“We have broken the group of VAT fraudsters”, “We have detected the artificial vegetable oil trading being a carousel fraud”, “National Revenue Administration liquidated the Asian mafia thanks to STIR”.
These are just a few headlines from the last few months. They showcase the success of the tax authorities in their fight against tax fraud, and all of them feature STIR prominently.
It’s not about stirring
To begin with, a brief explanation - STIR has nothing to do with stirring. This is an abbreviation (System Teleinformatyczny Izby Rozliczeniowej) for a technical system that aims at automatically identifying suspicious transactions and fraudulent entrepreneurs.
STIR was set up in 2017 by the government but it is built by the National Clearing House (Krajowa Izba Rozliczeniowa, KIR), a private company owned by private banks as well as the national bank, which holds a third of the shares. KIR is a technical hub that provides Polish banks with the infrastructure they need for inter-bank transactions.
Representatives of the Ministry of Finance who discussed STIR with AlgorithmWatch described STIR as a “warehouse of data”. “It is not a magic box showing final results. There is always a human at the end of it, analyzing what the system found” said one of them, who wishes to remain anonymous.
Since April 2018, the main user of STIR has been the National Revenue Administration (Krajowa Administracja Skarbowa, KAS). This new public authority was set up in 2017 after the Law and Justice (PiS) government made a priority of fighting VAT (value-added tax) fraud. KAS was born of the merger of the tax administration and the customs service.
As in all member-states of the European Union, VAT fraud is a large and profitable business. It is commonly measured using the “VAT gap”, which represents the difference between expected VAT revenues and actual VAT revenues (part of the gap is due to other causes, such as bankruptcies).
In 2018, according to CASE, a think-tank, the VAT gap was about 140 billion euros in the EU and 5.8 billion euros in Poland, with a clear downward trend.
The fraud, also known as VAT carousel, involves at least two companies. Company A sells a product with VAT to company B, but does not transfer the VAT it received to the public treasury as is legally required. Company B, which paid VAT to company A, then asks the public treasury for a reimbursement, as it legally should. In real-life, the scheme involves many more intermediary companies and cross-border transactions.
This video, which is part of an investigative project on VAT fraud, explains it in more details:
A data warehouse
What information about Polish entrepreneurs does STIR collect? Quite a lot. The list includes all bank accounts opened and maintained by a company, including the daily statements of transactions, identification data of senders and recipients of transactions and their account numbers; the date, amount, currency, title and description of transactions, and the initial and final balances of statements. Since July 2019, banks must also provide STIR with the IP addresses from which account holders log into their accounts.
“Determining the IP addresses which were used to carry out untypical transactions and the dates and times of these transactions will allow [us] not only to identify the persons, but also to check the places from which the instructions to carry out these transactions were made, the links between these places and the persons using these IP addresses” the Ministry of Finance explained in a memorandum.
Over 5 million people under surveillance
Data released by KAS, the National Revenue Administration, shows that STIR collected data on over 11 million transactions in 2019, related to close to 4 million entities. Five and a half million individuals were connected to these entities, according to the KAS report.
STIR can be accessed by analysts working in a special unit of KAS. Every day, reports from STIR land on their desks, which include information on transactions that were automatically labeled as suspicious as well as “entities classified as high-risk groups using the financial sector for tax evasion”, according to KAS documents.
Analyses based on STIR data are then submitted for approval to the head of the National Revenue Administration, who can decide to freeze the bank accounts deemed suspicious. Freezing an account can be done without informing the bank or the account owner, and can last 72 hours. The freeze can then be extended up to 3 months. Since March 2019, the decision to freeze an account can also be made by regional heads of tax offices.
STIR does not seem to have links to judicial authorities. It is less a tool to find past fraud and bring wrongdoers to justice than a predictive tool aimed at preventing fraud.
How effective is STIR? A glance at the statistics shows that the system is developing slowly.
In 2018, thanks to the algorithm, the 41 accounts belonging to 23 entities were frozen, containing about 10.2 million Polish złoty (2.3 million euros). KAS reported that the operation prevented the theft of 132 million złoty (30 million euros) in VAT fraud, slightly above 0,5% of the estimated VAT gap.
The number increased five-fold in 2019. 537 accounts belonging to 113 entities were frozen, holding over 67 million złoty (15 million euros) in assets. The estimated savings for the state coffers amount to 584 million złoty (133 million euros).
According to the latest data we obtained, data from STIR already lead to 383 accounts to be frozen in 2020.
The Ministry of Finance is satisfied with the algorithm, according to a report by Dziennik Gazeta Prawna. “In December 2019, the Ministry hosted a delegation of the Chinese treasury to learn about the functioning of the latest solutions in the implementation of the split payment mechanism and the STIR system”, the journalists wrote. A system similar to STIR, the Central Electronic System of Payment information (CESOP), is expected to take effect throughout the EU in 2024. It will collect information on the recipients and senders of cross-border transfers.
Entrepreneurs whose accounts have been blocked by KAS, based on the result of STIR analysis, are often helpless in the fight against the algorithm. They seek help in the courts.
Until March 2019, when regional tax offices received the right to freeze bank accounts themselves, the Voivodeship Administrative Court in Warsaw was the only place where entrepreneurs could file complaints against KAS. Judge Ewa Marcinkowska of the Court Information Department told AlgorithmWatch that, since 2018, 52 complaints have been filed by entrepreneurs whose bank accounts had been frozen after a decision by KAS, based on STIR data.
Ms Marcinkowska added that in 41 cases the court dismissed the complaints, and thus ruled against the entrepreneurs.
No investigation needed
In a judgment of the Warsaw Administrative Court of 20 September 2018, judges wrote that the tax office does not have to conduct evidentiary proceedings when freezing an account.
In January 2019, the court made itself even clearer, stating that "a rational entrepreneur should reckon with the fact that the authority may apply procedures in force against him, in particular those consisting in blocking [their bank] account".
Complaining to the ombudsperson
What can a long term account lockout mean for an entrepreneur? This can be seen in the content of complaints received by the office of the Polish Commissioner for Human Rights. “In one of the complaints, the complainant raised general allegations about the nature of the provisions introduced, claiming that this was an abuse of power. In his opinion, the blocking of the entrepreneur's funds may cause the company to become insolvent and consequently bankrupt” said Łukasz Starzewski of the Commissioner for Human Rights’ press office. The entrepreneur pointed out that the most painful thing in the case of account blockage was the inability to pay out salaries to employees. (Current legislation allows for lifting an account freeze to pay salaries, but the procedure is long and cumbersome.)
Rzeczpospolita, a daily newspaper, wrote about this case: “The blockade ‘by surprise’ prevented the entrepreneur from defending his rights, leading to the deregistration of his company from the register of active VAT payers. The Commissioner for Human Rights stated that such actions by the tax authorities may violate civil rights and freedoms and the rule of law".
How does KAS explain their approach? Their philosophy is simple: better safe than sorry. In simple terms, the idea is to ensure that the money belonging to the state treasury will not disappear from accounts of suspected companies, for example.
But there is a silver lining for entrepreneurs. In June 2020, another court, in Poznań, changed its stance, compared to the Warsaw court. The Poznań judges ruled that if the decision to block an account for 72 hours is insufficiently justified, it would also be illegal to extend it for three months.
The secret algorithm
What kind of algorithm does STIR use? What does it look at? It is a closely guarded secret. One official from the Ministry of Finance we talked to, when asked about the details of the algorithm, quickly cut the conversation off, saying that the cook does not reveal the secrets of his recipes.
According to the KAS press office, "the tasks of KIR include running STIR and processing data in this system, determining algorithms and indicators of risk".
I then asked the National Clearing House for more details. Agnieszka Sobczak-Malinowska, from the KIR press office, referred me to the provisions of the law that allowed the deployment of STIR. “Due to the confidentiality of information about STIR, also protected by law, it is not possible to provide data in response to your questions in a wider scope than it results from the above mentioned documents”, she added.
The law in question, passed on 24 November 2017, does not answer our questions. It refers in general terms to the use of the algorithm and that KAS, by means of STIR, is tasked to establish risk indicators.
The 2017 law states that STIR’s algorithm is to be developed by KIR, taking into account “best practices of the banking sector and the cooperative savings and credit unions in terms of preventing their activities from being used for fiscal evasion”. According to the law, the algorithm, when selecting suspicious transactions, uses criteria such as whether an entity made unusual, sudden movements on its bank account and whether it transfers money to “countries where there is a high risk of fraud”.
Since the beginning of work on the STIR, the lack of transparency of the algorithm has been a matter of debate. Objections were raised by NGOs, including Panoptykon, which advocates for the citizens' right to privacy.
During the development of the 2017 STIR law, Panoptykon experts frowned at, among others, the collection of the IP addresses from which account holders log into their accounts. “In what situations should this IP address be disclosed? Does it concern only entrepreneurs or natural persons? And what about people who are permanently (e.g. by phone) logged into banking: will the IP address used at the time of logging in or the one from the moment of executing the transaction be transferred?” the organization asked.
These questions were not addressed but the change in regulations passed anyway. The collection of IP addresses has been effective since July 2019. No public consultation on this matter took place.