Brussels, 18 May 2022
WK 7216/2022 INIT
LIMITE
FIN
This is a paper intended for a specific community of recipients. Handling and
further distribution are under the sole responsibility of community members.
MEETING DOCUMENT
From:
General Secretariat of the Council
To:
Budget Committee
N° Cion doc.:
8910/22 + ADD 1 (COM(2022) 223 final + ANNEXES 1 to 2)
Subject:
Financial Regulation (recast): Amendments related to the recording and storing of
data on recipients of EU funding and data-mining (for audit and control) (Fiche 2)
Delegations will find enclosed the Commission's Fiche No 2 regarding the amendments related to the
recording and storing of data on recipients of EU funding and data-mining (for audit and control).
WK 7216/2022 INIT
ECOFIN.2.A GT/ML/ab
LIMITE
EN
Fiche1 n° 2
May 2022
Financial Regulation recast
(COM(2022)223 final)
Amendments related to the recording and storing of data on recipients of EU
funding and data-mining (for audit and control)
The Inter-institutional Agreement (‘IIA’) of 16 December 2020
stipulates that ‘in order to enhance
the protection of the Union budget and the European Union Recovery Instrument against fraud and
irregularities, the Institutions agree on the introduction of standardised measures to collect, compare
and aggregate information and figures on the final recipients and beneficiaries of Union funding, for
the purposes of control and audit’ (point 30). In addition, collecting ‘data on those ultimately
benefitting, directly or indirectly, from Union funding under shared management and from projects
and reforms supported under Regulation of the European Parliament and of the Council establishing
a Recovery and Resilience Facility, including data on beneficial owners of the recipients of the
funding, is necessary to ensure effective controls and audits’ (point 31). Moreover, the Commission
is required to ‘make available an integrated and interoperable information and monitoring system,
including a single data-mining and risk-scoring tool, to access and analyse the data (…) with a view
to a generalised application by Member States (…)’ (point 32).
For the 2021-2027 MFF and NGEU, the Commission proposed to improve the collection and
interoperability of data by Member States on recipients of EU funding where the budget is implemented
under shared management and under the Recovery and Resilience Facility (‘RRF’). Important progress
was achieved in the adopted legislation as regards the type of data, including beneficial ownership data,
which now has to be collected by Member States. However, the adopted legislation does not provide for
the compulsory use of the single data-mining and risk-scoring tool to be provided by the Commission and
the Commission made formal statements concerning this point.
The Commission considers that analysing relevant data on the recipients of EU funding from
different perspectives, dimensions or angles and summarising it into useful new information,
categorising it, and identifying relationships, correlations or patterns, can be an effective means to
enhance the protection of the EU budget.
Therefore, to further improve the internal control of budget implementation, in particular the
prevention, detection, correction and follow-up of fraud, corruption, conflicts of interest, double
funding and other irregularities, the Commission considers essential ensuring standardised
electronic recording and storing of data on the recipients of EU funding and their beneficial owners
(where the recipient is not a natural person) and using an integrated IT system for data-mining and
risk scoring to access and analyse those data, for control, audit and anti-fraud purposes, and
identifying, based on a set of risk indicators, situations that might be susceptible to risks of
irregularities, fraud, corruption and conflicts of interest.
The European Parliament has been recurrently calling on the Commission to take action in this
respect, for instance in the context of the 2018, 2019 and 2020 discharge. In addition, in its own
initiative report on the revision of the Financial Regulation (‘FR’), the Parliament suggested the
compulsory use of a single data-mining and risk-scoring tool and the systematic collection of
beneficial ownership data. Moreover, in its own initiative legislative resolution (on the basis of
Article 225 TFEU) on digitalisation of the European reporting, monitoring and audit, the Parliament
1 This fiche is a non-paper prepared by the responsible Commission department to facilitate the decision making process.
Fragments of the Commission proposal have been inserted in Annex for ease of reference only. The authentic text of the
proposal is the one published in th
e Official Journal of the European Union.
1
requested the Commission to include, as part of the targeted revision of the FR, the necessary
legislative proposals with a view to establish an ‘integrated and interoperable electronic information
and monitoring system, including a single data mining tool to ensure the digitalisation of European
reporting, monitoring and audit for the CAP, cohesion and structural funds policies and other
policies
’.
Following the Commission proposals for sectoral legislation under shared management and RRF, the
revision of the FR, as the overarching and horizontal regulation for the implementation and control of the
EU budget, provides an opportunity to enshrine the same core principles in the internal control of all
methods of EU budget implementation (direct, indirect and shared management) and therefore
enhancing the protection of the EU budget against irregularities, fraud, corruption and conflicts of
interest and the effectiveness of controls and audits.
The proposed modifications consist of:
- Establishing horizontal measures in Article 36 FR, applicable to all methods of EU budget
implementation, to ensure standardised electronic recording and storing of data on the recipients
of EU funding, including their beneficial owners.
- Establishing horizontal measures requiring the use a single integrated IT system for data-mining
and risk-scoring (to be provided by the Commission) to access and analyse those data on the
recipients of EU funding and allow identifying measures, contracts and recipients which might
be susceptible to risks of irregularities, fraud, corruption and conflicts of interest.
- Applying the new provisions only to programmes adopted under and financed as from the post-
2027 MFF to allow enough time for the necessary adaption of electronic data systems, and for
guidance and training. Voluntary application will remain possible and will be encouraged during
that transitional period.
- Including an explicit reference to the application of Article 36 FR, taking into consideration the
transitional period, to any future instruments where Member States receive and implement EU
funds under direct management (as in the case of Member States under RRF).
These modifications will facilitate risk assessment for the purposes of selection, award, financial
management, monitoring, investigation, control and audit and contribute to effective prevention,
detection, correction and follow-up of fraud, corruption, conflicts of interest, double funding and
other irregularities. Overall support for such modifications was expressed in the public consultation
on the FR that closed on 1 October 2021. These modifications are to be distinguished from the
proposal for centralised publication of data on recipients of EU funding that is dealt with in a separate
fiche.
1. Scene setter
In light of the IIA and the recurrent calls from the European Parliament and in the context of various
new legal acts for the 2021-2027 MFF and NGEU (Common Provisions Regulation (CPR)2, Common
2 Recitals 72 to 74 and Art. 69(2), Regulation (EU) 2021/1060 of the European Parliament and of the Council of 24 June
2021 (CPR).
2
Agricultural Policy3, Brexit Adjustment Reserve (BAR)4, European Globalisation Adjustment Fund
for Displaced Workers (EGF)5 and Recovery and Resilience Facility 6), the Commission proposed the
mandatory recording and storing of data on the recipients of EU funding and their beneficial owners
and the use of a single data-mining and risk-scoring tool to access and analyse those data. The outcome
resulted in a fragmented legal framework.
As regards the electronic recording and storing of data on beneficial ownership, in the CPR, BAR,
EGF and RRF the legislator agreed to it. However, for CAP the legislator agreed on the collection of
data on groups in which the beneficiaries participate.
As regards the compulsory use of a single data-mining and risk-scoring tool for the CPR, EGF, BAR,
CAP and RRF only recitals or provisions recalling or requiring the Commission to make it available
and encouraging its use by Member States were agreed. In addition, for the CAP, the Commission
should, by 2025, present a report on the use and interoperability of single data-mining and risk-scoring
tool, accompanied by legislative proposals, if necessary.
Following the proposals above mentioned the Commission aims to harmonise and expand them to all
methods of EU budget implementation. The FR is the overarching and horizontal regulation for the EU
budget and covers all of its methods of implementation. The FR is therefore the most appropriate legal
instrument to regulate a uniform approach to recording and storing of data on the recipients of EU funding
and the use of a single integrated IT system for data-mining and risk-scoring.
Finally, it is noted that the use of a single integrated IT system for data-mining and risk-scoring will be
instrumental for the development of digital controls and audits.
2. Details of the proposal
Article 36 FR is placed in Title II ‘Budget and budgetary principles’, Chapter 7
‘Principle of sound
financial management and performance’ and sets out the core principles for the internal control of
budget implementation.
The proposed modifications aim at reinforcing the provisions of Article 36 FR, in particular, regarding
the requirement for “prevention, detection, correction and follow-up of fraud and irregularities”. The
proposed modifications consist of:
1) Establishing horizontal measures in Article 36 FR, applicable to all methods of EU budget
implementation (direct, indirect and shared management), to ensure standardised electronic
recording and storing of data on the recipients of EU funding, including their beneficial owners.
Unique identifiers at recipient level such as the VAT registration number or tax identification
number7 are required in order to allow a more accurate identification, filtering and grouping of
3 Recitals 52 and 82, Art. 59(2)(4), Regulation (EU) 2021/2116 of the European Parliament and of the Council of
2 December 2021 (CAP).
4 Recital 25 and Art. 14(1), Regulation (EU) 2021/1755 of the European Parliament and of the Council of 6 October 2021
(BAR).
5 Recital 44 and Art. 23(2), Regulations (EU) 2021/691 of the European Parliament and of the Council of 28 April 2021
(EGF).
6 Recital 54 and Art. 22(4), Regulation (EU) 2021/241 of the European Parliament and of the Council of 12 February 2021
(RRF).
7 OECD provides an overview of domestic rules in the different jurisdictions (including third countries) governing the
issuance, structure, use and validity of Tax Identification Numbers ("TIN") or their functional equivalents. The
jurisdiction-specific information of the TINs is split into a section for individuals and a section for entities. Please see
further details here
https://www.oecd.org/tax/automatic-exchange/crs-implementation-and-assistance/tax-identification-
numbers/.
3
recipients of EU funding. Such data should be made available in the single integrated IT system
for data-mining and risk-scoring mentioned below.
2) Establishing horizontal measures requiring the use a single integrated IT system for data-
mining and risk-scoring (provided by the Commission) to access and analyse those data on the
recipients of EU funding and allow identifying measures, contracts and recipients which might
be susceptible to risks. The IT system should facilitate risk assessment for the purposes of
selection, award, financial management, monitoring, investigation, control and audit and
contribute to effective prevention, detection, correction and follow-up of fraud, corruption,
conflicts of interest, double funding and other irregularities.
3) Specifying that an efficient internal control shall also be based on the implementation of an
appropriate anti-fraud strategy coordinated among appropriate actors involved in the control
chain;
4) Assigning to the Commission the responsibility to develop the IT system and specifying that
the use of and access to the data processed by IT system is limited to some bodies/entities
within the exercise of their respective competences (the Commission, Member State
authorities, entrusted partners, OLAF, ECA, EPPO and other Union investigative and control
bodies) and that such use and access must comply with applicable data protection rules.
5) Including an explicit reference to the application of Article 36 FR, taking into consideration
the transitional period, to any future instruments where Member States receive and implement
EU funds under direct management (as in the case of Member States under RRF). Given the
latest developments of new instruments with Member States in the context of direct
management (as opposed to those under shared management already regulated by Article 36
FR), such application would cover potential future instruments and avoid lengthy legislative
proposals.
6) As regards indirect management, data on the beneficial owners of the recipients will be
collected by entrusted partners (and made available in the IT system) with regard to their direct
recipients and to the extent that data on beneficial owners is collected in accordance with their
rules and procedures. This is in line with the rationale of this method of budget implementation,
based on reliance on partners’ rules, the equivalence of those rules to those of the Commission
and the principle of proportionality. The proposed approach strikes the right balance between
the protection of the EU financial interests and the need to collect and feed the IT system by
the entrusted partners.
7) Applying the new provisions only to programmes adopted under and financed as from the post-
2027 MFF to allow enough time for the necessary adaption of electronic data systems, for the
provision of guidance and training on the IT system and, in the case of indirect management,
for renegotiating the agreements with entrusted partners, just revised in 2021. It is also noted
that for CAP, the Commission should, by 2025, present a report on the use and interoperability
of the data-mining tool, accompanied by legislative proposals, if necessary. The results of this
report may also require more time for further improvements and developments of the IT
system. Voluntary application will remain possible and will be encouraged during the
transitional period. The Commission will continue to provide training and to offer support and
technical assistance and in parallel, the Commission will continue to improve the features of the IT
system, its user-friendliness and interoperability with other sources of data.
4
Annex: Financial Regulation proposal – relevant parts
Recital/Article
Proposed modifications
New recital
(27) In order to enhance the protection of the Union budget against fraud,
(27) for
corruption, conflicts of interest, double funding and other irregularities,
collection of
standardised measures to collect, compare and aggregate information on the
BO data and
recipients of Union funding should be introduced. In particular, in order to
integrated IT
effectively prevent, detect, investigate and correct frauds or remedy irregularities,
system for
it is necessary to be able to identify the natural persons that ultimately benefit,
data-mining
directly or indirectly, from Union funding and who ultimately profit from the
and risk-
misuse of EU funding. The electronic recording and storage of data on the
scoring (for
recipients of Union funding, including their beneficial owners as defined in Article
revised Article 3, point (6), of Directive (EU) 2015/849 of the European Parliament and of the
36)
Council and the regular making of those data available in a single integrated IT
system for data-mining and risk-scoring provided by the Commission, should
facilitate risk assessment for the purposes of selection, award, financial
management, monitoring, investigation, control and audit and contribute to
effective prevention, detection, correction and follow-up of fraud, corruption,
conflicts of interest, double funding and other irregularities. The Commission
should be responsible for the development, management and supervision of the
single integrated IT system for data-mining and risk-scoring. The Commission,
the Member States, the persons or entities implementing the budget, the European
Anti-Fraud Office (‘OLAF’) and other Union investigative and control bodies
should have the necessary access to those data within the exercise of their
respective competences. The rules related to the recording, storage, transfer and
processing of data should comply with applicable data protection rules.
New recital
(256) Some modifications regarding the transmission to the Commission of data
(256) for
on recipients for the purposes of publication, and regarding the electronic
transitional
recording and storage of data on recipients and the use of the single integrated IT
provisions
system for data-mining and risk-scoring to access and analyse those data should
Articles 36 and apply only to programmes adopted under and financed from the post-2027
38
multiannual financial framework in order to ensure a smooth transition by
allowing sufficient time for the necessary adaption of electronic data systems and
of relevant agreements, as well as the provision of guidance and training.
Revised
Article 36
Article 36
Internal control of budget implementation
1.
Pursuant to the principle of sound financial management, the budget shall
be implemented in compliance with the effective and efficient internal control
appropriate to each method of implementation, and in accordance with the relevant
sector-specific rules.
2.
For the purposes of budget implementation, internal control shall be
applied at all levels of management and shall be designed to provide reasonable
assurance of achieving the following objectives:
(a) effectiveness, efficiency and economy of operations;
(b) reliability of reporting;
(c) safeguarding of assets and information;
(d) prevention, detection, correction and follow-up of fraud,
corruption, conflicts of interest, double funding and other irregularities ,
including through the electronic recording and storage of data on the
5
Recital/Article
Proposed modifications
recipients of Union funds including their beneficial owners, as defined in
Article 3, point (6), of Directive (EU) 2015/849 , and through the use of
a single integrated IT system for data-mining and risk-scoring provided
by the Commission to access and analyse those data;
(e) adequate management of the risks relating to the legality and
regularity of the underlying transactions, taking into account the
multiannual character of programmes as well as the nature of the
payments concerned.
3.
Effective internal control shall be based on best international practices and
include, in particular, the following elements:
(a) segregation of tasks;
(b) an appropriate risk management and control strategy that includes
control at recipient level;
(c)
avoidance of conflict of interests;
(cd) adequate audit trails and data integrity in data systems including
electronic ones;
(de) procedures for monitoring effectiveness and efficiency;
(ef) procedures for follow-up of identified internal control weaknesses
and exceptions;
(fg) periodic assessment of the sound functioning of the internal control
system.
4.
Efficient internal control shall be based on the following elements:
(a) the implementation of an appropriate risk management and control
strategy and of an anti-fraud strategy coordinated among appropriate
actors involved in the control chain;
(b) the accessibility for all appropriate actors in the control chain of the
results of controls carried out;
(c) reliance, where appropriate, on management declarations of
implementation partners and on independent audit opinions, provided
that the quality of the underlying work is adequate and acceptable and
that it was performed in accordance with agreed standards;
(d) the timely application of corrective measures including, where
appropriate, dissuasive penalties;
(e) clear and unambiguous legislation underlying the policies
concerned, including basic acts on the elements of the internal control;
(f)
the elimination of multiple controls;
(g) the improvement of the cost benefit ratio of controls.
5.
If, during implementation, the level of error is persistently high, the
Commission shall identify the weaknesses in the control systems, analyse the costs
and benefits of possible corrective measures and take or propose appropriate
action, such as simplification of the applicable provisions, improvement of the
control systems and redesign of the programme or delivery systems.
6.
For the purposes of point (d) of paragraph 2, the following data shall be
recorded and stored electronically in an open, interoperable and machine-readable
6
Recital/Article
Proposed modifications
format and regularly made available in the single integrated IT system for data-
mining and risk-scoring provided by the Commission:
(a) the recipient’s full legal name in the case of legal persons, the first
and last name in the case of natural persons, their VAT
identification number or tax identification number where available
or another unique identifier at country level and the amount of
funding. If a natural person, also the date of birth;
(b) the first name(s), last name(s), date of birth, and VAT identification
number(s) or tax identification number(s) where available or
another unique identifier at country level of beneficial owner(s) of
the recipients, where the recipients are not natural persons.
7.
The single integrated IT system for data-mining and risk-scoring shall be
designed to facilitate risk assessment for the purposes of selection, award,
financial management, monitoring, investigation, control and audit and contribute
to effective prevention, detection, correction and follow-up of fraud, corruption,
conflicts of interest, double funding and other irregularities.
The use of and access to the data processed by the single integrated IT system for
data-mining and risk-scoring shall comply with applicable data protection rules
and shall be limited to the Commission or an executive agency as referred to in
Article 69, the Member States implementing the budget pursuant to Article 62(1),
first subparagraph, point (b), the Member States that receive and implement Union
funds pursuant to budget implementation under Article 62(1), first subparagraph,
point (a), the persons or entities implementing the budget pursuant to Article
62(1), first subparagraph, point (c), OLAF, the Court of Auditors, EPPO and other
Union investigative and control bodies, within the exercise of their respective
competences.
The Commission shall be the controller within the meaning of Article 3(8) of
Regulation (EU) 2018/1725 and shall be responsible for the development,
management and supervision of the single integrated IT system for data-mining
and risk-scoring, for ensuring the security, integrity and confidentiality of data,
the authentication of the users and for protecting the IT system against
mismanagement and misuse.
8.
Member States that receive and implement Union funds, pursuant to
budget implementation under Article 62(1), first subparagraph, point (a), shall
apply paragraphs 1 to 7 of this Article.
9. For the purposes of the application of the requirements of paragraphs 2, 3 and
6 of this Article by Member States implementing the budget under Article 62(1),
first subparagraph, point (b), references to recipients shall be understood as
references to beneficiaries as defined in sector-specific rules.
10.
As part of its control strategy, the Commission shall, where appropriate,
design and perform controls and audits that use automated IT tools and emerging
technologies.
Specific
5.
Article 36(6), points (a) and (b), shall apply to persons or entities
provisions for
implementing Union funds pursuant to Article 62(1), first subparagraph, point (c)
indirect
with regard to their direct recipients and in respect of the beneficial owners of
management in these recipients to the extent that data on beneficial owners is collected in
Article 159(5)
accordance with their rules and procedures.
7
Recital/Article
Proposed modifications
Transitional
3.
Without prejudice to sector-specific rules and to a voluntary application,
provisions in
the obligations set out in Article 36, point (d) of paragraph 2, paragraphs 6, 7 and
Article 275(3)
8, concerning the electronic recording and storage of data on the recipients of
funds and their beneficial owners and the use of the single integrated IT system
for data-mining and risk-scoring shall apply only to programmes adopted under
and financed from the post-2027 multiannual financial framework.
8
Document Outline
