Cover article

Running a marathon at a sprinter's pace

How U.S. oversight agencies are racing to fight fraud in the age of COVID-19

The U.S. Congress has approved a record $5 trillion in aid packages so far to help Americans survive the pandemic, opening up new territory for fraudsters to ply their trade. Fraud Magazine talks to two of the top professionals leading the government’s fight against fraud and finds out why CFEs are required more than ever.

When Joshua Bellamy, a former NFL wide receiver for the New York Jets, was charged last year for his role in a $24 million COVID-relief fraud scheme, his alleged crimes soon became national news.

Bellamy allegedly conspired with others to obtain millions of dollars in fraudulent loans from the Paycheck Protection Program (PPP) administered by the Small Business Administration (SBA) to help businesses keep their workforces employed during the pandemic. (See NFL Player Charged for Role in $24 Million COVID-Relief Fraud Scheme, press release, U.S. Department of Justice, Sept. 10, 2020.)

The Department of Justice (DOJ) accused Bellamy of fraudulently obtaining a $1.25 million PPP loan through his company Drip Entertainment LLC and then spending hundreds of thousands of dollars on luxury items at Dior and Gucci, as well as on trips to casinos and hotels.

“We hope that the public will give him the benefit of the doubt at this time,” Bellamy’s attorney said in September of 2020. “All too often, professional athletes are taken advantage of by people who are purportedly acting on their behalf as agents or advisors.” (See NFL player charged with fraud in coronavirus relief scheme, by Christina Carrega and Paul LeBlanc, CNN, Sept. 10, 2020.)

Yet while Bellamy’s alleged crimes were certainly newsworthy, they were not necessarily unusual. Indeed, it is one of many fraud cases tied to COVID-relief packages that have come to light in recent months and it underscores the challenges faced by government agencies like the SBA in preventing the theft of massive amounts of aid money.

Those challenges soon became evident early last year when the U.S. Congress first tasked the SBA to distribute and oversee $350 billion of loans as part of the $2.2 trillion Coronavirus Aid, Relief, and Economic Security (CARES) Act.

Not only was this a record amount of money for a government agency whose normal operations encompassed about $200 billion in guaranteed loans and federal contracting dollars, but SBA was also under the gun. Lawmakers wanted the money distributed at lightning speed to Americans desperate for support as the health crisis started to take its toll on the economic well-being of the nation.

The SBA quickly got to work, processing more loans in just 14 days than it had done in the last 14 years. (See Testimony of Inspector General Hannibal “Mike” Ware before the House Committee on Small Business, Subcommittee on Investigations, Oversight and Regulations, Oct. 1, 2020.) That was an impressive feat. But it was only the start of a longer-term project requiring a delicate balancing act of preventing fraud, potentially on a massive scale, without slowing the disbursal of relief funds to Americans in immediate need of help.

Government bodies charged with distributing aid money — and the agencies that oversee them — have been grappling with the question of which of those two options to prioritize as the pandemic relief package has grown to record levels over the last year or so.

Enormous fraud potential

“It can’t be easy for the SBA,” says Hannibal “Mike” Ware, CFE, inspector general for the SBA. “They are running at a sprinter’s pace during what is essentially a marathon."

The job is fraught with pitfalls, and the stakes are high, to say the least. The potential for fraud is enormous not just from SBA programs but across agencies. The Office of Inspector General for the U.S. Department of Labor, for instance, said in a report last year that at least $36 billion of the $360 billion in CARES Act unemployment benefits could’ve been paid improperly, mostly because of fraud. (See Semiannual Report to Congress, Office of Inspector General for the U.S. Department of Labor, April 1-Sept. 30, 2020.)

Indeed, the gargantuan stimulus packages the U.S. Congress passed this year and last are putting extraordinary demands on state offices that oversee how the money is deployed and ensure the prevention and detection of fraud. They’re also prompting a rethink of how government oversight bodies should conduct their jobs during a time of unparalleled government stimulus.

“The pandemic has laid bare many of the systemic weaknesses across government benefits administration programs and their limitations in preventing fraud,” says Linda Miller, deputy executive director at the Pandemic Response Accountability Committee (PRAC), one of several independent bodies created to oversee the emergency spending bills tied to the health crisis.

Fraud Magazine recently spoke to Ware and Miller about their experiences and the challenges they’ve faced at the forefront of the government’s fight to keep record amounts of stimulus money out of the hands of fraudsters.

Ware, who also chairs the subcommittee on audits at the PRAC, has had a career that’s spanned over 30 years in the inspector general community, where he started as an intern and worked his way up to his current position. He’s been a CFE for over 20 years and is a new member of the ACFE’s Board of Regents.

“Having risen through the ranks, I view part of my role on the Board of Regents as an opportunity to give back and bring forth the IG community’s role in combating fraud across government,” Ware says. “I think this is a great platform to do that.”

Miller also has vast experience in fighting fraud. She now helps oversee an agency that —  with the help of 22 inspectors general — conducts, supports and coordinates oversight of all pandemic spending. Before joining the PRAC last year, Miller was a principal at auditing and advisory firm Grant Thornton, where she managed the design and implementation of effective antifraud programs for government and commercial clients.

Prior to that, the former Olympic rower worked at the U.S. Government Accountability Office (GAO), where she led the evaluation of federal programs, specializing in fraud risks and program integrity.

“I have been passionate about combating fraud for most of my career,” says Miller. “So, when the pandemic hit, and the magnitude of the federal response became clear, it was honestly a no-brainer for me to take a role helping lead a federal agency in the fight against fraud in pandemic spending.”

Building the plane while flying it

Skills and experience like Ware’s and Miller’s are vital for a government seeking to administer what has been the largest-ever aid push by the U.S. government. Both are coming off a grueling year or so, and the scale of the task at hand has been daunting for the agencies charged with fighting fraud under exceptional circumstances.

Miller equates serving as the de facto chief operating officer of the PRAC as a quintessential “build the plane while flying it” endeavor. The agency, which didn’t exist before March 27, 2020, is akin to a government start-up. “The fact that we are building this brand-new organization during the global pandemic in an entirely virtual setting just magnifies the challenge,” says Miller.

She notes that the enormous influx of money combined with the economic fallout from the health crisis have only increased the presence of the three driving factors for fraud to occur — perceived unshareable financial need, perceived opportunity and rationalization — the components of the iconic Fraud Triangle.

PRAC funds jurisdiction infographic

“That is why I believe in addition to the devastating health and economic consequences, the pandemic will end up causing the largest fraud event in American history,” she says.

The numbers speak for themselves. Including the nearly $2 trillion stimulus passed by Congress in March, the U.S. federal government has so far approved an eye-popping $5 trillion in aid money since the outbreak of the COVID-19 pandemic in early 2020.

That represents the largest federal spending program in U.S. history, by far eclipsing earlier aid packages such as the American Recovery and Reinvestment Act passed in the wake of the Great Recession, the New Deal following the Great Depression and the Marshal Plan — the U.S. aid program that helped Europe recover from the devastation of World War II. (See The record-breaking stimulus, by Felix Salmon, Axios, Dec. 23, 2020, and The $5 trillion in pandemic-era stimulus is more than triple Great Recession-era aid — and suggests a permanent shift in the way Congress spends, by Ben Winck, Insider, March 10.)

“The mission to oversee, what … is now over $5 trillion, is enormous,” Miller says. “We have to get it right and we have to do it fast.”

Record amounts of COVID-relief money in 2020 and more to come this year has created a veritable playground for fraudsters to ply their trade, not to mention an abundance of work for CFEs and other professionals charged with uncovering wrongdoing.

“There is a lot of great work being done by CFEs across the nation, and we have never been more relevant because the amount of fraud we are seeing with this kind of money is way up there,” Ware says.

SBA’s experience

The SBA, as the agency responsible for distributing the largest chunk of money stemming from the CARES Act, is a good example of some of the difficulties faced by government agencies working to protect taxpayer money from fraudsters during the pandemic.

Of the $3.3 trillion in government coronavirus funding included in legislation as of December 2020, $1 trillion has been dedicated to small business. (See Funding Overview, PRAC.) In the first round of the CARES Act, the agency had about $349 billion in lending capacity for the creation of the Paycheck Protection Program (PPP) — the amount that it disbursed in 14 days.

The rest of the $1 trillion comprised a second round of $310 billion in PPP funding and another $373 billion for Economic Injury Disaster Loan (EIDL) program. (See Inspection of SBA’S implementation of the Paycheck Protection Program, SBA Office of Inspector General, Jan. 14, and Inspection of small business administration’s initial disaster assistance response to the coronavirus pandemic, SBA Office of Inspector General, Oct. 28, 2020.)

This was something entirely new for the agency. SBA disbursed more than three times as many funds for the EIDL alone ($211 billion) than it had for all the disasters in the agency’s 67-year history, according to the associate administrator for SBA’s office of disaster assistance James Rivera. (See SBA Achieves Historic Small Business Lending for Fiscal Year 2020, SBA, Oct. 28, 2020.)

While the SBA was given additional funding to manage the onslaught of lending and the potential upswing in fraudulent activity, it had little if any time to hire new personnel before it had to disburse the funding.

Under those circumstances, it was inevitable that fraudsters would do their best to poke holes in a system they could exploit. Some colorful cases involving the SBA have already come to light, including that of David T. Hines buying a super-luxury Lamborghini Huracan Evo with a $4 million PPP loan. Fraudsters are trying every angle.

The SBA IG, using the U.S. Department of the Treasury’s Do Not Pay Business Center, which identifies high-risk transactions, discovered in January that about $3.6 billion in PPP loans had gone to potentially ineligible recipients.

While that was just 1.1% of the $525 billion in approved PPP loans, it was enough for Ware to call for “immediate action to limit improper payments by strengthening existing controls.” (See Paycheck Protection Program Loan Recipients on the Department of Treasury’s Do Not Pay List, SBA Inspector General, Jan. 11.)

It didn’t take long for the agency’s hot-lines to start flashing. Ware told the ACFE earlier this year that in just five months in 2020 the SBA received over 26,000 online complaints and 42,000 phone calls, which forced it to reassign staff. And from April to September of last year, the hotline received 104,913 complaints — up from 742 complaints it received for all of 2019. (See Semiannual Report to Congress April 1, 2020 – September 30, 2020, SBA, Office of Inspector General.)

“These hotlines are the life blood of the OIG and a lot of our work has gone to directly address these tips,” says Ware. “It is almost like we have deputized an entire nation to help the fight against fraud.”

Recognizing that no inspector general’s office could handle this type of oversight alone, Ware sought what he calls an “whole-of-government approach” before the money went out the door.

He partnered with the PRAC, where he’s a statutory member along with 21 other IGs, and teamed up with law enforcement across the nation, including the DOJ. The SBA also started to send out reports about a lending process that few people initially understood, and informing the public about possible scams.

He also looked to the past for help, namely the American Recovery and Reinvestment Act — the approximately $800 billion aid package that President Obama signed into law in 2009 following the Great Recession. (See White Paper: Risk Awareness and Lessons Learned From Prior Audits of Economic Stimulus Loans, SBA Inspector General, April 3, 2020.)

“We issued three white papers based on the work [we did] surrounding the Recovery Act because it was kind of similar,” says Ware. “This was important because SBA had never experienced this degree of stimulus and we were able to pull numerous lessons from the Recovery Act."

Ware said the agency drew two big lessons from that experience. SBA needed to establish: (1) clear and complete guidance prior to distributing funding (2) a robust internal control environment.

The need for strong controls

As Ware says, those controls are necessary proactive steps and play an important part in preventing fraud — one of the major tenets ACFE Chairman Dr. Joseph T. Wells, CFE, CPA, espoused when he founded the ACFE in 1988.

“Like Dr. Wells says, strong internal controls are an antidote to fraud, and it is important to underscore that,” he says. “Fraudsters are going to do what fraudsters are going to do. But upfront controls mitigate fraud exposure and save everyone a whole lot of heartache on the back end.”

Amid the urgency to disburse funds to Americans in need, however, some of those upfront guardrails to prevent fraud were missing, at least in the initial stages of the CARES Act. But Ware argues that setting up preventative measures upfront pays off in time and expenses saved in chasing wrongdoing once the money has been released into the economy.

“These controls have to stand up in the same way whether it is for a billion dollars or a trillion,” says Ware. “We keep finding cases of rampant fraud, which we are continuing to work to combat at the back end. From my perspective that is a little unfortunate … but, of course, we can all play Monday morning quarterback.”

In October, the SBA IG released a report critical of the lax oversight and highlighted the need for more controls in SBA’s EIDL program amid pressures to get money into the hands of people most in need as quickly as possible.

In the rush to distribute the loans, the SBA abandoned its rule of two reviewers for each application amid stringent production goals that called for loan officers to make final decisions on at least four applications per hour, or one every 15 minutes. (See Inspection of Small Business Administration’s Initial Disaster Assistance Response to the Coronavirus Pandemic, Oct. 28, 2020.)

“They met the mandate in terms of getting money out to an economy that desperately needed it,” Ware says. “But if you are going to take that route, let’s have certain parameters in place."

In the report, Ware’s team recommended the need for several controls to prevent fraud, such as more thorough checks on different loan applications using the same IP addresses, emails, bank accounts and/or business addresses; and the reviewing of loans that had bank accounts changed after approval. (See the graphic, “Raising the guardrails again,” below.)

The report underscored how fraudsters have learned that sending a “shower” of applications increases their chances of getting past existing controls, noting that 10 applications were submitted and approved for $1.136 million using the same house address.

“If somebody has a single IP address and that IP address applied for 100 loans, maybe you could ask some follow-up questions. There might be a reason that is the case, but more likely there isn’t,” Ware says.

Through its EIDL program, the SBA approved $14.3 billion to accounts that differed from the bank account on the original application and $62.7 billion in multiple loans to applicants using the same IP addresses, email addresses, bank accounts or businesses listed at the same addresses, according to the October report. All this potentially resulted in billions of dollars of loans going to ineligible businesses.

Who? Me?

Identity theft has been a big problem for EIDL, which is SBA’s direct lending and grant program, as opposed to its PPP program, which disburses loans through financial institutions such as credit unions and banks.

Fraudsters use other people’s identities to apply for multiple loans and grants, which magnifies the amount of money they can steal from the government and hinders tracking frauds back to them.

Across the country, media has reported on individuals who received letters from the SBA that explained when they should start repaying EIDL loans they’d purportedly received from the agency. The problem was none of these people had asked for the money.

A common scam involves a fraudster applying and receiving a loan to support a fake farm using the identity of a person who often lives in a town or a city. (See Fake farms and fraud tied to SBA disaster loan program in Rhode Island, by Eli Sherman and Tim White, Target 12, Dec. 21, 2020, and Nearly $1 million in fraudulent pandemic relief loans leave Johnson County victims searching for answers, by Celia Hack, Shawnee Mission Post, Feb. 11.)

“Many people who have contacted our office said they had no business with the SBA on any level, but they got a letter from the SBA about when a loan had to be repaid,” Ware says.

Fraud involving identity theft is the predominant complaint on its hotlines. The SBA’s IG is preparing an in-depth report on this topic and how to deal with it, Ware says.

Getting the right data

Indeed, obtaining the correct data from recipients of pandemic funds has been a challenge for all agencies overseeing pandemic spending. “Recipients of pandemic-related funds are supposed to report to the government on how they are using the money, but we found that the government isn’t always sure that recipients report the required data,” Miller says.

IGs, state audit and unemployment offices, as well as the PRAC, have raised concerns about the use of self-certification for loan eligibility and its contribution to fraud as well as agencies’ lack of due diligence into applicants’ true identities. (See Self-Certification Procedures May Increase Fraud Risk in Pandemic Response Programs, PRAC, Nov. 13, 2020.)

“A lack of due diligence and controls allowed $280 million in approved PPP funds to go to individuals on the Do Not Pay list and allowed $1.1 billion in EIDL to be provided to businesses with a registration date after the deadline,” Miller says.

“While there is almost a year’s worth of lessons learned that agencies can use to help administer the new funding, government entities remain challenged by the fact that many of these programs are intended to disburse funds as quickly as possible and, as a result, they are still relying on limited controls, such as self-certification."

Last fall, the PRAC commissioned a study to determine if existing data was sufficient to satisfy data transparency under the CARES Act. The report found multiple concerns about the quality and accuracy of the data available to the PRAC, including mismatching ZIP codes between data on the federal government spending site and the SBA’s PPP data, for instance. (See PRAC Releases Commission Study on Data Gaps that Impact Transparency in Federal Pandemic-Relief Spending, PRAC, Nov. 19, 2020.)

The report identified various actions that could be taken to mitigate these data gaps, including ones that can require new policy, legislation or information technology system modifications, Miller says.

The importance of data sharing

Given the sweeping nature of the massive COVID-relief packages, government agencies have recognized the increasing importance of sharing data among themselves not only to correct inaccuracies, but also to catch fraudsters who exploit vulnerabilities across multiple programs.

In one such case, an Arlington, Virginia, businessman, Robert S. Stewart, Jr., duped multiple federal agencies to fraudulently obtain multimillion-dollar government contracts, COVID-19 emergency relief loans and military service benefits. Stewart lied to the Federal Emergency Management Agency and the Department of Veterans Affairs. He falsely claimed that he’d served in the U.S. Marine Corps, which helped him win lucrative contracts to provide COVID-19 personal protective equipment. He also fraudulently obtained PPP and EIDL loans. (See CEO Pleads Guilty to Defrauding Multiple Federal Agencies, U.S. DOJ, Feb. 3, and Contractor Who Was Awarded $34.5 Million in Government Money and Provided Zero Masks Pleads Guilty to Fraud, by J. David McSwane, ProPublica, Feb. 3.)

“Fraud doesn’t stop at the PPP and EIDL. It is hitting all programs, so we are getting more laser-focused on connecting the dots and bringing folks to justice,” Ware says.

This goes back to Ware’s “whole-of-government response” to a crisis that no one agency can handle alone. He says that relationships built over the years with different entities such as the Federal Deposit Insurance Corporation, the Postal Service and the FBI are now bearing fruit.

“We are getting to the point where we can overlay data from other agencies such as the Department of Labor,” he says.

Even so, this type of cooperation and data sharing is often easier said than done.

“Data sharing is an enormous challenge across the federal government,” Miller says. “Many agencies lack access to others’ data and gaining access is riddled with legal challenges due to strict privacy laws and concerns about data loss.”

Technology transfer

Against that backdrop, government agencies are recognizing they need to improve their data analytics and use of technology, and catch up with a private sector that’s already using these tools to prevent fraud.

Miller says few government agencies use authentication technologies to help verify an applicant’s identity, and many lack the ability to carry out sophisticated data analytics on past payment histories to predict the likelihood of possible fraudulent applications.

The banking sector is successfully using artificial intelligence to sift through large data sets to recognize fraudulent indicators, while other private sector entities are using link analysis to identify relationships to uncover potential fraudsters and dark web tools to find bad actors operating underground, she says.

“Most of these technologies are not in use across the federal government today, which limits fraud prevention,” Miller says.

Ware says his office was fortunate enough to get additional funding for data analytics just before the outbreak of the pandemic, and it has put this to good use. Data analytics has allowed Ware’s office to be more targeted in its approach, he says. “We are not scrambling all over the place. There is so much data that comes in, but with data analytics we are able to say ‘Wait a minute, there are trends here. … Let’s go after these.’

“I sat in on a lot of data analytic sessions at ACFE conferences, and one of the key points that come out of them was ‘move slow,’ so we took our time and were intentional in our approach."

Ware started by hiring one data scientist to interpret the data and explain the trends to the agency’s stakeholders. The data scientist was instrumental in identifying the patterns indicating rampant fraud in the EIDL program, which was reported on in July and again in November.  Data analysis also has underpinned OIG’s oversight of the PPP, providing much more insight into the program than just public reporting of the loan data. Ware is now poised to further leverage data analytics, and he’s ready to hire a third person to the team.

The PRAC is also working with leading academic institutions with data science programs to recruit talent for the OIG community. It also plans to establish a Pandemic Analytics Center of Excellence to conduct data analysis and provide fraud-fighting tools that can be shared with the IG community.

Better prepared

The job of overseeing the largest stimulus aid package in U.S. history is likely to last years as fraudsters continue to try to find ways to game the system. “The SBA is better positioned than they were at the beginning,” says Ware. “Its fraud models are working a lot better now, and they have done a lot to address what we have asked them to.”

Thanks to budget approvals, Ware has also been able to build his team, by hiring dozens of additional auditors, investigators and attorneys — some of them CFEs — since the passage of the first stimulus packages.

“We know what the CFE designates and now more than ever before we can use people with this credential,” he says.

Miller too puts considerable value in the credential as she built her staff over the last year or so, and she sees more demand for CFEs in the future. “Much of the work in the future will center on forensic investigations. Given the volume of potential fraud cases, CFEs will likely be in high demand in the response to pandemic spending for years to come.”

Oversight agencies like the PRAC and inspector generals, as well as the CFEs working for them, will have to remain vigilant ahead of another round of pandemic relief disbursals this year at a time when speed remains a priority.

“Given that speed in providing relief is still a key metric for agencies, the focus likely will skew towards speed over fraud prevention,” Miller says.

“Post-disaster environments always result in a higher tolerance for fraud, as the understandable focus is on providing relief to people in need as quickly as possible. … [But] I am confident that scrutiny of these emergency relief funds by the inspector generals, the PRAC and the GAO will continue to be rigorous.”

Paul Kilby is editor-in-chief of Fraud Magazine. Contact him at