The U.S. Senate introduced a Fraud Prevention Recovery Act bill in April 2024 to fund fraud investigation and prosecution and implement fraud prevention improvements. This was largely in response to widescale fraud and improper use of COVID-19 pandemic-related programs established to safeguard the economy and provide relief to people affected by the crisis.
In a very short timeframe following the disease’s initial impact, Congress created new programs and greatly expanded existing ones to deliver desperately needed funds. The immense amount of money spent in response to the pandemic was unprecedented—and unfortunately, fraudsters took advantage of existing weaknesses in fraud risk management practices to access that money.
The potential for fraud was exacerbated by several contributing factors. Agencies were overwhelmed by the massive surge in claims and the need to quickly pay benefits to affected people across all government programs. A severe shortage of resources led to the use of inexperienced or under-trained staff and contractors to administer these relief programs, which provided opportunities for fraud. Outdated IT platforms faltered during the pandemic and lacked safeguards that could detect fraudulent claims. Some internal controls were also ignored or suspended to pay claims quickly.
Fraud costs as of April 2024 have been estimated at $100-135 billion for the Department of Labor’s pandemic-related unemployment insurance programs and over $200 billion in potentially fraudulent pandemic-related Small Business Administration loans.1 This massive scale of fraud has raised serious concerns, causing the public to question the stewardship of taxpayer dollars.
The U.S. Department of Justice’s COVID-19 Fraud Enforcement Task Force reported in April 2024 that its efforts have resulted in criminal charges against over 3,500 defendants, more than 400 civil settlements and judgments, and forfeiture of over $1.4 billion in fraudulently obtained CARES Act funds.2
Essential preparation for the next crisis
Based on our extensive experience identifying the root causes of fraud and helping organizations develop and implement strategic fraud risk management programs, we know that any improvements made to strengthen ongoing programs will have a dramatic impact on an organization’s ability to respond more efficiently and effectively to future crises.
Oversight authorities have conducted numerous reviews of the various relief programs to determine how fraud risk was managed and identify ways to improve fraud risk management for all government programs—especially those that may be used to respond to future emergencies. Their findings, which are generally consistent with our observations from working with federal, state, and local agencies in administering pandemic relief programs, highlight key vulnerabilities in human capital management, technology, and internal controls.3
Human capital management
An essential component of an effective fraud risk program is people. Executives must set the “tone at the top” to ensure that program integrity and effective stewardship of resources are paramount.4 The U.S. Government Accountability Office (GAO) recommends that organizations designate someone responsible for designing and overseeing fraud risk management activities that are tailored for each program.5 This dedicated individual should be able to effectively apply fraud risk management strategies to existing and new programs, even in emergencies. To be successful, the approach should focus on:
- Developing a trained, capable workforce. GAO standards recommend that personnel responsible for crucial functions such as fraud risk management be recruited, developed, and retained.6 Organizations should also ensure that personnel responsible for execution of all key program functions are appropriately trained to identify fraud risks. For example, call center personnel should be trained to recognize red flags when communicating with applicants. Personnel tasked with application and payment processing should be trained to recognize potential misrepresentations and fraudulent supporting documentation. In addition, there should be a process to enable escalation of suspicious claims to a dedicated professional with expertise to investigate potential fraud.
- Committing to ongoing resource assessment. Organizations should continuously assess their resource capacity and capabilities. In addition, where necessary, organizations should seek assistance from outside entities with expertise to design and implement effective fraud risk management practices.
We supported federal and state agencies by quickly and effectively designing robust fraud risk management programs for a variety of large pandemic relief programs—preventing over a billion dollars in fraudulent payments from being made while spending just a small fraction of that on program execution.
As part of our state emergency rental assistance program management efforts for several state clients, we developed and implemented automated and manual fraud prevention and detection controls to identify and investigate applications with potential fraud indicators. Our fraud specialists trained the operations team to identify potential fraudulent misrepresentation and other fraud flags in applications. The team conducted fraud trend analysis using data queries and network analysis to identify groups of potentially fraudulent applications with similar attributes. The team also built machine learning fraud models to expedite the review process and focus resources on reviews of higher risk applications.
Technology
When administering new pandemic relief programs, many organizations used legacy IT systems that lacked sufficient fraud controls and the basic capacity to process the unprecedented volume of applications. Existing case management systems were not tailored to new program requirements or emerging fraud risks—creating opportunities for exploitation and inappropriate payments.7
To avoid these issues occurring during future emergencies, leaders should:
- Develop flexible IT systems with automated fraud risk controls. Any IT system used to administer benefit programs must be able to access crucial data at each program stage to identify red flags, trends, and vulnerabilities. Systems should provide ready retrieval of information and evidence needed to investigate and prosecute fraudsters. To achieve that, agencies should ensure that fraud risk management professionals work closely with their own IT and data management personnel. Together, they can design flexible systems equipped with role-based security and access controls, system flags, audit logs, and effective data management capabilities for tracking and reporting.
- Optimize data integration, enhancement, and analysis. IT systems must be able to leverage existing data from a multitude of internal and external sources. Integrated systems should allow for data mining within and across benefits programs to identify application anomalies, duplicate claims, and emerging patterns of fraudulent activities. This can be done through data analytics tools such as advanced data querying, anomaly detection, network analysis, and machine learning. Systems should also be capable of cross-referencing such external data sources as the U.S. Treasury’s Do Not Pay List, Social Security Master Death File, and other relevant public records to enhance internal controls through independent data validation.
- Ensure systems are able to recover funds. The ability to recover improper payments is crucial to effective stewardship. Systems must track fund expenditures to recipients and include a process to facilitate the recoupment of improper payments.8 For example, it’s important to ensure that application and payment systems can verify bank account information and confirm that a recipient is associated with a physical address. This provides a minimal level of payment integrity and a place to begin recoupment efforts when needed.
Internal controls
Although federal laws have traditionally required agencies to submit specific internal control plans for relief programs during emergencies such as hurricanes, GAO found that there was no similar requirement for the pandemic relief programs.9 To rectify this, agencies and organizations need to transform programs with a greater emphasis on fraud risk management by:
- Incorporating risk assessment and management strategies into all program design and administration. Because fraud risk is inherent in all benefit programs, it’s essential to include controls at every stage.10 GAO has recommended that Congress require the U.S. Office of Management and Budget to provide guidance for agencies to develop internal control plans that can be immediately employed in future emergencies.11 Management must ensure that effective fraud mitigation strategies are in place and continually updated based on periodic risk assessments—even during an emergency.
- Setting up rigorous identity verification controls. Many pandemic-related programs were defrauded through fictitious or stolen identities. The GAO has recommended that program design assume some identity information is compromised and apply controls at the earliest stages to detect potentially suspicious identities.12 A benefit application platform that’s interconnected with public records databases can automatically check identity information and flag questionable applications for further review early in the process.
- Enhancing eligibility verification processes. Many pandemic-related programs struggled with misrepresentations about applicant eligibility. To quickly disburse relief payments, some programs allowed eligibility self-certification, resulting in billions of dollars in losses.13 In its analysis, GAO noted that self-certification alone is insufficient as a control to mitigate misrepresentation.14 Programs must validate eligibility criteria by checking reliable source records and cross-referencing available data sources.15 Future legislation and regulation must consider this vulnerability and allow for access to existing data sources.
What’s next?
The fallout from this high volume of fraud, waste, and abuse will continue to have lasting repercussions. Regardless of the nature of any future crises, organizations should expect increased scrutiny of relief programs, fraud obligation-related legislation, and regulations requiring more robust internal controls to address fraud risks across all programs.16 Reporting requirements covering internal controls and how funds are spent will also likely be more demanding.17
To avoid reputational damage, safeguard program integrity, and maintain eligibility to participate in current and future programs, leaders must prioritize ways to prepare for and sufficiently address fraud risks.
In 2024, lender Kabbage, Inc., a significant player in the Paycheck Protection Program, settled two cases with the U.S. Department of Justice for knowingly failing to implement appropriate fraud controls to comply with that program’s requirements as well as Bank Secrecy Act and anti-money laundering obligations. The settlements, which included recovery of over $100 million in fraud-related claims, ultimately forced the company into bankruptcy.18