Office Européen de Lutte Anti-Fraude: FIDE Business Analysis

Office Européen de Lutte Anti-Fraude
AFIS/CIS Development and Maintenance

Framework Contract OLAF/02/C003
Specific Agreement 3
FIDE Business Analysis
Subject The Business Analysis of "Fichier d'Indentification des Dossier d' Enquête
Douanières (FIDE)
Version / Status 1.0.12 / Final

Release Date 12/04/2004
Filename AFISCIS-SA3-OD1-BA-v1012.doc
Document Reference AFISCIS-SA3-OD1-BA
Document Owner OLAF
REF: AFISCIS-SA3-OD1-BA
DOCUMENT HISTORY
Ver. Release Date Description Author (Function,
Party)
1.01 15/12/2003 Initial draft Trefois, Edwin
(Business Analyst,
Sword Technologies)
1.02 22/12/2003 Corrections and re-disposition of report Trefois, Edwin
(Business Analyst,
Sword Technologies)
1.03 15/01/2004 Complementary comments after Trefois, Edwin
meeting at OLAF on December 23rd , (Business Analyst,
2003 Sword Technologies)
1.04 20/01/2004 Re-structure and write-up of the BA Trefois, Edwin
report after OLAF meeting on January (Business Analyst,
16th, 2004 Sword Technologies)
1.05 23/01/2004 Add DFD (data flow diagram) BA Trefois, Edwin
analysis (Business Analyst,
Sword Technologies)
1.06 05/02/2004 Modifications of business rules and Trefois, Edwin
data definitions after DFD review (Business Analyst,
meeting of 29/01/2004 Sword Technologies)
1.07 20/02/2004 Modifications of BA report after review Trefois, Edwin
with Sword’s project mgr (Business Analyst,
Sword Technologies)
1.08 13/03/2004 Modifications of BA report after first Trefois, Edwin
OLAF review (Business Analyst,
Sword Technologies)
1.09 25/03/2004 Modifications of BA report after second Trefois, Edwin
OLAF review (Business Analyst,
Sword Technologies)
1.010 02/04/2004 Modifications of BA report after second Trefois, Edwin
OLAF review by Bertrand Bonnerue (Business Analyst,
Sword Technologies)
1.011 07/04/2004 Modifications of BA report after third Trefois, Edwin
OLAF review by Bertrand Bonnerue (Business Analyst,
Sword Technologies)
1.012 13/04/2004 Modifications of BA report after Thierry Guiot
internal review
(Technical Director,
SWORD Technologies)
AFISCIS-SA3-OD1-BA-v1012.doc Page 2 of 25 Version: 1.0.12 Final

CONTROL FOR MALICIOUS CODE
This document has been scanned for Malicious Code using Micro Trend Server Protect anti-
viral software.

TABLE OF CONTENTS
Document History ........................................................................................ 2

Control For Malicious Code ............................................................................. 3
Table of Contents ........................................................................................ 4
Reference Documents ................................................................................... 6
Applicable Documents................................................................................... 6
Definitions................................................................................................. 8
Abbreviations and Acronyms ........................................................................... 8
1 INTRODUCTION ..................................................................................... 9
1.1 STRUCTURE of the DOCUMENT ............................................................. 9
1.2 INTENDED AUDIENCE ......................................................................... 9
1.3 APPLIED METHODOLOGY .................................................................... 9
1.4 GENERAL REMARKS .......................................................................... 10
2 MANAGEMENT SUMMARY ......................................................................... 11
2.1 TYPOLOGY of EXISTING DATABASES USED by CUSTOMS. .............................. 11
2.2 CURRENT MS CUSTOMS CASE INVESTIGATION pROCEDURES .......................... 12
2.2.1 Case pre-investigation process...................................................... 12
2.2.2 Actual Case investigation process .................................................. 12
2.2.3 Case litigation process ............................................................... 12
2.3 Usage of FIDE as a central database in the case investigation procedure ......... 12
2.4 THE ADDED VALUE OF FIDE ................................................................ 13
3 LEGAL FRAMEWORK of an INVESTIGATION .................................................... 15
4 THE BUSINESS ANALYSIS .......................................................................... 16
4.1 INTRODUCTION .............................................................................. 16
4.2 THE CONTEXT ................................................................................ 17
4.2.1 THE ACTORS............................................................................ 17
4.2.1.1 Customs ‘internal’ Actors ......................................................... 17
4.2.1.2 Customs ‘external’ Actors ........................................................ 18
4.3 The main processes ......................................................................... 18
4.3.1 The MS investigation process ........................................................ 18
4.3.1.1 The recording of the Case ........................................................ 18
4.3.1.2 Assessment on the GO / NO GO.................................................. 19
4.3.1.3 The assignment of the investigation ............................................ 19

4.3.1.4 The Investigation ................................................................... 19

4.3.1.5 The Positive Closing ............................................................... 19
4.3.1.6 The Negative Closing .............................................................. 19
4.3.2 Maintenance of the FIDE database ................................................. 19
4.3.3 Workflow ............................................................................... 20
5 SECURITY AND INTEGRATION WITH LEGACY SYSTEMS ....................................... 21
6 TRAINING REQUIREMENTS ........................................................................ 23
7 ESTIMATED VOLUMES ............................................................................. 24
8 OPERATING PARAMETERS ........................................................................ 25

REFERENCE DOCUMENTS
Ref. Title Reference Version Date
RD1 Expression des besoins FIDE (Fr) OLAF/XXXX/03 1.0 10/09/03
RD2 Acte du Conseil (Fr) 2003/C 139/01 - 08/05/03
RD3 Acte du conseil du 26 juillet 95 95/C 316/02 - 26/07/95
établissant la convention sur
l’emploi de l’informatique dans le
domaine des douanes.
RD4 Exposé des motifs (Fr) OLAF - -
RD5 Règlement du Conseil (Fr), 515/97 Journal Officiel - 13/3/97
des C.E. Règlem. –
L82/1 22/03/97
RD5 Système d’information des douanes Conseil des l’UE - 13/1/2000
aux fins du 3ième Pillier
5260/00
RD6 Etablissant, sur base de l’article K.3 Acte du Conseil - 18/12/1997
du traité de l’UE, la convention 98/C 24/01
relative à l’assistance mutuelle et à
la coopération entre les
administrations douanières.
RD7 EC regulation concerning PE & Council N° - 25/05/1999
investigations conducted by OLAF 1073/1999
RD8 FIDE Business Analysis Annexes AFISCIS-SA3-OD1- 1.0.11 14/04/2004
BA-ANNEXES
RD9 FIDE Functional Specification AFISCIS-FS_FIDE 1.06 14/04/2004
Table 1: Reference Documents
APPLICABLE DOCUMENTS
Ref. Title Reference Version Date
AD1 Terms of Reference-Invitation to OLAF/2002/C.2-1 1.0-EN 20/03/02
Tender OLAF/2002/C.2-1-Provision
of IT Services for the European Anti-
Fraud Office (OLAF)
AD2 Answer of Cronos Technologies to OLAF – - -
the Invitation to Tender OLAF/2002/C.2-1–
OLAF/2002/C.2-1 AFIS/CIS
AD3 Framework Contract OLAF/02/C003 OLAF/02/C003 - 13/08/2002
AD4 Specific Agreement n° 3 to the - - 13/11/2003
Framework Contract OLAF/02/C003
AD5 Take-Over Plan AFISCIS-SA1-TO- 2.00 17/10/2002
TOPL

AD6 Project Quality Plan AFISCIS-SA1-TO- 1.40 07/04/2003

PQP1
Table 2: Applicable Documents

DEFINITIONS
Term Definition
CEN Customs Enforcement Network
CIS Customs Information System
FIDE Fichier d’Identification des Dossiers
d’Enquêtes Douanières
ICT Information and Communication Technology
Record Is the name used for a FIDE or a National
database record which contains information
of involved persons or companies (in pillar 1
and pillar 3 cases)
SID – CIS Système d’Information des Douanes;
Customs Information System
SIS (II) Schengen Information System II (2006/7)
Web-enabled Web-enabled applications are applications
that are based on the internet technologies
Table 3: Definitions
ABBREVIATIONS AND ACRONYMS
Abbreviation/Acronym Definition
BA Business Analysis
B.R. Business Rule
DFD Data Flow Diagram
EC European Commission
EP European Parliament
EU European Union
OMD Organisation Mondiale des Douanes
MS Member States of the European Union
UC Use Case: detailed description of the
various steps needed to executed a given
task
Table 4: Abbreviations and Acronyms

1 INTRODUCTION
1.1 STRUCTURE OF THE DOCUMENT

This Business Analysis document serves as a basis for further Functional Analysis and
Prototyping tasks, it has been structured as follows:
• Chapter 1 is the introduction of the FIDE and its Business Analysis report: structure
of the report, its intended audience, and the applied analysis methodology.
• Chapter 2 contains a Management Summary explaining the objectives and role of
the FIDE application,
• Chapter 3 is a brief description of the legal framework of a Customs investigation.
• Chapter 4 contains the Business Analysis itself: the generalized processes of the
current and future MS investigation procedures.
• Chapter 5 contains a summary of suggested Security rules, as well as a brief
overview concerning data migration considerations.
• Chapter 6 contains the Training requirements and a suggested solution.
• Chapter 7 contains an initial attempt to estimate the number of Users and the
number of FIDE database records: estimated volumes.
• Chapter 8 is an approach concerning the expected performance of the FIDE
application.
1.2 INTENDED AUDIENCE

The following is a list of parties that have an interest in the content of this document:
• OLAF;
• The MS Customs Authorities;
• The competent MS Authorities involved in Customs investigations in the fields
covered by FIDE 1st and 3rd pillars.
1.3 APPLIED METHODOLOGY

Business Analysis always starts with the study of current manual and automated systems as
well as procedures in use to accomplish all the tasks of public and private organisations.
The business analysis actually started by analysing the various documents received from
OLAF. These documents are listed under Table 1 ‘Reference Documents’. After this short
period of introduction of the Customs business context, as well as with the applied
Customs EU regulations, a series of meetings with OLAF representatives were organised.
The objective of these meetings was to clarify some specific Customs expressions and
procedures, to discuss and agree on the structure of the BA document, to organise the MS

visits, and to identify the various current Customs investigation data flows needed as a
basis for further BA study.
In order to perform this study, a questionnaire was prepared (see chapter 7 of the Annexes
to this document [RD8]) and discussed with Customs representatives in France, Germany,
The Netherlands and the Czech Republic. The questionnaires have been reviewed and
completed by Customs representatives present during the visits.
The Questionnaire was also mailed to the Customs Head Quarter of all the other European
Union Member States. Answers from these MS provide a more complete picture of the Anti-
Fraud organisation and the national systems/procedures in use (if any) in the MS. At the
time of publishing this report, answers from over 50% of the MS involved were available.
They are included in the annexes of this Business Analysis [RD8].
1.4 GENERAL REMARKS

Please note that throughout this document OLAF is considered as a Member State (MS) in
its own right, with the exception that OLAF cannot operate on the 3rd pillar cases.
Please also note that throughout this document the term “fraud” is defined as “an action
in breach with the national & European customs legislations”.

2 MANAGEMENT SUMMARY
FIDE - abbreviation of “Fichier d’Identification des Dossiers d’Enquête Douanière”
(Customs Investigation Files Identification database) – is a central European database
containing identification data of persons and companies condemned or suspected of having
infringed Customs laws.
The main objectives of this document is to provide Customs and OLAF management with a
complete overview of the business flows and tasks being accomplished in the scope of
fraud investigations.
The Business Analysis report has to address four fundamental ‘business’ questions:
1. What is the typology of the existing databases used by the Customs?
2. What are the current MS Customs Case Investigation procedures?
3. When could FIDE be used in a Case Investigation procedure?
4. What is the added value of FIDE for the MS Customs?
2.1 TYPOLOGY OF EXISTING DATABASES USED BY CUSTOMS.

With the years, the various MS have concluded that combating national & trans-border
criminality and fraud can only be efficiently accomplished if the Customs Authorities are
rapidly informed of all on-going and past case investigations realised in their own or other
MS.
In addition to their national Customs, anti-fraud, case investigation, … applications and
related databases, the various MS are using – or are invited to use – several EU-wide
systems and their databases to improve their co-operation; these systems are grouped into
three main categories:
• ‘Alert based systems’: this concerns systems used on an operational basis. They
provide information to help the decision for actions on the field. Examples of such
systems are CIS (Customs Information System) or SIS (Schengen Information
System) used by the police. Some Member states have also their own national
system.
• ‘Case based systems’: this concerns databases containing references to cases
under investigation. They do not contain actual information but contact points
where information can be requested. FIDE belongs to this category of systems.
• ‘Analysis based systems’: this concerns databases used for ‘surveillance’ or ‘risk
analysis’. These tools help the investigators to establish parallelism between fraud
cases, to evaluate trends and to start observations. An example of analysis system
is the CEN (Customs Enforcement Network). In fact, all (criminal) investigation
databases are part of this category of systems.

2.2 CURRENT MS CUSTOMS CASE INVESTIGATION

PROCEDURES
A Customs case investigation is usually performed through three main processes:
• The case pre-investigation process;
• The actual case investigation process;
• The case litigation process.
2.2.1 CASE PRE-INVESTIGATION PROCESS

In this early phase of investigation, information is gathered in several ways by Customs
authorities (often assisted by Officers from their national Intelligence Services), these are
as follows:
• Suspicion of a Customs Officer;
• Risk analysis regularly performed by Customs Authorities;
• Concluded fraud/irregularity;
• Denunciation by a Customs informer;
• Customs internal spontaneous information.
2.2.2 ACTUAL CASE INVESTIGATION PROCESS

If the suspicion, conclusion or denunciations are founded, a Customs administrative
decision is taken to start an actual investigation on the fraud.
Several recurring investigation tasks are performed during this phase, leading to the final
conclusion whether the case has to be ‘negatively’ closed – (i.e. there are no further
investigation actions foreseen) -, or whether the case has to be closed ‘positively’ – (i.e.
an infringement has been established and further actions are needed).
2.2.3 CASE LITIGATION PROCESS

When the case has been positively closed and depending on the gravity of the litigation,
the person(s) or company implicated will either pay an administrative fine or will face
judicial sanctions.
2.3 USAGE OF FIDE AS A CENTRAL DATABASE IN THE CASE

INVESTIGATION PROCEDURE
Although different Customs legislations, rules and systems are in use in the various MS, it
appears that the Customs Authorities currently collaborate quite well.
There is however a real need, to improve MS mutual assistance and to further improve the
co-ordination missions and transmission/sharing of information. A central database for
Customs cases registration would therefore meet these goals. This is the purpose of FIDE.
It is proposed to build a centralised web-enabled database system, designed in view to be
integrated with the current and future MS custom investigation processes. FIDE will provide

a single integrated view to the MS users of the 1st & 3rd pillar databases (Note: OLAF will
have only access to the 1st pillar data).
Considering the investigation data flow explained in the previous paragraphs, the roles of
FIDE are:
• At the level of the pre-investigation phase, FIDE’s search procedures will ‘alert’
Customs Authorities on the fact that a person – or a company – is already identified
and involved in national and/or other MS cases.
• At the level of the investigation phase, Customs Users will access FIDE to record
new cases, and to maintain them during their entire life cycle.
• At the level of the litigation phase, FIDE will be updated according to the result of
the investigations: the customs case information stored in FIDE will be positively or
negatively closed.
2.4 THE ADDED VALUE OF FIDE

The deployment of FIDE will have a very positive impact on the current Customs case
investigation procedures in the MS because:
• FIDE will centralize and “concentrate” the national expertise of the different MS in
terms of customs investigation knowledge, thereby allowing other MS to benefit
from past and present experience.
• FIDE will provide search and query functions to the Customs Authorities to check if
a person or company is suspected or involved in irregular Customs activities in
another MS. If yes, FIDE will provide with all necessary information to contact the
MS Customs department(s) dealing with the investigations.
• FIDE will significantly decrease the time-consuming communications between MS
Customs Officers who verify the possible implication of a person or a company in a
Customs investigation in another MS. Instead of several communications (phone
calls, faxes or e-mails) to the other MS Customs, FIDE will reduce this procedure to
a search in the database followed by a communication to the MS Customs for which
a case exists in FIDE.
• FIDE will be a common central database into which Customs Users will introduce
their Customs case investigation data in a standard way. This information will
immediately be accessible at any time by all authorised persons. The advantages of
this approach are:
• Standardising the recording process of the Customs Case will reduce the risk
of possible errors.
• The quality of the information will be higher and more complete because
FIDE will aggregate the information provided by the various MS.
• Because FIDE is a centralised web-enabled database system, it is potentially
accessible everywhere by every authorised person. The web approach will also
suppress the cumbersome deployment of software on local workstations.
• FIDE will provide a single integrated view of the 1st & 3rd pillar databases (Note:
OLAF will only have access to 1st pillar data).
In conclusion the added value of FIDE can be summarised as follows:

• Reduction of the complexity of the investigation process for Customs fraud cases.
• Reduction of the time spent investigating Customs fraud cases (less time will be
spent searching and collating the relevant information).
• Increase of the knowledge base of Custom Investigation data (Custom Authorities
will have access to larger volumes of relevant data).
• The Web-enabled tool will allow the potential use of the system everywhere. No
deployment of software on local workstations will be required.
• Centralisation of custom data.
• Integration into current and future MS Custom Investigation processes.
• Increase of the number of Custom Investigations with larger quantities of better
quality of data acquired in less time.

3 LEGAL FRAMEWORK of an INVESTIGATION
Several official EP and EU Council documents have been issued to define the scope and the
legal framework of Customs Investigation processes. The descriptions of the framework
contain on one hand the rights of the OLAF and the rights of Customs Authorities in the MS
(rights to set up the FIDE database, to start an administrative investigation, …), and on the
other hand the limits of these rights (conservation time of records in FIDE and in National
files, limited number of personal data, pillars 1 and 3 cases distinction, …).
The following is a brief overview of each of the documents which were used in the business
analysis tasks.
• Council EC Regulations 515/97 dated 13/03/1997: is the regulation for the set-up of
the CIS, and for specifying the procedures concerning Assistance on Demand,
Spontaneous Assistance, Relations with the EC, and Relations with third countries.
Thanks to this regulation, we can stipulate the exact definition of an administrative
investigation (page L 82/3): ‘… shall mean all inspections, checks and other
measures undertaken by employees of the Administrative (Customs) Authorities in
performance of their duties …, with a view to achieving the objectives set out in …
and to establishing, where necessary, the irregular nature of the activities under
investigation. These investigations should not affect the powers of the MS to bring
criminal proceedings.’ The same definition can be found in the EP and Council EC
Regulations concerning investigations conducted by the European Anti-Fraud Office
(OLAF) document, dated 25/05/1999 (page L 136/3).
• Council Act dated 18/12/1997: establishment of the convention concerning the
mutual assistance and the co-operation between Customs Administrations.
• EP and Council EC Regulations concerning investigations conducted by the European
Anti-Fraud Office (OLAF) dated 25/05/1999: specifications of external (in the MS
and third countries) and internal investigations, as well as procedures to open and
to conduct investigations.
• Council Act dated 08/05/2003 concerning the use of information technologies in the
Customs domain. This Council act specifies the rules concerning the creation of
FIDE, the functional and usage rules of FIDE, and the FIDE data conservation limits.
• Council Act 95/C 316/02 dated 26/07/1995, this council act establishes the
convention for the use of information technologies in the customs domain.

4 THE BUSINESS ANALYSIS
4.1 INTRODUCTION
If all MS had been visited, different Customs Anti-Fraud organisation models would
probably have been identified. However, in the scope of the business analysis, it was
impossible to take into account all the possible (sometimes minor) differences in
procedures, automated systems, databases, operations, national regulations, etc.
In addition, all the Customs investigation steps presented in section 2.2 – processes from
early Suspicion till possible final sanctions - are generally executed, in all the European
countries, in the same sequence.
Although OLAF has an additional objective that is the on demand co-ordination of MS
Customs investigation tasks, its own investigations are following the same process
sequences as those executed by the MS.
For these reasons, the analysis has been intentionally limited to the full specification of
only one generalised Customs investigation data flow. This concerns the current and future
contexts and includes the processes of the two organisational models described below.
The investigation processes in its future context will only differ from the current context
by introducing the use of the FIDE database.
The two organisational models identified during the MS visits are:
• The centralised model: in this model, the Case Officer does not have direct
access to the national database systems. They are maintained and queried by
a central group of specialised Competent Authorities. Any intervention made
by a case Officer has to be approved and confirmed by a ‘Privileged Officer’
who belongs to the same central service.
• The decentralised model: in this model, the Case Officer has a direct access to
the national database systems. They are maintained and queried by
decentralised (regional) groups of specialised Competent Authorities. Any
intervention made by a case Officer has to be approved and confirmed by a
‘Privileged Officer’ belonging to the same decentralised groups.
In both model, the privileged Officer is responsible for several users.
In addition to the generalised MS investigation processes, FIDE will provide three additional
technical processes:
• The Update of the FIDE database;
• The Deletions in the FIDE database;
• The Audit Trail of the FIDE database.
Note: the detailed business analysis is given in annex. It contains Data Flow Diagrams and
Business Rules.
A Business Rule consists of the description of the conditions and rules that manage
the business of an organisation. The set of all the business rules describes the
actual business activity.

4.2 THE CONTEXT
4.2.1 THE ACTORS

The actors involved in the investigation of fraud case are described hereafter. They are
involved in the MS investigation processes for both the current and future contexts. They
are involved in the technical processes as well.
They actors are grouped into ‘Customs internal Actors’ and ‘Customs external Actors’.
4.2.1.1 Customs ‘internal’ Actors

Person informing Customs Authorities (Source)
This source is a person – known or unknown by the Customs – who informs
national customs officers of possible customs irregularities at a given period
of time and location.
National Intelligence Services
This is a group of Customs Competent Authorities assisting the National
Customs Authorities during the first phases of the investigations, i.e. case
record activities and “go/no go” assessment and decision. The members of
this specific service have the required competence, means, information and
contacts needed to assist Customs Authorities.
National Customs Authority
This is the most frequent source of Customs investigation requests: the
Customs Officers (mobile or not), spread over the whole territory of each
MS. They are in charge of informing their hierarchy on possible customs
irregularities.
Investigators
The investigator is the persons responsible for starting and/or carrying out
investigations. She/he can perform the investigations alone or with other
actors. She/he is also referred to as Case Officer or ‘specialised’ Customer
Officer.
National Customs Police
Some MS Customs may have their own police organisation for Customs law
enforcement. Members of this Competent Authority assist – or replace
sometimes when needed - the National Customs Officer during investigation
activities. This organisation has the required competence, experience,
authority and means to help efficiently the National Litigation department
during Customs investigations.
National Litigation department
Some MS Customs may have their own Litigation department. This
Competent Authority has the responsibility to take over the files of the
Customs Officers once the decision has been taken to pursue a suspected
person or company for infraction to the Customs laws and regulations. The
members of this department will assist the National Magistrate when actual
infraction has been proven.

European Commission
Considered as sources, some of the European Commission Directorates and
EC Programs (for example FEOGA, known as agriculture financing and
subsidising program), transmit their requests for investigation to OLAF based
on irregularities on agricultural transactions financed by them.
Director OLAF
This is the person at OLAF who is heading the entire DG. He/she is
responsible for the final results of all OLAF investigation and co-operation
activities.
Data Protection Officer
The DPO of the European Commission is the only Competent Authority
allowed to view any FIDE record, deleted records included. In the context of
his function of Auditor, he receives all the reports (on demand, by exception
and statistics) issued from the Auditing of the FIDE database.
4.2.1.2 Customs ‘external’ Actors

National Police
All MS have a National Police organisation. Members of this law enforcement
Authority assist the National Customs Officer during investigation activities
in case where there is no National Customs Police unit. This organisation has
the required competence, experience, authority and means to help
efficiently the National Litigation department during Customs investigations.
National Magistrate
As a Competent Authority, the National Magistrate is allowed to pronounce
the condemnation of a person or company for infraction to the Customs laws
and regulations. He receives the necessary information (files) from either
the National Police/National Customs Police or from the National Litigation
department.
4.3 THE MAIN PROCESSES

This section gives an overview of the main processes that were analysed during the
business analysis. Please refer to the first paragraph of the annex to this Business Analysis
[RD8] for more details on the main processes and on the FIDE interaction with the
processes.
4.3.1 THE MS INVESTIGATION PROCESS

The following section summarises the most common processes appearing during an
investigation in the member states.
4.3.1.1 The recording of the Case

Information on Customs irregularities collected form various source is evaluated by
Customs Officers in order to fully document and describe the irregularities.
National Intelligence Services may also provide support by investigating if the persons or
companies are already involved in other cases in other MS. This process is currently not
supported by an IT system.

At this stage, depending on the internal Customs organisation, some MS may already
register the case in their Case Register database. However, in most of the Member Sates
the case is recoded only after the next processes described in section 4.3.1.2 or 4.3.1.3.
4.3.1.2 Assessment on the GO / NO GO

At this stage, the decision to start or not an investigation on the case is taken. On request
of a Custom officer, this “go/no go” assessment is done with the assistance from the
National Intelligence Service. Information collected during process 4.3.1.1 and information
from other Customs files may be used for the go/no go assessment. In some MS, all
available information on the case is registered in a Local Register.
If the decision is taken not to start an investigation, the sources of information are usually
notified of that decision.
At this point of the investigation process, depending on the internal Customs organisation,
some MS are storing the case information in their cases register database. However, most
of the MS do it only during process 4.3.1.3.
4.3.1.3 The assignment of the investigation

In this process the Customs Officer in charge of the assignments assigns an Investigator to
the case. The latter has the responsibility of carrying out the investigation. The assignment
is registered in a file. At this stage, all the MS register all the information available on the
case in a Local Register. In some Member States, this information is stored in a central
register as well.
4.3.1.4 The Investigation

At this stage, various investigation tasks are performed by the Investigator. He may co-
operate with Customs Officers of other MS if the involved persons or companies are also
involved in cases in other MS. When more than two MS are involved or when the
investigation has an extended international implication, the investigator may ask to OLAF
to co-ordinate the investigation.
4.3.1.5 The Positive Closing
If the Case Officer demonstrates that the irregularity is real and the suspicions are valid,
the investigation is closed “positively”.
Depending on the scope of the irregularity and on the MS regulations/Customs laws, it may
be decided to apply a fine or to prepare further actions to institute a legal proceeding.
Important remark
The Positive Closing ends the Investigation processes but not the entire Case cycle.
4.3.1.6 The Negative Closing
When the Case Officer cannot demonstrate that the irregularity is real and the suspicions
are valid, the investigation is closed “negatively”.
4.3.2 MAINTENANCE OF THE FIDE DATABASE

The maintenance of FIDE database will involve the following processes:
• Creation of FIDE record information.

• Modification of FIDE record information.

• Deletion of FIDE record information.
• Creation, Modification and Deletion of Audit trail record information.
These processes are further detailed in the annex of this Business Analysis [RD8].
4.3.3 WORKFLOW
During the Business Analysis we discovered that:
• The National Custom Authorities are organised in one or more groups of users;
• Each Service is responsible for Custom Cases (The Custom Cases processing is under the
responsibility of a Service and NOT of a single Case Officer);
• Each Service will have one or more Case Officers and optionally one Privileged Officer.
The role of the latter is to authorise Custom Case handling by the Case Officer(s) using
FIDE;
• Each Case Officer will process Custom Cases using FIDE.
We could not find a unique workflow organisation of those several actors in the several
Member States we visited. Therefore we decided to propose the implementation of a
‘common’ workflow in the Functional Specifications [RD9], that could be used by the
Member States. But, as such FIDE do not need this proposed workflow, and can be
integrated in an easy way within the MS current procedures & workflows.

5 SECURITY AND INTEGRATION WITH LEGACY SYSTEMS

Security aspects of a new system always have to be part of the general design and may not
be studied separately to avoid any risk of incompatibilities with the requirements.
Therefore the principles of total security must be taken into account as soon as possible in
the process of designing FIDE.
To meet the required level of security, a combination of appropriate manual procedures,
specific hardware and specific software components will have to be implemented.
Security topics to be addressed in a further stage of the FIDE project are suggested
hereafter:
• To guarantee the integrity of FIDE, all records (investigations) should be
based, as soon as possible, on official (national) authorised documents.
• Only the users from the same service and the same country are allowed to
modify and delete their own records.
• The minimum authentication mechanism for the users (persons) is the use of a
personal login and personal secret password. The users must be forced to
change periodically their password. Measures such as login disabling after 3
wrong log-in attempts should be considered. Additional authentication
mechanisms should be considered such as the use of smart card or
challenge/response mechanisms.
• Any access to FIDE by the users (National Users of OLAF users) or the system
must be logged into an audit database. The audit database should allow to
identify what information has been accessed by who and when. The retention
period of the audit records should be at least 6 months.
• The Auditing database must be regularly analysed by the DPO and/or by
Auditors to detect any abusive access to FIDE.
• Some fields (registered names, dates and status codes) cannot be modified
manually and are managed by the system only.
• All data elements must be checked against the rules of the data dictionary
(‘Data Definitions’ section of the Functional Analysis report) when there are
created and when they are modified.
• FIDE will not verify if information has been introduced more than once.
• In some aspects, because FIDE will be multi-lingual whenever possible, the
communication between users speaking different languages will be better. This
can be considered as a security element.
• Data exchange between the MS and FIDE should secure in such a way that
unauthorised person cannot read the information. This implies the encryption
of the data before transmission.
• FIDE is in line with the EU Data Classification Rules as it contains only EU
restricted information and the access to the data is restricted to officials only.
In addition, FIDE will not export data to other systems.

In terms of integration with legacy systems (current OLAF and National systems), the FIDE
legislation stipulates that the database will not be built using data of another system. The
advantage of this decision is that there is no migration process to be foreseen. In other
words, no ‘one shot’ loading program has to be developed at the various MS and at OLAF to
collect all current case records and to transform them into FIDE-compatible records.
The disadvantage of this decision is that it will take several years before the FIDE database
will reach in terms of volume its cruise level. This means that considering that a case is
kept in a national database during a period of 3 years (the retention period is between 0
and 6 years) FIDE will be at its cruise level only after 3 years.

6 TRAINING REQUIREMENTS
In this chapter a first estimate of the effort to train the various FIDE Users is provided.
Recommendations for the training methods are given at the end of the chapter.
Very often the training requirements for a new IT application are underestimated. This is
partially due to the fact the training take place at the end of the development process and
is used as a contingency on the financial resources. This may however have a damageable
consequence on the usage of the application. Indeed, if no appropriate training is provided
to the users, the application is not properly used or very partially used.
Currently, OLAF is using the “train the trainer” method avoiding to organise different
training sessions in its premises or in the Member States. This is also in line with the
subsidiary principle of the EU Treaty. However, this method does not guarantee permanent
training of the users.
In addition, with such training sessions have the following drawbacks:
• The actual learning is quite low;
• There is a risk that the focus is on the appropriate subjects for the end users;
• The organisations are often modified and the people replaced.
This results in a poor level of knowledge of the application. To circumvent this problem,
regular training sessions are organised but this leads to significant additional costs.
To avoid these problems, an alternate training method is proposed: the inter-active
multimedia (I-MM) courseware. It provides permanent and up-to-date training support at
a lower cost compared to usual training sessions. During the last decade, I-MM courseware
has proved to be the best training method and will most probably be generalised in the
future.
Compared to usual training sessions, the I-MM courseware has the following advantages:
• Permanently accessible by all the users according to their own schedule;
• If they are translated, they are in the end-user language;
• The courseware can be stored and made available on CD-Rom, DVD or on a
private central server (web-site);
• When the system is modified, the I-MM courseware can be modified and no
new training session must be organised;
• I-MM avoids the organisation of training sessions for new user.
• I-MM avoids travelling costs (‘out of pocket’ costs and time).
Considering the above advantages and the large number of users involved in 25 EU
countries, I-MM seems to be a solution that must be considered in the scope of FIDE.

7 ESTIMATED VOLUMES
Based on the figures provided in the answers to the Questionnaire (currently 11 on 25), the
estimated population of current potential users is around 35.000 to 40.000 for the EU. This
is the extrapolation of the average potential Users of 1.500 per MS.
However, in the near future (2006 – 2007), part of the MS will be subject to the review of
their external borders due to the introduction of SIS II. The number of potential users
could then be reduced to the half (15.000 to 20.000 users).
Potential users do not mean that all of them would have access to FIDE. It is indeed the
responsibility of each MS Customs Authorities to decide which users have access or not to
FIDE. Nevertheless, even if only one third of the potential Users – i.e. 5.000 – would have
access and work regularly with FIDE, this figure still represents a large number of persons
to be trained.
Another important figure is the expected number of FIDE records. This figure should not be
considered at the start-up of the system because the database will be empty but after 3
years of operation. Whilst it is impossible to provide reliable figures, the volume derived
from the answers on the questionnaire is 800 average new records on a yearly basis per
country. Considered that in 2007, the number of Member States will probably be 30, this
represent 70.000 records over a period of 3 years1.
Volume estimates derived for the current usage of CIS & the Mutual Assistance application
are probable more realistic. Assuming that the new MS states would have similar volumes2
the following extrapolations are done:
• There is around 3.000 users for the current 15 MS. Therefore for 25 MS with similar
average volumes would lead to (3000/15) X 25= 5000 users.
• Around 15 cases per year per user are created with 15 MS. Therefore for 25 MS, it is
expected to have 25 cases per year per user.
• Therefore in conclusion, the estimated average number of records is equal to 5000
users X 25 cases/year/user = 125.000 cases/year for the 25 MS. This represents
around 342 records/day.
1
3 years represents the average number of years a record will be kept in FIDE.
2
This is of course a projection since the member state do not have the same size or do not process
the same number of cases

8 OPERATING PARAMETERS
This chapter provides some considerations in terms of performance for FIDE.
To be successfully used, the response time of FIDE should as short as possible. This can
only be achieved by using the appropriate combination of hardware, network
communication means (often the most critical component), software (the application and
off-the-shelf software). The potential high volume of the data to be process is also to be
taken into consideration when choosing the above elements. Because the user population
and the usage of FIDE may evolve over time, scalable solution must be considered.
In the scope of FIDE, OLAF has the entire control concerning the hardware and software
choices. However, currently OLAF has no control for the communication network that is
provided by the EC.
Considering the FIDE investigation process and the estimated volumes, an average of 8
accesses (two searches, one record creation, and four record modifications) to FIDE will be
done by the MS per new case. On a yearly basis this represents 8 X 800 X 3O = +/- 200.000
MS accesses. Considering that a year has 260 working days and the accesses are spread
over 10 hours a day, about 75 MS accesses per hour could be expected (or 1.25 MS access a
minute). This requirement should be easily met.
The FIDE application will be available 24/24 hours 7/7 days. However, very few accesses
are expected between 22:00 and 06:00 and during the week-ends.
FIDE hardware and software maintenance activities will take place between 24:00 and
04:00 o’clock when needed, in order to minimise access disturbance.
FIDE will be Web based. This means that a Web browser has to be available for each MS
user. However, this constraint is largely compensated by the dramatic reduction of the
deployment and maintenance costs.

Office Européen de Lutte Anti-Fraude: FIDE Business Analysis

Uploaded by

Copyright:

Available Formats

Office Européen de Lutte Anti-Fraude: FIDE Business Analysis

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Office Européen de Lutte Anti-Fraude: FIDE Business Analysis

Uploaded by

Copyright:

Available Formats

Office Européen de Lutte Anti-Fraude

AFIS/CIS Development and Maintenance

FIDE Business Analysis

Version / Status 1.0.12 / Final

AFISCIS-SA3-OD1-BA-v1012.doc Page 2 of 25 Version: 1.0.12 Final

CONTROL FOR MALICIOUS CODE

AFISCIS-SA3-OD1-BA-v1012.doc Page 3 of 25 Version: 1.0.12 Final

Document History ........................................................................................ 2

AFISCIS-SA3-OD1-BA-v1012.doc Page 4 of 25 Version: 1.0.12 Final

4.3.1.4 The Investigation ................................................................... 19

AFISCIS-SA3-OD1-BA-v1012.doc Page 5 of 25 Version: 1.0.12 Final

AFISCIS-SA3-OD1-BA-v1012.doc Page 6 of 25 Version: 1.0.12 Final

AD6 Project Quality Plan AFISCIS-SA1-TO- 1.40 07/04/2003

AFISCIS-SA3-OD1-BA-v1012.doc Page 7 of 25 Version: 1.0.12 Final

ABBREVIATIONS AND ACRONYMS

AFISCIS-SA3-OD1-BA-v1012.doc Page 8 of 25 Version: 1.0.12 Final

1.1 STRUCTURE OF THE DOCUMENT

1.2 INTENDED AUDIENCE

1.3 APPLIED METHODOLOGY

AFISCIS-SA3-OD1-BA-v1012.doc Page 9 of 25 Version: 1.0.12 Final

1.4 GENERAL REMARKS

AFISCIS-SA3-OD1-BA-v1012.doc Page 10 of 25 Version: 1.0.12 Final

2.1 TYPOLOGY OF EXISTING DATABASES USED BY CUSTOMS.

AFISCIS-SA3-OD1-BA-v1012.doc Page 11 of 25 Version: 1.0.12 Final

2.2 CURRENT MS CUSTOMS CASE INVESTIGATION

2.2.1 CASE PRE-INVESTIGATION PROCESS

2.2.2 ACTUAL CASE INVESTIGATION PROCESS

2.2.3 CASE LITIGATION PROCESS

2.3 USAGE OF FIDE AS A CENTRAL DATABASE IN THE CASE

AFISCIS-SA3-OD1-BA-v1012.doc Page 12 of 25 Version: 1.0.12 Final

2.4 THE ADDED VALUE OF FIDE

AFISCIS-SA3-OD1-BA-v1012.doc Page 13 of 25 Version: 1.0.12 Final

AFISCIS-SA3-OD1-BA-v1012.doc Page 14 of 25 Version: 1.0.12 Final

3 LEGAL FRAMEWORK of an INVESTIGATION

AFISCIS-SA3-OD1-BA-v1012.doc Page 15 of 25 Version: 1.0.12 Final

4 THE BUSINESS ANALYSIS

AFISCIS-SA3-OD1-BA-v1012.doc Page 16 of 25 Version: 1.0.12 Final

4.2 THE CONTEXT

4.2.1 THE ACTORS

4.2.1.1 Customs ‘internal’ Actors

AFISCIS-SA3-OD1-BA-v1012.doc Page 17 of 25 Version: 1.0.12 Final

4.2.1.2 Customs ‘external’ Actors

4.3 THE MAIN PROCESSES

4.3.1 THE MS INVESTIGATION PROCESS

4.3.1.1 The recording of the Case

AFISCIS-SA3-OD1-BA-v1012.doc Page 18 of 25 Version: 1.0.12 Final

4.3.1.2 Assessment on the GO / NO GO

4.3.1.3 The assignment of the investigation

4.3.1.4 The Investigation

4.3.1.5 The Positive Closing

4.3.1.6 The Negative Closing

4.3.2 MAINTENANCE OF THE FIDE DATABASE

AFISCIS-SA3-OD1-BA-v1012.doc Page 19 of 25 Version: 1.0.12 Final

• Modification of FIDE record information.

AFISCIS-SA3-OD1-BA-v1012.doc Page 20 of 25 Version: 1.0.12 Final

5 SECURITY AND INTEGRATION WITH LEGACY SYSTEMS

AFISCIS-SA3-OD1-BA-v1012.doc Page 21 of 25 Version: 1.0.12 Final

AFISCIS-SA3-OD1-BA-v1012.doc Page 22 of 25 Version: 1.0.12 Final

AFISCIS-SA3-OD1-BA-v1012.doc Page 23 of 25 Version: 1.0.12 Final