
Detecting Conflicts of Interest in Public Procurement with AI: A Practical Guide for Municipalities

June 7, 2026 · 5 min read · OptimTech

Why use AI to detect conflicts of interest in public procurement

Early detection of conflicts of interest reduces legal risk, improves transparency, and prevents awards that may later be voided or challenged. AI does not replace administrative responsibility, but it can increase the effectiveness of pre-award checks and contract monitoring. This article provides practical steps to design and deploy a hybrid system (rules + AI) aligned with Spanish and European regulations.

Legal framework and limits to respect

  • Law 9/2017 on Public Sector Contracts: requires ensuring fair competition and foreseeing incompatibilities and grounds for recusal. Automated detection should support documentary checks and transparency obligations.
  • GDPR: processing personal data (e.g., corporate links, public positions) requires a clear legal basis, data minimization, and guarantees of rights (access, rectification).
  • EU AI Act (progressive application): anticipate requirements for transparency, technical documentation and risk management according to the system's use and impact.
  • ENS (Royal Decree 311/2022): if the solution integrates with public administration systems or processes sensitive data, it must comply with the National Security Scheme requirements.

Do not automate final or punitive decisions. AI should produce alerts or scores that require documented human review.

Practical design: hybrid and phased approach

  1. Identify objective and scope

    • Are you detecting corporate links between bidders and municipal staff? Relating awardees to previous beneficiaries? Defining concrete categories reduces false positives.
    • Prioritize contract categories with higher risk (construction, high-value services).
  2. Permitted and useful data sources

    • Declarations of interest and bidders’ documentation (mandatory).
    • Commercial Register, Official State Gazette/official journals, public contracts registries.
    • Public databases of positions and family relationships (when legally accessible).
    • Avoid indiscriminate extraction of sensitive data from social media without a solid legal basis.
  3. Architecture: rules + AI

    • Rules layer: clear legal checks (e.g., explicit prohibitions, direct corporate links).
    • AI layer (NLP and graph analysis): identify non-trivial patterns (shared surnames across companies, indirect links via directors, participation networks).
    • Prefer explainable models (extractable rules, similarity models with textual evidence) over opaque ones.
  4. Interpretability and traceability

    • The system must record the evidence behind each alert (documents consulted, relevant excerpts, links between entities).
    • Produce a readable report for legal reviewers with a risk score and attached evidence to enable human review.
  5. Thresholds and workflows

    • Define risk thresholds that trigger concrete actions: notify the contracting authority, perform further checks, temporary suspension.
    • Always include a human responsible for validation before any administrative measure.
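
The design steps above can be illustrated with a small sketch, added here as an example and not taken from any deployed system: a rules check for direct links, a graph search for indirect links via shared directors, evidence recorded per alert, and thresholds that propose an action for human review. The register records, names, scoring formula and threshold values are all constructed assumptions, and person and company names are assumed to be already resolved to single entities.

```python
from collections import deque

# Constructed sample data, not real register entries: (record_id, person, company)
DIRECTORSHIPS = [
    ("RM-001", "A. Lopez", "Obras Norte SL"),
    ("RM-002", "B. Ruiz", "Obras Norte SL"),
    ("RM-003", "B. Ruiz", "Holding Sur SA"),
    ("RM-004", "C. Vega", "Holding Sur SA"),
    ("RM-005", "D. Mora", "TecnoSum SL"),
]
STAFF = {"C. Vega"}  # municipal staff involved in the award (constructed)
# Assumed thresholds: minimum score -> action proposed to the human reviewer
THRESHOLDS = [(0.9, "notify contracting authority"), (0.4, "further checks")]

def build_graph(records):
    """Undirected person<->company graph; each edge keeps its source record."""
    graph = {}
    for rec_id, person, company in records:
        graph.setdefault(("person", person), []).append((("company", company), rec_id))
        graph.setdefault(("company", company), []).append((("person", person), rec_id))
    return graph

def shortest_link(graph, bidder, staff, max_hops=5):
    """BFS from the bidder to the nearest staff member; returns (hops, evidence)."""
    start = ("company", bidder)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, evidence = queue.popleft()
        if node[0] == "person" and node[1] in staff:
            return len(evidence), evidence
        if len(evidence) < max_hops:
            for nxt, rec_id in graph.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, evidence + [rec_id]))
    return None, []

def screen(bidder, records=DIRECTORSHIPS, staff=STAFF):
    """Return an alert with score, evidence and proposed action; never a decision."""
    hops, evidence = shortest_link(build_graph(records), bidder, staff)
    # Assumed scoring: 1 hop (staff member is a director) = 1.0, 3 hops = 0.5, ...
    score = 0.0 if hops is None else 1 / ((hops + 1) // 2)
    layer = None if hops is None else ("rule" if hops == 1 else "graph")
    action = next((a for t, a in THRESHOLDS if score >= t), "no alert")
    return {"bidder": bidder, "score": score, "layer": layer, "action": action,
            "evidence": evidence, "human_review_required": action != "no alert"}

if __name__ == "__main__":
    for b in ("Holding Sur SA", "Obras Norte SL", "TecnoSum SL"):
        print(screen(b))
```

The `evidence` list holds the register record IDs along the path, so a legal reviewer can check each link in the chain against its source document.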

Implementation and organizational best practices

  • Data audit: verify coverage and quality of registers (Commercial Register, past contracts). Document gaps.
  • Manage false positives: set up a fast verification and rectification process for affected bidders.
  • Privacy by design: minimize processed data, record purposes and retention periods; facilitate GDPR rights.
  • Data Protection Impact Assessment (DPIA): when processing may pose high risks to rights and freedoms, perform a DPIA and implement mitigation measures.
  • Testing in a sandbox: start with anonymized historical data to validate accuracy and operational load.
  • Team training: train lawyers, technicians and procurement staff in the tool’s use and limitations.

Operational integration and maintenance

  • Integrate into the processing workflow (bid admission) so alerts arrive before awarding.
  • Maintain a catalogue of sources and automated updates (e.g., periodic ingestion from the Commercial Register).
  • Monitor operational metrics: number of alerts, confirmation rate after human review, average verification time.
  • Review and adjust rules and models in response to regulatory (Law 9/2017) or case-law changes.

Risks and how to mitigate them

  • Legal risk from purely automated decisions: mitigate by requiring human review and maintaining auditable records.
  • Privacy risk: apply data minimization and legal bases; document processing activities.
  • Technical risk (false negatives/positives): combine rules and models, and perform regular audits.
  • Reputational risk from erroneous notifications to companies: design a prompt communication and correction protocol.

Recommended initial use case (low-risk pilot)

  • Select a recurring contract type (e.g., ICT supplies) and the past 12 months of procurements.
  • Build a dataset with case files, awardees and public registers.
  • Implement basic rules + an NLP module for entity matching and test with human review.
  • Validate results, measure confirmed-alert rate and adjust before scaling up.

Conclusion and recommended action

AI can speed up conflict-of-interest detection if designed as an audit support tool, not as the sole decision-maker. Immediate action: launch a scoped pilot (one contract type) that combines explicit legal rules with explainable network analysis; carry out a DPIA and define protocols for human review and communications. Such a project improves detection, documentation and traceability without compromising legal compliance or the rights of the parties.

Practical takeaway: within the next 8 weeks, form a mixed team (legal, procurement, IT), map data sources and define 3 non-negotiable legal rules; with that you can run an AI-assisted detection pilot on a set of files.