Expedited Assistance for Victims of Hurricanes Katrina and Rita
FEMA's Control Weaknesses Exposed the Government to Significant Fraud and Abuse Gao ID: GAO-06-655 June 16, 2006In the wake of Hurricanes Katrina and Rita, the Federal Emergency Management Agency (FEMA) faced the challenge of providing assistance quickly while having sufficient controls to provide assurance that benefits were paid only to those eligible under the Individuals and Households Program (IHP). On February 13, 2006, GAO testified on the initial results of its ongoing work related to whether (1) controls are in place and operating effectively to limit assistance to qualified applicants, (2) indications exist of fraud and abuse in the application for and receipt of assistance payments, and (3) controls are in place and operating effectively over debit cards to prevent duplicate payments and improper usage.
GAO identified significant flaws in the process for registering disaster victims that leave the federal government vulnerable to fraud and abuse of expedited assistance (EA) payments. For Internet applications, limited automated controls were in place to verify a registrant's identity. However, there was no independent verification of the identity of those who applied for disaster assistance via the telephone. GAO demonstrated the vulnerability inherent in the call-in applications by using falsified identities, bogus addresses, and fabricated disaster stories to register for IHP. FEMA's automated system frequently identified potentially fraudulent registrations, such as multiple registrations with identical social security numbers (SSN) but different addresses. However, the manual process used to review these flagged applications did not prevent EA and other payments from being issued. Other control weaknesses include the lack of any validation of damaged property addresses for both Internet and telephone registrations. Given these weak or nonexistent controls, it is not surprising that GAO's data mining and investigations showed substantial potential for fraud and abuse of EA. Thousands of registrants misused IHP by applying for assistance using SSNs that were never issued or belonged to deceased or other individuals. GAO's case study investigations of several hundred registrations also indicate the use of bogus damaged property addresses. Visits to over 200 of these damaged properties in Texas and Louisiana showed that at least 80 of these addresses were bogus--including vacant lots and nonexistent apartments. FEMA also made duplicate EA payments to about 5,000 of the nearly 11,000 debit card recipients--once through the distribution of debit cards and again by check or electronic funds transfer. In addition, while debit cards were used predominantly to obtain cash, food, clothing, and personal necessities, a small number were used for adult entertainment, bail bond services, and weapons purchase, which do not appear to be items or services required to satisfy disaster-related needs.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-06-655, Expedited Assistance for Victims of Hurricanes Katrina and Rita: FEMA's Control Weaknesses Exposed the Government to Significant Fraud and Abuse
This is the accessible text file for GAO report number GAO-06-655
entitled 'Expedited Assistance For Victims of Hurricanes Katrina and
Rita: FEMA's Control Weaknesses Exposed the Government to Significant
Fraud and Abuse' which was released on June 16, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
June 2006:
Expedited Assistance For Victims Of Hurricanes Katrina And Rita:
FEMA's Control Weaknesses Exposed the Government to Significant Fraud
and Abuse:
GAO-06-655:
GAO Highlights:
Highlights of GAO-06-655, a report to congressional committees.
Why GAO Did This Study:
In the wake of Hurricanes Katrina and Rita, the Federal Emergency
Management Agency (FEMA) faced the challenge of providing assistance
quickly while having sufficient controls to provide assurance that
benefits were paid only to those eligible under the Individuals and
Households Program (IHP). On February 13, 2006, GAO testified on the
initial results of its ongoing work related to whether (1) controls are
in place and operating effectively to limit assistance to qualified
applicants, (2) indications exist of fraud and abuse in the application
for and receipt of assistance payments, and (3) controls are in place
and operating effectively over debit cards to prevent duplicate
payments and improper usage.
What GAO Found:
GAO identified significant flaws in the process for registering
disaster victims that leave the federal government vulnerable to fraud
and abuse of expedited assistance (EA) payments. For Internet
applications, limited automated controls were in place to verify a
registrant‘s identity. However, there was no independent verification
of the identity of those who applied for disaster assistance via the
telephone. GAO demonstrated the vulnerability inherent in the call-in
applications by using falsified identities, bogus addresses, and
fabricated disaster stories to register for IHP. Below is a copy of one
of the $2,000 checks that GAO received in response to its bogus
telephone applications.
FEMA‘s automated system frequently identified potentially fraudulent
registrations, such as multiple registrations with identical social
security numbers (SSN) but different addresses. However, the manual
process used to review these flagged applications did not prevent EA
and other payments from being issued. Other control weaknesses include
the lack of any validation of damaged property addresses for both
Internet and telephone registrations.
Given these weak or nonexistent controls, it is not surprising that
GAO‘s data mining and investigations showed substantial potential for
fraud and abuse of EA. Thousands of registrants misused IHP by applying
for assistance using SSNs that were never issued or belonged to
deceased or other individuals. GAO‘s case study investigations of
several hundred registrations also indicate the use of bogus damaged
property addresses. Visits to over 200 of these damaged properties in
Texas and Louisiana showed that at least 80 of these addresses were
bogus”including vacant lots and nonexistent apartments. FEMA also made
duplicate EA payments to about 5,000 of the nearly 11,000 debit card
recipients”once through the distribution of debit cards and again by
check or electronic funds transfer. In addition, while debit cards were
used predominantly to obtain cash, food, clothing, and personal
necessities, a small number were used for adult entertainment, bail
bond services, and weapons purchase, which do not appear to be items or
services required to satisfy disaster-related needs.
What GAO Recommends:
GAO recommends that the Department of Homeland Security direct FEMA to
take six actions, including establishing both an identity and address
verification process, entering into agreements with other agencies to
authenticate information on IHP registrations, establishing procedures
to collect duplicate payments, and providing assurance that future
distribution of debit cards includes instructions on the proper use of
IHP funds. DHS and FEMA concurred fully with four of the six
recommendations, and partially concurred with the remaining two. In
addition, FEMA reported that it has instituted corrective actions to
remedy the weaknesses we identified.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-655].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory D. Kutz at 202-
512-7455 or kutzg@gao.gov.
[End of Section]
Contents:
Letter:
Overview of Testimony:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Testimony on FEMA's Control Weaknesses over Expedited
Assistance for Victims of Hurricanes Katrina and Rita:
Appendix II: Comments from the Federal Emergency Management Agency:
Letter:
June 16, 2006:
Congressional Committees:
On February 13, 2006, we testified before the Senate Committee on
Homeland Security and Governmental Affairs on the initial results of
our ongoing forensic audits and related investigations of assistance
provided by the Federal Emergency Management Agency (FEMA) to
individuals and households affected by Hurricanes Katrina and
Rita.[Footnote 1] The Individuals and Households Program (IHP), a major
component of the federal disaster response efforts established under
the Robert T. Stafford Disaster Relief and Emergency Assistance Act
(Stafford Act),[Footnote 2] is designed to provide financial assistance
to individuals and households who, as a direct result of a major
disaster, have necessary expenses and serious needs that cannot be met
through other means. In the wake of Hurricanes Katrina and Rita, FEMA
provided $2,000 in IHP payments to affected households via its
Expedited Assistance (EA) program. Victims who received EA may qualify
for up to $26,200 in IHP assistance. As of mid-December 2005, IHP
payments totaled about $5.4 billion, with $2.3 billion provided in the
form of EA. These payments were made via checks, electronic fund
transfers, and a small number of debit cards. Our initial work focused
on whether (1) controls are in place and operating effectively so that
expedited assistance payments are only made to qualified registrants,
(2) indications exist of fraud and abuse in the registration for and
receipt of expedited assistance and other payments, and (3) controls
are in place and operating effectively over debit cards to prevent
duplicate payments and improper usage. This report summarizes our
testimony, which is reprinted in Appendix I, and makes specific
recommendations for corrective actions. These recommendations relate
only to the limited scope of work completed for our testimony and will
therefore not prevent all improper and fraudulent IHP payments. In the
future, we will continue to audit and investigate the assistance
provided by FEMA in the aftermath of hurricanes Katrina and Rita, and
we will issue further recommendations designed to create a more
comprehensive fraud prevention program for IHP.
Overview of Testimony:
In our testimony, we stated that weaknesses in the process that FEMA
used to review registrations for disaster relief and approve assistance
payments left the government vulnerable to fraud and abuse. Our work
indicated that FEMA put in place limited procedures designed to
prevent, detect, and deter certain types of duplicate and potentially
fraudulent disaster registrations. Specifically, individuals could
apply for disaster assistance via the Internet or telephone. FEMA
subjected the Internet registrations to a limited verification process
whereby a FEMA contractor used credit and other information to validate
the identity of registrants. Those who failed the Internet verification
process were advised to contact FEMA via telephone to reregister.
However, FEMA did not apply the identity validation process to
telephone registrations. Of the more than 2.5 million registrations
recorded in FEMA's database as of mid-December 2005, 60 percent (more
than 1.5 million) were exempt from any identity verification because
they were submitted via the telephone. Our data mining and
investigations confirmed FEMA's representation. For example, using
falsified identities, bogus addresses, and fabricated disaster stories,
we applied for disaster assistance over the telephone and obtained
$2,000 expedited assistance payments.
Other control weaknesses further increased the government's exposure to
fraud and abuse. For example, we found that FEMA instituted automated
checks that flagged hundreds of thousands of potentially duplicate
registrations in the computer system FEMA used to process and approve
IHP registrations for payments. FEMA officials informed us that these
flagged registrations were subjected to additional reviews to conclude
whether they were, in fact, duplicates. However, while the additional
review process may have prevented some potentially fraudulent and
improper payments, it did not prevent other potentially fraudulent and
improper payments based on duplicate registrations. We also found that
FEMA did not implement procedures to validate whether damaged addresses
used to register for assistance were bogus, for either Internet or
telephone registrations.
With limited or nonexistent validation of registrants' identities and
damaged addresses, it is not surprising that our data mining and
investigations found substantial indicators of potential fraud and
abuse related to false or duplicate information submitted on disaster
registrations. For example, according to Social Security Administration
(SSA) data, FEMA made millions of dollars in payments to thousands of
registrants who submitted Social Security Numbers (SSN) that have not
been issued or belonged to deceased individuals. Our data mining also
detected that FEMA made tens of thousands of payments to registrants
who provided other false or duplicate information on their
registrations. Specifically, we investigated 20 case studies with
multiple registrations.[Footnote 3] A majority of these registrations-
-165 of 248--contained SSNs that, according to the SSA, were never
issued, belonged to deceased individuals, or did not match the name
provided. In addition, about 80 of the over 200 alleged disaster
addresses that we attempted to validate were bogus addresses. Also, our
case study registrants did not live in many of the remaining valid
addresses. In one specific case example, 17 individuals, some of whom
shared the same last name and current addresses, used 34 different SSNs
that did not belong to them and addresses that were either bogus or
were not their residences to receive more than $103,000 in FEMA
payments. In addition, because the hurricanes had destroyed many homes,
we could not determine if approximately 15 of the alleged disaster
addresses had ever existed.
Similar to the control weaknesses over expedited assistance payments
distributed through checks and electronic funds transfers, we found
that FEMA did not validate the identities of debit card recipients at
three relief centers in Texas who registered via the telephone.
Consequently, FEMA issued $2,000 debit cards to over 60 registrants who
provided SSNs that were never issued or belonged to deceased
individuals. We also found that FEMA made multiple expedited assistance
payments to over 5,000 of the 11,000 debit card recipients. That is,
FEMA provided the registrant both a $2,000 debit card and a $2,000
check or electronic fund transfer. Further, at the time of debit card
issuance, unlike the recipients who received expedited assistance
payments via checks or EFTs, FEMA did not issue specific instructions
to debit card recipients on the use of the cards. We found that debit
cards were used predominantly to obtain cash and thus are unable to
determine how the money was actually used. The majority of the
remaining debit card purchases were for food, clothing, and personal
necessities. However, in isolated instances, a few debit cards were
used to pay for items or services that, on their face, do not seem
essential to satisfy disaster related needs. For example, these debit
cards were used in part to purchase adult entertainment, a .45 caliber
hand gun, jewelry, bail bond services, and to pay for prior traffic
violations.[Footnote 4]
Conclusions:
FEMA has a substantial challenge in balancing the need to get money out
quickly to those who are actually in need and sustaining public
confidence in disaster programs by taking all possible steps to
minimize fraud and abuse. Nevertheless, FEMA could reasonably be
expected to have mature, fully tested processes, along with business
partners in the federal, state, and private sector, that can provide it
with real time access to the data required to validate identities and
addresses for those seeking disaster assistance. Once fraudulent
registrations are made and money is disbursed, detecting and pursuing
those who committed fraud in a comprehensive manner is costly and may
not result in recoveries. Further, many of those fraudulently
registered in the FEMA system already received expedited assistance and
will likely receive more money, as each registrant can receive as much
as $26,200 per registration.
Another key element to preventing fraud in the future is to ensure
there are consequences for those that commit fraud. We are referring
the fraud cases that we are investigating to the Katrina Fraud Task
Force for further investigation and, where appropriate, prosecution. We
believe that prosecution of individuals who have obtained disaster
relief payments through fraudulent means will send a message for future
disasters that there are consequences for defrauding the government.
Recommendations for Executive Action:
We recommend that the Secretary of the Department of Homeland Security
(DHS) direct the Director of the Federal Emergency Management Agency to
take six actions to address the weaknesses we identified in the
administration of IHP. These six recommendations relate only to the
limited scope of work that we have completed to date and will not
prevent all types of improper and fraudulent IHP payments.
Consequently, we will continue to audit and investigate the assistance
provided by FEMA in the aftermath of hurricanes Katrina and Rita and we
will issue further recommendations designed to create a more
comprehensive fraud prevention program for IHP. To address the concerns
raised in our February 13, 2006, testimony, we recommend that DHS and
FEMA do the following:
* Establish an identity verification process for Individuals and
Households Program (IHP) registrants applying via both the Internet and
telephone, to provide reasonable assurance that disaster assistance
payments are made only to qualified individuals. Within this process:
* establish detailed criteria for registration and provide clear
instructions to registrants on the identification information required,
* create a field within the registration that asks registrants to
provide their name exactly as it appears on their Social Security Card
in order to prevent name and Social Security Number (SSN) mismatches,
* fully field test the identity verification process prior to
implementation,
* ensure that call center employees give real-time feedback to
registrants on whether their identities have been validated, and:
* establish a process that uses alternative means of identity
verification to expeditiously handle legitimate applicants that are
rejected by identity verification controls.
* Develop procedures to improve the existing review process of
duplicate registrations containing the exact same SSN and to identify
the reasons why registrations flagged as invalid or as potential
duplicates have been overridden and approved for payment.
* Establish an address verification process for IHP registrants
applying via both the Internet and telephone, to provide reasonable
assurance that disaster assistance payments are made only to qualified
individuals. Within this process:
* create a uniform method to input street names and numbers and
apartment numbers into the registration,
* institute procedures to check IHP registration damaged addresses
against publicly available address databases so that payments are not
made based on bogus property addresses,
* fully field test the address verification process prior to
implementation,
* ensure that call center employees can give real time feedback to
registrants on whether addresses have been validated, and:
* establish a process that uses alternative means of address
verification to expeditiously handle legitimate applicants that are
rejected by address verification controls.
* Explore entering into an agreement with other agencies, such as the
Social Security Administration, to periodically authenticate
information contained in IHP registrations.
* Establish procedures to collect duplicate expedited assistance
payments or to offset these amounts against future payments. Such
duplicate payments include:
* the payments made to IHP recipients who improperly received the
$2,000 debit cards and an additional $2,000 EA check or Electronic
Funds Transfer (EFT) and:
* the thousands of duplicate EA payments made to the same IHP
registration number.
* Ensure that any future distribution of IHP debit cards includes
instructions on the proper use of IHP funds, similar to those
instructions provided to IHP check and EFT recipients, to prevent
improper usage.
Agency Comments and Our Evaluation:
In written comments on a draft of this report, which are reprinted in
appendix II, DHS and FEMA made a number of observations that were not
related to any specific recommendation, concurred fully with four of
our six recommendations, and partially concurred with the remaining two
recommendations. In general comments, FEMA and DHS stated that they
could benefit more from the report if information sharing between GAO
and FEMA had been reciprocal. We believe that we employed such an
arrangement throughout this engagement. We regularly briefed DHS and
FEMA concerning the progress of the audit. For example, we notified
FEMA management immediately after we detected that duplicate EA
payments were made to individuals who had received debit cards, and
worked closely with FEMA's Disaster Finance Center to resolve other
issues related to payments that appeared to exceed the $26,200 limit
for specific recipients.
DHS and FEMA also expressed concern over the objectivity and fairness
of our report. Specifically, DHS and FEMA noted that our selection of
248 registrations was not a representative sample and was geared
specifically toward identifying and reporting on registrations that had
problems. Our testimony clearly states that the case studies we used
were intended to demonstrate the type of fraud and abuse that occurred
because of weak or nonexistent controls over the registration process
and did not represent a statistical sample of registrations. The
primary findings of our work relate to weak or nonexistent controls
that leave the government vulnerable to substantial fraud and abuse in
the IHP. Furthermore, as represented at the February 13, 2006, hearing,
we are continuing our work in this area. Specifically, we have taken a
statistical sample of IHP payments so that we can statistically
estimate the magnitude of improper and potentially fraudulent claims.
We have nearly completed this work and plan to report our findings
later this month.
FEMA and DHS also found problems with our assertion that EA payments
were the gateway to future IHP payments. Specifically, FEMA and DHS
noted that future IHP payments are subjected to additional scrutiny. We
did not test this additional scrutiny as part of our February 13, 2006,
testimony. However, we continue to believe that accepting registrations
for individuals using invalid identity and damaged property information
subjects the federal government to a high risk of fraud and abuse
beyond EA payments. We believe that our ongoing audit and investigative
work sheds further light on whether the additional scrutiny that FEMA
asserts does in fact prevent fraudulent and improper payments related
to rental assistance and other covered losses.
FEMA and DHS further noted that we made several references to isolated
incidents where debit cards were used for purchases that did not appear
to be for disaster needs, and FEMA questioned whether highlighting
those examples was appropriate. We specifically noted in each reference
to these purchases that they were isolated and were not representative
of the general breakdown of known debit card usage. We also clearly
stated that over 60 percent of debit card transactions were used to
obtain cash and could not be tracked further to identify the final use
of the IHP funds. We identified the non-disaster-related purchases to
highlight the fact that FEMA did not provide any instruction to debit
card recipients on the appropriate use of IHP funds.
With regard to specific recommendations, FEMA and DHS concurred fully
that FEMA (1) improve procedures to review registrations containing the
same SSNs and other duplicate information; (2) subject all registration
addresses to verification during the registration process; (3) explore
entering into agreements with other agencies, such as the Social
Security Administration, to periodically authenticate IHP information;
and (4) issue proper instructions to any future debit card recipients.
FEMA and DHS stated that they have already taken actions to address
these recommendations. These actions include instituting an Internet
application process that will prevent all duplicate registrations from
the Internet, implementing procedures so that call centers will no
longer accept duplicate registrations with the same SSN in the same
disaster, and conducting conference calls and conducting data sharing
tests with SSA. In addition, DHS and FEMA stated that, starting in June
2006, all registration addresses (even phone-in) will be subjected to
an online verification during the registration process. While these are
steps in the right direction, we will follow up on whether the actions
taken fully address our recommendations.
FEMA and DHS partially concurred with our recommendation concerning
duplicate payments. FEMA and DHS took exception with our categorization
of some payments as being potential duplicates, and with our assessment
that they should initiate actions to collect duplicate EA payments or
offset these amounts in the future, stating that it was unclear whether
some of the of the payments were in fact valid due to the "separated
households" policy instituted for hurricanes Katrina and Rita. With
respect to duplicate registrations, we maintain that these
registrations are very likely duplicates because the payments were made
to several individuals with the same last names, same damaged
addresses, and the same current addresses; FEMA's own database clearly
indicates that these were not separated households. For all our case
study examples, we conducted further investigative work to confirm that
the payments were made to actual duplicates, not covered by the
separated household policy, and were therefore improper payments.
As for initiating actions to collect duplicate payments, DHS and FEMA
stated that they had processed for recoupment nearly all the payments
they believed were duplicates as of April 1, 2006. While we have not
assessed the effectiveness of FEMA's recoupment process, we continue to
believe that FEMA should attempt to recoup as many dollars of improper
payments as possible, including those duplicate payments that we
identified that FEMA questioned.
FEMA also stated that many of what we identified as duplicate payments
effectively will be offset because the registrant will ultimately be
eligible for more than the amount of the duplicate payments, up to a
maximum of $26,200 that a single household can receive. We believe that
FEMA's position is shortsighted because it does not reflect the
likelihood that some individuals are not entitled to, and will not
receive, additional funds regardless of the cap limitations. Thus, FEMA
should not use $26,200 as the aggregate dollar test. Rather, FEMA
should follow its own policy of limiting EA to $2,000; adhere to the
statutory caps that are allowed for specific categories of aid; and
promptly recover the amounts that exceed the category limits.
Therefore, we continue to believe that FEMA should review all the
registrations we identified as potential duplicates to access whether
collection is necessary.
We also disagree with FEMA's statement that its "management was keenly
aware" that a recipient could receive more than one EA payment, and
that it knowingly issued these duplicate payments partly because
individuals in shelters did not have access to their banking
institution (and thus their EA payments) and therefore were in need of
immediate assistance in the form of debit cards. While we recognize
that providing individuals access to immediate funds was a priority
following the hurricanes, FEMA's data and its representations made to
us months ago do not support its claim that it knowingly made those
payments. For example, when we questioned the official responsible for
managing FEMA's national disaster assistance processing center about
the more than duplicate 5,000 EA payments to individuals who had
already received debit cards, he told us that he was unaware of the
magnitude of the duplicate payments. After researching the issue, he
informed us that the duplicate payments in question were made as a
result of a "system glitch" and not as a result of a deliberate action
on the part of FEMA management. In addition, the more than 5,000
duplicate payments in question were all made within the span of several
hours roughly a week after FEMA completed issuing all the debit cards.
An analysis of the more than 5,000 duplicate payments indicates that
there was no apparent reason why only about half of the roughly 10,000
debit card recipients received the duplicate payments. Using FEMA's
rationale, all 10,000 registrants who received a debit card should have
received a duplicate EA payment.
FEMA and DHS partially concurred with our recommendation to establish
identity verification processes for IHP registrants applying via the
phone and Internet. FEMA and DHS stated that they had implemented
identity proofing on call center applications. As noted in our report,
FEMA instituted identity proofing for Internet registrants at the time
of the two hurricanes, and FEMA and DHS response to our report
indicates that FEMA instituted identity proofing for call center
registrants. In future work, we will follow up on whether these actions
fully address our recommendations. FEMA and DHS additionally commented
that they did not see the necessity of requiring registrants to also
provide their name exactly as it appears on their Social Security Card,
noting that their data contractor is able to use logic to find aliases
and nicknames. While we do not object to FEMA collecting the nicknames
or aliases of registrants applying for disaster assistance, we continue
to believe that registrants should be instructed to provide their name
as it appears on their Social Security Card to prevent name and social
security mismatches. Instructing registrants to provide the name that
appears on their Social Security Card can only help--not hinder--the
registrant verification process.
FEMA and DHS's responses indicate that they are attempting to address
some of the systemic problems we identified in the IHP program. Going
forward it will be important for FEMA to establish effective controls
to prevent fraudulent and improper payments before they occur, because
fraud prevention is a far more effective control than detecting
improper and potentially fraudulent payments after they are made. Our
experience with organizations that rely on a process that attempts to
detect improper and potentially fraudulent payments after they are made
is that the organization recovers only a fraction of the payments that
should not have been made.
We are sending copies of this report to the Secretary of the Department
of Homeland Security, and the Director of Federal Emergency Management
Agency. We will make copies available to others upon request. In
addition, the report will be available at no charge on the GAO Web site
at [Hyperlink, http://www.gao.gov]. Please contact me at (202) 512-7455
or kutzg@gao.gov if you or your staffs have any questions concerning
this report. Contact points for our Offices of Congressional Relations
and Public Affairs may be found on the last page of this report.
SIgned by:
Gregory D. Kutz:
Managing Director:
Forensic Audits and Special Investigations:
List of Committees:
The Honorable Susan M. Collins:
Chairman:
The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Tom Davis:
Chairman:
The Honorable Henry A. Waxman:
Ranking Minority Member:
Committee on Government Reform:
House of Representatives:
The Honorable Harold Rogers:
Chairman:
The Honorable Martin Olav Sabo:
Ranking Minority Member:
Subcommittee on Homeland Security:
Committee on Appropriations:
House of Representatives:
The Honorable Michael McCaul:
Chairman:
The Honorable Bob Etheridge:
Ranking Minority Member:
Subcommittee on Investigations:
Committee on Homeland Security:
House of Representatives:
[End of section]
Appendix I: Testimony on FEMA's Control Weaknesses over Expedited
Assistance for Victims of Hurricanes Katrina and Rita:
Testimony:
Before the Senate Committee on Homeland Security and Governmental
Affairs:
United States Government Accountability Office:
GAO:
For Release on Delivery Expected at 10 a.m. EST:
Monday, February 13, 2006:
Expedited Assistance for Victims of Hurricanes Katrina and Rita:
FEMA's Control Weaknesses Exposed the Government to Significant Fraud
and Abuse:
Statement of Gregory D. Kutz, Managing Director, Forensic Audits and
Special Investigations:
GAO-06-403T:
GAO Highlights:
Highlights of GAO-06-403T, a testimony before the Senate Committee on
Homeland Security and Governmental Affairs:
Why GAO Did This Study:
As a result of widespread congressional and public interest in the
federal response to hurricanes Katrina and Rita, GAO conducted an audit
of the Individuals and Households Program (IHP) under Comptroller
General of the United States statutory authority.
Hurricanes Katrina and Rita destroyed homes and displaced millions of
individuals. In the wake of these natural disasters, FEMA faced the
challenge of providing assistance quickly and with minimal ’red tape,“
while having sufficient controls to provide assurance that benefits
were paid only to eligible individuals and households. In response to
this challenge, FEMA provided $2,000 in IHP payments to affected
households via its Expedited Assistance (EA) program. Victims who
received EA may qualify for up to $26,200 in IHP assistance. As of mid-
December 2005, IHP payments totaled about $5.4 billion, with $2.3
billion provided in the form of EA. These payments were made via
checks, electronic fund transfers, and a small number of debit cards.
GAO‘s testimony will provide the results to date related to whether (1)
controls are in place and operating effectively to limit EA to
qualified applicants, (2) indications exist of fraud and abuse in the
application for and receipt of EA and other payments, and (3) controls
are in place and operating effectively over debit cards to prevent
duplicate EA payments and improper usage.
What GAO Found:
We identified significant flaws in the process for registering disaster
victims that leave the federal government vulnerable to fraud and abuse
of EA payments. For Internet applications, limited automated controls
were in place to verify a registrant‘s identity. However, we found no
independent verification of the identity of registrants who registered
for disaster assistance over the telephone. To demonstrate the
vulnerability inherent in the call-in applications, we used falsified
identities, bogus addresses, and fabricated disaster stories to
register for IHP. Below is a copy of one of the $2,000 checks that we
received to date for our bogus telephone applications.
[See PDF for image]
[End of figure]
We also found that FEMA‘s automated system frequently identified
potentially fraudulent registrations, such as multiple registrations
with identical social security numbers (SSN) but different addresses.
However, the manual process used to review these registrations did not
prevent EA and other payments from being issued. Other control
weaknesses include the lack of any validation of damaged property
addresses for both Internet and telephone registrations.
Given the weak or non existent controls, it is not surprising that our
data mining and investigations to date show the potential for
substantial fraud and abuse of EA. Thousands of registrants misused
SSNs, i.e., used SSNs that were never issued or belonged to deceased or
other individuals. Our case study investigations of several hundred
registrations also indicate significant misuse of SSNs and the use of
bogus damaged property addresses. For example, our visits to over 200
of the case study damaged properties in Texas and Louisiana showed that
at least 80 of these properties were bogus”including vacant lots and
nonexistent apartments.
We found that FEMA also made duplicate EA payments to about 5,000 of
the nearly 11,000 debit card recipients”once through the distribution
of debit cards and again by check or electronic funds transfer. We
found that while debit cards were used predominantly to obtain cash,
food, clothing, and personal necessities, a small number were used for
adult entertainment, bail bond services and weapons purchase, which do
not appear to be items or services that are essential to satisfy
disaster related essential needs.
[Hyperlimk, http://www.gao.gov/cgi-bin/getrpt?GAO-06-403T].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory Kutz at (202) 512-
7455 or kutzg@gao.gov.
[End of section]
Chairman and Members of the Committee:
Thank you for the opportunity to discuss our ongoing forensic audit and
related investigations of assistance provided to individuals and
households related to hurricanes Katrina and Rita. The Individuals and
Households Program (IHP), a major component of the federal disaster
response efforts established under the Robert T. Stafford Disaster
Relief and Emergency Assistance Act (Stafford Act),[Footnote 1] is
designed to provide financial assistance to individuals and households
who, as a direct result of a major disaster, have necessary expenses
and serious needs that cannot be met through other means. As of mid-
December 2005, the Federal Emergency Management Agency (FEMA) had
distributed nearly $5.4 billion in IHP assistance on more than 1.4
million registrations. Hurricanes Katrina and Rita destroyed homes and
displaced individuals across the gulf coast region. In the wake of
these massive natural disasters, FEMA faced the formidable challenge of
providing at least some initial assistance to over a million
registrants quickly with minimal "red tape," while having sufficient
controls in place to provide assurance that benefits were paid only to
eligible individuals and households.
Disaster relief covered by IHP includes temporary housing assistance,
real and personal property repair and replacement, and other necessary
expenses related to a disaster. IHP assistance is generally delivered
after an inspection has been conducted to verify the extent of loss and
determine eligibility. Because of the tremendous devastation caused by
hurricanes Katrina and Rita, FEMA activated expedited assistance to
provide fast track money[Footnote 2]--in the form of $2,000 in
expedited assistance payments--to eligible disaster victims to help
with immediate, emergency needs of food, shelter, clothing, and
personal necessities. This swift response was vital in helping victims
of hurricanes Katrina and Rita. FEMA specified that expedited
assistance payments were to be provided only to individuals and
households who, as a result of hurricanes Katrina and Rita, were
displaced from their predisaster primary residences and were in need of
shelter. Typically a household[Footnote 3] can only receive one
expedited assistance payment. Exceptions are made in situations where
household members are displaced to separate locations, in which case
more than one member of the household may be eligible for payments.
FEMA provided expedited assistance payments related to hurricanes
Katrina and Rita predominantly through electronic funds transfer (EFT)
and checks sent to the registrants' current addresses.[Footnote 4] In
addition, FEMA provided a limited amount of expedited assistance via
debit cards[Footnote 5] distributed at three locations in Texas.
As of mid-December 2005, FEMA data showed that the agency had delivered
44 percent ($2.3 billion) of the $5.4 billion in IHP aid through
expedited assistance to hurricanes Katrina and Rita registrants across
at least 175 counties in 4 different states. Almost $1.6 billion went
to individuals with damaged addresses in Louisiana, more than $400
million to individuals in Texas, and over $300 million to individuals
in Alabama and Mississippi. Registrants determined to be eligible for
expedited assistance may also be eligible to receive additional IHP
payments up to the overall IHP cap of $26,200.
Our current audit and investigation is being performed under the
statutory authority given to the Comptroller General of the United
States. Our audit and investigation is conducted under the premise that
while the federal government needs to provide swift and compassionate
assistance to the victims of natural disasters, public confidence in an
effective disaster relief program that takes all possible steps to
minimize fraud, waste, and abuse needs to be preserved. Today, we will
summarize the results from our ongoing forensic audit and related
investigations of the IHP program.[Footnote 6] This testimony will
provide the results of our work related to whether (1) controls are in
place and operating effectively to limit expedited assistance to
qualified registrants, (2) indications exist of fraud and abuse in the
registration for and receipt of expedited assistance and other
payments, and (3) controls are in place and operating effectively over
debit cards to prevent duplicate payments and improper usage. We plan
to issue a detailed report with recommendations on the results of our
audit.
Thus far, our work has focused primarily on the IHP registration
process because individuals whose registrations are approved have
access to expedited assistance payments and subsequently the full range
of IHP benefits. To assess the design of controls, we performed
walkthroughs of FEMA's processes for accepting registrations and
awarding expedited assistance funds. To determine whether indications
existed of fraud and abuse in expedited assistance and other
disbursements, we provided FEMA data to the Social Security
Administration (SSA) to verify against their records of valid social
security numbers (SSNs), and reviewed the FEMA database of IHP
registrations for other anomalies using data mining techniques. To
determine whether registrations resulted in potentially fraudulent or
improper payments, we selected a nonrepresentative selection of 248
registrations from our data mining results for further investigations.
The 248 registrations represented 20 case studies--some involving
multiple registrants--that we linked together through identical names,
SSNs, damaged addresses and/or current addresses. Our analysis of
potentially fraudulent use of SSNs and other data mining efforts are
ongoing, and we plan to report on additional results in the future. For
purposes of this testimony, we did not conduct sufficient work to
project the magnitude of potentially fraudulent and improper IHP
payments. We also proactively tested the adequacy of controls over the
registration process for disaster assistance by submitting claims for
relief using falsified identities, bogus addresses, and fabricated
disaster stories. These tests were performed before FEMA provided us
any information related to the processes used to screen IHP
registrations and preclude some fraudulent registrations. Additional
details on our scope and methodologies are included in appendix I.
In the course of our work, we made numerous written requests for key
documents and sets of data related to the IHP, most dating back to
October 2005. While FEMA officials promptly satisfied one key part of
our request--databases of IHP registrants and payments--the majority of
what we requested has not been provided. On January 18, 2006, the
Department of Homeland Security (DHS)[Footnote 7] Office of General
Counsel did provide us with well less than half of the documents that
were requested. While the database and other data provided by FEMA
enabled us to design procedures to test the effectiveness of FEMA's
system of internal controls, it did not enable us to fully determine
the root causes of weak or non-existent controls and formulate detailed
recommendations. For example, as will be discussed later, FEMA and the
DHS had not provided us documentation to enable us to conclusively
determine the reason that FEMA submitted some registrations, and did
not submit other registrations, to identity validation prior to issuing
expedited assistance payments.
We conducted our audit and investigations from October 2005 through
January 2006. Except for restrictions discussed previously related to
the limitations that DHS placed on the scope on our audit work, we
conducted our audit work in accordance with generally accepted
government auditing standards and conducted investigative work in
accordance with the standards prescribed by the President's Council on
Integrity and Efficiency. Our findings today focus primarily on the
results to date from of our data mining and investigative techniques.
Summary:
We found weaknesses in the process that FEMA used to review
registrations for disaster relief and approve assistance payments.
These weaknesses leave the government vulnerable to fraud and abuse.
Our work indicates that FEMA put in place limited procedures designed
to prevent, detect, and deter certain types of duplicate and
potentially fraudulent disaster registrations. However, FEMA did not
apply these limited procedures to most registrations, thus leaving a
substantial number of registrations without any protection against
fraud and abuse. Specifically, individuals could apply for disaster
assistance via the Internet or telephone. FEMA subjected Internet
registrations to a limited verification process whereby a FEMA
contractor used credit and other information to validate the identity
of registrants. Those who failed the Internet verification process were
advised to contact FEMA via telephone to reregister. However, FEMA did
not apply the identity validation process to any of the 1.5 million
registrants who contacted FEMA and applied for assistance over the
telephone. Our data mining and investigations confirmed FEMA's
representation. For example, using falsified identities, bogus
addresses, and fabricated disaster stories, we applied for disaster
assistance over the telephone and obtained $2,000 expedited assistance
payments.
Other control weaknesses further increased the government's exposure to
fraud and abuse. We found that FEMA instituted automated checks that
flagged hundreds of thousands of potentially duplicate registrations in
the computer system FEMA used to process and approve IHP registrations
for payments. FEMA officials informed us that these flagged
registrations were subjected to additional reviews to conclude whether
they were, in fact, duplicates. However, while the additional review
process may have prevented many potentially fraudulent and improper
payments, it did not prevent what appear to be other potentially
fraudulent and improper payments based on duplicate registrations. We
also found that FEMA did not implement procedures to validate whether
damaged addresses used to register for assistance were bogus, for
either Internet or telephone registrations.
With limited or nonexistent validation of registrants' identities and
damaged addresses, it is not surprising that our data mining and
investigations found substantial indicators of potential fraud and
abuse related to false or duplicate information submitted on disaster
registrations. For example, according to SSA data, FEMA made millions
of dollars in payments to thousands of registrants who submitted SSNs
that have not been issued or belonged to deceased individuals. Our data
mining also detected that FEMA made tens of thousands of payments to
registrants who provided other false or duplicate information on their
registrations. Specifically, in the 20 case studies we investigated, a
majority--165 of 248--of registrations contained SSNs that according to
the SSA were never issued, belonged to deceased individuals, or did not
match the name provided. In addition, about 80 of the over 200 alleged
disaster addresses that we attempted to validate were bogus addresses.
Also, our case study registrants did not live in many of the remaining
valid addresses. In one specific case example, 17 individuals, some of
whom shared the same last name and current addresses, used 34 different
SSNs that did not belong to them and addresses that were bogus or not
their residences to receive more than $103,000 in FEMA payments. In
addition, because the hurricanes had destroyed many homes, we could not
determine if approximately 15 of the alleged disaster addresses had
ever existed.
Similar to the control weaknesses over expedited assistance payments
distributed through checks and electronic funds transfers, we found
that FEMA did not validate the identities of debit card recipients at
three relief centers in Texas who registered via the telephone.
Consequently, FEMA issued $2,000 debit cards to over 60 registrants who
provided SSNs that were never issued or belonged to deceased
individuals. We also found that FEMA made multiple expedited assistance
payments to over 5,000 of the 11,000 debit card recipients. That is,
FEMA provided the registrant both a $2,000 debit card and a $2,000
check or electronic fund transfer. Further, at the time of debit card
issuance, unlike the recipients who received expedited assistance
payments via checks or EFTs, FEMA did not issue specific instructions
to debit card recipients on the use of the cards. We found that debit
cards were used predominantly to obtain cash and thus are unable to
determine how the money was actually used. The majority of the
remaining debit card purchases were for food, clothing, and personal
necessities. However, in isolated instances, a few debit cards were
used for to pay for items or services that, on their face, do not seem
essential to satisfy disaster related needs. For example, these debit
cards were used in part to purchase adult entertainment, a .45 caliber
hand gun, jewelry, bail bond services, and to pay for prior traffic
violations.[Footnote 8]
FEMA's Controls to Prevent Potentially Fraudulent Payments Were Not
Effective:
We found weak or nonexistent controls in the process that FEMA used to
review disaster registrations and approve assistance payments that
leave the federal government vulnerable to fraud and abuse. In the
critical aftermath of hurricanes Katrina and Rita, FEMA moved swiftly
to distribute expedited assistance payments to allow disaster victims
to mitigate and overcome the effects of the disasters. In this context,
the establishment of an effective control environment was a significant
challenge. Specifically, we found that FEMA had implemented some
controls prior to the disaster to provide automated validation of the
identity of registrants who applied for assistance via the Internet.
Our work thus far indicates that this resulted in FEMA rejecting some
registrants who provided names and SSNs that did not pass the
validation test. However, FEMA did not implement the same preventive
controls for those who applied via the telephone. Our use of fictitious
names, bogus addresses, and fabricated disaster stories to obtain
expedited assistance payments from FEMA demonstrated the ease with
which expedited assistance could be obtained by providing false
information over the telephone. Because expedited assistance is a
gateway to further IHP payments (up to $26,200 per registration),
approval for expedited assistance payments potentially exposes FEMA,
and the federal government, to more fraud and abuse related to
temporary housing, home repair and replacement, and other needs
assistance.
Pressure to Swiftly Deliver Aid Led to Approval of Expedited Assistance
Payments with Minimal Verification:
During the course of our audit and investigation, FEMA officials stated
that they did not verify whether registrants had insurance and whether
registrants were unable to live in their home prior to approving
expedited assistance payments. According to FEMA officials, the
unprecedented scale of the two disasters and the need to move quickly
to mitigate their impact led FEMA to implement expedited assistance.
Expedited assistance differs from the traditional way of delivering
disaster assistance in that it calls for FEMA to provide assistance
without requiring proof of losses and verifying the extent of such
losses. Consequently, FEMA implemented limited controls to verify
eligibility for the initial expedited assistance payments. According to
FEMA officials, these controls were restricted to determining whether
the damaged residence was in the disaster area and limited validation
of the identity of registrants who used the Internet. Registrants who
FEMA thought met these qualifications based on their limited
assessments were deemed eligible for expedited assistance.
FEMA Did Not Validate Identity of Registrants Who Applied for
Assistance via Telephone:
FEMA implemented different procedures when processing disaster
registrations submitted via the Internet and telephone calls. Of the
more than 2.5 million registrations recorded in FEMA's database, i.e.,
registrations that were successfully recorded--60 percent (more than
1.5 million) were exempt from any identity verification because they
were submitted via the telephone. Prior to sending out expedited
assistance payments, FEMA did not have procedures in place for Internet
or telephone registrations that screened out registrations where the
alleged damaged address was a bogus address. The lack of identity
verification for telephone registrations and any address validation
exposed the government to fraud and abuse of the IHP program.
For registrations taken through FEMA's Web site, registrants were
required to first provide a name, SSN, and date of birth. This
information was immediately provided (in electronic format) to a FEMA
contractor to compare against existing publicly available records.
While registrants were waiting on the Internet, the FEMA contractor
took steps to verify registrants' identities. The verification steps
involved confirming that the SSN matched with a SSN in public records,
that the name and SSN combination matched with an identity registered
in public records, and that the SSN was not associated with a deceased
individual. The FEMA contractor was responsible for blocking any
registrations for which any of these three conditions was not met.
Additionally, registrants who passed the first gate had to provide
answers to a number of questions aimed at further corroborating the
registrants' identities. Registrants who were rejected via the Internet
were advised to contact FEMA via telephone. Our audit and investigative
work indicated that this verification process helped deter obviously
fraudulent Internet registrations using false names and SSNs. However,
FEMA kept no record of the names, SSNs, and other information related
to the rejected registrations, and no record of the reasons that the
FEMA contractor blocked the registration from going forward. FEMA
acknowledged that it was conceivable that individuals who were rejected
because of false information submitted via the Internet could get
expedited assistance payments by providing the same false information
over the telephone.
Although the identity verification process appeared to have worked for
most Internet registrations, it did not identify a small number of
registrations with invalid SSNs. According to information we received
from the SSA, nearly 60 Internet registrants who received FEMA payments
provided SSNs that were never issued or belonged to individuals who
were deceased prior to the hurricanes. Results indicate that these
individuals may have passed the verification process because public
records used to verify registrants' identities were flawed. For
example, one credit history we obtained indicated that a registrant had
established a credit history using an invalid SSN.
Unlike the Internet process, FEMA did not verify the identity of
telephone registrants who accounted for over 60 percent of disaster
registrations recorded in FEMA's system. For registrants who registered
only via telephone, or registrants who called FEMA subsequent to being
denied on the Internet, FEMA did not have controls in place to verify
that the SSN had been issued, that the SSN matched with the name, that
the SSN did not belong to a deceased individual, or whether the
registrants had been rejected on prior Internet registrations. Because
the identity of telephone registrants was not subjected to basic
verification, FEMA did not have any independent assurance that
registrants did not falsify information to obtain disaster assistance.
According to FEMA officials, FEMA had a request in place to modify its
computer system to allow for identity verification for telephone
registrations similar to those used for the Internet. FEMA also
represented to us that due to budget constraints and other
considerations, the change was not implemented in time to respond to
hurricanes Katrina and Rita. However, to date we have not received
documentation to validate these representations.
Control Weaknesses Enabled GAO to Obtain $2,000 Expedited Assistance
Checks:
The lack of identity verification of phone registrants prior to
disbursing funds makes FEMA vulnerable to authorizing expedited
assistance payments based on fraudulent information submitted by
registrants. Prior to obtaining information on the control procedures
FEMA used to authorize expedited assistance payments, we tested the
controls by attempting to register for disaster relief through two
portals: (1) the Internet via FEMA's Web site and (2) telephone calls
to FEMA. For both portals, we tested FEMA's controls by providing
falsified identities and bogus addresses. In all instances, FEMA's Web
site did not allow us to successfully finalize our registrations.
Instead, the Web site indicated that there were problems with our
registrations and advised us to contact the FEMA toll-free numbers if
we thought that we were eligible for assistance. This is consistent
with FEMA's representation that Internet registrations were compared
against third-party information to verify identities.
Our investigative work also confirmed that the lack of similar controls
over telephone registrations exposed FEMA to fraud and abuse.
Specifically, in instances where we submitted via the telephone the
same exact information that had been rejected on the Internet, i.e.,
falsified identities and bogus addresses, the information was accepted
as valid. Subsequently, the claims were processed and $2,000 expedited
assistance checks were issued. Figure 1 provides an example of an
expedited assistance check provided to GAO.
Figure 1: $2,000 Expedited Assistance Check Provided to GAO Based on
Bogus Registration:
[See PDF for image]
[End of figure]
Additional case study investigations, which we discuss later, further
demonstrated that individuals not affected by the disasters could
easily provide false information to obtain expedited assistance and
other IHP payments from FEMA. Convictions obtained by the Department of
Justice also show that others have exploited these control weaknesses
and received expedited assistance payments. For example, one individual
in a College Station, Texas relief center pleaded guilty to false
claims and mail fraud charges related to IHP and expedited assistance.
Despite never having lived in any of the areas affected by the
hurricane, this individual registered for and received $4,358 ($2,000
in expedited assistance and $2,358 in rental assistance) in hurricane
Katrina IHP payments.
Other Control Weaknesses Exacerbated Government Exposure to Fraud and
Abuse:
We also found that FEMA instituted limited pre-payment checks in the
National Emergency Management Information System (NEMIS) to automate
the identification of duplicate registrations. However, the subsequent
review process used to resolve these duplicate registrations was not
effective in preventing duplicate and potentially fraudulent payments.
We also found that FEMA did not implement procedures to provide
assurance that the disaster address was not a bogus address, either for
Internet or telephone registrations.
FEMA's controls failed to prevent thousands of registrations with
duplicate information from being processed and paid. Our work indicates
that FEMA instituted limited automated checks within NEMIS to identify
registrations containing duplicate information, e.g., multiple
registrations with the same SSNs, duplicate damaged address telephone
numbers, and duplicate bank routing numbers. Data FEMA provided enabled
us to confirm that NEMIS identified nearly 900,000 registrations--out
of 2.5 million total registrations--as potential duplicates. FEMA
officials further represented to us that the registrations identified
as duplicates by the system were "frozen" from further payments until
additional reviews could be conducted. The purpose of the additional
reviews was to determine whether the registrations were true
duplicates, and therefore payments should continue to be denied, or
whether indications existed that the registrations were not true
duplicates, and therefore FEMA should make those payments. It appeared
from FEMA data that the automated checks and the subsequent review
process prevented hundreds of thousands of payments from being made on
duplicate registrations. However, FEMA data and our case study
investigations also indicate that the additional review process was not
entirely effective because it allowed payments based on duplicate
information.
We also found that FEMA did not implement effective controls for
telephone and Internet registrations to verify that the address claimed
by registrants as their damaged address existed. As will be discussed
further below, many of our case studies of potential fraud show that
payments were received based on claims made listing bogus damaged
addresses. Our undercover work also corroborated that FEMA provided
expedited assistance to registrants with bogus addresses.
Potentially Fraudulent Activities Resulting from Weak or Nonexistent
FEMA IHP Controls:
With limited or nonexistent validation of registrants' identities and
the reported damaged addresses, it is not surprising that our data
mining and investigations found substantial indicators of potential
fraud and abuse related to false or duplicate information submitted on
disaster registrations. Our audits and investigations of 20 cases
studies comprising 248 registrations that received payments, and the
undercover work we discussed earlier, clearly showed that individuals
can obtain hundreds of thousands of dollars of IHP payments based on
fraudulent and duplicate information.[Footnote 9] These case studies
are not isolated instances of fraud and abuse. Rather, our data mining
results to date indicate that they are illustrative of the wider
internal control weaknesses at FEMA--control weaknesses that led to
thousands of payments made to individuals who provided FEMA with
incorrect information, e.g., incorrect SSNs and bogus addresses, and
thousands more made to individuals who submitted multiple registrations
for payments.
Case Study Examples Show That Control Weaknesses Have Been Exploited:
Our audits and investigations of 20 case studies demonstrate that the
weak or nonexistent controls over the registration and payment
processes have opened the door to improper payments and individuals
seeking to obtain IHP payments through fraudulent means. Specifically,
a majority of our case study registrations--165 of 248--contained SSNs
that were never issued or belonged to deceased or other individuals.
About 20 of the 248 registrations we reviewed were submitted via the
Internet. Further, of the over 200 alleged damaged addresses that we
tried to visit, about 80 did not exist. Some were vacant lots, others
turned out to be bogus apartment buildings and units. Because the
hurricanes had destroyed many homes, we were unable to confirm whether
about 15 additional addresses had ever existed. We also identified
other fraud schemes unrelated to the weak and nonexistent validation
and prepayment controls previously discussed, such as registrants who
submitted registrations using valid addresses that were not their
residences.
In total, the case study registrants of whom we conducted
investigations have collected hundreds of thousands of dollars in
payments based on potentially fraudulent activities. These payments
include money for expedited assistance, rental assistance, and other
IHP payments. Further, as our work progresses, we are uncovering
evidence of larger schemes involving multiple registrants that are
intended to defraud FEMA. We found these schemes because the
registrants shared the same last names, current addresses, and/or
damaged addresses--some of which we were able to confirm did not exist.
While the facts surrounding the case studies provided us with
indicators that potential fraud may have been perpetrated, further
testing and investigations need to be conducted to determine whether
these individuals were intentionally trying to defraud the government
or whether the discrepancies and inaccuracies were the results of other
errors. Consequently, we are conducting further investigations into
these case studies. Table 1 highlights 10 of the 20 case studies we
identified through data mining that we investigated. In addition, some
individuals in the cases cited below submitted additional registrations
but had not received payments as of mid December 2005.
Table 1: Examples of Potential Fraudulent and Duplicate Registrations
That Received FEMA Payments:
Case: 1;
Number of Registrations with Payments/SSNs: 36/36;
Payments Received[A]: $103,000;
Number of Bogus Properties Used to Receive Payments[B]: At least 10;
Case Details:
* Seventeen individuals received payments on 36 registrations using 34
SSNs that were not theirs;
* Of the 17 addresses we visited, 13 were from the same apartment
building, of which 6 did not exist;
* 4 additional addresses were also invalid;
* Payments included 31 expedited assistance payments totaling $62,000,
and 18 in other payments, including rental payments.
Case: 2;
Number of Registrations with Payments/SSNs: 15/15;
Payments Received[A]: $41,000;
Number of Bogus Properties Used to Receive Payments[B]: At least 8;
Case Details:
* One individual received payments on 15 different SSNs--only one of
which belonged to that person;
* Investigative work also showed that 3 addresses were valid but were
not addresses of the registrant;
* Payments included 13 expedited assistance payments totaling $26,000
and $15,000 in other assistance, including housing;
* The individual may have committed bank fraud by using an invalid SSN
to open an account;
* The individual had established credit using 2 SSNs that did not
belong to the individual.
Case: 3;
Number of Registrations with Payments/SSNs: 8/1;
Payments Received[A]: $16,000;
Number of Bogus Properties Used to Receive Payments[B]: None;
Case Details:
* One individual received 8 expedited assistance payments using the
same name, SSN, and current address;
* Of the 8 addresses declared as damaged, two appeared to belong to the
individual;
* FEMA's automated edits identified at least 7 registrations as
duplicates, nevertheless payments were issued.
Case: 4;
Number of Registrations with Payments/SSNs: 23/23;
Payments Received[A]: $46,000;
Number of Bogus Properties Used to Receive Payments[B]: At least 14;
Case Details:
* Two individuals received expedited assistance payments on 23 SSNs -
21 of which were not theirs;
* Public records indicate that the individuals did not live at any of
the 9 valid addresses;
* Payments included 22 expedited assistance payments and 1 housing
assistance payment.
Case: 5;
Number of Registrations with Payments/SSNs: 38/38;
Payments Received[A]: $76,000;
Number of Bogus Properties Used to Receive Payments[B]: At least 10;
Case Details:
* Six individuals received 38 payments on different SSNs--only 1 of
which was traced back to them;
* Payments included 37 expedited assistance payments totaling $74,000
and over $2,000 in other assistance.
Case: 6;
Number of Registrations with Payments/SSNs: 18/18;
Payments Received[A]: $36,000;
Number of Bogus Properties Used to Receive Payments[B]: At least 12;
Case Details:
* Individual received 18 expedited assistance payments using the same
name and 18 different SSNs--only 1 of which belonged to the person;
* Investigative work and public records also indicate that the
individual had never lived at any of the 6 remaining valid addresses.
Case: 7;
Number of Registrations with Payments/SSNs: 31/30;
Payments Received[A]: $92,000;
Number of Bogus Properties Used to Receive Payments[B]: At least 22;
Case Details:
* A group of 8 individuals received payments on 31 registrations using
26 SSNs that did not belong to them;
* 22 of the registrations were for addresses that did not exist. The
remaining addresses were not validated;
* Payments include 32 payments for expedited assistance and over
$28,000 for other assistance including housing assistance.
Case: 8;
Number of Registrations with Payments/SSNs: 6/6;
Payments Received[A]: $23,000;
Number of Bogus Properties Used to Receive Payments[B]: None;
Case Details:
* Six apparent members of the same household registered 6 times using
the same damaged addresses;
* Five of the 6 individuals also shared the same current address;
* Payments included 5 expedited assistance payments and $13,000 in
other payments including housing assistance.
Case: 9;
Number of Registrations with Payments/SSNs: 7/7;
Payments Received[A]: $15,000;
Number of Bogus Properties Used to Receive Payments[B]: None;
Case Details:
* Seven apparent members of the same household received payments using
the same damaged address;
* One family member used a SSN that did not belong to the family
member;
* Six of the 7 individuals also shared the same current address;
* Payments included 7 payments for expedited assistance.
Case: 10;
Number of Registrations with Payments/SSNs: 7/7;
Payments Received[A]: $80,000;
Number of Bogus Properties Used to Receive Payments[B]: None;
Case Details:
* Seven apparent members of the same household registered using the
same damaged address;
* Payments included 6 expedited assistance payments and $68,000 in
other assistance.
Source: GAO analysis and investigation of FEMA data.
[A] Amount reflects total payments for IHP, which includes expedited
assistance, temporary housing assistance, payments for repair and
replacement of real and personal property, and payments for other needs
such as medical, transportation, and other necessities.
[B] One address could be associated with multiple registrations.
[End of table]
The following provides illustrative detailed information on several of
the cases.
* Case number 1 involves 17 individuals, several of whom had the same
last name, who submitted at least 36 registrations claiming to be
disaster victims of both Katrina and Rita. All 36 registrations were
submitted through the telephone, using 36 different SSNs and 4
different current addresses. These individuals used their own SSNs on 2
of the registrations, but the remaining 34 SSNs were never issued or
belonged to deceased or other individuals. The individuals received
over $103,000 in IHP payments, including $62,000 in expedited payments
and $41,000 in payments for other assistance, including temporary
housing assistance. Our analysis shows that the individuals claimed 13
different damaged addresses within a single apartment building, and 4
other addresses within the same block in Louisiana. However, our
physical inspection of these addresses revealed that 10 of the
addresses were bogus addresses. Further audit and investigative work
also shows that these individuals may not have lived at any of the
valid disaster addresses at the time of hurricanes Katrina and Rita. We
are conducting additional investigations on this case.
* Case number 2 involves an individual who used 15 different SSNs--one
of which was the individual's own--to submit at least 15 registrations
over the telephone. The individual claimed a different damaged address
on all 15 registrations, and used 3 different current addresses--
including a post office box, where the individual received payments.
The individual received 16 payments totaling over $41,000 on 15 of the
registrations. In all, the individual received 13 expedited assistance
payments, 2 temporary housing assistance payments, and another payment
of $10,500. Further investigative work disclosed that the individual
may have committed bank fraud by using a false SSN to open a bank
account. Other publicly available records indicate that the individual
had used 2 SSNs that were issued to other people to establish credit
histories.
* Case number 3 relates to a group of 8 registrations that resulted in
8 payments totaling $16,000. According to FEMA data, an individual
registered for Rita disaster assistance at the end of September 2005.
About 10 days later, the same individual submitted at least 7
additional registrations claiming 7 different disaster addresses, 2 of
which we were able to confirm belonged to the individual and may be
rental properties that the individual owns. However, because the FEMA
database showed that these addresses were entered as the individual's
primary residence--a primary requirement for IHP--the individual
received 8 expedited assistance payments instead of just the one that
he may have qualified for. We also found that the automated edits
established in NEMIS identified these registrations as potential
duplicates. In spite of the edit flags, FEMA cleared the registrations
for improper expedited assistance payments.
* Case number 4 involves 2 individuals who appear to be living together
at the same current address in Texas. These 2 individuals received
payments for 23 registrations submitted over the telephone using 23
different SSNs--two of which belonged to them--to obtain more than
$46,000 in disaster assistance. The information the registrants
provided related to many of the disaster addresses appeared false. The
addresses either did not exist, or there was no proof the individuals
had ever lived at these addresses.
* Case number 8 relates to 6 registrants with the same last name who
registered for disaster assistance using the same damaged address, with
5 of the 6 using the same current address. FEMA criteria specify that
individuals who reside together at the same address and who are
displaced to the same address are entitled to only one expedited
assistance payment. However, all 6 possible family members received 12
payments totaling over $23,000--$10,000 in expedited assistance and
more than $13,000 in other assistance, including rental assistance.
Data Mining Indicates Potential Fraud and Abuse Beyond Our Case
Studies:
The case studies we identified and reported are not isolated instances
of potential fraud and abuse. Rather, our data mining results show that
they are indicative of fraud and abuse beyond these case studies, and
point directly to the weaknesses in controls that we have identified.
The weaknesses identified through data mining include ineffective
controls to detect (1) SSNs that were never issued or belonged to
deceased or other individuals, (2) SSNs used more than once, and (3)
other duplicate information.
Misuse of Social Security Numbers on Registrations:
Our data mining and case studies clearly show that FEMA's controls over
IHP registrations provided little assurance that registrants provided
FEMA with a valid SSN. Under 42 U.S.C. § 408, submitting a false SSN
with the intent to deceive in order to obtain a federal benefit or
other payment is a felony offense. Based on data provided by the SSA,
FEMA made expedited assistance payments to thousands of registrants who
provided SSNs that were never issued or belonged to deceased
individuals. Further, SSA officials who assisted GAO in analyzing
FEMA's registrant data informed us that tens of thousands more provided
SSNs that belonged to other individuals. This problem is clearly
illustrated in case 2, where FEMA made payments totaling over $41,000
to an individual using 15 different SSNs. According to SSA records, the
individual received payments on 4 SSNs that belonged to deceased
individuals and 10 SSNs that did not match with the names provided on
the registrations. As previously discussed, further testing and
investigations need to be conducted to determine whether this
individual was intentionally trying to defraud the government or
whether the discrepancies and inaccuracies were the results of other
errors.
Same Social Security Numbers Used on Multiple Registrations:
Our data mining and case studies clearly show that FEMA's controls do
not prevent individuals from making multiple IHP registrations using
the same SSN. We found thousands of SSNs that were used on more than
one registration associated with the same disaster. Because an
individual can receive disaster relief only on his or her primary
residence and a SSN is a unique number assigned to an individual, the
same SSN should not be used to receive assistance for the same
disaster. This problem is illustrated in case 3 above, where an
individual registered for IHP 8 times using the same name, same SSN,
and same current address--and thus could have qualified for only 1
expedited assistance payments--but instead received expedited
assistance payments of $2,000 for 8 different registrations.
Multiple Payments Made to Different Registrations Containing the Same
Key Information:
Our data mining and case studies also show that the IHP controls to
prevent duplicate payments did not prevent FEMA from making payments to
tens of thousands of different registrants who used the same key
registration information. FEMA's eligibility criteria specify that
individuals who reside together at the same address and who are
displaced to the same address are typically entitled to only one
expedited assistance payment. FEMA policy also provides for expedited
assistance payments to more than one member of the household in unusual
circumstances, such as when a household was displaced to different
locations. However, both our investigations and data mining found
thousands of instances where FEMA made more than one payment to the
same household that shared the same last name and damaged and current
addresses. As illustrated in case 8, 5 of 6 individuals with the same
last name, the same damaged address, and the same current address
received multiple expedited assistance payments, instead of just one
for which they qualified. While not all of the registrations that used
the same key information were submitted fraudulently, additional
investigations need to be conducted to determine whether or not the
entire family was entitled to expedited and other IHP assistance.
Similarly, our data mining also determined that FEMA made payments to
tens of thousands of IHP registrants who provided different damaged
addresses but the same exact current address. As shown in case study 4
above, some registrations that fell into this category contained bogus
addresses or addresses that were not the registrants' residences. Under
18 U.S.C. § 1001, a person who knowingly and willfully makes any
materially false, fictitious, or fraudulent statement or representation
shall be fined or imprisoned up to 5 years, or both.
Our data mining also found that FEMA made duplicate expedited
assistance payments to tens of thousands of individuals for the same
FEMA registration number. FEMA policy states that registrants should
only receive one expedited assistance payment. However, in some cases,
FEMA paid as many as four $2,000 expedited assistance payments to the
same FEMA registration number. As discussed later, we also found that
FEMA issued expedited assistance payments to more than 5,000
registrants who had already received debit cards. FEMA officials
represented to us that they traced some of these obviously duplicate
payments to a computer error that inadvertently caused the duplicate
payments. However, they provided no supporting documentation.
Controls over Debit Cards Were Ineffective in Preventing Duplicate
Payments and Improper Use:
In the days following hurricane Katrina, FEMA experimented with the use
of debit cards to expedite payments of $2,000 to about 11,000 disaster
victims at three Texas shelters[Footnote 10] who, according to FEMA,
had difficulties accessing their bank accounts. Figure 2 is an example
of a FEMA debit card.
Figure 2: FEMA Debit Card:
[See PDF for image]
[End of figure]
The debit card program was an effective means of distributing relief
quickly to those most in need. However, we found that because FEMA did
not validate the identity of debit card recipients who registered over
the telephone, some individuals who supplied FEMA with SSNs that did
not belong to them also received debit cards. We also found that
controls over the debit card program were not effectively designed and
implemented to prevent debit card recipients from receiving duplicate
expedited assistance payments, once through the debit card and again
through check or EFT. Finally, unlike the guidance provided to other
IHP registrants, at the time FEMA distributed the debit cards, FEMA did
not provide instructions informing them that the funds on their cards
must be used for appropriate purposes.
Debit Cards Issued to Individuals Providing Invalid Social Security
Numbers:
As discussed previously, FEMA did not verify the identity of
individuals and/or households who submitted disaster registrations over
the telephone. This weakness occurred in the debit card program as
well. FEMA required the completion of a disaster registration prior to
a household or individual being able to receive a debit card. According
to FEMA officials, registrants at the three centers applied for
assistance via the telephone and Internet. Therefore, to the extent
that registrations for the debit card were taken over the telephone,
FEMA did not subject the identity of the registrants to a verification
process. Consequently, we identified 50 debit cards issued to
registrants listing SSNs that the SSA had no record of issuing, and 12
cards issued to registrants using SSNs belonging to deceased
individuals. For example, one registrant used an invalid SSN to receive
a $2,000 debit card and used about $500 of that money to pay prior
traffic violations to reinstate a driver's license. In another case, a
registrant used the SSN of an individual who died in 1995 to receive a
$2,000 debit card. FEMA subsequently deposited an additional $7,554 in
IHP payments to that debit card account for additional claims submitted
by that individual. This registrant withdrew most of the $9,554
deposited into the debit card account by obtaining ATM cash
withdrawals.
Thousands of Debit Card Recipients Received Multiple Expedited
Assistance Payments:
Based on a comparison of FEMA's IHP payments and the list of debit card
recipients, we found that over 5,000 of the 11,000 debit card
recipients received more than one $2,000 expedited assistance payment
because they received a debit card and another form of payment (check
or EFT). According to FEMA officials, they were aware that several
individuals had already registered for IHP assistance and that some
payments had already been made prior to issuance of a debit card.
However, FEMA officials stated that individuals in the three shelters
in Texas would not have access to their home addresses or bank accounts
and therefore needed immediate assistance in the form of debit cards.
Our review of FEMA data disproved FEMA's belief that only a few
individuals who received debit cards also received other disaster
assistance payments. Instead, thousands, or nearly half, of the
individuals who received debit cards also received checks or EFTs that
were made several days after the debit cards had been issued. The
result was that FEMA paid more than $10 million dollars in duplicate
expedited assistance payments to individuals who had already received
their $2,000 of expedited assistance.
FEMA Debit Card Transactions:
In general, once FEMA receives a disaster registration, FEMA sends a
package containing IHP information and detailed instructions, including
instructions on how to follow up on benefits, how to appeal if denied
benefits, and the proper use of IHP payments. However, FMS and FEMA
officials informed us that FEMA did not specifically provide
instructions on how the debit cards should only be used for necessary
expenses and serious needs related to the disasters at the same time
the debit cards were distributed. We found that in isolated instances,
debit cards were used for adult entertainment, to purchase weapons, and
for purchases at a massage parlor that had been previously raided by
local police for prostitution.
Our analysis of debit card transaction data provided by JP Morgan Chase
found that the debit cards were used predominantly to obtain cash which
did not allow us to determine how the money was actually used. The
majority of the remaining transactions was associated with purchases of
food, clothing, and personal necessities. Figure 3 shows a breakdown of
the types of purchases made by cardholders.
Figure 3: Breakdown of Purchases Made with FEMA Debit Cards:
[See PDF for image]
[End of figure]
We found that in isolated instances, debit cards were used to purchase
goods and services that did not appear to meet serious disaster related
needs as defined by the regulations. In this regard, FEMA regulation
provides that IHP assistance be used for housing-related needs and
items or services that are essential to a registrant's ability to
overcome disaster related hardship. Table 2 details some of the debit
cards activities we found that did not appear to be for essential
disaster related items or services.
Table 2: Purchases that Did Not Appear Necessary to Satisfy Immediate
Emergency Needs:
Vendors: Elliot's Gun Shop;
Location: Jefferson, LA;
Nature of Transaction: .45 caliber pistol;
Amount: $1,300.
Vendors: D Houston;
Location: Houston, TX;
Nature of Transaction: Gentlemen's club;
Amount: 1,200.
Vendors: Friedman's Jewelers;
Location: Plano, TX;
Nature of Transaction: Diamond engagement ring;
Amount: 1,100.
Vendors: Argosy Casino;
Location: Baton Rouge, LA;
Nature of Transaction: 7 ATM withdrawals within one day at a gambling
institution;
Amount: 1,000.
Vendors: Tim Fanguy Bail Bonds;
Location: Houma, LA;
Nature of Transaction: Partial bail bond payment;
Amount: 1,000.
Vendors: Department of Public Safety;
Location: Baton Rouge, LA;
Nature of Transaction: Payment of prior traffic violations for driver's
license reinstatement;
Amount: 700.
Vendors: Cat Tattoo;
Location: Addison, TX;
Nature of Transaction: Tattoo on arm;
Amount: 450.
Vendors: Swedish Institute;
Location: Irving, TX;
Nature of Transaction: Massage parlor;
Amount: 400.
Vendors: Tiger Beer and Wine;
Location: Dallas, TX;
Nature of Transaction: Alcohol beverages;
Amount: 200.
Vendors: Condoms To Go;
Location: Dallas, TX;
Nature of Transaction: Adult erotica products;
Amount: 150.
Source: GAO analysis of debit card transactions and additional
investigations.
[End of table]
Conclusions:
FEMA has a substantial challenge in balancing the need to get money out
quickly to those who are actually in need and sustaining public
confidence in disaster programs by taking all possible steps to
minimize fraud and abuse. Based on our work to date, we believe that
more can be done to prevent fraud through validation of identities and
damage addresses and enhanced use of automated system verification
intended to prevent fraudulent disbursements. Once fraudulent
registrations are made and money is disbursed, detecting and pursuing
those who committed fraud in a comprehensive manner is more costly and
may not result in recoveries. Further, many of those fraudulently
registered in the FEMA system already received expedited assistance and
will likely receive more money, as each registrant can receive as much
as $26,200 per registration.
Another key element to preventing fraud in the future is to ensure
there are consequences for those that commit fraud. For the fraud cases
that we are investigating, we plan to refer them to the Katrina Fraud
Task Force for further investigation and, where appropriate,
prosecution. We believe that prosecution of individuals who have
obtained disaster relief payments through fraudulent means will send a
message for future disasters that there are consequences for defrauding
the government.
Madam Chairman and Members of the Committee, this concludes my
statement. I would be pleased to answer any questions that you or other
members of the committee may have at this time.
Contacts and Acknowledgements:
[End of section]
For further information about this testimony, please contact Gregory D.
Kutz at (202) 512-7455 or kutzg@gao.gov. Contact points for our Offices
of Congressional Relations and Public Affairs may be found on the last
page of this testimony.
[End of section]
Appendix I: Objectives, Scope, and Methodology:
To assess controls in place over the Federal Emergency Management
Agency (FEMA)'s Individuals and Households Program (IHP), we
interviewed FEMA officials and performed walkthroughs at the National
Processing Service Center in Winchester, Va. We reviewed the Stafford
Act, Pub. L. 93-288, the implementing regulations, and FEMA's
instructions to disaster registrants available via the Internet. In
addition, to proactively test controls in place, we applied for
assistance using falsified identities, bogus addresses, and fictitious
disaster stories to determine if IHP payments could be obtained based
on fraudulent information. Because of several key unanswered requests
for documentation from the Department of Homeland Security (DHS),
information needed to fully assess the expedited assistance program was
limited. For example, FEMA and DHS had not provided us documentation to
enable us to conclusively determine the reason that FEMA submitted some
registrations, and did not submit other registrations, to identity
validation prior to issuing expedited assistance payments.
Consequently, our work was limited to our analysis of the FEMA
databases, investigations we conducted, data widely available to the
public via the Internet, and information FEMA officials orally provided
to us.
To determine the magnitude and characteristics of IHP payments, we
obtained the FEMA IHP database as of December 2005. We validated that
the database was complete and reliable by comparing the total
disbursements against reports FEMA provided to the Senate
Appropriations Committee on Katrina/Rita disbursements. We summarized
the amounts of IHP provided by type of assistance and by location of
disaster address.
To determine whether indications existed of fraud and abuse in
expedited assistance and other disbursements, we provided FEMA data to
the Social Security Administration (SSA) to verify against their
records of valid social security numbers (SSNs). We also used data
mining and forensic audit techniques to identify registrations
containing obviously false data, such as multiple registrations
containing the same name, same current or damaged address, but
different SSNs, and registrations containing duplicate information,
such as duplicate names and SSNs. To determine whether registrations
from our data mining resulted in potentially fraudulent and/or improper
payments, we used a nonrepresentative selection of 248 registrations
representing 20 case studies (case studies included multiple
individuals and registrations) for further investigation. We restricted
our case studies to registrations that received payments as of mid-
December 2005, and noted that some registrants within our case studies
also submitted additional registrations--for which they may receive
future payments. We also identified instances where groups of
registrants may have been involved in schemes to defraud FEMA. We found
these schemes because the registrants provided the same SSNs, last
names, current addresses, and/or damaged addresses on their
registrations. Our macro analysis of potentially fraudulent use of SSNs
and other data mining are ongoing, and we plan to report additional
results at a future date. For purposes of this testimony, we did not
conduct sufficient work to project the magnitude of potentially
fraudulent and improper payments of IHP. We also visited over 200 of
the claimed damaged addresses related to our case studies to determine
whether or not the addresses were valid.
To assess the types of purchases made with FEMA debit cards distributed
at relief centers, we reviewed a database of transactions provided by
JP Morgan Chase, the administrating bank for the debit cards. SSA also
assisted us to compare cardholder data with SSA records to determine
whether registrants receiving debit cards had provided valid
identities. We performed data mining on debit card transactions to
identify purchases that did not appear to be indicative of necessary
expenses as defined by the Stafford Act's implementing regulations.
Finally, we validated specific transactions identified in the database
by obtaining information on actual items purchased from the vendors.
In the course of our work, we made numerous written requests for key
documents and sets of data related to the IHP, most dating back to
October 2005. While FEMA officials promptly complied with one key part
of our request--that is FEMA made available databases of IHP
registrants and payments--the majority of items requested have not been
provided. On January 18, 2006, the Department of Homeland Security
Office of General Counsel provided us with well less than half of the
documents that were requested. For example, FEMA and the DHS had not
provided us documentation to enable us to conclusively determine the
reason that FEMA submitted some registrations, and did not submit other
registrations, to identity validation prior to issuing expedited
assistance payments. While the database and other data provided by FEMA
enabled us to design procedures to test the effectiveness of the FEMA's
system of internal controls, it did not enable us to comprehensively
determine the root causes of weak or non-existent controls.
During the course of our audit work, we identified multiple cases of
potential fraud. For cases that we investigated and found significant
evidence of fraudulent activity, we plan to refer our cases directly to
the Hurricane Katrina Fraud Task Force. Except for scope limitations
due to a lack of documentation provided by DHS, we performed our work
from October 2005 through January 2006 in accordance with generally
accepted government auditing standards and quality standards for
investigations as set forth by the President's Council on Integrity and
Efficiency.
FOOTNOTES
[1] Pub. L. 93-288, 88 Stat. 143 (1974) (amended 2000).
[2] The expedited assistance process is not specifically authorized in
the Stafford Act. However, FEMA previously has asserted, and we have
agreed, that it has legal authority under the act to implement
expedited, or fast track, procedures. Disaster Assistance: Guidance
Needed for FEMA's "Fast Track" Housing Assistance Process, GAO-RCED-98-
1 (Washington, D.C.: Oct. 1997).
[3] The Act's implementing regulations define a household as all
persons (including adults and children) who lived in the predisaster
residence, as well as any other persons not present at the time but who
are expected to return during the assistance period. 44 C.F.R. §
206.111.
[4] Current address refers to the address at which the disaster victim
is currently residing. Damaged addresses are the addresses which were
affected by the hurricanes.
[5] The debit card program is a pilot program implemented primarily to
provide expedited assistance to individuals and households housed at
three Texas shelters. The debit cards, which resemble credit cards and
bear the MasterCard logo, can be used at ATMs and at any commercial
outlet that accepts MasterCard.
[6] We are also releasing today the results of our limited
investigation into allegations that Military Meals, Ready-To-Eat
rations intended for use in the hurricane relief efforts were instead
sold to the public on the Internet auction site eBay. See GAO,
Investigation: Military Meals, Ready-To-Eat Sold on eBay, GAO-06-410R
(Washington, D.C.: Feb. 13, 2006).
[7] In 2002, FEMA became part of the Department of Homeland Security
(DHS). DHS officials required GAO to submit written requests for all
documentation to DHS Office of General Counsel.
[8] Under the Act's implementing regulations, FEMA may recover funds
that it determines were provided erroneously, that were spent
inappropriately, or were obtained through fraudulent means. 44 C.F.R. §
206.116 (b)
[9] We used various indicators such as identical names, SSNs, damaged
addresses, and current addresses to link multiple registrations
together into the 20 case studies.
[10] The shelters were located in Dallas, Houston, and San Antonio.
[End of section]
Appendix II: Comments from the Federal Emergency Management Agency:
U.S. Department of Homeland Security:
Washington, DC 20528:
Homeland Security:
May 19, 2006:
Mr. Gregory Kutz:
Managing Director Forensic Audits and Special Investigations:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Kutz:
Re: Draft Report GAO-06-655 "Expedited Assistance for Victims of
Hurricanes Katrina and Rita: FEMA's Control Weaknesses Exposed the
Government to Significant Fraud and Abuse."
Thank you for the opportunity to review the draft report. The GAO
report gives great detail as to the amount of work their staff did in
order to uncover weaknesses in FEMA's issuance of Expedited Assistance.
It is useful also to note that some of the findings were already
uncovered by FEMA's internal review and FEMA's review with the Office
of Inspector General of potentially fraudulent cases. FEMA is going to
great lengths to ensure that it is a good steward of taxpayer dollars;
allowing applicants who are in serious need of assistance to get it
quickly and appropriately, while deterring or eliminating fraud. FEMA
has already made significant improvements in this arena and is already
well into the recoupment phase of the disaster response for hurricanes
Katrina and Rita. Below are a collection of comments from FEMA
following a careful review of the GAO report and recommendations.
It should be noted that the GAO utilized a non-representative sample of
248 registrations from the NEMIS system. The sample seems to have been
geared specifically towards those applications that were duplicates and
did get multiple payments. Additionally it seems that the sample was
geared towards those applicants with more than one duplicate
registration associated with them. Since the majority of our applicants
were not duplicates with other applicants, this is obviously not a
representative sample of the implementation of the IHP or the Expedited
Assistance program. It's worth noting that for Hurricane Katrina, FEMA
took more than 1.7 million registrations.
Also of note, it is unclear whether what may appear to GAO as
duplicative payments under the IHP program, were instead payments
authorized under the "Separated Households" policy for hurricanes
Katrina and Rita. In general, without access to the GAO case studies,
we cannot comment fully on what FEMA could have done better to prevent
duplication or fraud in these instances. Specifically, we were unable
to locate the applicant they claimed received four Expedited Assistance
(EA) payments under a single registration ID (page 28) via our
reporting mechanisms. This applicant does not exist in our files.
In several places in the document, GAO contends that all applicants
eligible for $2,000 are eligible for up to $26,200 for the IHP,
describing "expedited assistance" as a gateway to further IHP payments
(see page 17). This is simply untrue. Expedited Assistance was given to
individuals applying for assistance under hurricanes Katrina and Rita,
based on a damaged address located in the disaster area and the answers
to specific questions concerning their disaster-related needs. All
other payments, including the $2,358 scripted Transitional Housing
payments, scripted Geospatial payments, and traditional IHP payments
were subject to much more stringent requirements. In all instances,
applicants had to demonstrate that they occupied the damaged dwelling
at the time of the disaster. This could be done in several ways,
including:
* Automated verification of primary residence (and therefore validation
that an address exists) via a FEMA data contractor:
* Traditional, on-site inspection verification of both address and
primary residency:
* Submitted, verifiable primary residency documentation submitted from
the applicant via mail or fax:
For those that received EA, and for this disaster only, "Transitional
Housing Assistance" (THA) of $2,358 was provided to those registrants
that lived in one of the five hardest hit Louisiana parishes or three
counties in Mississippi. Verification of occupancy at a valid address
was established utilizing a FEMA contractor. Many people were found
ineligible for this THA because a contractor (Myriad) was unable to
verify occupancy at the presented address and additional verification
documents were required to be submitted prior to providing assistance.
Any additional 408 assistance was provided only after an in-person
inspection was performed at an actual address, and additional documents
were verified by FEMA and signed by the applicant.
Since the 2005 hurricane season began, FEMA has been proactively
implementing more stringent controls concerning fraud and identity
verification. Controls already implemented include:
* Deployment in October 2005 of a new Internet registration application
that disallows any duplicate registrations:
* Adding identity proofing to the call center registration application
in February 2006 so that all IHP registrations are subjected to the
same stringent criteria that includes verification that the SSN exists,
that the SSN belongs to the name, and that the SSN is not for a
deceased person * Amending automated scripts to ensure no scripted
payments are sent to applicants who failed identity proofing:
* Sending, via batch, all applications taken on the call center
application from August 2005 until February 2006 to FEMA's data
contractor for identity proofing:
* Data-marking any applications in NEMIS that fail identity proofing so
they may be flagged for review and denied automated payment later *
Real-time interaction between the FEMA Service Representative and the
applicant to ensure that the data entered that resulted in a failed
identity check is correct before accepting the application.
With these new processes in place, we still need to need to take into
consideration those families and individuals that may not have
traditional means of identity and occupancy verification so that
assistance is not delayed to the population that may have the greatest
immediate need. For those registrations sent to a "duplicate
investigation queue" for additional review and resolution, there were
significant delays (sometimes additional months) in FEMA providing them
with "emergency expedited" assistance. FEMA must strike the delicate
balance of providing timely assistance to disaster victims in need
while taking the necessary precautions to ensure against fraud, waste
and abuse.
The following changes are being made to the NEMIS software and will be
available by the start of the 2006 hurricane season on June 1:
* NEMIS will no longer allow any registration to be accepted when that
registrant has the same SSN as another registrant in the same disaster
* NEMIS will conduct verification of ownership and occupancy through
FEMA's data contractor during the application process:
All software changes and data scripts are functionally tested before
being implemented in the production environment. Before deployment, a
software change must pass a developer test, an end-user test, a
throughput test, and be approved by the IT Technical Review Committee
(TRC).
The report also notes what it refers to as "isolated incidents" where
EA Debit cards were used to purchase goods and services that did not
appear to meet serious disaster-related needs. Though' isolated", these
purchases did make their way to the first highlight page of the draft
report and apparently warranted their own chart on page 32, though
totaling just under $8,000. While such purchases may represent
questionable judgment on the part of the recipient, highlighting those
expenditures in the midst of this report, and this event, is similarly
questionable. The real issue here is providing appropriate guidelines
for the use of the assistance received. FEMA continues to develop
guidance and control measures to prevent the inappropriate use of these
funds.
Response to GAO Recommendations:
Recommendation:
Establish an identify verification process for Individuals and
Households Program (IHP) registrants applying via both the Internet and
telephone, to provide reasonable assurance that disaster assistance
payments are made only to qualified individuals.
Response:
FEMA has already implemented identity proofing on the call center
application, including verification that the SSN is valid, verification
that the SSN matches the name, and verification that the SSN does not
belong to a deceased individual.
When a registration fails identity proofing, the FEMA registrar is
instructed to verify the data entered with the applicant. If the data
is correct, the registrar continues with the application. At this time,
it is considered unwise to have a registrar get into a potentially
difficult situation with the applicant pertaining to failed identity
verification. Instead, applicants will not be eligible for any scripted
payments and will be subjected to additional review before payment.
These applicants will have to substantiate their identities via other
means before receiving FEMA assistance. The applicants receive a letter
telling them what information they need to provide in order to verify
their identity.
It is not necessary to ask a registrant to enter their name as it
appears on their social security card. Unlike the SSA, FEMA's data
contractor is able to use logic to find aliases and nicknames
associated with an SSN. This includes married and maiden names, as well
as the typical "Bill vs. William" scenario.
Recommendation:
Develop procedures to improve the existing review process of duplicate
registrations containing the exact same Social Security Numbers (SSN)
and to identify the reasons why registrations flagged as invalid or as
potential duplicates have been overridden and approved for payment.
Response:
FEMA deployed a new Internet application in October 2005 that does not
accept any duplicate applications. The majority of duplicate
applications in Katrina and Rita came from the Internet application,
usually because an applicant was not sure if their registration had
been accepted and re-registered immediately after submitting their
first registration. The closing screens on the Internet application
have also been amended to help assure applicants that their application
has been received and is being processed. Elimination of duplicate
applications up front helps eliminate errors on the back end of
processing. Additionally, the call center application will no longer
accept duplicate applications with the same SSN in the same disaster.
These changes eliminate duplicate SSN applications and greatly reduce
the fraud potential in the IHP.
Recommendation:
Establish an address verification process for IHP registrants applying
via both the Internet and telephone, to provide reasonable assurance
that disaster assistance payments are made only to qualified
individuals.
Response:
Although Expedited Assistance ($2,000) payments in 2005 were not
subject to address verification, all subsequent payments for the IHP
were. Before becoming eligible for additional payments, applicants had
to validate primary residence at the damaged address via one of three
mechanisms detailed above. Starting June 1, this process will occur
during registration (at the same time as the identity verification
process). Therefore, all Expedited Assistance payments will go only to
those applicants who pass identity proofing and who verify occupancy at
the address provided.
With respect to the uniform method of inputting addresses, the NEMIS
software has an address standardization component built in. Based on
the address provided, NEMIS will "correct" it to the most acceptable
form based on USPS data. Addresses are coded in the system with a
degree of accuracy from being accurate to the street and number; to
only being accurate to the zip code (the address could not be found,
but the zip code and state match). FEMA management could consider
limiting Expedited Assistance payments to those addresses with a high
degree of confidence to alleviate this concern.
When an address is not recognized by the address correction software,
NEMIS provides a pop-up with a corrected address (if any) or a null
address if the address provided simply cannot be found. FEMA registrars
then verify the address with the applicant, and proceed with the
address the applicant claims is correct. Additional instruction could
be provided to the registrars to ensure they are using the NEMIS-
provided address whenever possible. At this time, NEMIS records which
addresses were over-ridden by the registrar and which were accepted
with the USPS data in the registrant's record.
During traditional processing, an inspector performs an on-site
inspection. If the address is not valid or cannot be found, the
inspection is withdrawn and returned to FEMA. No awards are made to
applicants in these circumstances. If the address is valid, but the
data is slightly incorrect, the inspector makes the appropriate changes
to the address and returns it to FEMA. FEMA accepts the data into the
NEMIS system and uses that address for processing.
Recommendation:
Explore entering into an agreement with other agencies, such as the
Social Security Administration, to periodically authenticate
information contained in IHP registrations.
Response:
FEMA has already conducted a conference call with the SSA and is in the
process of sharing data in order to explore a real-time verification
relationship. FEMA has also been interested in exploring data available
from other agencies or commercial vendors pertaining to income and
insurance, though this data has proven difficult to obtain at best.
This research is ongoing.
Recommendation:
Establish procedures to collect duplicate expedited assistance payments
or to offset these amounts against future payments.
Response:
GAO contends that allowing applicants to receive both a debit card and
another form of expedited assistance was an error. To the contrary,
FEMA management was keenly aware that this "duplication" could exist
but was compelled to allow the debit cards to go to applicants in spite
of their EA status. FEMA felt that these applicants would certainly be
eligible for more than $4,000 through the 18 month assistance period,
and that these applicants did not have access to their banking
institution since they were homeless and living in shelters for
extended periods following the event.
Although applicants received more than one type of Expedited Assistance
payment in approximately 5,000 cases, this does not mean that all
applications should be subject to recoupment. If any application was
eligible for the maximum IHP grant, their grant was offset by any
Expedited Assistance already received. Therefore, an applicant who was
eligible via the traditional program for $26,200 but already received
both a debit card and a $2,000 check would only receive another $22,200
in assistance.
For any applicant that was not eligible for a max grant and did not
have other payments offset by expedited assistance, FEMA is conducting
recoupments. A detailed recoupment process has been put into place and
has been vetted with the senior officials in FEMA, DHS, and DOJ, and
the process has been shared with the OIG and GAO. As of April 2006,
nearly all duplicative EA payments have been processed for recoupment,
and debit card collection is pending. FEMA is using its long-standing
Recovery of Funds procedures for the 2005 hurricane season as it has in
previous years.
Recommendation:
Ensure that any future distribution of IHP debit cards includes
instructions on the proper use of IHP funds, similar to those
instructions provided to IHP check and EFT recipients, to prevent
improper usage.
Response:
FEMA agrees with this recommendation and also suggests that debit cards
not be pre-loaded, but be given to applicants and then filled only when
the applicant is determined eligible for assistance rather than
presuming eligibility based on being located in a shelter.
Just as with our own staff, we appreciate the time and effort the GAO
staff has put into this project. Their suggestions have helped both to
underline the value and to sharpen some of the work already underway in
this area. But we could also have found more benefits from the report
if the information-sharing inherent in such a process had been
reciprocal.
Thank you for the opportunity to review the report and provide
comments.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/OIG Liaison Office:
[End of Section]
(192209):
FOOTNOTES
[1] GAO, Expedited Assistance for Victims of Hurricanes Katrina and
Rita: FEMA's Control Weaknesses Exposed the Government to Significant
Fraud and Abuse, GAO-06-403T (Washington, D.C.: Feb. 13, 2006).
[2] 42 U.S.C. §§ 5121-5206.
[3] We used various indicators such as identical names, SSNs, damaged
addresses, and current addresses to link multiple registrations
together in the 20 case studies.
[4] Under the Act's implementing regulations, FEMA may recover funds
that it determines were provided erroneously, that were spent
inappropriately, or were obtained through fraudulent means. 44 C.F.R. §
206.116 (b).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
