It’s December 2019, and Lindsey Graham, the Republican senator from South Carolina, is questioning Michael Horowitz, the inspector general (IG) of the U.S. Department of Justice (DOJ), about a 434-page report on the FBI’s investigation into Russian
interference in the 2016 presidential election. The FBI probe, which examined possible foreign links to the Trump campaign during his run for the White House, has been a lightning rod for the politically polarized country. And Graham, a former
prosecutor, is intensely making his case that the FBI inquiry was biased and unlawful. (The IG report had concluded that the FBI had made fundamental errors. See “Review of Four FISA Applications and Other Aspects of the FBI’s Crossfire Hurricane
Investigation,” DOJ IG, December 2019.)
Surrounded by cameras and dressed in a gray suit, white shirt and red tie, Horowitz has the facts at hand and takes a measured approach in his responses, carefully adding details that Graham may have missed. The senator nods in silence, and then occasionally
cracks a friendly smile. The gesture seems somewhat out of place in such a serious setting, but it’s perhaps telling of Horowitz’s high standing as an investigator. Finally, Graham says, “I would feel very comfortable with you investigating anybody
because I think you know the difference between getting somebody and finding the truth. This is what this is all about.” (See “Michael Horowitz testifies before the Senate Judiciary Committee,”
CBS News, Dec. 11, 2019.)
Horowitz and his team’s investigative conclusions may not be exactly what either Democrats or Republicans want to hear, but no matter what side of the political divide they stand, most people, like Lindsey Graham, typically deem those reports factual.
Called the “gold standard” of inspectors general, Horowitz has earned a reputation as a fair-minded straight shooter and an adept investigator who sticks to the facts of the case — all qualities of a good fraud examiner. (See “DOJ watchdog Michael
Horowitz is a career straight shooter, colleagues say,” by Sarah N. Lynch, Reuters, Dec. 9, 2019 and “An Introduction to Inspector General Michael Horowitz,” by Jeff Carlson, themarketswork,
Dec. 23, 2017.)
Image Source: [Samuel Corum]/[Getty Images News] via Getty Images.
“It does become more challenging as the atmosphere becomes more politicized but when that occurs, we have even greater responsibilities as inspectors general to do our jobs by the book, effectively and thoroughly. There is even greater demand
and respect for our work if we do it the right way.”
The amiable and avuncular Horowitz, who’s held the DOJ inspector general post since President Barack Obama appointed him in 2012, is used to the hot seat and has a knack for keeping cool under fire. Indeed the 60-year-old, who’s a native of New York
state, has found himself at the center of intense media scrutiny in recent years not only for the report on Russian interference but also for other controversial investigations, including the watchdog’s assessment of law enforcement’s probe into
Hillary Clinton’s use of private email servers.
Horowitz’s experience in fighting fraud and other types of wrongdoing spans decades from his time as a prosecutor in the Southern District of New York investigating police corruption in the 1990s to his most recent appointment as head of the Pandemic
Response Accountability Committee (PRAC). [See sidebar: “Chasing corrupt cops”.] Horowitz, who wins this year’s ACFE Cressey Award for a lifetime of achievement in the detection and deterrence
of fraud, talked to Fraud Magazine about lessons learned, mistakes made in the disbursing of pandemic-relief funding, what preventive measures the U.S. government should take to avoid a repeat performance of the resulting fraud fiasco
and how he’s kept above the political fray in America’s deeply polarized capital.
“It creates a challenge for people to understand that what we are doing as inspectors general is in fact completely nonpartisan,” says Horowitz.
“It does become more challenging as the atmosphere becomes more politicized but when that occurs, we have even greater responsibilities as inspectors general to do our jobs by the book, effectively and thoroughly. There is even greater demand and
respect for our work if we do it the right way.”
Mistakes made
If that’s not hard enough, as chair of PRAC, Horowitz now finds himself faced with the enormous task of overseeing $5 trillion in pandemic-related government relief and helping law enforcement detect and claw back the astounding amounts stolen during
its disbursement.
PRAC was created in 2020 through the Coronavirus Aid, Relief and Economic Security (CARES) Act to oversee emergency funding used to provide relief to Americans during the pandemic. “When you combine estimates [from different agencies], you are looking
far in excess of $100 billion in improper payments,” he says. “Not every improper payment is a fraud, but we are seeing those numbers just continue to grow.”
Indeed, the billions of dollars in pandemic-relief money potentially lost to fraud is shocking, stirring a national debate over what should’ve been done to avert what one former U.S. attorney has called the “biggest fraud in a generation.” (See “
‘Biggest fraud in a generation’: The looting of the Covid relief plan known as PPP,” by Ken Dilanian and Laura Strickler, NBC News, March 28, 2022.)
Horowitz and Gene Dodaro, the head of the U.S. Government Accountability Office (GAO) who’s worked closely with PRAC, have been vocal about mistakes made in the way the money was hastily disbursed with no controls and how ill-prepared the country
was to prevent fraud during this extraordinary emergency.
When you combine estimates [from different agencies], you are looking far in excess of $100 billion in improper payments,” he says. “Not every improper payment is a fraud, but we are seeing those numbers just continue to grow.
“The one thing you don’t do, which is what was done here at the outset [of the pandemic], is to say: ‘Hey folks, if you represent to us that you are truly entitled to the money, we will give you the money and won’t check if your representation is
true. We will simply accept it.’ This is an open door for fraudsters to walk right in,” says Horowitz. “There was minimal effort to determine whether the individuals who were applying were in fact the individuals they said they were.”
That the government had no choice but to rush money out the door — without any controls — is a false narrative, say critics. True, this was a national emergency, and funds needed to quickly get into the hands of Americans suffering from the sudden
economic slowdown. But some minimal checks wouldn’t have significantly slowed money distributions and would’ve greatly helped prevent fraud, says Horowitz. “We compared it to going through a metal detector at the airport,” he says. “You are not
stopped from getting on the plane. You are pulled aside for secondary screening.”
That second screening could’ve involved something as simple as checking if a paycheck protection program applicant’s date of birth and Social Security number matched their name. “It could be a fat-finger error, or they wrote it wrong. But you would
prove that this really is the person with that Social Security number and date of birth,” says Horowitz.
That may be the bare minimum and won’t necessarily deter sophisticated criminals, but most fraudsters aren’t particularly sophisticated, says Horowitz, and these types of controls provide an off-ramp for those more amateur criminals who might consider
stealing what seems like easy money. “The choices weren’t to either do nothing or do everything,” says Horowitz. “As all of us in the anti-fraud business know, there are varying degrees of controls you can put in place far short of everything,
but certainly more than nothing.”
Lack of foresight
Beyond the unfettered way agencies provided pandemic relief, faults also lie with a government that has shown little foresight, say fraud experts. A notable mistake was the U.S. Treasury’s decision in 2015 to dismantle the Recovery Operations Center
(ROC), the data analytics platform attached to the Recovery Act Accountability and Transparency Board, which was created in 2009 to prevent fraud, waste and abuse of the $800 billion federal stimulus package passed by Congress to prop up the economy
during the Great Recession. The Treasury’s logic? Taking on ROC wouldn’t have been cost-effective or have added value to its operations. (See “Fighting fraud, waste, and abuse—the 2009 Recovery Act,”
by Glenn Fine, Brookings, Feb. 11, 2022.)
“It was one of the significant failures: not recognizing the obvious need for a [fraud prevention] platform and the ability to keep it,” says Horowitz.
Among other things, ROC allowed IGs to mine data linked to contractors and grantees, quickly identify applicants with criminal records and cross-check relationships between individuals and entities that had previously committed fraud. Those capabilities
would’ve made all the difference in preventing fraud had they still existed during the outbreak of the COVID-19 medical emergency. (See “Fighting fraud, waste, and abuse—the 2009 Recovery Act.”)
But when the pandemic hit U.S. shores in 2020 and Congress subsequently passed a series of record-sized relief packages, ROC no longer existed, leaving the agencies tasked with fighting fraud in a weakened state. “When we started in 2020, we had no
database. We had to build it from scratch,” says Horowitz. “Taxpayers were worse off for it because money was spent to build and maintain ROC and then it went out of existence. Five years later when it was needed again, we had to spend millions
to rebuild it.”
The year that was spent reassembling databases on fraudsters and other vital information was a year wasted, and a lost opportunity to prevent the theft of relief funds. “I am confident that we could have prevented fraud had we had that tool,” says
Horowitz. “Everyone in this space knows it is far more effective to put controls in place before to stop fraud happening. Most studies I have seen show that you collect 10% to 20% of money stolen to fraud. Maybe we will hit a much higher number
— hopefully we will. But if you stop fraud, 100% of the money doesn’t leave.”
PRAC has made headway in building back ROC’s data analytics capabilities and improving on them. Through its Pandemic Analytics Center of Excellence (PACE) platform, PRAC now has several tools to facilitate the prevention and detection of pandemic-relief
fraud, including data matching, anomaly detection, risk modeling, social network analysis, robotic process automation, geospatial analysis, link analysis, business intelligence and open-source intelligence. [See “Pandemic Analytics Center of Excellence
(PACE) Drives Analysis of Pandemic Response Funds to Identify Risks and Fight Fraud, Waste, and Abuse,” PRAC, Aug. 24, 2021.]
Image Source: [Win McNamee]/[Getty Images News] via Getty Images.
“The one thing you don’t do, which is what was done here at the outset [of the pandemic], is to say: ‘Hey folks, if you represent to us that you are truly entitled to the money, we will give you the money and won’t check if your representation
is true. We will simply accept it.’ This is an open door for fraudsters to walk right in,” says Horowitz.
A new oversight model
Horowitz has called PRAC a new model for conducting oversight, thanks to its data analytics platform but also because it takes a more all-encompassing approach than the Recovery Board. It brings together the 20 IGs whose agencies received most of
the relief money and regularly meets with another 40 who also oversee portions of pandemic-relief money, albeit smaller amounts.
But perhaps more important is how PRAC is trying to form a cohesive and collaborative form of oversight among local, state and federal agencies that don’t necessarily share data or communicate with each other — and often lack recourses.
This is particularly true among states, which manage their own unemployment benefits programs but struggled to deal with the surge of claims as the economy came to a standstill amid lockdowns. States’ unemployment insurance (UI) programs had long
been susceptible to fraud, not least because of outdated technology that tended to result in improper payment rates of 10%. Worst of all, in the past there was little or no communication among local agencies, allowing fraudsters to file claims
in multiple states where authorities were unaware that this was happening elsewhere in the country. (See “Fraud in Federal Unemployment Insurance Programs,” statement of Michael E. Horowitz
before U.S. House of Representatives Committee on Ways & Means, Feb. 8, 2023.)
And the free and easy access to such programs during the pandemic only exacerbated those problems. While Congress amended the CARES Act in December 2020 to require documentation to prove UI eligibility, the nine months before then — when applicants
could self-certify with no documentation — proved to be a massive opportunity for fraudsters. The U.S. Department of Labor’s (DOL) IG estimated in 2022 that one in five dollars likely went to fraudsters participating in the Pandemic Unemployment
Assistance (PUA) program alone. Unsurprisingly, the DOL IG has found itself opening more and more investigations into UI fraud, 100 to 300 new ones each week over the past two years versus just 100 annually before the pandemic, according to Horowitz’s
testimony in February. (See “Fraud in Federal Unemployment Insurance
Programs.”)
To address these problems, PRAC has increased collaboration across federal, state and local levels. It’s brought on former California State Auditor Elaine Howle as a special advisor for state, local and tribal oversight, as well as two auditors from
the Tennessee comptroller’s office as part of a new state-auditor-in-residence program. “We have made tremendous progress in working with our state and local counterparts,” says Horowitz. “That is something we had not effectively done as federal
oversight officials.”
Importance of data sharing
But broader oversight for the patchwork of federal, state and local agencies is tricky, given the difficulties and legal restrictions of data sharing and access. Early in his tenure, Horowitz fought back efforts to limit IGs’ ability to retrieve information
at agencies such as the DOJ, and he played a pivotal role in Congress passing the Inspector General Empowerment Act in 2016. That piece of legislation ensured that IGs had timely access to agency records and stopped any foot-dragging from those
reluctant to relinquish data. It also exempted them from the Computer Matching and Privacy Protection Act, legislation designed to prevent the abuse of personally identifiable information. This allowed IGs to share information more easily among
themselves to identify individuals defrauding multiple government agencies. (See “Give inspectors general access to the records they need to do their jobs,” by Michael Horowitz, The Washington
Post, Opinion, Oct. 18, 2015; “IG Independence Protected by Passage of Empowerment Act,” by Nicholas Pacifico, Pogo, Jan. 23, 2017; and “Computer Matching and Privacy Protection Act of 1988,”
The IT Law Wiki.)
Despite the passage of the Inspector General Empowerment Act, IGs continued to struggle to get hold of even the most basic data during the pandemic. PRAC butted heads with the executive branch and the Small Business Administration, which tried but
failed to deny IGs access to the names of beneficiaries receiving Paycheck Protection Program loans. (See “Watchdogs, White House at odds over scrutiny of pandemic aid,” by Chris Prentice,
Reuters, June 18, 2020 and “Explore
updated SBA data on businesses that received PPP loans,” by Alyssa Fowers, Andrew Van Dam, Jonathan O’Connell and Aaron Gregg, The Washington Post, Oct. 4, 2021.)
During the pandemic, DOL’s IG also faced challenges in garnering the information it needs to conduct oversight. Thinking it had no authority to access UI data because it was administered by states, DOL IG decided to take the unprecedented step of
issuing subpoenas to 50 states and four U.S. territories to obtain this information. It wasn’t until August 2021 that it finally got its hands on UI data — but only as a temporary measure. The DOL’s IG then was only able to regain admittance to
the data as part of the American Rescue Plan Act, one of several stimulus packages issued in the wake of the pandemic, but only until the end of 2023. Permanent access to the data will likely require Congressional action, according to Horowitz’s
February testimony. (See “Fraud in Federal Unemployment Insurance Programs.”)
“We are not looking for a master Social Security download. We understand the sensitivity and issues with that. But the death master file index simply tells who died and what day they died. That is not a particularly sensitive piece of information.”
Awaiting Congressional action
Horowitz says he’s still awaiting Congressional action on allowing IGs to gain full access to the Social Security Administration’s death master file, which would help them cross-check if fraudsters were using a Social Security number of a dead person,
for example.
“We are not looking for a master Social Security download. We understand the sensitivity and issues with that,” he says. “But the death master file index simply tells who died and what day they died. That is not a particularly sensitive piece of information.”
Indeed, often all PRAC’s data analysts need to do is cross-check information with the Social Security Administration (SSA) and other organizations rather than hold sensitive information on their databases. PRAC’s data analytics team did just that
earlier this year when it garnered public information on 27 million Social Security numbers submitted in the pandemic relief program and found 2.7 million with anomalies. They sent those to the SSA and asked some very basic questions: 1) Is this
a real Social Security number? 2) Is the person dead or alive? and 3) Does the number match the real name and date of birth of the person? PRAC identified 69,000 who either used a fake Social Security number or one that didn’t match the name
or date of birth of the real person, and combined they received $5.4 billion in pandemic relief funds. PRAC also found $38 million in potentially improper or fraudulent pandemic loans linked to the Social Security numbers of dead people. (See
“Improved Sharing of Death Records and Use of the Do Not Pay System Would Strenthen Program Integrity and Better Protect the Public,” PRAC, May 11, 2023.)
Between asking the SSA for feedback on the 2.7 million numbers and the subsequent analysis, PRAC took about four weeks to reach these conclusions, says Horowitz. Artificial intelligence, which PRAC is also starting to use, may speed up the process
and permit IGs and other agencies to quickly ascertain those transactions that are potentially fraudulent. Those kinds of data analytics tools will make all the difference, not only for their speed, but for their ability to bring together national
and cross-border data in what remains a very fractured and siloed network of government agencies, each trying to deter fraud.
PACE and the fate of fraud detection
The question now is what will happen to PACE when PRAC’s statute is due to expire in September 2025? Will it meet the same fate as ROC or will Congress extend its life or even decide to keep it permanently? For Horowitz, it’s clear how lawmakers should
proceed. The return on investment just makes sense. He says the government allocated $40 million to set up PACE and cover operating costs through Sept. 30, 2025. Horowitz argues that PACE will more than pay for itself. Take the single case above
of the $5.4 billion in potentially fraudulent loans. If the government set aside 100 years of annual PACE costs, it still wouldn’t be near that amount, says Horowitz. “If Congress not only lets [PACE] continue to exist and supports funding it,
but also allows us to get more datasets, it can be an even more effective tool in the fight against fraud,” he adds.
Sticking to your knitting
On the wall behind Horowitz’s desk in the DOJ building sit two portraits that he selected when he first got the job of inspector general in 2012. One is of Harry M. Daugherty, the disgraced attorney general who turned a blind eye to corruption during
the administration of President Warren G. Harding and was accused of taking bribes from bootleggers in the 1920s. The other is of William Henry Harrison Miller, who served as attorney general in the late 1880s and was viewed as incorruptible.
“I bought the two of them to show, incorruptible and corruptible,” says Horowitz.
A lot has changed since Horowitz first started in the post. Fraud schemes, thanks in part to technology, have become more sophisticated and abundant, but data platforms like PACE have also acted as a strong countermeasure. “When I came on board, we
didn’t really have an analytics platform, and since then we have been able to build one, and it has been invaluable in rooting out fraud,” he says. “It has been a game changer.”
But like the corruptibility and incorruptibility of humans represented by the two portraits in Horowitz’s office, some things are immutable. This includes certain tried-and-true investigative techniques. And Horowitz has this advice for CFEs. “Always
stay on the yellow line in the middle of the road. You’re not there to make policy or do someone else’s job other than to follow the facts, figure out what happened and fairly investigate,” he says.
Those tools have served Horowitz well in a job that he says he continues to enjoy immensely. Inspectors general either step down or are let go by the standing president. Barring the latter situation, Horowitz has no immediate plans to leave, although
as a sports fan there’s one exception. “If I get a call tomorrow to be the commissioner of baseball, that will be my last day here,” he laughs. “But I am not waiting for that phone to ring.”
Paul Kilby is editor-in-chief of Fraud Magazine. Contact him at pkilby@ACFE.com.
* Hero Image Source: [Graeme Jennings - Pool]/[Getty Images News] via Getty Images.