As the tally of fraud and abuse in pandemic relief spending mounts, the Government Accountability Office (GAO) has a reminder: Program managers have a list of leading practices for preventing fraud. The question some have for those managers is why they did not use that list. For more, the Federal Drive with Tom Temin spoke with GAO’s Rebecca Shea, the Director of Forensic Audits.
Tom Temin I guess at this point, it’s fair to say we still don’t really know the extent of fraudulent and improper payments under the various pandemic relief programs, do we? What’s the latest sense of how bad it is?
Rebecca Shea Yeah, that’s true. We will never know the true extent of the fraud, but we do have some estimates at this point and some other information. For example, GAO recently released a report estimating the amount of fraud in the unemployment insurance program, and we estimated that the fraud that occurred in that program was between 100 and $135 billion. The [Small Business Administration (SBA)], OIG has also estimated fraud in the two lead programs, their [Paycheck Protection Program (PPP) and [Economic Injury Disaster Loan (EIDL)] programs, and they estimate about 200 billion in fraud. And those are just two of the largest programs. And we’ve also been tracking some of the [Department of Justice (DOJ)] cases since the pandemic began. That also gives you a little bit of a sense of the scope of the problem. And at this point, there are nearly 1400 guilty pleas or convictions and about 600 more in the pipeline. And, of course, many, many more under investigation at this point.
Tom Temin I can remember when the entire federal budget was $200 billion, and this is how much we threw away on that. But it’s fair to say, too, that these were bigger than normal programs. But the rate or percentage of fraud in these cases is beyond band for what we normally expect in programs.
Rebecca Shea Yeah, that is definitely true. Just to give you a sense of the scope, the PPP and EIDL, the SBA programs and unemployment insurance programs, they were about $2 trillion collectively. So that’s a very attractive target to fraudsters, obviously. But you’re right about the fact that the fraud that occurred in the pandemic is worse than what you would expect in normal operations. And that’s true for a variety of reasons. There are a number of known risk factors for fraud and the pandemic programs, they had them all. Some of them are new programs. Some of them were greatly increased funding. With the nearly $2 trillion there that agencies had to make quick disbursements and they also had limited controls. Most important among those limited controls was the reliance on self-certification to determine if you get a benefit. So absolutely a much greater fraud in those programs than you would expect the normal operations because of those risk factors.
Tom Temin Because just given the practicalities of the programs, even normally they’re pretty big. A certain amount of fraud is to be expected, but it can cost you more to stop it than you would prevent. So in general, there’s a risk management or inverted pyramid type of approach to this. Fair to say?
Rebecca Shea Yeah, that’s absolutely right. And I’m glad you mentioned that because it’s important to realize fraud is inevitable. Any time you have something of value, people are going to try to get it through misrepresentation. But the important thing is to manage the risk of that strategically because it’s pennies on the dollar when you try to recover. So prevention is absolutely the goal here.
Tom Temin And I guess you’ve told us why fraud was worse in these programs because of these factors presents the newness of them, the great expansion of existing programs and the limited controls. And that’s because I guess they wanted to get everything up and running fast. And unlike the relief for the financial crisis back in 2009, at least there was an apparatus set up before some of that money started flowing out.
Rebecca Shea Yeah, that’s right. A couple of other things were going on as well. So agencies were not prepared and not managing their fraud risk strategically prior to the pandemic. The CG, the Comptroller General testified earlier this year that an agency has been in a better place on that since the requirements to do that came out in 2016. They would have been better prepared to handle the pandemic. So that’s one of the reasons why they weren’t very well prepared. And then, as you say, the other issue of trying to get the funds out quickly and making some determinations about the controls that would or would not be in place, as it’s been described, lowering the guardrails. And then again, as you mentioned, there was not that apparatus in place for the governmentwide oversight analytic capability that got stood up the initial year of the pandemic. And it is going to sunset again, like the one for the financial crisis did, unless Congress acts to make that permanent.
Tom Temin We’re speaking with Rebecca Shea. She’s director of forensic audits at the Government Accountability Office. And you testified that jail for many years has had a reference framework for fraud prevention, some best practices or good practices for this. What are some of those? And I guess why don’t agencies use them more? First of all, tell us more about the framework.
Rebecca Shea Sure. Yeah. It’s our fraud risk framework, and it outlines 38 leading practices for strategically managing fraud risk. And it’s broken down into four different components. And they align with broad themes that agencies should be covering to strategically manage the fraud risk. The first component relates to creating a culture and a structure to combat fraud. You want to have the right environment, you want to have the right organization to be able to do the things that you need to do throughout the year, regardless of your environment, normal operations or emergency. The second component relates to fraud risk assessments. Many agencies still are operating without comprehensive fraud risk assessment. They aren’t even aware of their risks and understanding what controls they have in place to address those risks. So a full review of what your risks are, what you have in place to manage them, the likelihood and impact. And then also what’s your tolerance for risk and will that change? And how does it need to change when you’re in normal operations versus steady state? And then what are the consequences of that? The third component relates to the implementing the controls that you need, implementing your profile that you have developed from your fraud risk assessment. And then the last component is to evaluate and adapt that. Fraud does not stay static, it continues to change. The risk environment changes. So you want to make sure that the controls that you’ve figured you need from your fraud risk assessment are actually working as you want them to and evaluate and adapt that then go around in the circle. We are visual for the fraud risk framework as a circle, and it’s meant to imply that this is an ongoing process.
Tom Temin Right. So there’s really two takes that I get from what you’ve said. One is that if you are already oriented and sensitive to and have programs in place and think about fraud prevention, then when something big comes along like a new program, you’re already at a baseline where you can maybe scale more easily to protect yourself.
Rebecca Shea That is absolutely right.
Tom Temin And the other is you got to think like a thief and maybe pressure test your own system to see maybe I can try a fraudulent try here. I mean, the food stamp program, SNAP program has done that for years. They used to go shopping and see if they could use their card to buy beer somewhere and this kind of thing.
Rebecca Shea Yeah, that’s right. And I’m glad that you mentioned that because that relates to a resource that is available through Department of Treasury and the CFO Council. They have years ago, after we issued our framework, they issued an anti fraud playbook and it breaks down all of the components and the leading practices from our framework, and it provides agencies with this nice set of plays for how you can implement that. And one of them is to think like a fraudster and it helps agencies do that. Think like the bad guy so that they can figure out how their systems could be broken.
Tom Temin I know when I used to go into banks back when people went into banks and big lobbies, I used to figure, how would I rob this place? How would I get out and where would I head if I ever wanted to do that? But I didn’t take myself up on that. And in your testimony, you actually described a couple of the fraud mechanisms which weren’t all that clever. They just did it.
Rebecca Shea Yeah, and you are right about that. They weren’t all that clever. And a lot of that relates to the fact that in benefit fraud, there are two key issues there. You have the eligibility and identity and identity. Are you who you say you are and on eligibility, are you entitled to the benefits that you say you’re entitled to in the amount? And because self attestation was accepted as the key control in a number of these programs, the mechanisms used were really pretty simple. In a lot of cases it was false statements and attestations people just straight up lied. There was document manipulation. They falsified, altered or forged documents. There was a quite a lot of fictitious entities, stolen identities, synthetic identities, shell and shelf companies used to apply for benefits. Some got a little bit more creative through collusion, use of kickbacks and incentives. And then often once the funds were received, they were laundered through other mechanisms. But the mechanisms were pretty basic. Now, technology, I will admit it did help scale up some of those simple mechanisms, because people could apply many at a time and then also from anywhere in the world. And then also tips were shared on the dark web and other chat rooms. So simple mechanisms, but then scaled up through some technologies.