Tackling fraud in EU cohesion spending: managing authorities need to strengthen detection, response and coordination
(pursuant to Article 287(4), second subparagraph, TFEU)
About the report
The Commission and the Member States share the responsibility to counter fraud and any other illegal activities affecting the EU’s financial interests. In the field of EU cohesion policy, where there is a significant incidence of reported fraud compared to other spending areas, the bodies in the front line of the fight against fraud are the Member State authorities responsible for managing EU programmes.
In this audit, we assessed whether managing authorities have properly fulfilled their responsibilities at each stage of the anti-fraud management process: fraud prevention, fraud detection and fraud response.
We found that managing authorities have improved the way they assess fraud risks and design preventive measures, but they still need to strengthen fraud detection, response and coordination among different Member State bodies. In particular, they have made no significant progress towards proactive fraud detection and the use of data analytics tools. Managing authorities under-report fraud cases to the Commission, which affects the reliability of published fraud detection rates. Deterrence is limited to the threat of withdrawing EU funding, with no other dissuasive penalties or sanctions. Moreover, suspicions of fraud are not systematically communicated to investigation or prosecution bodies.
EU legislation defines fraud as a deliberate infringement that is, or could be, prejudicial to the EU budget. It is the joint responsibility of the EU and the Member States to counter fraud and any other illegal activities, such as corruption, affecting the EU’s financial interests. Between 2013 and 2017, the Commission and the Member States identified more than 4 000 potentially fraudulent irregularities. The EU support affected by these irregularities amounted to almost €1.5 billion, 72 % of which concerned EU cohesion policy. In this field, the managing authorities in the Member States are responsible for setting up proportionate and effective anti-fraud measures that take account of the identified risks. Such measures should cover the full anti-fraud management process (fraud prevention, detection and response, up to and including reporting on detected cases and recovery of funds unduly paid). The rate of detected fraud in relation to EU cohesion funding for the 2007‑2013 period ranged from 0 % to 2.1 %, depending on the Member State.II
Through this audit, we assessed whether managing authorities have properly met their responsibilities at each stage of the anti-fraud management process. To this end, we assessed whether managing authorities have:
- developed anti-fraud policies, performed a thorough risk assessment and implemented adequate preventive and detective measures; and
- properly responded to detected fraud in coordination with other anti-fraud bodies.
We found that managing authorities assessed the risk of fraud in the use of Cohesion funding better for the 2014‑2020 programming period, using in most cases the “ready-to-use” tool included in the Commission guidance. However, some of these analyses were not sufficiently thorough. Although they have improved fraud prevention measures, they have made no significant progress towards proactive fraud detection. Additionally, they have not often developed procedures for monitoring and evaluating the impact of their prevention and detection measures.IV
In the area of fraud response, managing authorities, in coordination with other anti-fraud bodies, have not been sufficiently reactive to all detected cases of fraud. In particular, reporting arrangements are unsatisfactory, several managing authorities fail to systematically communicate suspicions of fraud to the competent bodies, corrective measures have a limited deterrent effect and the coordination of anti-fraud activities is insufficient. We also found that the fraud detection rate for the 2007-2013 programming period in the Commission’s 2017 report on the protection of the EU’s financial interests is not a true representation of the level of fraud actually detected in the Member States visited, but rather show an indication of the fraud cases that they decided to report to the Commission.V
As a result of our audit, we recommend that:
- Member States that do not have a national anti-fraud strategy should formulate one; unless a sufficiently detailed strategy exists at national level, the Commission should require managing authorities to develop formal strategies and policies to combat fraud against EU funds;
- managing authorities make fraud risk assessment more robust by involving relevant external actors in the process;
- Member States improve fraud detection measures by generalising the use of data analytics tools and the Commission by promoting actively the use of other ‘proactive’ and other new fraud detection methods;
- the Commission monitors fraud response mechanisms to ensure they are consistently applied; and
- the Commission encourages Member States to expand the AFCOSs’ functions to improve coordination.
During the negotiations and approval process of the CPR for the period 2021-2027, the co-legislators could consider:
- making compulsory the adoption of national strategies or anti-fraud policies and the use of proper data analytics tools (e.g. Arachne);
- introducing sanctions and penalties for those responsible for fraud against EU’s financial interests.
While respecting the Member States’ right to flexibility in defining and organising their own work against fraud in line with the principle of subsidiarity, the EU co-legislators could consider determining minimum functions for the Anti-Fraud Coordination Service (AFCOS) in the Member States in order to ensure an effective coordination role.
The fight against fraud in the EU01
EU legislation distinguishes between1:
- “Non-fraudulent irregularities”, defined as any infringement of a provision of EU law resulting from an act or omission by an economic operator which has, or would have, the effect of prejudicing the general budget of the EU or budgets managed by them because of an unjustified item of expenditure2.
- “Fraudulent irregularities” (or “fraud”), defined3 as any intentional act or omission relating to:
- the use or presentation of false, incorrect or incomplete statements or documents, which has as its effect the misappropriation or wrongful retention of funds from the general budget of the EU or budgets managed by, or on behalf of, the EU,
- non-disclosure of information in violation of a specific obligation, with the same effect, or
- the misapplication of such funds for purposes other than those for which they were originally granted.
Article 325 of the Treaty on the Functioning of the European Union (TFEU) stipulates that it is the joint responsibility of the EU (represented by the Commission) and the Member States to counter fraud and any other illegal activities affecting the EU’s financial interests. This obligation covers all EU revenue and expenditure programmes and all policy areas.03
EU cohesion policy is structured around three of the European Structural and Investment Funds4 (ESIFs): the European Regional Development Fund (ERDF), the Cohesion Fund (CF) and the European Social Fund (ESF) — which together are known as the EU cohesion policy funds. The Commission and the Member States jointly implement these funds through operational programmes (OPs), which detail how Member States will spend EU funding during a programming period:
- There were 440 OPs in Cohesion for the 2007-2013 programming period. Almost two thirds of these OPs are already closed.
- There are 389 OPs for the 2014-2020 programming period. These OPs are still ongoing.
At the level of the Commission, two directorates-general are responsible for the implementation of EU cohesion policy: the Directorate-General for Employment, Social Affairs and Inclusion and the Directorate-General for Regional and Urban Policy. In the Member States, three different types of ‘programme authorities’ are involved in implementing and checking each OP:
- the managing authority (responsible for implementing the OP),
- the certifying authority (responsible for submitting payment applications to the Commission and preparing the OP’s annual accounts), and
- the audit authority (responsible for providing an independent opinion on the reliability of the accounts, the legality of the expenditure incurred and the functioning of the management and control systems).
The legal framework for EU cohesion policy in the 2007‑2013 programming period made Member States responsible for the prevention, detection and correction of irregularities (including fraud) and for the recovery of funds unduly paid5. This requirement is more explicit in the Common Provisions Regulation (CPR) for the 2014‑2020 programming period, which requires managing authorities to “put in place effective and proportionate anti-fraud measures taking into account the risks identified”6. The Commission recommends7 that managing authorities deal with the full anti-fraud management process (see Figure 1 which comprises fraud prevention, fraud detection and fraud response (mainly including reporting on detected cases and recovery of funds unduly paid). In this regard, the Commission applies a principle of zero tolerance for fraud and corruption8.
The European Anti-Fraud Office (OLAF) is the key anti-fraud body for the EU. It contributes to the design and implementation of the Commission’s anti-fraud policy and conducts administrative investigation into fraud, corruption and any other illegal activity affecting the EU budget.07
At the level of the Member States, managing authorities are not alone in the implementation of anti-fraud measures. Since 2013, each Member State has been required to designate an anti-fraud coordination service (AFCOS) to facilitate effective cooperation and exchange of information, including information of an operational nature, with OLAF9. Through further guidance10, the Commission specified that AFCOSs should have the mandate, within the Member State, to coordinate all legislative, administrative and investigative obligations and activities relating to the protection of the EU’s financial interests. In shared management, Member State authorities report cases of suspected or established fraud (and other irregularities) to the Commission through the Irregularity Management System (IMS) hosted at OLAF’s anti-fraud information platform.
Significant incidence of reported fraud in EU cohesion policy compared to other spending areas08
On 5 July 2017, the European Parliament and the Council adopted Directive (EU) 2017/1371 on the fight against fraud to the Union's financial interests by means of criminal law (the “PIF Directive”11). The Directive establishes a common definition of fraud against the EU’s financial interests, in particular in the field of public procurement. Member States must enact the PIF Directive in national legislation by 6 July 201912.09
In September 2018, the Commission published its 29th annual report on the protection of the European Union’s financial interests13 (hereafter referred to as the 2017 PIF report). For shared management, the Commission prepares this report based on the information reported by Member States through the IMS (see paragraph 07). The analysis of the 2017 PIF report shows that the incidence of reported fraud (suspected and established) in EU cohesion policy is significantly higher than in other areas: Cohesion represents just one third of the budget but accounts for 39 % of all reported fraud cases and 72 % of the total financial amounts involved in these cases (see Figure 2).
According to the data supporting the 2017 PIF report, irregularities reported as fraudulent by Member States represent 0.44 % of the EU funds paid in the field of cohesion policy. This indicator is known as the fraud detection rate14 and varies widely by Member State (see Figure 3), ranging from 0 % to 2.1 % in relation to EU cohesion funding for the whole 2007‑2013 programming period. The 2017 PIF report does not provide any specific explanation regarding the significantly higher fraud detection rate reported for Slovakia. The average individual value of the irregularities as fraudulent amounts to €0.8 million.
We considered it necessary to assess the work carried out by managing authorities, as they are in the front line of the fight against fraud in EU cohesion policy. According to the Commission15, the combination of a thorough risk assessment leading to adequate preventive and detective measures by managing authorities, on the one hand, and coordinated and timely investigations by competent bodies (usually the police or prosecutors), on the other hand, could significantly reduce fraud risk in the field of cohesion policy and provide suitable deterrence against fraud. This audit was structured around these two broad areas.
Audit scope and approach12
We decided to audit the work of managing authorities in fighting fraud in cohesion policy because of the key role they play, and will continue to play in the 2021‑2027 programming period. We assessed whether managing authorities have properly fulfilled their responsibilities at each stage of the anti-fraud management process: fraud prevention, fraud detection and fraud response (including reporting on fraud and recovery of funds unduly paid). To this end, we assessed whether managing authorities have:
- developed anti-fraud policies, performed a thorough risk assessment and implemented adequate preventive and detective measures; and
- properly responded to detected fraud in coordination with the investigation and prosecution bodies and with AFCOSs, considering the design of these services in the Member States we visited.
We looked at the role played by managing authorities and AFCOSs in the Member States in cohesion policy. We audited the managing authorities for the operational programmes funded by the three main European Structural and Investment Funds concerning EU cohesion policy: the CF, the ESF and the ERDF. We decided to exclude the European Territorial Cooperation objective (ETC) of the ERDF, as the projects financed by the corresponding OPs involve partners from different countries under the supervision of authorities in different Member States.14
We reviewed how managing authorities had considered the Member States’ legal and strategic anti-fraud framework for the management of the anti-fraud process, in particular when a national anti-fraud strategy was available. We invited all managing authorities to participate in a survey on fraud prevention and detection measures and obtained replies from authorities in 23 Member States.15
We visited seven Member States: Bulgaria, France, Hungary, Greece, Latvia, Romania and Spain. For the selection of these Member States, we considered the fraud detection rates and the number of fraud cases presented in the 2016 PIF report, as well as their correlation with other available fraud risk indicators. During our visits, we met with representatives of the authorities responsible for implementing a total of 43 OPs (22 OPs for 2007‑2013 and 21 OPs for 2014‑2020) and with key actors in the fight against fraud (prosecution and judicial bodies, investigative bodies, anti-fraud agencies, competition authorities). In the Member States we visited we audited a judgemental sample of OPs selected to be representative of all funds (ERDF, ESF and, where applicable, CF) and a range of intervention types.16
We reviewed the case files of a sample of 138 irregularities reported to the Commission as fraudulent from the 22 OPs we tested for 2007‑2013. Wherever the size of the population allowed, we applied the random method known as monetary unit sampling to select the irregularities to be reviewed. We did not assess the work of investigation, prosecution and judicial bodies – although we did look at the managing authorities’ coordination and communication with those bodies.17
The findings in this report complement those in special report 01/2019: “Fighting fraud in EU spending: action needed”, published on 10 January 2019, which covered the design and implementation of the Commission’s Anti-Fraud Strategy. In that report, we mainly focused on the role of OLAF, but also looked at the work done on anti-fraud policies by the Commission DGs responsible for the implementation of EU cohesion policy (see paragraph 04).
Anti-fraud policy, fraud prevention and detection measures
Managing authorities generally have no specific anti-fraud policy18
The Commission has provided guidelines for Member States and managing authorities to help them comply with their legal obligation to put in place anti-fraud measures that are proportionate and effective.
- At the level of the Member States, the Commission recommends the adoption of national anti-fraud strategies for the protection of the ESI Funds, with the objective of ensuring homogenous and effective implementation of anti-fraud measures, especially where Member States’ organisational structures are decentralised.
- At the level of operational programmes, the Commission recommends that managing authorities develop a structured approach to tackling fraud, organised around the four key elements in the anti-fraud management process: prevention, detection, correction and prosecution16.
- The Commission has further defined concrete criteria for evaluating the way managing authorities have complied with their legal obligations for setting up proportionate and effective anti-fraud measures17.
The Commission recommends that managing authorities use a formal anti-fraud policy18 to communicate their determination to combat and address fraud. This policy should, in particular, include strategies for the development of an anti-fraud culture and the allocation of responsibilities for tackling fraud. We consider that managing authorities should have prepared a formal anti-fraud policy or a similar single, stand-alone document specifying their fraud prevention, detection and response measures and making clear to their own staff, the beneficiaries of EU funding and other authorities that measures to tackle fraud are in place and being implemented.20
We found during our visits that very few of these policies actually constitute formal reference documents summarising the measures to be implemented at each stage of the anti-fraud management process in response to identified fraud risks. We only found examples of formalised anti-fraud policies in Latvia, at specific intermediate bodies in Spain, and in France (where the policy has not been made public). In all other cases, to obtain a full description of anti-fraud measures we needed to consult multiple management documents and manuals of procedures. We consider that the absence of formalised anti-fraud policies limits Member States’ ability to supervise and coordinate anti-fraud measures and evaluate their effectiveness. This is particularly relevant in that only ten Member States have adopted a national anti-fraud strategy19 based on the Commission’s recommendation (see paragraph 18).21
We also consider the absence of provisions requiring managing authorities to adopt formal anti-fraud policies as a shortcoming in the design of the anti-fraud framework for 2014‑2020. Furthermore, Commission Delegated Regulation (EU) No 480/2014 (complementing the CPR for 2014‑2020) does not mention shortcomings in the implementation of proportionate and effective anti-fraud measures in the context of determining ‘serious deficiencies’ that could lead on their own to the suspension of payments to or the financial correction of operational programmes20. As a result, the use of anti-fraud measures is given less weight than other areas in the assessment of management and control systems. The Commission’s proposal for the CPR for 2021‑2027 does not consider anti-fraud measures as one of the enabling conditions21 which Member States must meet before they can obtain EU cohesion funding.
Managing authorities systematically assess fraud risks, but this process could be further improved
Managing authorities systematically identify fraud risks22
The most significant change compared to the 2007‑2013 programming period is that managing authorities now have to assess fraud risks in line with the requirements of the 2014-2020 control framework (see paragraph 05). The purpose of this exercise is for managing authorities to determine the suitability of existing internal controls to address the risks associated with different fraud scenarios and identify areas where additional controls are necessary.23
Among other anti-fraud topics, the EGESIF guidelines for Member States and managing authorities (see paragraph 18) address the task of fraud risk assessment including a practical “ready-to-use” tool to perform the assessment22. All the managing authorities we visited in the context of our audit had complied with their obligation to perform a fraud risk assessment. This marks an improvement in the way these authorities approach the fight against fraud in Cohesion. In most cases, the authorities applied the model fraud risk assessment developed by the Commission or their own adaptation of that model.24
On 28 November 2018, the Commission published the results of a study23 on the fraud and corruption prevention practices implemented by Member States in response to the specific provisions in place for the 2014-2020 programming period that it had outsourced in December 2016. The study concluded that the new legislative requirements, in particular as regards the fraud risk assessment process, had helped to make Member States’ efforts to tackle fraud more formalised and systematic. However, the study also concluded that some authorities may underestimate their self-assessed levels of risk (see Box 1).
Stock taking study on preventing fraud and corruption in the ESIFs
The study was based on a sample of 50 2014‑2020 OPs (41 of which related to Cohesion, excluding ETC) selected by the Commission on a judgemental basis to cover all Member States and a range of sectors and funds. The study team reviewed information from Member States (in particular the outcome of their fraud risk assessments) and conducted interviews with programme authorities and AFCOSs.
The study focused on the design of fraud prevention measures and (to a lesser extent) fraud detection methods and assessed how proportionated the measures were to the identified risks. However, it did not address the manner in which the fraud risk assessment had been conducted. The study did not conclude on the effectiveness of the measures put in place, either.
The key lessons drawn from the study can be summarized as follows:
|Positive remarks||Areas for improvement|
|Anti-fraud and anti-corruption efforts are more formalised and systematic in the 2014-2020 programming period.||Proportionateness of mitigating measures is lowest for the risks of collusive bidding and double funding.|
|Mitigating measures are generally proportionate to the self-assessed risks.||Some authorities may underestimate their self-assessed levels of fraud risk.|
|Most authorities are using the Commission`s fraud risk assessment template.||Not all managing authorities conduct a fraud risk assessment at OP level.|
|A more inclusive fraud risk assessment process is better suited to reducing fraud risks.||There is a need for more communication to Member State authorities on anti-fraud activities.|
|In its current form, the managing authorities in the sample perceive Arachne as not entirely meeting their needs.|
There are some areas for further improvement25
However, we note that some of the managing authorities we visited take a mechanical approach to the assessment of fraud risks, suggesting that they favour form over substance.26
In addition, they generally base the identification of fraud risks on their own experience, without any additional input from other knowledgeable actors (anti-fraud coordination services, investigative and prosecution bodies or other specialised expert agencies).27
During our Member State visits, we found indications that several managing authorities and intermediate bodies might have inadequately evaluated fraud risks:
- In Bulgaria, the audit authority had already detected that some managing authorities had incorrectly classified specific fraud risks as low and therefore failed to address them through additional control procedures.
- In France, the managing authorities we visited had not assessed the impact of additional controls on the residual risk of fraud.
- In Spain, where the responsibility for fraud risk assessment is partly delegated to intermediate bodies, an independent evaluation mandated by the managing authority detected coherence problems between identified risks and planned controls (e.g. certain risks not covered by an action plan or controls set up in areas marked as not applicable).
- In one of the OPs audited in Romania, intermediate bodies dealing with similar delegated functions and funding provided different fraud risk assessments.
- In Hungary, we found that the fraud risk assessment was insufficiently comprehensive (it excluded previous audit results) and did not identify risks specifically associated with the types of operations and beneficiaries covered by the OPs.
In nearly all cases the managing authorities concluded that existing anti-fraud measures address the identified fraud risks. Given the shortcomings identified, we consider that this conclusion may be too optimistic.
Managing authorities have improved their fraud prevention measures but made no significant progress towards proactive fraud detection29
Managing authorities are expected to develop effective and proportionate fraud prevention and detection measures in response to identified risks, in such a way that the opportunity to commit fraud is substantially reduced.
Managing authorities have developed specific fraud prevention measures for 2014‑202030
We found that the additional anti-fraud measures developed for the 2014-2020 period largely focus on preventive actions, which are more comprehensive than those set up for 2007-2013. Our survey showed that such additional preventive measures mainly comprise fraud-awareness training for staff, policies on conflicts of interest and ethical guidance for employees and beneficiaries, and the publication of high-level institutional anti-fraud statements or declarations.31
Our survey also showed that managing authorities consider fraud-awareness measures (both staff training and measures targeting intermediate bodies and project beneficiaries), policies on conflicts of interest and codes of conduct to be the most effective way of preventing fraud in the use of EU Cohesion funding (see Figure 4). Other fraud prevention measures, such as employee support programmes (aimed at reducing pressure on employees exposed to fraud) and bounty schemes (whereby managing authorities make public their intention to reward whistleblowers of fraud), remain infrequent, although they are considered reasonably effective.
Several Member States have taken a more innovative approach to preventing fraud against the EU’s financial interests, such as by involving civil society organisations in monitoring the execution of public contracts or running campaigns questioning the social acceptability of certain fraudulent practices (see Box 2).
Innovative fraud prevention measures
In 2015 the European Commission and Transparency International, a global non-governmental organisation actively fighting corruption and particularly known for its publication of the Corruption Perception Index (CPI), launched a pilot project on ‘integrity pacts’ as an innovative way of preventing fraud in EU cohesion policy projects. An integrity pact is an agreement in which the authority responsible for awarding a public contract and the economic operators bidding for the contract undertake to abstain from corrupt practices and ensure transparency in the procurement process. Pacts also include a separate agreement engaging a civil society organisation (such as an NGO, a foundation or a local community-based organisation) to monitor all parties’ compliance with their commitments. The purpose of integrity pacts is to increase transparency, accountability and good governance in public contracting, enhance trust in public authorities and promote cost efficiency and savings through better procurement. The second phase of the project began in 2016 and will run for four years24. We discussed the use of integrity pacts with civil society organisations in Latvia, Romania and Hungary, which were generally positive about the initiative.
“FRAUD OFF!” campaign
In March 2017, the Latvian AFCOS launched an awareness-raising campaign called “FRAUD OFF!” questioning the social acceptability of certain types of fraudulent behaviour. National TV channels ran campaign advertisements featuring national celebrities, and publicity material was distributed to institutions, businesses, shops and the population in general. The campaign reached a significant audience and trended heavily for a while.
Fraud detection measures for 2014‑2020 remain largely the same as for 2007‑201333
While the compulsory fraud risk assessment has meant a greater focus on fraud prevention, managing authorities have developed very few additional fraud detection methods for the 2014-2020 programming period. They rely instead on the internal controls and procedures that were already in place for 2007‑2013 under a weaker control framework (see Figure 5). These are mainly on-the-spot checks (audits), internal fraud reporting mechanisms and, to a lesser extent, the identification of specific fraud indicators25 (red flags). Both through the survey and during our visits to Member States, we found very few additional ’proactive’ controls to detect fraud (e.g. specific checks for collusion in public procurement, such as the semantic analysis of bids received or the identification of abnormal bidding patterns).
Practical problems limit the usefulness of fraud hotlines for whistleblowers34
Our survey showed that managing authorities make little use of fraud hotlines for whistleblowers, even though they generally consider this tool to be an effective fraud detection method. Fraud hotlines and other whistleblowing mechanisms allow managing authorities (and other relevant Member State authorities) to become aware of potential fraud that other controls have failed to detect26. Various studies show that these methods are regarded as the most important source of fraud reports27. During our visits, we assessed whistleblowing mechanisms and found a number of practical problems with their use. For example, they are not always anonymous and there is a risk of insufficient awareness of them among project beneficiaries and the general public. In the event of regulatory limitations on the use of anonymous denunciation channels, managing authorities and AFCOSs can always redirect anonymous whistleblowers to the fraud notification system put in place by OLAF28.35
On 23 April 2018 the Commission proposed a Directive on the protection of whistleblowers. This aimed to unify the different approaches currently applied by Member States and to increase the level of protection for people reporting on breaches of Union law, including all breaches affecting the EU`s financial interests. In our opinion on the proposal, issued on 15 October 2018, we stated our view that the introduction or expansion of whistleblowing arrangements in all Member States would help improve the management of EU policies through the actions of citizens and employees. However, we also highlighted some areas of concern, such as the overly complex material scope of the proposal, which could reduce the legal certainty for potential whistleblowers and thus deter them from reporting. Other issues we raised were the lack of clear obligations regarding awareness-raising and staff training, and our conviction that people who have reported anonymously should not be denied whistleblower protection if their identity is subsequently revealed29. In relation to the adoption of this Directive, the European Parliament and the Member States reached on 12 March 2019 a provisional agreement on the new rules that would guarantee protection for whistleblowers who report breaches of EU law30.
Data analytics is under-used for fraud detection36
The Commission encourages managing authorities to use data analytics proactively to detect potentially high-risk situations, identify red flags and refine the aim of measures to combat fraud. Data analytics should be a systematic part of project selection, management verifications and audits31. In the framework of the fight against fraud, the Commission offers a specific data-mining tool (Arachne) to help managing authorities identify projects that might be subject to risks of fraud. According to the information we received from the Commission, in December 2018 Arachne was being used by 21 Member States for 165 OPs representing 54 % of all EU cohesion funding for 2014‑2020 (excluding ETC). In our special report 01/2019: “Fighting fraud in EU spending: action needed”, we highlighted the importance of Arachne as a fraud prevention tool. We have now assessed Arachne’s role as a data analytics tool for fraud detection.37
One of the most significant observations arising from our audit work is that managing authorities do not sufficiently use data analytics for fraud detection. Our survey showed that only one in every two managing authorities uses data analytics tools in this way (see Figure 5). Arachne in particular is under-used. In the Member States we visited we found that:
- One Member State (Greece) has not provided any information as to whether or not Arachne will be introduced in the near future. However, the Greek managing authorities have not adopted an equivalent data analytics tool which could be used for all OPs in the country.
- In four of the remaining six Member States, even where they have decided to use Arachne the managing authorities have made little progress on uploading the necessary operational data or using the tool for their internal controls.
- The Arachne Charter allows access only to managing authorities, certifying authorities and audit authorities. Thus, Arachne cannot be automatically used by investigative bodies.
We also found that, in two of the Member States we visited, managing authorities which have fully incorporated Arachne into their management procedures have used the tool to help them to adapt their specific anti-fraud measures to high-risk beneficiaries.38
We did not obtain any convincing explanation as to why managing authorities were not making full use of the tool, which the Commission makes available free of charge. However, the Commission’s own November 2018 study (see paragraph 24 and Box 1) concluded that managing authorities consider that, its current form, Arachne does not entirely meet their needs. The authors of the study found this particularly worrying, as the usefulness of Arachne is largely perceived to depend on the number of OPs feeding information into the tool32.39
Nevertheless, during our visits we were able to identify some examples of good practice where Member State authorities had developed data analytics tools to help with the identification of potential fraud risks (see Box 3).
Good practices in data analytics by Member States
We identified the following data analytics tools that are used directly to detect potential fraud in the use of EU Cohesion funding:
- In Romania, the National Integrity Agency has developed an IT system (’PREVENT’) that compares the public procurement information provided by contracting authorities and bidders with information from other national databases (e.g. the trade register). Use of the system in connection with 839 public procurement procedures financed by the EU enabled the Agency to issue 42 integrity warnings for correction or investigation.
- In Spain, the intermediate body responsible for implementing a large part of the OP ’Comunidad Valenciana’, in cooperation with higher education institutions, has developed a rapid alert IT system (‘SALER’) combining four separate national and regional databases in order to identify fraud risks. Implementation of this tool is ongoing.
Managing authorities lack procedures for monitoring and evaluating fraud prevention and detection measures40
The Commission encourages Member States and managing authorities to define procedures for monitoring the implementation of fraud prevention and detection measures. These should include specific arrangements for reporting what anti-fraud measures have been set up and how they are applied. Member States and managing authorities should use the results of monitoring to evaluate the measures’ effectiveness and rework their anti-fraud strategies and policies as necessary.41
Except in Latvia, we found that none of the managing authorities we visited examines the effectiveness of fraud prevention and detection measures. They keep limited records of which measures are used and seldom link them to specific results. Consequently, anti-fraud systems are not evaluated in terms of their actual results – either by managing authorities or by any other programme authority (e.g. the audit authority) or the AFCOS.
Similar levels of fraud reported for the 2007‑2013 and 2014‑2020 programming periods42
Managing authorities and other Member State bodies report fraudulent and non-fraudulent irregularities to the Commission through the IMS. As of December 2018, Member States (mainly managing and audit authorities) had reported a total of 1 925 and 155 irregularities as fraudulent, respectively, for the 2007‑2013 and 2014‑2020 programming periods. These concerned suspected and established fraud cases potentially affecting €1.6 billion (2007‑2013) and €0.7 billion (2014‑2020) in EU funds.43
Figure 6 charts the evolution in the number and value of irregularities reported in the IMS for the 2007‑2013 and 2014‑2020 programming periods. So far, 155 irregularities have been reported as fraudulent for 2014‑2020 – 10 % fewer than at the same stage in the 2007‑2013 period (174). In financial terms the situation is rather different: the potential impact of reported fraud on EU cohesion policy funds in the 2014‑2020 programming period (€0.7 billion) is more than three times higher than at the same stage of the previous period (€0.2 billion). However, this significant increase is the result of two separate cases of suspected fraud that we consider to be data outliers33.
Most fraud cases reported to the Commission are detected through on-the-spot checks or revealed by investigative and prosecution bodies or the media44
The IMS contains a number of data fields that are to be used to characterise irregularities and indicate the status of any proceedings. One of these fields is headed ‘source of the information leading to a suspicion of an irregularity’, which represents the method of detection. Based on the data recorded in the IMS up to and including December 2018, we analysed the sources of information leading to the reporting of irregularities as fraudulent for the 2007‑2013 programming period (see Figure 7). We did not assess the data for 2014‑2020 because it is still very incomplete and contains outliers (see paragraph 43).45
By number, most irregularities were detected by means of on-the-spot checks by programme authorities (see paragraph 04), followed by reports from investigative or prosecution bodies. This would suggest that these are the most effective means of detecting fraud in the use of Cohesion funding. However, the statistics are influenced by the generalised use of audits as a fraud detection method (see paragraph 33 and Figure 5). By value, the bulk of reports of fraudulent irregularities resulted from cases opened directly by investigative and prosecution bodies, or from revelations in the press and other media. We consider that the statistics on the sources of information on fraud by value are strongly affected by uncertainty about the true amounts concerned, although less so when the information comes from an investigative or prosecution body.
Fraud response, investigation and coordination among the relevant bodies46
The Commission requires managing authorities to develop effective fraud response measures. These should include clear mechanisms for reporting suspected fraud and clear procedures for referring cases to the competent investigation and prosecution authorities. There should also be procedures for following up suspected fraud and, where necessary, recovering EU funds. Managing authorities should work with their AFCOSs, and there is a need for adequate coordination among all administrative and law enforcement bodies.
Managing authorities’ under-reporting has affected the reliability of the fraud detection rates published in PIF reports47
Member States must use the IMS to notify the Commission of irregularities exceeding €10 000 that cause them to suspect or establish fraud34. Member States must report suspected or established fraud cases even if they have been resolved before certification of the related expenditure to the Commission.
Not all potential fraud is reported as such in the IMS48
Figure 3 above presents the fraud detection rates for 2007‑2013 in EU cohesion policy. These are based on IMS data and were published in the 2017 PIF report. In special report 01/2019, we stated that the PIF report data on detected fraud was incomplete35. Our work for this audit confirmed that assessment. We also detected several cases that raised questions about the completeness and reliability of the fraud data in the IMS and therefore limit the use that the Commission and Member States can make of the system.49
We found that not all Member States interpret the EU definition of fraud in the same way (see paragraph 01). For instance, cartel offences (bid rigging) are not always reported as fraudulent in Spain but other Member States, such as Latvia, systematically report them.50
We came across cases where irregularities giving clear indications of fraud were not properly reported to the Commission because they had been detected and corrected before certification of the related expenditure to the Commission. However, Member States are supposed to report suspicions of fraud (as ‘attempted fraud’) even if there is ultimately no EU co-financing. In Hungary, the managing authorities do not report suspicions of fraud that are resolved prior to certification to the Commission. In Spain, the managing authority responsible for the ESF withheld payments as a precautionary measure, but without reporting to the Commission on the expenditure affected by cases of alleged fraud that had appeared in the press.51
We found inconsistencies in the Member States’ use of administrative or legal acts to trigger reporting to the Commission. For instance, Romania does not systematically report ongoing investigations or decisions to prosecute in the IMS. As required by Romanian law, suspicions of fraud are only encoded when a managing authority, the audit authority, the AFCOS or OLAF issues an additional separate control/investigation report, even if an investigation is already ongoing or has been concluded. As a result, reporting in IMS is unduly delayed and some cases in the courts might be totally excluded from the system.52
Finally, we also found that the Hungarian AFCOS has a large backlog of cases to be analysed prior to reporting in the IMS.
The IMS contains some inaccuracies and obsolete data53
We found examples of inaccurate or obsolete data in the IMS, particularly in relation to the status of a case and the key dates in the sanctioning procedure. This could indicate that a managing authority, the data validator or AFCOS has not carefully checked data quality. While this situation is not satisfactory, it does not usually affect the number of fraud cases reported in IMS.54
We identified inconsistencies in the approach taken by managing authorities to assess the financial impact of potential fraud. As a result, similar legal offences may be quantified differently in the IMS by different Member States. Most concerned are cases where it is difficult to state accurately how much expenditure is affected (e.g. conflicts of interest in project selection or public procurement infringements).
Under-reporting has affected the reliability of fraud detection rates55
The 2017 PIF report gives fraud detection rates for each Member State and for the EU as a whole, based on the data reported in the IMS by Member States’ authorities and AFCOSs (see paragraph 07). It does not provide a similar comparative indicator regarding the number of irregularities across the EU in the field of cohesion policy. To compute this figure, we compared the number of fraudulent irregularities reported by each Member State with the amount they had received in EU funds (see Figure 8). We found that France reports the fewest fraudulent irregularities for each euro it receives from the EU. In our view, France does not adequately report irregularities, including suspicions of fraud.
In our view, the fraud detection rates published by the Commission are actually fraud reporting rates: they do not necessarily reflect the effectiveness of Member States’ detection mechanisms or even indicate how much fraud is actually detected, but rather show how many cases Member States have decided to report to the Commission (see paragraphs 48 to 52). In our special report 01/2019, we concluded that the correlation between fraud detection rates and other corruption risk indicators is weak36.57
In the light of the problems we identified, we consider that the fraud detection rate published in the 2017 PIF report for cohesion policy does not give a true representation of the incidence of fraud in the Member States we visited.
Several managing authorities fail to systematically communicate suspicions of fraud to investigation or prosecution bodies58
A key part of reducing fraud risk and heightening fraud deterrence is for competent judicial bodies (police, prosecutors and others) to investigate reports of fraud in a coordinated and timely manner. Although this audit did not cover the work of investigation and prosecution bodies, we did assess the way managing authorities communicate and coordinate with them.59
Putting the principle of fraud deterrence into practice requires managing authorities (or any other authority detecting potential irregularities) promptly and systematically to communicate suspicions of fraud to the relevant investigative or prosecution bodies, which are the only ones capable of determining intent. In several cases we found that managing authorities failed to systematically report suspected fraud to the bodies charged with investigation. In Greece, for instance, the managing authorities had not referred any of the suspicions of fraud sampled for our audit to the prosecution services. In Spain we found no specific instructions or procedures requiring managing authorities to report all suspected fraud in this way. Failure to communicate suspicions of fraud severely limits the deterrent effect of possible investigation and prosecution.60
Investigators and prosecutors regularly turn down requests to open criminal investigation of cases referred to them by managing authorities. This is quite normal, as only these specialised services have the legal capacity and investigative resources to establish whether a criminal act may have taken place. However, managing authorities should always analyse the reasons for a rejection and, where possible and appropriate, amend their operational procedures. We found that only Latvia has made arrangements to analyse why referred cases are rejected and take the necessary action.
Corrective measures have a limited deterrent effect61
Managing authorities are expected to recover EU funds that are spent fraudulently37. They are also charged with making a thorough and critical review of any internal control systems that may have exposed them to potential or proven fraud.62
The most common corrective measure is to withdraw affected expenditure from the declarations made to the Commission, but without recovering funds from the perpetrator of fraud or imposing any type of additional deterrent action such as a sanction or penalty. There is nothing unusual about this procedure, as in most of the cases we reviewed the actual occurrence of fraud had not yet been established. According to the IMS, however, Member State authorities had initiated the recovery of EU funds in only 84 out of 159 cases of established fraud38. Withdrawing expenditure from declarations to the Commission is an effective way of protecting the EU’s financial interests. However, this protection does not extend to national public funding – i.e. Member States’ budgets are still affected if there is no recovery – which places limits on the deterrent effect of corrective action taken by managing authorities. Our special report 01/2019 provides additional information on the recovery of funds related to established fraud cases39.63
As well as recovering any EU funds affected by fraud, managing authorities are expected to assess the horizontal implications for their management and control systems and other projects (e.g. same beneficiary or similar signs of fraud).64
Of the seven Member States we visited, we only found evidence of this kind of assessment in Spain (see Box 4). However, even there, verification is not systematic.
Example of good practice: checking for systematic fraud based on an initial case
Most individual suspicions of fraud reported by Spain in relation to the 2007-2013 programming period can be traced to a single investigation triggered by an intermediate body.
Based on the preliminary conclusions of an initial verification, the intermediate body made horizontal checks of all other grants awarded to the same final beneficiary. It concluded that there was enough evidence to suspect systematic fraud involving false invoicing and collusion with external suppliers.
The intermediate body duly reported the results of its checks and its suspicions of fraud to the Spanish prosecutors and to the Commission. The investigation currently covers 73 % of all the cases of suspected fraud reported in Spain for the 2007‑2013 programming period and 56 % of their estimated potential impact on the EU contribution.
The fight against fraud is weakened by various management issues
It can take a long time to punish fraud65
There may be a long time between the commission of fraud and the imposition of sanctions (see Figure 9). According to the data recorded in the IMS, on average suspicions of fraud are raised around two years after the perpetration of an irregularity40. It can take another year to confirm those suspicions through a preliminary assessment leading to a primary administrative or judicial finding41 and to report the case to the Commission through the IMS. From this point onwards, the Commission is in a position to monitor the case and consider it for the purposes of the annual PIF report. Following the preliminary assessment (and in parallel to reporting to the Commission), it takes around five months to initiate any administrative or criminal proceedings with a view to imposing sanctions. These proceedings take three years on average to come to term.
The functions of AFCOSs are insufficiently defined in the Regulation and vary considerably among Member States66
Even though the main responsibility for fighting fraud in the use of Cohesion funding lies with the managing authorities, the AFCOSs play an essential role in coordinating the work of these authorities with other Member State bodies and with OLAF. The EU legislation establishing the AFCOSs42 does not provide guidance regarding their terms of reference, organisational framework or tasks. The Commission has provided specific recommendations in this respect through further guidance43 (see paragraph 07). However, it is up to each Member State to make specific arrangements for its AFCOS.67
The resources and organisational arrangements of AFCOSs should allow them to properly monitor fraud reporting and coordinate the work of all parties involved in the fight against fraud. In the absence of clear guidance, we found that the AFCOSs in the seven Member States we visited had significantly different structures and powers. They ranged from small departments without investigative authority to complex structures that are fully empowered to carry out administrative investigations (see Figure 10). The French AFCOS has the same number of staff as the Latvian AFCOS, despite the difference between the two countries in terms of size and volume of funds received.
The Hungarian AFCOS lacks proper arrangements for reporting on activities carried out by the Member State to protect the EU’s financial interests. This AFCOS does not make public any reports on those activities or on potential fraud in EU Cohesion spending (see Figure 10).69
On 23 May 2018, the Commission issued a proposal for amendments to the OLAF Regulation44. Before putting forward the proposal, in 2017 the Commission had conducted an evaluation45 of the way the OLAF Regulation was being applied. The evaluation identified discrepancies in the way AFCOSs were set up in different Member States, and in their powers, as the main factor inhibiting their effectiveness.70
On 22 November 2018, the Court gave its opinion on the proposal46. Our view was that the proposal does not sufficiently contribute to the more harmonised and effective implementation of AFCOSs in all Member States, as it only addresses the services’ cooperation with OLAF and fails to provide clarity as to their minimum functions.
The status of fraud cases is inadequately reported and followed up71
In order to follow up the status of a case, it may be necessary to consult parties involved in the fight against fraud that are outside the OP management and control structures. We consider that, as the central structures liaising with OLAF in the fight against fraud, AFCOSs should have an overview at all times of cases of fraud involving EU funding. To do this, they should be able to obtain information on the status of cases investigated by the competent authorities in their Member States. In addition, they should have statistics on the number and progress of cases under investigation, with due regard to procedural confidentiality.72
In five of the Member States we visited, the AFCOSs were insufficiently aware of the investigative status of cases reported to the Commission. In Romania and Hungary we found no formal mechanism for systematic cooperation between the managing authorities, the AFCOS and the investigative and prosecution bodies; thus the AFCOS had no full overview of ongoing investigations involving EU-funded projects. That said, the Romanian AFCOS periodically approaches the prosecution bodies for information on the status of ongoing investigations about which it is aware. In Spain, the AFCOS also takes a proactive approach by requesting data on ongoing investigations. In spite of this, it is unable to ensure that updated information is forwarded to the Commission.73
We found coordination and information exchange issues in six of the seven Member States. We were also unable to reconcile the information recorded in the IMS regarding cases of suspected and confirmed fraud involving EU funding with that held by the various authorities. This finding raises questions about the reliability of the information reported to the Commission. The Member States concerned keep no central database or other form of centralised statistical records that might provide an overview of the nature and status of fraud cases (see paragraph 48).
Coordination mechanisms are often lacking74
Protection for the EU’s financial interests at the level of the Member States does not exclusively concern the authorities responsible for the implementation of Cohesion funding or the AFCOSs. Other interested parties include investigation and prosecution bodies, competition authorities, procurement agencies and, depending on the country, certain other institutions. Member States should put in place adequate coordination mechanisms so that the various actors can exchange information about measures taken and planned, as well as recommendations for improvement.75
However, most of the Member States we visited do not have proper coordination mechanisms involving all the relevant parties in the fight against fraud involving EU Cohesion funding.76
In Bulgaria, where 60 % of the cases we examined had been rejected or terminated by the prosecutor`s office, neither the AFCOS nor the managing authorities systematically analyse the reasons for rejection. In Hungary, the AFCOS does not have an overview of measures actually implemented as part of the anti-fraud management process or of the status of reported cases. The Romanian AFCOS carries out coordination work solely on the basis of bilateral agreements with each of the programme authorities, but there is no national multilateral coordination mechanism involving all stakeholders. In Spain, the establishment of a body meant to assist the AFCOS by coordinating all parties to the fight against fraud has been pending since the AFCOS was set up in 201647.77
We found an example of good coordination practice in Latvia (see Box 5).
Coordination between managing authorities and investigation and prosecution bodies
In Latvia, the investigative authorities refused to start criminal proceedings in a number of cases identified by the managing authority and its delegated intermediate bodies. To analyse the reasons for these refusals and determine whether changes were required to working practices, the AFCOS set up an interinstitutional working group involving the authorities, the Ministry of Justice, the police and the State prosecution service. The working group now meets regularly to examine cases of suspected fraud in the implementation of Cohesion funding.
Conclusions and recommendations78
Through this audit, we assessed whether managing authorities have properly met their responsibilities at each stage of the anti-fraud management process: fraud prevention, fraud detection and fraud response (including reporting on fraud and recovery of funds unduly paid). To this end, we assessed whether managing authorities have:
- developed anti-fraud policies, performed a thorough risk assessment and implemented adequate preventive and detective measures; and
- properly responded to detected fraud in coordination with AFCOSs and other competent anti-fraud bodies.
Our overall conclusion is that, although there have been improvements in the way managing authorities identify fraud risks and design preventive measures, they still need to strengthen fraud detection, response and coordination.
Managing authorities generally have no specific anti-fraud policy80
Managing authorities seldom prepare a formal anti-fraud policy or a similar single document specifying the fraud prevention, detection and response (correction and prosecution) measures which they have designed following a risk assessment. We consider that the preparation and publication of a formal anti-fraud policy in the form of a single, stand-alone document is essential in order to communicate a managing authority’s determination to actively combat fraud. This is particularly relevant, as only ten Member States have adopted a national anti-fraud strategy based on the Commission’s recommendation. We consider the absence of provisions requiring managing authorities to adopt formal anti-fraud policies to be a shortcoming in the design of the anti-fraud framework for 2014‑2020 (paragraphs 18 to 21).Recommendation 1 – Develop formal strategies and policies to combat fraud against EU funds
- Member States that do not have a national anti-fraud strategy (see paragraph 20 and footnote 19) should formulate one. The strategy should at least:
- be based on the assessment of existing risks and involve knowledgeable actors from different areas (managers of EU funds, competent fraud investigation and prosecution bodies, etc.) in its preparation;
- outline concrete measures for fraud prevention, detection, investigation and prosecution, and recovery and sanctions;
- contain specific arrangements for monitoring the implementation of anti-fraud measures and measuring results; and
- explicitly assign responsibilities for the implementation, monitoring, coordination and comparative evaluation of anti-fraud measures.
Timeframe: by the end of 201981
In line with the zero-tolerance approach to fraud, and during negotiations and approval process for the CPR for the period 2021-2027, the co-legislators could consider making compulsory the adoption of national strategies or anti-fraud policies.
Managing authorities systematically assess fraud risks, but this process could be further improved82
In line with the provisions of the 2014‑2020 control framework, managing authorities now systematically assess fraud risks (largely based on the guidance provided by the Commission), which is an improvement in the fight against fraud (paragraphs 22 and 23). However, for some of the managing authorities we visited the approach is still too mechanical and does not include additional input from other knowledgeable parties such as the AFCOSs or investigative and prosecution bodies.83 Recommendation 2 – Make fraud risk assessment more robust by involving relevant external actors in the process
Managing authorities, in particular those in charge of programmes with particular high risk and high financial volume, should seek to involve relevant external actors with proven experience in combating fraud (e.g. representatives from prosecution bodies) in the evaluation of risks and of the suitability of existing anti-fraud measures.
Timeframe: by the end of 2019
Managing authorities have improved fraud prevention measures but made no significant progress towards proactive fraud detection84 85
However, fraud detection measures for 2014‑2020 remain largely the same as for 2007‑2013, which were designed in a weaker control framework (paragraphs 33 to 35). Managing authorities make insufficient use of data analytics for fraud detection, and most of the Member States we visited did not use the Arachne tool to its full potential (paragraphs 36 to 38).86
Managing authorities made no significant progress towards ’proactive’ fraud detection, for example by checking specifically for collusion in public procurement (paragraph 33). Although managing authorities perceive fraud hotlines and whistleblowing mechanisms to be very effective fraud detection methods, fewer than half of the managing authorities that replied to our survey actually use them (paragraphs 34 and 35).87
Furthermore, it is not possible to assess the effectiveness of fraud prevention or detection measures, since managing authorities lack procedures for monitoring their implementation and evaluating their effectiveness (paragraphs 40 and 41).Recommendation 3 – Improve fraud detection measures by generalising the use of data analytics tools and promoting the use of other ‘proactive’ fraud detection methods
- Managing authorities that do not currently use fraud data analytics tools, in particular Arachne, should take them on for their potential to identify fraud risks in a systematic and cost-efficient manner;
- the Commission, in its supervisory capacity under shared management, should actively promote the use of ’proactive’ and other new fraud detection methods by regularly disseminating specific cases of best practice; and
- in cooperation with the AFCOSs, the Commission should develop minimum arrangements for monitoring and evaluating the implementation and effectiveness of fraud prevention and detection measures.
Timeframe: by the end of 202188
During negotiations and approval process for the CPR for the period 2021‑2027, the co-legislators could consider making compulsory the use of proper data analytics tools (e.g. Arachne) for the 2021-2027 programming period, in order to improve the effectiveness of fraud detection at a relatively low cost.
Managing authorities under-report fraud cases for the PIF reports and fail to refer them to investigative and prosecution bodies89
As regards fraud response, we found that managing authorities under-report fraud and that this affects the reliability of the fraud detection rates published in the PIF reports (paragraphs 48 to 57). Several managing authorities also fail to systematically communicate suspicions of fraud to investigation or prosecution bodies (paragraphs 58 to 60). We found that managing authorities focus on the withdrawal of EU funding and do not always recover fraudulent amounts from perpetrators or impose dissuasive penalties or sanctions (paragraphs 61 and 62). Nor do managing authorities satisfactorily assess the possible horizontal implications of cases where fraud is suspected (paragraphs 63 and 64; Box 4). All of these aspects severely limit the deterrent effect of fraud investigations.Recommendation 4 – Monitor fraud response mechanisms to ensure they are consistently applied
- The Commission should establish clear fraud reporting requirements for Member State bodies in general and managing authorities in particular. These should be based on the standard interpretation of fraud affecting the EU’s financial interests in the new PIF Directive;
- the Commission should require managing authorities to systematically assess the horizontal implications of suspected fraud in their management and control systems; and
- the Commission should encourage managing authorities to communicate all suspicions of fraud to criminal investigation or prosecution bodies.
- To ensure deterrence is effective, managing authorities should take proportionate measures to recover public funds from perpetrators of fraud and not just decertify the expenditure from EU funding.
Timeframe: by the end of 201990
During negotiations for the CPR for the 2021-2027 programming period, the co-legislators could consider introducing specific sanctions and penalties for those responsible for fraud against the EU’s financial interests. In particular, as in other policy areas, these measures could include a specific monetary penalty that would vary according to the financial impact of the irregularity, or a mechanism for exclusion from EU funding for a specific number of years.
The fight against fraud is weakened by the Regulation’s insufficient definition of AFCOS functions and little coordination among Member State bodies91
Regarding the coordination of anti-fraud activities, we found considerable variation in the way AFCOSs are organised and resourced (paragraphs 66 to 70). In this respect, the Commission’s proposal to amend the OLAF Regulation does not provide sufficient clarity as to the minimum functions of an AFCOS. The status of fraud cases is inadequately reported and followed up (paragraphs 71 to 73), as AFCOSs do not always have access to information on the status of fraud cases under investigation. The frequent absence of coordination negatively impacts the effectiveness of the fight against fraud (paragraphs 74 to 78).Recommendation 5 – Support the expansion of the AFCOSs’ function to improve coordination
The Commission should encourage Member States to expand the AFCOSs’ role of coordination with managing authorities to liaising with all national bodies charged with the investigation and prosecution of suspected fraud.
Timeframe: by the end of 201992
While respecting the Member States’ right to flexibility in defining and organising their own work against fraud in line with the principle of subsidiarity, the EU co-legislators could consider determining minimum functions for an AFCOS. This could be done, for example, in the context of the ongoing legislative process for modifying the OLAF Regulation in order to ensure AFCOSs’ effective coordination role. The functions of the AFCOSs could at least include the following:
- liaising between managing authorities (and the other programme authorities) and other Member State bodies involved in combating fraud, in particular investigation and prosecution bodies;
- monitoring the status of individual cases and reporting to the Commission on the follow-up given by the responsible managing authorities, with due regard to the confidentiality of ongoing investigations; and
- certifying annually, with a view to the Commission’s preparation of PIF reports, that the information recorded in the IMS is complete, reliable, accurate and up-to-date.
This Report was adopted by Chamber II, headed by Mrs Iliana IVANOVA, Member of the Court of Auditors, in Luxembourg at its meeting of 27 March 2019.
For the Court of Auditors
Acronyms and abbreviations
AFCOS: Anti-fraud coordination service
CPR: Common Provisions Regulation
ESF: European Social Fund
ERDF: European Regional Development Fund
FDR: Fraud detection rate
FRA: Fraud Risk Assessment
IMS: Irregularity Management System
OLAF: European Anti-Fraud Office (Office européen de lutte antifraude)
OP: Operational programme
1 We have removed references to EU revenue from these definitions.
2 Article 1(2) of Council Regulation (EC, Euratom) No 2988/95 of 18 December 1995 on the protection of the European Communities’ financial interests (the ‘PIF Regulation’) (OJ L 312, 23.12.1995, p. 1).
3 Article 1(a) of the Annex to the Council Act of 26 July 1995 drawing up the Convention on the protection of the European Communities’ financial interests (the ‘PIF Convention’).
4 The other ESIFs are the European Agricultural Fund for Rural Development (EAFRD) and the European Maritime and Fisheries Fund (EMFF).
5 Articles 58(h), 70(1)(b) and 98(1) of the consolidated version of Council Regulation (EC) No 1083/2006 of 11 July 2006, laying down general provisions on the European Regional Development Fund, the European Social Fund and the Cohesion Fund and repealing Regulation (EC) No 1260/1999 (OJ L 210, 31.7.2006, p. 25), and Articles 20(2)(a), 28(1)(e) and (n), 28(2), 30 and 33(2) of the consolidated version of Commission Regulation (EC) No 1828/2006 of 8 December 2006 setting out rules for the implementation of Council Regulation (EC) No 1083/2006 (OJ L 371, 27.12.2006, p. 1).
6 Article 72 and 125(4)(c) of Regulation (EU) No 1303/2013 of the European Parliament and the Council of 17 December 2013 laying down common provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund, the European Agricultural Fund for Rural Development and the European Maritime Fisheries Fund and laying down general provisions on the European Regional Development Fund, the European Social Fund, the Cohesion Fund and the European Maritime Fisheries Fund (OJ L 347, 20.12.2013, p. 320), hereafter referred to as CPR. Throughout this report we refer to the ‘anti-fraud management process’, which corresponds to the term ‘anti-fraud management cycle’ used by the Commission in its guidance documents.
7 Commission’s guidance for Member States and programme authorities on fraud risk assessment and effective and proportionate anti-fraud measures (EGESIF 14-0021), page 11.
8 Section 2.2.1 of the Joint Anti-fraud Strategy 2015-2020 for ERDF, CF, ESF, FEAD, EGF, EUSF and EMFF, Ares (2015) 6023058 of 23 December 2015 (available at: https://ec.europa.eu/sfc/sites/sfc2014/files/sfc-files/JOINT%20ANTI-FRAUD-STRATEGY2015-2020.pdf).
9 Article 3(4) of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) (OJ L 248, 18.9.2013, p. 1), as amended by Regulation (EU, Euratom) 2016/2030 of the European Parliament and of the Council of 26 October 2016 (OJ L 317, 23.11.2016, p. 1).
10 Guidance note on main tasks and responsibilities of an Anti-Fraud Coordination Service (AFCOS), 13 November 2013, Ares (2013) 3403880.
11 The abbreviation PIF comes from the French ‘protection des intérêts financiers’ and generally refers to the protection of the EU’s financial interests.
12 Article 17(1) of Directive 2017/1371.
13 COM(2018) 553 final of 3 September 2018.
14 Statistical annex to the 2017 PIF report, page 93. The FDR is the ratio between the amounts involved in cases reported as fraudulent and the payments made in the 2007-2013 programming period (page 91). This indicator does not include undetected or unreported fraud.
15 Commission’s guidance for Member States and programme authorities on fraud risk assessment and effective and proportionate anti-fraud measures, page 11 (EGESIF 14-0021 of 16 June 2014).
16 Commission’s Guidance for Member States and programme authorities on fraud risk assessment and effective and proportionate anti-fraud measures (EGESIF 14-0021 of 16 June 2014), OLAF’s Handbook on the role of Member State auditors in fraud prevention and detection (October 2014) and Guidance on a common methodology for the assessment of management and control systems in the Member States (EGESIF 14-0010-final of 18 December 2014).
17 Article 30 and Annex IV of Commission Delegated Regulation (EU) No 480/2014 of 3 March 2014 supplementing Regulation (EU) No 1303/2013 of the European Parliament and of the Council (OJ L 138, 13.5.2014, p. 5) and defining key requirements of management and control systems and their classification with regard to their effective functioning - specifically key requirement 7 (effective implementation of proportionate anti-fraud measures).
18 In this sense, the concept of a formal anti-fraud policy corresponds to the ’fraud risk management programme’ defined by the Association of Certified Fraud Examiners (ACFE) in its ”Fraud examiners manual” or in the ”Fraud Risk Management Guide” it developed with the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and to the “formal counter fraud and corruption strategies” defined by the Chartered Institute of Public Finance and Accountancy (CIPFA) in its “Code of practice on managing the risk of fraud and corruption”.
19 National anti-fraud strategies exist in ten of the 28 Member States: Bulgaria, Czechia, Greece, France, Croatia, Italy, Latvia, Hungary, Malta and Slovakia. Romania also has a strategy, but it is now out-of-date (Source: 2017 PIF report, page 12). The Member States that have not adopted a national strategy are: Belgium, Denmark, Germany, Estonia, Ireland, Spain, Cyprus, Lithuania, Luxembourg, Netherlands, Austria, Poland, Portugal, Slovenia, Finland, Sweden and United Kingdom.
20 Article 30 and Annex IV.
21 Article 11 and Annex III of Commission’s proposal for a CPR for 2021-2027, COM(2018) 375 of 29 May 2018.
22 In the guidance document, the Commission developed a fraud risk assessment model based on 31 standard inherent risks, further subdivided into 40 risks and 128 recommended mitigating controls, all of them structured around four generic management processes (selection of applicants, implementation and verification of operations, certification and payments, and direct procurement by managing authorities). However, the document does not cover financial instruments or risks in relation to state aid.
23 DG REGIO – Preventing fraud and corruption in the European Structural and Investment Funds – taking stock of practices in the EU Member States, October 2018, available at: https://ec.europa.eu/regional_policy/en/information/publications/studies/2018/study-on-the-implementation-of-article-125-4-c-of-the-regulation-eu-no-1303-2013-laying-down-the-common-provisions-on-the-european-structural-and-investment-fund-in-member-states.
24 More information on integrity pacts can be found on the Commission website at http://ec.europa.eu/regional_policy/en/policy/how/improving-investment/integrity-pacts/.
25 Based on those made available by the Commission in its information note of 18 February 2009 on fraud indicators for ERDF, ESF and CF.
26 It is in the very nature of fraud against EU cohesion policy funds that perpetrators identify the limitations of existing controls and attempt to exploit them in order to obtain direct or indirect unlawful gains.
27 In particular ‘Report to the Nations’, the 2018 global study on occupational fraud and abuse published by the Association of Certified Fraud Examiners (ACFE). According to this study, fraud is mainly detected through tip-offs, whether from employees, customers, competitors or anonymous sources.
28 The “Report fraud” tool at https://ec.europa.eu/anti-fraud/olaf-and-you/report-fraud_en.
29 Paragraphs 3, 12, 21, 23 and 32 of ECA Opinion No 4/2018 concerning the proposal for a Directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union law.
30 See Commission’s press release IP/19/1604 “European Commission welcomes provisional agreement to better protect whistleblowers across the EU” (http://europa.eu/rapid/press-release_IP-19-1604_en.htm).
31 Commission’s guidance for Member States and programme authorities on fraud risk assessment and effective and proportionate anti-fraud measures (EGESIF 14-0021).
32 Page 51 of DG REGIO’s study “Preventing fraud and corruption in the European Structural and Investment Funds – taking stock of practices in the EU Member States”.
33 The two irregularities were reported by Slovakia and are worth close to €0.6 billion. By definition, they are at an early stage in the fraud management process and may yet evolve significantly.
34 Article 122(2) of the CPR; Articles 3 and 4 of Commission Delegated Regulation (EU) 2015/1970 supplementing Regulation (EU) No 1303/2013 of the European Parliament and of the Council with specific provisions on the reporting of irregularities (OJ L 293, 10.11.2015, p. 1); Article 28(2) of Commission Regulation (EC) No 1828/2006 (rules for implementation).
35 ECA special report 01/2019: “Fighting fraud in EU spending: action needed”, paragraphs 21 to 32.
36 Special report 01/2019: “Fighting fraud in EU spending: action needed”, paragraph 29.
37 Annex IV of Commission Delegated Regulation (EU) No 480/2014 of 3 March 2014 supplementing Regulation (EU) No 1303/2013.
38 The amount to be recovered in relation to these 84 fraud cases was €7 million.
39 Special report 01/2019: “Fighting fraud in EU spending: action needed”, paragraphs 112 to 115.
40 Calculated on the basis of the information recorded in the IMS. As already stated, this information is not always accurate.
41 A primary administrative or judicial finding (PACA) is the first written assessment by a competent authority concluding that an irregularity may be fraudulent, without prejudice to further assessment of the case. PACAs can come in a variety of forms, such as a management verification report by a managing authority or intermediate body, an audit report from the audit authority, the Commission or the ECA, or the indictment decision taken by a prosecutor or a judge to trigger a formal criminal investigation.
42 Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) (OJ L 248, 18.9.2013, p. 1), as amended by Regulation (EU, Euratom) 2016/2030 of the European Parliament and of the Council of 26 October 2016 (OJ L 317, 23.11.2016, p. 1).
43 Guidance note on main tasks and responsibilities of an Anti-Fraud Coordination Service (AFCOS), 13 November 2013, Ares (2013) 3403880.
44 Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU, Euratom) No 883/2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) as regards cooperation with the European Public Prosecutor's Office and the effectiveness of OLAF investigations, COM(2018) 338 final 2018/0170 (COD).
45 Report from the Commission to the European Parliament and the Council on the evaluation of the application of Regulation (EU, Euratom) No 883/2013, SWD(2017) 332 final.
46 Opinion No 8/2018 on the Commission’s proposal of 23 May 2018 on amending Regulation 883/2013 as regards cooperation with the European Public Prosecutor’s Office and the effectiveness of OLAF investigations – see in particular paragraphs 16, 38 and 39.
47 The Royal Decree regulating the composition and the functioning of this body was finally adopted on 1 March 2019 and published on 19 March 2019.
|Adoption of Audit Planning Memorandum (APM) / Start of audit||10.1.2018|
|Official sending of draft report to Commission (or other auditee)||23.1.2019|
|Adoption of the final report after the adversarial procedure||27.3.2019|
|Commission’s (or other auditee’s) official replies received in all languages||6.5.2019|
The ECA’s special reports set out the results of its audits of EU policies and programmes, or of management-related topics from specific budgetary areas. The ECA selects and designs these audit tasks to be of maximum impact by considering the risks to performance or compliance, the level of income or spending involved, forthcoming developments and political and public interest.
This performance audit was carried out by Audit Chamber II: Investment for cohesion, growth and inclusion spending areas, which is headed by ECA Member Iliana Ivanova. The audit was led by ECA Member Henri Grethen, supported by Ildikó Preiss, Private Office Attaché; Juan Ignacio González Bastero, Principal Manager; Jorge Guevara López, Head of Task (CFE); Dana Christina Ionita, Sandra Dreimane (CFE), Florence Fornaroli, Efstratios Varetidis, Márton Baranyi, Zhivka Kalaydzhieva, and Janka Nagy-Babos Auditors. Thomas Everett provided linguistic support.
From left to right: Márton Baranyi, Thomas Everett, Efstratios Varetidis, Henri Grethen, Ildikó Preiss, Dana Christina Ionita, Juan Ignacio González Bastero,
EUROPEAN COURT OF AUDITORS
12, rue Alcide De Gasperi
More information on the European Union is available on the internet (http://europa.eu).
Luxembourg: Publications Office of the European Union, 2019
|ISBN 978-92-847-0170-4||ISSN 1977-5679||doi:10.2865/450308||QJ-AB-19-004-EN-N|
|HTML||ISBN 978-92-847-0072-1||ISSN 1977-5679||doi:10.2865/98146||QJ-AB-19-004-EN-Q|
© European Union, 2019.
For any use or reproduction of photos or other material that is not under the European Union copyright, permission must be sought directly from the copyright holders.
GETTING IN TOUCH WITH THE EU
All over the European Union there are hundreds of Europe Direct Information Centres. You can find the address of the centre nearest you at: https://europa.eu/european-union/contact_en
On the phone or by e-mail
Europe Direct is a service that answers your questions about the European Union. You can contact this service
- by freephone: 00 800 6 7 8 9 10 11 (certain operators may charge for these calls),
- at the following standard number: +32 22999696 or
- by electronic mail via: https://europa.eu/european-union/contact_en
FINDING INFORMATION ABOUT THE EU
Information about the European Union in all the official languages of the EU is available on the Europa website at: https://europa.eu/european-union/index_en
You can download or order free and priced EU publications from EU Bookshop at: https://publications.europa.eu/en/web/general-publications/publications. Multiple copies of free publications may be obtained by contacting Europe Direct or your local information centre (see https://europa.eu/european-union/contact_en)
EU law and related documents
For access to legal information from the EU, including all EU law since 1951 in all the official language versions, go to EUR-Lex at: http://eur-lex.europa.eu/homepage.html?locale=en
Open data from the EU
The EU Open Data Portal (http://data.europa.eu/euodp/en/data) provides access to datasets from the EU. Data can be downloaded and reused for free, both for commercial and non-commercial purposes.