lpettet / istock

What I Learned Helping Lead Oversight of $5 Trillion in Pandemic Relief

Large scale identity theft-based fraud in unemployment assistance stunned many, even those who fight fraud for a living.

When I got the call asking if I would consider leaving my private sector consulting job to help lead the newly created Pandemic Response Accountability Committee, I didn’t hesitate. The country was in the midst of the worst health and financial crisis in a generation so ensuring effective oversight of trillions of federal dollars felt like a public service calling. Having spent 10 years in government oversight—at the Government Accountability Office, where I spearheaded the development of the only guidance aimed at managing fraud risks in government programs—I felt a strong pull to help manage the risk of fraud, waste and abuse in pandemic response funding.

The year I spent as deputy executive director of the PRAC provided a wealth of lessons—about weaknesses in government administration of benefits, the challenges of bureaucracy, and the deep passion for and commitment to public service so many government workers feel. Below are three key takeaways.

1. Federal, state and local agencies were profoundly unprepared for the task of distributing trillions of dollars in federal aid. The pandemic brought with it an unprecedented financial crisis and the CARES Act—the enormous response bill passed to help manage the financial fallout—strained many agencies tasked with distributing trillions of dollars in just a couple of months. Brand new programs like the Paycheck Protection Program were rolled out within days of being created. The Small Business Administration approved more PPP loans in four weeks than it had approved in traditional loans in four years. With limited staff, few technological tools to conduct prepayment verification and crushing need, SBA and other agencies abandoned many traditional controls and simply approved applicants with little or no verification of self-reported information. Both federal programs, like the PPP, and state programs like Pandemic Unemployment Assistance, attracted sophisticated fraudsters armed with massive volumes of stolen data. They swarmed state unemployment offices, applying for benefits using stolen identities to a degree never before witnessed. Many states are now reporting at least 30% likely fraud in PUA payments. Small business loans programs were similarly fleeced.

“Pay and chase” is the term used to describe the practice of making payments later deemed inappropriate and then chasing down the perpetrators to get the money back after the fact. Best practice calls for due diligence at the front end to avoid making the fraudulent or improper payment in the first place. But in the rush to quickly distribute pandemic relief, we failed to do that and so now we are chasing—the work being done to track down fraud in these programs is just getting started. Armies of forensic accountants and lawyers will be mounting cases for a decade or more, but the recovered funds will be a fraction of what was stolen. Speed must be balanced with controls, and the government was not equipped with the automated tools needed to control fraud while getting payments out quickly.

2. Nearly all aspects of collecting and using data in the government are broken. Data is the backbone of effective administration of any large program and distributing billions or trillions of dollars simply cannot be done effectively without the use of data. The pandemic revealed the extent of the government’s weaknesses in data usage in key areas:

  • Data collection. Data in small business programs was so poorly collected that meaningful analysis of loans after the fact was exceptionally difficult—only 10% of loans reported any demographic information, and there were no clear data standards, which meant, for example, that “Washington, D.C.,” was reported 13 different ways. Further, many agencies used vague descriptors when reporting their pandemic spending. The PRAC’s analysis identified 40,000 awards that had the same project description as the program—usually simply “CARES Act,” which did not allow the public to understand how the money was being spent. GAO also reported data collection weaknesses in Health and Human Services programs. This lack of transparency in pandemic spending—which the PRAC publicly reported in October, 2020—limited oversight agencies’ and the public’s ability to fully track pandemic funds.
  • Data sharing. Data sharing within the government is embarrassingly nonexistent, in large part due to restrictive privacy laws. The result is that federal agencies do not have access to data to verify information from applicants that would allow them to reject many as ineligible. For example, only four states have electronic marriage records, meaning the Social Security Administration cannot verify the accuracy of a beneficiary’s marriage claim, which would have enormous implications on the amount of their benefit. “Double dipping,” in which individuals get benefits from multiple programs for which they are ineligible, is rampant due to agencies’ inability to verify that an applicant is receiving a benefit from another program. State unemployment agencies have the option to use a clearinghouse that shares data on unemployment applicants across states, but only about half of the states use it. 
  • Data analytics. And finally, for those agencies that do collect data, few are using it to prevent and detect fraud or improper payments. If agencies collected and used IP address data, for example, they could identify an unemployment applicant using a computer that is based in a foreign country. If they cross checked applicants’ data with prison records, tens of thousands of prisoners in California would not have fraudulently received unemployment assistance payments. If agencies analyzed payment data, they would uncover patterns that indicated fraud ring activity.

The pandemic has revealed the depth of the data challenges in government and addressing these challenges must be a top priority going forward.

3. The future of fraud lies in the value of stolen personal information. Large scale identity theft-based fraud in pandemic unemployment assistance stunned many, even those who fight fraud for a living. This problem has been brewing for at least a decade and the financial services sector has been innovating in the fight against identity theft for several years now. Data breaches are now just another fact of life, most people will acknowledge that their personal information has been breached with a resignation that hints at a sense of futility in trying to stop it. The many large scale data breaches that occurred in the last decade created a windfall for fraudsters during the pandemic, when they learned how few controls states had in place to detect identity theft.

I certainly hope we never experience another crisis like the pandemic again in our lifetimes, but because this was a unique event does not mean states and federal agencies should maintain the status quo when it comes to verifying the identity of applicants. Investment in identity verification tools—those that are more common like multi-factor authentication to the more cutting edge that use biometrics to verify an applicants’ identity—are paramount. And using data analytics to authenticate the device an applicant is using is no longer optional. Building an arsenal against identity theft will pay dividends in the future, as the use of online benefits applications grows along with the threat of identity theft-based fraud.

Much work lies ahead to repair the fissures in government systems uncovered during the pandemic. Investments in modernizing IT systems and implementing advanced analytics, including identity management, across federal and state agencies are badly needed, as is legislation to facilitate better data sharing and more stringent requirements to proactively address the risks of fraud. It's time to make the investments in and demonstrate commitment to the integrity of taxpayer dollars. In the future, we cannot simply blame an unprecedented set of circumstances for the fleecing of the American taxpayer. 

Linda Miller served as deputy executive director of the Pandemic Response Accountability Committee from June 2020 to June 2021. She is returning to private practice as a Principal at Grant Thornton, LLP, where she will lead the firm’s Fraud and Financial Crimes Practice.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.