11 The abbreviation PIF comes from the French ‘protection des intérêts financiers’ and generally refers to the protection of the EU’s financial interests.
12 Article 17(1) of Directive 2017/1371.
13 COM(2018) 553 final of 3 September 2018.
14 Statistical annex to the 2017 PIF report, page 93. The FDR is the ratio between the amounts involved in cases reported as fraudulent and the payments made in the 2007-2013 programming period (page 91). This indicator does not include undetected or unreported fraud.
15 Commission’s guidance for Member States and programme authorities on fraud risk assessment and effective and proportionate anti-fraud measures, page 11 (EGESIF 14-0021 of 16 June 2014).
16 Commission’s Guidance for Member States and programme authorities on fraud risk assessment and effective and proportionate anti-fraud measures (EGESIF 14-0021 of 16 June 2014), OLAF’s Handbook on the role of Member State auditors in fraud prevention and detection (October 2014) and Guidance on a common methodology for the assessment of management and control systems in the Member States (EGESIF 14-0010-final of 18 December 2014).
17 Article 30 and Annex IV of Commission Delegated Regulation (EU) No 480/2014 of 3 March 2014 supplementing Regulation (EU) No 1303/2013 of the European Parliament and of the Council (OJ L 138, 13.5.2014, p. 5) and defining key requirements of management and control systems and their classification with regard to their effective functioning - specifically key requirement 7 (effective implementation of proportionate anti-fraud measures).
18 In this sense, the concept of a formal anti-fraud policy corresponds to the ‘fraud risk management programme’ defined by the Association of Certified Fraud Examiners (ACFE) in its “Fraud examiners manual” or in the “Fraud Risk Management Guide” it developed with the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and to the “formal counter fraud and corruption strategies” defined by the Chartered Institute of Public Finance and Accountancy (CIPFA) in its “Code of practice on managing the risk of fraud and corruption”.
19 National anti-fraud strategies exist in ten of the 28 Member States: Bulgaria, Czechia, Greece, France, Croatia, Italy, Latvia, Hungary, Malta and Slovakia. Romania also has a strategy, but it is now out-of-date (Source: 2017 PIF report, page 12). The Member States that have not adopted a national strategy are: Belgium, Denmark, Germany, Estonia, Ireland, Spain, Cyprus, Lithuania, Luxembourg, Netherlands, Austria, Poland, Portugal, Slovenia, Finland, Sweden and United Kingdom.
20 Article 30 and Annex IV.
21 Article 11 and Annex III of Commission’s proposal for a CPR for 2021-2027, COM(2018) 375 of 29 May 2018.
22 In the guidance document, the Commission developed a fraud risk assessment model based on 31 standard inherent risks, further subdivided into 40 risks and 128 recommended mitigating controls, all of them structured around four generic management processes (selection of applicants, implementation and verification of operations, certification and payments, and direct procurement by managing authorities). However, the document does not cover financial instruments or risks in relation to state aid.
23 DG REGIO – Preventing fraud and corruption in the European Structural and Investment Funds – taking stock of practices in the EU Member States, October 2018, available at: https://ec.europa.eu/regional_policy/en/information/publications/studies/2018/study-on-the-implementation-of-article-125-4-c-of-the-regulation-eu-no-1303-2013-laying-down-the-common-provisions-on-the-european-structural-and-investment-fund-in-member-states.
24 More information on integrity pacts can be found on the Commission website at http://ec.europa.eu/regional_policy/en/policy/how/improving-investment/integrity-pacts/.
25 Based on those made available by the Commission in its information note of 18 February 2009 on fraud indicators for ERDF, ESF and CF.
26 It is in the very nature of fraud against EU cohesion policy funds that perpetrators identify the limitations of existing controls and attempt to exploit them in order to obtain direct or indirect unlawful gains.
27 In particular ‘Report to the Nations’, the 2018 global study on occupational fraud and abuse published by the Association of Certified Fraud Examiners (ACFE). According to this study, fraud is mainly detected through tip-offs, whether from employees, customers, competitors or anonymous sources.
28 The “Report fraud” tool at https://ec.europa.eu/anti-fraud/olaf-and-you/report-fraud_en.
29 Paragraphs 3, 12, 21, 23 and 32 of ECA Opinion No 4/2018 concerning the proposal for a Directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union law.
30 See Commission’s press release IP/19/1604 “European Commission welcomes provisional agreement to better protect whistleblowers across the EU” (http://europa.eu/rapid/press-release_IP-19-1604_en.htm).
31 Commission’s guidance for Member States and programme authorities on fraud risk assessment and effective and proportionate anti-fraud measures (EGESIF 14-0021).
32 Page 51 of DG REGIO’s study “Preventing fraud and corruption in the European Structural and Investment Funds – taking stock of practices in the EU Member States”.
33 The two irregularities were reported by Slovakia and are worth close to €0.6 billion. By definition, they are at an early stage in the fraud management process and may yet evolve significantly.
34 Article 122(2) of the CPR; Articles 3 and 4 of Commission Delegated Regulation (EU) 2015/1970 supplementing Regulation (EU) No 1303/2013 of the European Parliament and of the Council with specific provisions on the reporting of irregularities (OJ L 293, 10.11.2015, p. 1); Article 28(2) of Commission Regulation (EC) No 1828/2006 (rules for implementation).
35 ECA special report 01/2019: “Fighting fraud in EU spending: action needed”, paragraphs 21 to 32.
36 Special report 01/2019: “Fighting fraud in EU spending: action needed”, paragraph 29.
37 Annex IV of Commission Delegated Regulation (EU) No 480/2014 of 3 March 2014 supplementing Regulation (EU) No 1303/2013.
38 The amount to be recovered in relation to these 84 fraud cases was €7 million.
39 Special report 01/2019: “Fighting fraud in EU spending: action needed”, paragraphs 112 to 115.
40 Calculated on the basis of the information recorded in the IMS. As already stated, this information is not always accurate.
41 A primary administrative or judicial finding (PACA) is the first written assessment by a competent authority concluding that an irregularity may be fraudulent, without prejudice to further assessment of the case. PACAs can come in a variety of forms, such as a management verification report by a managing authority or intermediate body, an audit report from the audit authority, the Commission or the ECA, or the indictment decision taken by a prosecutor or a judge to trigger a formal criminal investigation.
42 Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) (OJ L 248, 18.9.2013, p. 1), as amended by Regulation (EU, Euratom) 2016/2030 of the European Parliament and of the Council of 26 October 2016 (OJ L 317, 23.11.2016, p. 1).
43 Guidance note on main tasks and responsibilities of an Anti-Fraud Coordination Service (AFCOS), 13 November 2013, Ares (2013) 3403880.
44 Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU, Euratom) No 883/2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) as regards cooperation with the European Public Prosecutor's Office and the effectiveness of OLAF investigations, COM(2018) 338 final 2018/0170 (COD).
45 Report from the Commission to the European Parliament and the Council on the evaluation of the application of Regulation (EU, Euratom) No 883/2013, SWD(2017) 332 final.
46 Opinion No 8/2018 on the Commission’s proposal of 23 May 2018 on amending Regulation 883/2013 as regards cooperation with the European Public Prosecutor’s Office and the effectiveness of OLAF investigations – see in particular paragraphs 16, 38 and 39.
47 The Royal Decree regulating the composition and the functioning of this body was finally adopted on 1 March 2019 and published on 19 March 2019.
Event | Date |
---|---|
Adoption of Audit Planning Memorandum (APM) / Start of audit | 10.1.2018 |
Official sending of draft report to Commission (or other auditee) | 23.1.2019 |
Adoption of the final report after the adversarial procedure | 27.3.2019 |
Commission’s (or other auditee’s) official replies received in all languages | 6.5.2019 |
Audit team
The ECA’s special reports set out the results of its audits of EU policies and programmes, or of management-related topics from specific budgetary areas. The ECA selects and designs these audit tasks to be of maximum impact by considering the risks to performance or compliance, the level of income or spending involved, forthcoming developments and political and public interest.
This performance audit was carried out by Audit Chamber II: Investment for cohesion, growth and inclusion spending areas, which is headed by ECA Member Iliana Ivanova. The audit was led by ECA Member Henri Grethen, supported by Ildikó Preiss, Private Office Attaché; Juan Ignacio González Bastero, Principal Manager; Jorge Guevara López, Head of Task (CFE); Dana Christina Ionita, Sandra Dreimane (CFE), Florence Fornaroli, Efstratios Varetidis, Márton Baranyi, Zhivka Kalaydzhieva and Janka Nagy-Babos, Auditors. Thomas Everett provided linguistic support.

From left to right: Márton Baranyi, Thomas Everett, Efstratios Varetidis, Henri Grethen, Ildikó Preiss, Dana Christina Ionita, Juan Ignacio González Bastero,
Contact
EUROPEAN COURT OF AUDITORS
12, rue Alcide De Gasperi
1615 Luxembourg
LUXEMBOURG
Tel. +352 4398-1
Enquiries: eca.europa.eu/en/Pages/ContactForm.aspx
Website: eca.europa.eu
Twitter: @EUAuditors
Luxembourg: Publications Office of the European Union, 2019
ISBN 978-92-847-0170-4 | ISSN 1977-5679 | doi:10.2865/450308 | QJ-AB-19-004-EN-N | |
HTML | ISBN 978-92-847-0072-1 | ISSN 1977-5679 | doi:10.2865/98146 | QJ-AB-19-004-EN-Q |
© European Union, 2019.
For any use or reproduction of photos or other material that is not under the European Union copyright, permission must be sought directly from the copyright holders.