Large scale identity theft-based fraud in unemployment assistance stunned many, even those who fight fraud for a living.
When I got the call asking if I would consider leaving my private sector consulting job to help lead the newly created Pandemic Response Accountability Committee, I didn’t hesitate. The country was in the midst of the worst health and financial crisis in a generation so ensuring effective oversight of trillions of federal dollars felt like a public service calling. Having spent 10 years in government oversight—at the Government Accountability Office, where I spearheaded the development of the only guidance aimed at managing fraud risks in government programs—I felt a strong pull to help manage the risk of fraud, waste and abuse in pandemic response funding.
The year I spent as deputy executive director of the PRAC provided a wealth of lessons—about weaknesses in government administration of benefits, the challenges of bureaucracy, and the deep passion for and commitment to public service so many government workers feel. Below are three key takeaways.
1. Federal, state and local agencies were profoundly unprepared for the task of distributing trillions of dollars in federal aid. The pandemic brought with it an unprecedented financial crisis and the CARES Act—the enormous response bill passed to help manage the financial fallout—strained many agencies tasked with distributing trillions of dollars in just a couple of months. Brand new programs like the Paycheck Protection Program were rolled out within days of being created. The Small Business Administration approved more PPP loans in four weeks than it had approved in traditional loans in four years. With limited staff, few technological tools to conduct prepayment verification and crushing need, SBA and other agencies abandoned many traditional controls and simply approved applicants with little or no verification of self-reported information. Both federal programs, like the PPP, and state programs like Pandemic Unemployment Assistance, attracted sophisticated fraudsters armed with massive volumes of stolen data. They swarmed state unemployment offices, applying for benefits using stolen identities to a degree never before witnessed. Many states are now reporting at least 30% likely fraud in PUA payments. Small business loans programs were similarly fleeced.
“Pay and chase” is the term used to describe the practice of making payments later deemed inappropriate and then chasing down the perpetrators to get the money back after the fact. Best practice calls for due diligence at the front end to avoid making the fraudulent or improper payment in the first place. But in the rush to quickly distribute pandemic relief, we failed to do that and so now we are chasing—the work being done to track down fraud in these programs is just getting started. Armies of forensic accountants and lawyers will be mounting cases for a decade or more, but the recovered funds will be a fraction of what was stolen. Speed must be balanced with controls, and the government was not equipped with the automated tools needed to control fraud while getting payments out quickly.
2. Nearly all aspects of collecting and using data in the government are broken. Data is the backbone of effective administration of any large program and distributing billions or trillions of dollars simply cannot be done effectively without the use of data. The pandemic revealed the extent of the government’s weaknesses in data usage in key areas:
- Data collection. Data in small business programs was so poorly collected that meaningful analysis of loans after the fact was exceptionally difficult—only 10% of loans reported any demographic information, and there were no clear data standards, which meant, for example, that “Washington, D.C.,” was reported 13 different ways. Further, many agencies used vague descriptors when reporting their pandemic spending. The PRAC’s analysis identified 40,000 awards that had the same project description as the program—usually simply “CARES Act,” which did not allow the public to understand how the money was being spent. GAO also reported data collection weaknesses in Health and Human Services programs. This lack of transparency in pandemic spending—which the PRAC publicly reported in October, 2020—limited oversight agencies’ and the public’s ability to fully track pandemic funds.
- Data sharing. Data sharing within the government is embarrassingly nonexistent, in large part due to restrictive privacy laws. The result is that federal agencies do not have access to data to verify information from applicants that would allow them to reject many as ineligible. For example, only four states have electronic marriage records, meaning the Social Security Administration cannot verify the accuracy of a beneficiary’s marriage claim, which would have enormous implications on the amount of their benefit. “Double dipping,” in which individuals get benefits from multiple programs for which they are ineligible, is rampant due to agencies’ inability to verify that an applicant is receiving a benefit from another program. State unemployment agencies have the option to use a clearinghouse that shares data on unemployment applicants across states, but only about half of the states use it.
- Data analytics. And finally, for those agencies that do collect data, few are using it to prevent and detect fraud or improper payments. If agencies collected and used IP address data, for example, they could identify an unemployment applicant using a computer that is based in a foreign country. If they cross checked applicants’ data with prison records, tens of thousands of prisoners in California would not have fraudulently received unemployment assistance payments. If agencies analyzed payment data, they would uncover patterns that indicated fraud ring activity.
The pandemic has revealed the depth of the data challenges in government and addressing these challenges must be a top priority going forward.
3. The future of fraud lies in the value of stolen personal information. Large scale identity theft-based fraud in pandemic unemployment assistance stunned many, even those who fight fraud for a living. This problem has been brewing for at least a decade and the financial services sector has been innovating in the fight against identity theft for several years now. Data breaches are now just another fact of life, most people will acknowledge that their personal information has been breached with a resignation that hints at a sense of futility in trying to stop it. The many large scale data breaches that occurred in the last decade created a windfall for fraudsters during the pandemic, when they learned how few controls states had in place to detect identity theft.
I certainly hope we never experience another crisis like the pandemic again in our lifetimes, but because this was a unique event does not mean states and federal agencies should maintain the status quo when it comes to verifying the identity of applicants. Investment in identity verification tools—those that are more common like multi-factor authentication to the more cutting edge that use biometrics to verify an applicants’ identity—are paramount. And using data analytics to authenticate the device an applicant is using is no longer optional. Building an arsenal against identity theft will pay dividends in the future, as the use of online benefits applications grows along with the threat of identity theft-based fraud.
Much work lies ahead to repair the fissures in government systems uncovered during the pandemic. Investments in modernizing IT systems and implementing advanced analytics, including identity management, across federal and state agencies are badly needed, as is legislation to facilitate better data sharing and more stringent requirements to proactively address the risks of fraud. It's time to make the investments in and demonstrate commitment to the integrity of taxpayer dollars. In the future, we cannot simply blame an unprecedented set of circumstances for the fleecing of the American taxpayer.
Linda Miller served as deputy executive director of the Pandemic Response Accountability Committee from June 2020 to June 2021. She is returning to private practice as a Principal at Grant Thornton, LLP, where she will lead the firm’s Fraud and Financial Crimes Practice.