Detecting and Preventing Fraud in Public Procurement with AI: A Practical Guide for Municipalities
Introduction
Fraud and collusion in public procurement processes undermine competition, drive up costs and erode public trust. AI can help spot anomalous patterns and prioritize investigations, provided its design and deployment respect the legal framework (Law 9/2017 on Public Sector Contracts), the GDPR, the ENS (Royal Decree 311/2022) and the emerging obligations under the EU AI Act. This guide offers practical steps for municipalities that want to use AI against fraud without creating legal or operational risks.
What can AI detect in public procurement?
High-value, concrete use cases:
- Collusion detection: networks of companies submitting coordinated bids, suspicious price variations, or repeated awards among the same parties.
- Bid anomalies: out-of-range prices, proposals with duplicated documentation, or inconsistent digital signatures.
- Document fraud: forged documents or conflicting corporate information (e.g., tax ID, address, directors).
- Preferential award patterns: repeated contracts awarded to the same company without technical or competitive justification.
- Early warnings during contract execution: duplicate invoices, inconsistent work certifications, or payments made outside established procedures.
Legal and security requirements (practical summary)
- Law 9/2017: procedures and evaluation criteria must be transparent and auditable. Any use of AI that influences award decisions must allow for review and traceability.
- GDPR: establish the legal basis (e.g., Article 6.1.e — performance of a task carried out in the public interest) and apply principles of data minimization, retention limitation and technical safeguards. Conduct a Data Protection Impact Assessment (DPIA) if profiles or automated decisions are involved.
- ENS (Royal Decree 311/2022): infrastructure and data must meet security requirements according to the applicable system level.
- EU AI Act: check whether the solution is considered "high risk" (for example, if it affects third-party rights in essential processes). If so, comply with requirements on technical documentation, risk management, transparency and registration.
Practical implementation: minimum steps and technical considerations
-
Define objectives and operational scope
- Detect collusion in tenders over X euros? Monitor all contracts? Limiting scope reduces risk and makes compliance easier.
-
Map data sources
- Internal procurement records, the Public Sector Contracts Registry, the Official State Gazette (BOE), public company registries, sanctions lists, invoicing and contract execution files. Record the origin and purpose of each dataset.
-
Legal review and DPIA
- Carry out a DPIA and consult the legal department. Document the legal basis, mitigation measures and data subject rights handling.
-
Select techniques and models
- Start with explainable models: business rules, anomaly detection (z-score, isolation forest), graph analysis to uncover relationship networks. Avoid black boxes in critical decision stages.
- Validate with historical data and test scenarios; document limitations.
-
Operational design: alerts and human review
- Use AI to prioritize, not to make final decisions. Define alert thresholds and escalation paths (legal team, internal audit).
- Log every alert with metadata for auditability: which data triggered the alert, the human reviewer responsible and the outcome.
-
Transparency and communication
- Inform suppliers and stakeholders about the use of AI in anti-fraud controls in tender documents or on the procurement website. Provide channels for companies to request human review.
-
Integration, security and governance
- Integrate with the Public Procurement Platform and local systems via secure APIs. Ensure access control, encryption and backups per ENS.
- Appoint a governance lead (AI committee) to oversee performance metrics, false positives and corrective actions.
Operational best practices
- Start with a pilot limited to a single area or contract category and improve iteratively.
- Require explainability: alerts must be justifiable in an audit.
- Measure both false positives and false negatives; too many useless alerts create operational fatigue.
- Maintain full traceability of training data and model versions (model cards / data sheets).
- Train procurement and internal control teams to interpret alerts and take action in line with Law 9/2017.
Risks to watch
- Bias: models that unfairly penalize companies from certain regions or of certain sizes. Mitigate with fairness audits.
- Improper disclosure of personal data: apply GDPR principles and anonymize data where possible.
- Operational dependency: AI should complement, not replace, legal and administrative controls.
Action checklist (7 quick steps)
- Agree objectives and scope with senior management and internal control.
- Inventory data sources and assess their lawful use.
- Carry out a DPIA and ENS review.
- Develop a pilot with explainable models and real test cases.
- Design bot-to-human (B2H) workflows for alert review.
- Publish a notice on the Public Procurement Platform and provide transparency documentation.
- Monitor, audit and adjust thresholds quarterly.
Conclusion and takeaway
AI can be an effective tool to detect and prioritize fraud risks in public procurement—but only if implemented with legal controls, traceability and human review. Immediate recommended action: launch an anomaly-detection pilot in one procurement category, accompanied by a DPIA and a governance plan. At OptimTech we work with local entities to design these pilots in line with the ENS and current regulations; if your municipality wants a practical, compliant approach, we can help define the first steps.
Related articles
Predictive Maintenance for Municipal Infrastructure with AI
A practical guide to prioritizing interventions and meeting ENS, GDPR and public procurement requirements when implementing predictive maintenance.
AI Interoperability with Legacy Systems in Municipalities
Practical guide to integrating AI with legacy systems: data models, APIs, ENS and GDPR compliance.
Prompt Governance in Public Administration
Practical guide to managing language model prompts in the public sector: logging, auditing, risk and compliance.