FIDE Business Analysis

Office Européen de Lutte Anti-Fraude

AFIS/CIS Development and Maintenance Framework Contract OLAF/02/C003

Specific Agreement 3

FIDE Business Analysis

Subject The Business Analysis of "Fichier d'Indentification des Dossier d' Enquête Douanières (FIDE)

Version / Status 1.0.12 / Final

Release Date 12/04/2004

Filename AFISCIS-SA3-OD1-BA-v1012.doc

Document Reference AFISCIS-SA3-OD1-BA

Document Owner OLAF

AFIS/CIS Development and Maintenance FIDE Business Analysis REF: AFISCIS-SA3-OD1-BA

AFISCIS-SA3-OD1-BA-v1012.doc of 25 Version: 1.0.12 Final

DOCUMENT HISTORY

Ver. Release Date Description Author (Function, Party)

1.01 15/12/2003 Initial draft Trefois, Edwin (Business Analyst, Sword Technologies)

1.02 22/12/2003 Corrections and re-disposition of report Trefois, Edwin (Business Analyst, Sword Technologies)

1.03 15/01/2004 Complementary comments after meeting at OLAF on December 23rd , 2003

Trefois, Edwin (Business Analyst, Sword Technologies)

1.04 20/01/2004 Re-structure and write-up of the BA report after OLAF meeting on January 16th, 2004


1.05 23/01/2004 Add DFD (data flow diagram) BA analysis


1.06 05/02/2004 Modifications of business rules and data definitions after DFD review meeting of 29/01/2004


1.07 20/02/2004 Modifications of BA report after review with Sword’s project mgr


1.08 13/03/2004 Modifications of BA report after first OLAF review


1.09 25/03/2004 Modifications of BA report after second OLAF review


1.010 02/04/2004 Modifications of BA report after second OLAF review by Bertrand Bonnerue


1.011 07/04/2004 Modifications of BA report after third OLAF review by Bertrand Bonnerue


1.012 13/04/2004 Modifications of BA report after internal review

Thierry Guiot

(Technical Director, SWORD Technologies)



CONTROL FOR MALICIOUS CODE

This document has been scanned for Malicious Code using Micro Trend Server Protect anti-viral software.



TABLE OF CONTENTS

Document History ........................................................................................ 2 Control For Malicious Code ............................................................................. 3 Table of Contents ........................................................................................ 4 Reference Documents ................................................................................... 6 Applicable Documents................................................................................... 6 Definitions................................................................................................. 8 Abbreviations and Acronyms ........................................................................... 8 1 INTRODUCTION ..................................................................................... 9

1.1 STRUCTURE of the DOCUMENT ............................................................. 9 1.2 INTENDED AUDIENCE......................................................................... 9 1.3 APPLIED METHODOLOGY .................................................................... 9 1.4 GENERAL REMARKS .......................................................................... 10

2 MANAGEMENT SUMMARY ......................................................................... 11 2.1 TYPOLOGY of EXISTING DATABASES USED by CUSTOMS. .............................. 11 2.2 CURRENT MS CUSTOMS CASE INVESTIGATION pROCEDURES .......................... 12

2.2.1 Case pre-investigation process...................................................... 12 2.2.2 Actual Case investigation process .................................................. 12 2.2.3 Case litigation process ............................................................... 12

2.3 Usage of FIDE as a central database in the case investigation procedure ......... 12 2.4 THE ADDED VALUE OF FIDE ................................................................ 13

3 LEGAL FRAMEWORK of an INVESTIGATION .................................................... 15 4 THE BUSINESS ANALYSIS .......................................................................... 16

4.1 INTRODUCTION .............................................................................. 16 4.2 THE CONTEXT................................................................................ 17

4.2.1 THE ACTORS............................................................................ 17 4.2.1.1 Customs ‘internal’ Actors......................................................... 17 4.2.1.2 Customs ‘external’ Actors ........................................................ 18

4.3 The main processes ......................................................................... 18 4.3.1 The MS investigation process........................................................ 18

4.3.1.1 The recording of the Case ........................................................ 18 4.3.1.2 Assessment on the GO / NO GO.................................................. 19 4.3.1.3 The assignment of the investigation ............................................ 19



4.3.1.4 The Investigation ................................................................... 19 4.3.1.5 The Positive Closing ............................................................... 19 4.3.1.6 The Negative Closing .............................................................. 19

4.3.2 Maintenance of the FIDE database ................................................. 19 4.3.3 Workflow ............................................................................... 20

5 SECURITY AND INTEGRATION WITH LEGACY SYSTEMS ....................................... 21 6 TRAINING REQUIREMENTS........................................................................ 23 7 ESTIMATED VOLUMES ............................................................................. 24 8 OPERATING PARAMETERS ........................................................................ 25



REFERENCE DOCUMENTS

Ref. Title Reference Version Date

RD1 Expression des besoins FIDE (Fr) OLAF/XXXX/03 1.0 10/09/03

RD2 Acte du Conseil (Fr) 2003/C 139/01 - 08/05/03

RD3 Acte du conseil du 26 juillet 95 établissant la convention sur l’emploi de l’informatique dans le domaine des douanes.

95/C 316/02 - 26/07/95

RD4 Exposé des motifs (Fr) OLAF - -

RD5 Règlement du Conseil (Fr), 515/97 Journal Officiel des C.E. Règlem. – L82/1 22/03/97

- 13/3/97

RD5 Système d’information des douanes aux fins du 3ième Pillier

Conseil des l’UE

5260/00

- 13/1/2000

RD6 Etablissant, sur base de l’article K.3 du traité de l’UE, la convention relative à l’assistance mutuelle et à la coopération entre les administrations douanières.

Acte du Conseil 98/C 24/01

- 18/12/1997

RD7 EC regulation concerning investigations conducted by OLAF

PE & Council N° 1073/1999

- 25/05/1999

RD8 FIDE Business Analysis Annexes AFISCIS-SA3-OD1-BA-ANNEXES

1.0.11 14/04/2004

RD9 FIDE Functional Specification AFISCIS-FS_FIDE 1.06 14/04/2004

Table 1: Reference Documents

APPLICABLE DOCUMENTS

Ref. Title Reference Version Date

AD1 Terms of Reference-Invitation to Tender OLAF/2002/C.2-1-Provision of IT Services for the European Anti-Fraud Office (OLAF)

OLAF/2002/C.2-1 1.0-EN 20/03/02

AD2 Answer of Cronos Technologies to the Invitation to Tender OLAF/2002/C.2-1

OLAF – OLAF/2002/C.2-1– AFIS/CIS

- -

AD3 Framework Contract OLAF/02/C003 OLAF/02/C003 - 13/08/2002

AD4 Specific Agreement n° 3 to the Framework Contract OLAF/02/C003

- - 13/11/2003

AD5 Take-Over Plan AFISCIS-SA1-TO-TOPL

2.00 17/10/2002



AD6 Project Quality Plan AFISCIS-SA1-TO-PQP1

1.40 07/04/2003

Table 2: Applicable Documents



DEFINITIONS

Term Definition

CEN Customs Enforcement Network

CIS Customs Information System

FIDE Fichier d’Identification des Dossiers d’Enquêtes Douanières

ICT Information and Communication Technology

Record Is the name used for a FIDE or a National database record which contains information of involved persons or companies (in pillar 1 and pillar 3 cases)

SID – CIS Système d’Information des Douanes; Customs Information System

SIS (II) Schengen Information System II (2006/7)

Web-enabled Web-enabled applications are applications that are based on the internet technologies

Table 3: Definitions

ABBREVIATIONS AND ACRONYMS

Abbreviation/Acronym Definition

BA Business Analysis

B.R. Business Rule

DFD Data Flow Diagram

EC European Commission

EP European Parliament

EU European Union

OMD Organisation Mondiale des Douanes

MS Member States of the European Union

UC Use Case: detailed description of the various steps needed to executed a given task

Table 4: Abbreviations and Acronyms



1 INTRODUCTION

1.1 STRUCTURE OF THE DOCUMENT

This Business Analysis document serves as a basis for further Functional Analysis and Prototyping tasks, it has been structured as follows:

• Chapter 1 is the introduction of the FIDE and its Business Analysis report: structure of the report, its intended audience, and the applied analysis methodology.

• Chapter 2 contains a Management Summary explaining the objectives and role of the FIDE application,

• Chapter 3 is a brief description of the legal framework of a Customs investigation.

• Chapter 4 contains the Business Analysis itself: the generalized processes of the current and future MS investigation procedures.

• Chapter 5 contains a summary of suggested Security rules, as well as a brief overview concerning data migration considerations.

• Chapter 6 contains the Training requirements and a suggested solution.

• Chapter 7 contains an initial attempt to estimate the number of Users and the number of FIDE database records: estimated volumes.

• Chapter 8 is an approach concerning the expected performance of the FIDE application.

1.2 INTENDED AUDIENCE

The following is a list of parties that have an interest in the content of this document:

• OLAF;

• The MS Customs Authorities;

• The competent MS Authorities involved in Customs investigations in the fields covered by FIDE 1st and 3rd pillars.

1.3 APPLIED METHODOLOGY

Business Analysis always starts with the study of current manual and automated systems as well as procedures in use to accomplish all the tasks of public and private organisations.

The business analysis actually started by analysing the various documents received from OLAF. These documents are listed under Table 1 ‘Reference Documents’. After this short period of introduction of the Customs business context, as well as with the applied Customs EU regulations, a series of meetings with OLAF representatives were organised. The objective of these meetings was to clarify some specific Customs expressions and procedures, to discuss and agree on the structure of the BA document, to organise the MS



visits, and to identify the various current Customs investigation data flows needed as a basis for further BA study.

In order to perform this study, a questionnaire was prepared (see chapter 7 of the Annexes to this document [RD8]) and discussed with Customs representatives in France, Germany, The Netherlands and the Czech Republic. The questionnaires have been reviewed and completed by Customs representatives present during the visits.

The Questionnaire was also mailed to the Customs Head Quarter of all the other European Union Member States. Answers from these MS provide a more complete picture of the Anti-Fraud organisation and the national systems/procedures in use (if any) in the MS. At the time of publishing this report, answers from over 50% of the MS involved were available. They are included in the annexes of this Business Analysis [RD8].

1.4 GENERAL REMARKS

Please note that throughout this document OLAF is considered as a Member State (MS) in its own right, with the exception that OLAF cannot operate on the 3rd pillar cases.

Please also note that throughout this document the term “fraud” is defined as “an action in breach with the national & European customs legislations”.



2 MANAGEMENT SUMMARY FIDE - abbreviation of “Fichier d’Identification des Dossiers d’Enquête Douanière” (Customs Investigation Files Identification database) – is a central European database containing identification data of persons and companies condemned or suspected of having infringed Customs laws.

The main objectives of this document is to provide Customs and OLAF management with a complete overview of the business flows and tasks being accomplished in the scope of fraud investigations.

The Business Analysis report has to address four fundamental ‘business’ questions:

1. What is the typology of the existing databases used by the Customs?

2. What are the current MS Customs Case Investigation procedures?

3. When could FIDE be used in a Case Investigation procedure?

4. What is the added value of FIDE for the MS Customs?

2.1 TYPOLOGY OF EXISTING DATABASES USED BY CUSTOMS.

With the years, the various MS have concluded that combating national & trans-border criminality and fraud can only be efficiently accomplished if the Customs Authorities are rapidly informed of all on-going and past case investigations realised in their own or other MS.

In addition to their national Customs, anti-fraud, case investigation, … applications and related databases, the various MS are using – or are invited to use – several EU-wide systems and their databases to improve their co-operation; these systems are grouped into three main categories:

• ‘Alert based systems’: this concerns systems used on an operational basis. They provide information to help the decision for actions on the field. Examples of such systems are CIS (Customs Information System) or SIS (Schengen Information System) used by the police. Some Member states have also their own national system.

• ‘Case based systems’: this concerns databases containing references to cases under investigation. They do not contain actual information but contact points where information can be requested. FIDE belongs to this category of systems.

• ‘Analysis based systems’: this concerns databases used for ‘surveillance’ or ‘risk analysis’. These tools help the investigators to establish parallelism between fraud cases, to evaluate trends and to start observations. An example of analysis system is the CEN (Customs Enforcement Network). In fact, all (criminal) investigation databases are part of this category of systems.



2.2 CURRENT MS CUSTOMS CASE INVESTIGATION PROCEDURES

A Customs case investigation is usually performed through three main processes:

• The case pre-investigation process;

• The actual case investigation process;

• The case litigation process.

2.2.1 CASE PRE-INVESTIGATION PROCESS In this early phase of investigation, information is gathered in several ways by Customs authorities (often assisted by Officers from their national Intelligence Services), these are as follows:

• Suspicion of a Customs Officer;

• Risk analysis regularly performed by Customs Authorities;

• Concluded fraud/irregularity;

• Denunciation by a Customs informer;

• Customs internal spontaneous information.

2.2.2 ACTUAL CASE INVESTIGATION PROCESS If the suspicion, conclusion or denunciations are founded, a Customs administrative decision is taken to start an actual investigation on the fraud.

Several recurring investigation tasks are performed during this phase, leading to the final conclusion whether the case has to be ‘negatively’ closed – (i.e. there are no further investigation actions foreseen) -, or whether the case has to be closed ‘positively’ – (i.e. an infringement has been established and further actions are needed).

2.2.3 CASE LITIGATION PROCESS When the case has been positively closed and depending on the gravity of the litigation, the person(s) or company implicated will either pay an administrative fine or will face judicial sanctions.

2.3 USAGE OF FIDE AS A CENTRAL DATABASE IN THE CASE INVESTIGATION PROCEDURE

Although different Customs legislations, rules and systems are in use in the various MS, it appears that the Customs Authorities currently collaborate quite well.

There is however a real need, to improve MS mutual assistance and to further improve the co-ordination missions and transmission/sharing of information. A central database for Customs cases registration would therefore meet these goals. This is the purpose of FIDE.

It is proposed to build a centralised web-enabled database system, designed in view to be integrated with the current and future MS custom investigation processes. FIDE will provide



a single integrated view to the MS users of the 1st & 3rd pillar databases (Note: OLAF will have only access to the 1st pillar data).

Considering the investigation data flow explained in the previous paragraphs, the roles of FIDE are:

• At the level of the pre-investigation phase, FIDE’s search procedures will ‘alert’ Customs Authorities on the fact that a person – or a company – is already identified and involved in national and/or other MS cases.

• At the level of the investigation phase, Customs Users will access FIDE to record new cases, and to maintain them during their entire life cycle.

• At the level of the litigation phase, FIDE will be updated according to the result of the investigations: the customs case information stored in FIDE will be positively or negatively closed.

2.4 THE ADDED VALUE OF FIDE

The deployment of FIDE will have a very positive impact on the current Customs case investigation procedures in the MS because:

• FIDE will centralize and “concentrate” the national expertise of the different MS in terms of customs investigation knowledge, thereby allowing other MS to benefit from past and present experience.

• FIDE will provide search and query functions to the Customs Authorities to check if a person or company is suspected or involved in irregular Customs activities in another MS. If yes, FIDE will provide with all necessary information to contact the MS Customs department(s) dealing with the investigations.

• FIDE will significantly decrease the time-consuming communications between MS Customs Officers who verify the possible implication of a person or a company in a Customs investigation in another MS. Instead of several communications (phone calls, faxes or e-mails) to the other MS Customs, FIDE will reduce this procedure to a search in the database followed by a communication to the MS Customs for which a case exists in FIDE.

• FIDE will be a common central database into which Customs Users will introduce their Customs case investigation data in a standard way. This information will immediately be accessible at any time by all authorised persons. The advantages of this approach are:

• Standardising the recording process of the Customs Case will reduce the risk of possible errors.

• The quality of the information will be higher and more complete because FIDE will aggregate the information provided by the various MS.

• Because FIDE is a centralised web-enabled database system, it is potentially accessible everywhere by every authorised person. The web approach will also suppress the cumbersome deployment of software on local workstations.

• FIDE will provide a single integrated view of the 1st & 3rd pillar databases (Note: OLAF will only have access to 1st pillar data).

In conclusion the added value of FIDE can be summarised as follows:



• Reduction of the complexity of the investigation process for Customs fraud cases.

• Reduction of the time spent investigating Customs fraud cases (less time will be spent searching and collating the relevant information).

• Increase of the knowledge base of Custom Investigation data (Custom Authorities will have access to larger volumes of relevant data).

• The Web-enabled tool will allow the potential use of the system everywhere. No deployment of software on local workstations will be required.

• Centralisation of custom data.

• Integration into current and future MS Custom Investigation processes.

• Increase of the number of Custom Investigations with larger quantities of better quality of data acquired in less time.



3 LEGAL FRAMEWORK of an INVESTIGATION

Several official EP and EU Council documents have been issued to define the scope and the legal framework of Customs Investigation processes. The descriptions of the framework contain on one hand the rights of the OLAF and the rights of Customs Authorities in the MS (rights to set up the FIDE database, to start an administrative investigation, …), and on the other hand the limits of these rights (conservation time of records in FIDE and in National files, limited number of personal data, pillars 1 and 3 cases distinction, …).

The following is a brief overview of each of the documents which were used in the business analysis tasks.

• Council EC Regulations 515/97 dated 13/03/1997: is the regulation for the set-up of the CIS, and for specifying the procedures concerning Assistance on Demand, Spontaneous Assistance, Relations with the EC, and Relations with third countries. Thanks to this regulation, we can stipulate the exact definition of an administrative investigation (page L 82/3): ‘… shall mean all inspections, checks and other measures undertaken by employees of the Administrative (Customs) Authorities in performance of their duties …, with a view to achieving the objectives set out in … and to establishing, where necessary, the irregular nature of the activities under investigation. These investigations should not affect the powers of the MS to bring criminal proceedings.’ The same definition can be found in the EP and Council EC Regulations concerning investigations conducted by the European Anti-Fraud Office (OLAF) document, dated 25/05/1999 (page L 136/3).

• Council Act dated 18/12/1997: establishment of the convention concerning the mutual assistance and the co-operation between Customs Administrations.

• EP and Council EC Regulations concerning investigations conducted by the European Anti-Fraud Office (OLAF) dated 25/05/1999: specifications of external (in the MS and third countries) and internal investigations, as well as procedures to open and to conduct investigations.

• Council Act dated 08/05/2003 concerning the use of information technologies in the Customs domain. This Council act specifies the rules concerning the creation of FIDE, the functional and usage rules of FIDE, and the FIDE data conservation limits.

• Council Act 95/C 316/02 dated 26/07/1995, this council act establishes the convention for the use of information technologies in the customs domain.



4 THE BUSINESS ANALYSIS

4.1 INTRODUCTION

If all MS had been visited, different Customs Anti-Fraud organisation models would probably have been identified. However, in the scope of the business analysis, it was impossible to take into account all the possible (sometimes minor) differences in procedures, automated systems, databases, operations, national regulations, etc.

In addition, all the Customs investigation steps presented in section 2.2 – processes from early Suspicion till possible final sanctions - are generally executed, in all the European countries, in the same sequence.

Although OLAF has an additional objective that is the on demand co-ordination of MS Customs investigation tasks, its own investigations are following the same process sequences as those executed by the MS.

For these reasons, the analysis has been intentionally limited to the full specification of only one generalised Customs investigation data flow. This concerns the current and future contexts and includes the processes of the two organisational models described below.

The investigation processes in its future context will only differ from the current context by introducing the use of the FIDE database.

The two organisational models identified during the MS visits are:

• The centralised model: in this model, the Case Officer does not have direct access to the national database systems. They are maintained and queried by a central group of specialised Competent Authorities. Any intervention made by a case Officer has to be approved and confirmed by a ‘Privileged Officer’ who belongs to the same central service.

• The decentralised model: in this model, the Case Officer has a direct access to the national database systems. They are maintained and queried by decentralised (regional) groups of specialised Competent Authorities. Any intervention made by a case Officer has to be approved and confirmed by a ‘Privileged Officer’ belonging to the same decentralised groups.

In both model, the privileged Officer is responsible for several users.

In addition to the generalised MS investigation processes, FIDE will provide three additional technical processes:

• The Update of the FIDE database;

• The Deletions in the FIDE database;

• The Audit Trail of the FIDE database.

Note: the detailed business analysis is given in annex. It contains Data Flow Diagrams and Business Rules.

A Business Rule consists of the description of the conditions and rules that manage the business of an organisation. The set of all the business rules describes the actual business activity.



4.2 THE CONTEXT

4.2.1 THE ACTORS The actors involved in the investigation of fraud case are described hereafter. They are involved in the MS investigation processes for both the current and future contexts. They are involved in the technical processes as well.

They actors are grouped into ‘Customs internal Actors’ and ‘Customs external Actors’.

4.2.1.1 Customs ‘internal’ Actors

Person informing Customs Authorities (Source)

This source is a person – known or unknown by the Customs – who informs national customs officers of possible customs irregularities at a given period of time and location.

National Intelligence Services

This is a group of Customs Competent Authorities assisting the National Customs Authorities during the first phases of the investigations, i.e. case record activities and “go/no go” assessment and decision. The members of this specific service have the required competence, means, information and contacts needed to assist Customs Authorities.

National Customs Authority

This is the most frequent source of Customs investigation requests: the Customs Officers (mobile or not), spread over the whole territory of each MS. They are in charge of informing their hierarchy on possible customs irregularities.

Investigators

The investigator is the persons responsible for starting and/or carrying out investigations. She/he can perform the investigations alone or with other actors. She/he is also referred to as Case Officer or ‘specialised’ Customer Officer.

National Customs Police

Some MS Customs may have their own police organisation for Customs law enforcement. Members of this Competent Authority assist – or replace sometimes when needed - the National Customs Officer during investigation activities. This organisation has the required competence, experience, authority and means to help efficiently the National Litigation department during Customs investigations.

National Litigation department

Some MS Customs may have their own Litigation department. This Competent Authority has the responsibility to take over the files of the Customs Officers once the decision has been taken to pursue a suspected person or company for infraction to the Customs laws and regulations. The members of this department will assist the National Magistrate when actual infraction has been proven.



European Commission

Considered as sources, some of the European Commission Directorates and EC Programs (for example FEOGA, known as agriculture financing and subsidising program), transmit their requests for investigation to OLAF based on irregularities on agricultural transactions financed by them.

Director OLAF

This is the person at OLAF who is heading the entire DG. He/she is responsible for the final results of all OLAF investigation and co-operation activities.

Data Protection Officer

The DPO of the European Commission is the only Competent Authority allowed to view any FIDE record, deleted records included. In the context of his function of Auditor, he receives all the reports (on demand, by exception and statistics) issued from the Auditing of the FIDE database.

4.2.1.2 Customs ‘external’ Actors

National Police

All MS have a National Police organisation. Members of this law enforcement Authority assist the National Customs Officer during investigation activities in case where there is no National Customs Police unit. This organisation has the required competence, experience, authority and means to help efficiently the National Litigation department during Customs investigations.

National Magistrate

As a Competent Authority, the National Magistrate is allowed to pronounce the condemnation of a person or company for infraction to the Customs laws and regulations. He receives the necessary information (files) from either the National Police/National Customs Police or from the National Litigation department.

4.3 THE MAIN PROCESSES

This section gives an overview of the main processes that were analysed during the business analysis. Please refer to the first paragraph of the annex to this Business Analysis [RD8] for more details on the main processes and on the FIDE interaction with the processes.

4.3.1 THE MS INVESTIGATION PROCESS The following section summarises the most common processes appearing during an investigation in the member states.

4.3.1.1 The recording of the Case

Information on Customs irregularities collected form various source is evaluated by Customs Officers in order to fully document and describe the irregularities.

National Intelligence Services may also provide support by investigating if the persons or companies are already involved in other cases in other MS. This process is currently not supported by an IT system.



At this stage, depending on the internal Customs organisation, some MS may already register the case in their Case Register database. However, in most of the Member Sates the case is recoded only after the next processes described in section 4.3.1.2 or 4.3.1.3.

4.3.1.2 Assessment on the GO / NO GO

At this stage, the decision to start or not an investigation on the case is taken. On request of a Custom officer, this “go/no go” assessment is done with the assistance from the National Intelligence Service. Information collected during process 4.3.1.1 and information from other Customs files may be used for the go/no go assessment. In some MS, all available information on the case is registered in a Local Register.

If the decision is taken not to start an investigation, the sources of information are usually notified of that decision.

At this point of the investigation process, depending on the internal Customs organisation, some MS are storing the case information in their cases register database. However, most of the MS do it only during process 4.3.1.3.

4.3.1.3 The assignment of the investigation

In this process the Customs Officer in charge of the assignments assigns an Investigator to the case. The latter has the responsibility of carrying out the investigation. The assignment is registered in a file. At this stage, all the MS register all the information available on the case in a Local Register. In some Member States, this information is stored in a central register as well.

4.3.1.4 The Investigation

At this stage, various investigation tasks are performed by the Investigator. He may co-operate with Customs Officers of other MS if the involved persons or companies are also involved in cases in other MS. When more than two MS are involved or when the investigation has an extended international implication, the investigator may ask to OLAF to co-ordinate the investigation.

4.3.1.5 The Positive Closing

If the Case Officer demonstrates that the irregularity is real and the suspicions are valid, the investigation is closed “positively”.

Depending on the scope of the irregularity and on the MS regulations/Customs laws, it may be decided to apply a fine or to prepare further actions to institute a legal proceeding.

Important remark

The Positive Closing ends the Investigation processes but not the entire Case cycle.

4.3.1.6 The Negative Closing

When the Case Officer cannot demonstrate that the irregularity is real and the suspicions are valid, the investigation is closed “negatively”.

4.3.2 MAINTENANCE OF THE FIDE DATABASE The maintenance of FIDE database will involve the following processes:

• Creation of FIDE record information.



• Modification of FIDE record information.

• Deletion of FIDE record information.

• Creation, Modification and Deletion of Audit trail record information.

These processes are further detailed in the annex of this Business Analysis [RD8].

4.3.3 WORKFLOW During the Business Analysis we discovered that:

• The National Custom Authorities are organised in one or more groups of users;

• Each Service is responsible for Custom Cases (The Custom Cases processing is under the responsibility of a Service and NOT of a single Case Officer);

• Each Service will have one or more Case Officers and optionally one Privileged Officer. The role of the latter is to authorise Custom Case handling by the Case Officer(s) using FIDE;

• Each Case Officer will process Custom Cases using FIDE.

We could not find a unique workflow organisation of those several actors in the several Member States we visited. Therefore we decided to propose the implementation of a ‘common’ workflow in the Functional Specifications [RD9], that could be used by the Member States. But, as such FIDE do not need this proposed workflow, and can be integrated in an easy way within the MS current procedures & workflows.



5 SECURITY AND INTEGRATION WITH LEGACY SYSTEMS Security aspects of a new system always have to be part of the general design and may not be studied separately to avoid any risk of incompatibilities with the requirements. Therefore the principles of total security must be taken into account as soon as possible in the process of designing FIDE.

To meet the required level of security, a combination of appropriate manual procedures, specific hardware and specific software components will have to be implemented.

Security topics to be addressed in a further stage of the FIDE project are suggested hereafter:

• To guarantee the integrity of FIDE, all records (investigations) should be based, as soon as possible, on official (national) authorised documents.

• Only the users from the same service and the same country are allowed to modify and delete their own records.

• The minimum authentication mechanism for the users (persons) is the use of a personal login and personal secret password. The users must be forced to change periodically their password. Measures such as login disabling after 3 wrong log-in attempts should be considered. Additional authentication mechanisms should be considered such as the use of smart card or challenge/response mechanisms.

• Any access to FIDE by the users (National Users of OLAF users) or the system must be logged into an audit database. The audit database should allow to identify what information has been accessed by who and when. The retention period of the audit records should be at least 6 months.

• The Auditing database must be regularly analysed by the DPO and/or by Auditors to detect any abusive access to FIDE.

• Some fields (registered names, dates and status codes) cannot be modified manually and are managed by the system only.

• All data elements must be checked against the rules of the data dictionary (‘Data Definitions’ section of the Functional Analysis report) when there are created and when they are modified.

• FIDE will not verify if information has been introduced more than once.

• In some aspects, because FIDE will be multi-lingual whenever possible, the communication between users speaking different languages will be better. This can be considered as a security element.

• Data exchange between the MS and FIDE should secure in such a way that unauthorised person cannot read the information. This implies the encryption of the data before transmission.

• FIDE is in line with the EU Data Classification Rules as it contains only EU restricted information and the access to the data is restricted to officials only. In addition, FIDE will not export data to other systems.



In terms of integration with legacy systems (current OLAF and National systems), the FIDE legislation stipulates that the database will not be built using data of another system. The advantage of this decision is that there is no migration process to be foreseen. In other words, no ‘one shot’ loading program has to be developed at the various MS and at OLAF to collect all current case records and to transform them into FIDE-compatible records.

The disadvantage of this decision is that it will take several years before the FIDE database will reach in terms of volume its cruise level. This means that considering that a case is kept in a national database during a period of 3 years (the retention period is between 0 and 6 years) FIDE will be at its cruise level only after 3 years.



6 TRAINING REQUIREMENTS In this chapter a first estimate of the effort to train the various FIDE Users is provided. Recommendations for the training methods are given at the end of the chapter.

Very often the training requirements for a new IT application are underestimated. This is partially due to the fact the training take place at the end of the development process and is used as a contingency on the financial resources. This may however have a damageable consequence on the usage of the application. Indeed, if no appropriate training is provided to the users, the application is not properly used or very partially used.

Currently, OLAF is using the “train the trainer” method avoiding to organise different training sessions in its premises or in the Member States. This is also in line with the subsidiary principle of the EU Treaty. However, this method does not guarantee permanent training of the users.

In addition, with such training sessions have the following drawbacks:

• The actual learning is quite low;

• There is a risk that the focus is on the appropriate subjects for the end users;

• The organisations are often modified and the people replaced.

This results in a poor level of knowledge of the application. To circumvent this problem, regular training sessions are organised but this leads to significant additional costs.

To avoid these problems, an alternate training method is proposed: the inter-active multimedia (I-MM) courseware. It provides permanent and up-to-date training support at a lower cost compared to usual training sessions. During the last decade, I-MM courseware has proved to be the best training method and will most probably be generalised in the future.

Compared to usual training sessions, the I-MM courseware has the following advantages:

• Permanently accessible by all the users according to their own schedule;

• If they are translated, they are in the end-user language;

• The courseware can be stored and made available on CD-Rom, DVD or on a private central server (web-site);

• When the system is modified, the I-MM courseware can be modified and no new training session must be organised;

• I-MM avoids the organisation of training sessions for new user.

• I-MM avoids travelling costs (‘out of pocket’ costs and time).

Considering the above advantages and the large number of users involved in 25 EU countries, I-MM seems to be a solution that must be considered in the scope of FIDE.



7 ESTIMATED VOLUMES Based on the figures provided in the answers to the Questionnaire (currently 11 on 25), the estimated population of current potential users is around 35.000 to 40.000 for the EU. This is the extrapolation of the average potential Users of 1.500 per MS.

However, in the near future (2006 – 2007), part of the MS will be subject to the review of their external borders due to the introduction of SIS II. The number of potential users could then be reduced to the half (15.000 to 20.000 users).

Potential users do not mean that all of them would have access to FIDE. It is indeed the responsibility of each MS Customs Authorities to decide which users have access or not to FIDE. Nevertheless, even if only one third of the potential Users – i.e. 5.000 – would have access and work regularly with FIDE, this figure still represents a large number of persons to be trained.

Another important figure is the expected number of FIDE records. This figure should not be considered at the start-up of the system because the database will be empty but after 3 years of operation. Whilst it is impossible to provide reliable figures, the volume derived from the answers on the questionnaire is 800 average new records on a yearly basis per country. Considered that in 2007, the number of Member States will probably be 30, this represent 70.000 records over a period of 3 years1.

Volume estimates derived for the current usage of CIS & the Mutual Assistance application are probable more realistic. Assuming that the new MS states would have similar volumes2 the following extrapolations are done:

• There is around 3.000 users for the current 15 MS. Therefore for 25 MS with similar average volumes would lead to (3000/15) X 25= 5000 users.

• Around 15 cases per year per user are created with 15 MS. Therefore for 25 MS, it is expected to have 25 cases per year per user.

• Therefore in conclusion, the estimated average number of records is equal to 5000 users X 25 cases/year/user = 125.000 cases/year for the 25 MS. This represents around 342 records/day.

1 3 years represents the average number of years a record will be kept in FIDE. 2 This is of course a projection since the member state do not have the same size or do not process the same number of cases



8 OPERATING PARAMETERS This chapter provides some considerations in terms of performance for FIDE.

To be successfully used, the response time of FIDE should as short as possible. This can only be achieved by using the appropriate combination of hardware, network communication means (often the most critical component), software (the application and off-the-shelf software). The potential high volume of the data to be process is also to be taken into consideration when choosing the above elements. Because the user population and the usage of FIDE may evolve over time, scalable solution must be considered.

In the scope of FIDE, OLAF has the entire control concerning the hardware and software choices. However, currently OLAF has no control for the communication network that is provided by the EC.

Considering the FIDE investigation process and the estimated volumes, an average of 8 accesses (two searches, one record creation, and four record modifications) to FIDE will be done by the MS per new case. On a yearly basis this represents 8 X 800 X 3O = +/- 200.000 MS accesses. Considering that a year has 260 working days and the accesses are spread over 10 hours a day, about 75 MS accesses per hour could be expected (or 1.25 MS access a minute). This requirement should be easily met.

The FIDE application will be available 24/24 hours 7/7 days. However, very few accesses are expected between 22:00 and 06:00 and during the week-ends.

FIDE hardware and software maintenance activities will take place between 24:00 and 04:00 o’clock when needed, in order to minimise access disturbance.

FIDE will be Web based. This means that a Web browser has to be available for each MS user. However, this constraint is largely compensated by the dramatic reduction of the deployment and maintenance costs.

FIDE Business Analysis

Documents

Transcript of FIDE Business Analysis