Expedited Assistance for Victims of Hurricanes Katrina and Rita: 
FEMA's Control Weaknesses Exposed the Government to Significant  
Fraud and Abuse (16-JUN-06, GAO-06-655).			 
                                                                 
In the wake of Hurricanes Katrina and Rita, the Federal Emergency
Management Agency (FEMA) faced the challenge of providing	 
assistance quickly while having sufficient controls to provide	 
assurance that benefits were paid only to those eligible under	 
the Individuals and Households Program (IHP). On February 13,	 
2006, GAO testified on the initial results of its ongoing work	 
related to whether (1) controls are in place and operating	 
effectively to limit assistance to qualified applicants, (2)	 
indications exist of fraud and abuse in the application for and  
receipt of assistance payments, and (3) controls are in place and
operating effectively over debit cards to prevent duplicate	 
payments and improper usage.					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-655 					        
    ACCNO:   A55601						        
  TITLE:     Expedited Assistance for Victims of Hurricanes Katrina   
and Rita: FEMA's Control Weaknesses Exposed the Government to	 
Significant Fraud and Abuse					 
     DATE:   06/16/2006 
  SUBJECT:   Accountability					 
	     Check disbursement or control			 
	     Data mining					 
	     Disaster relief aid				 
	     Eligibility determinations 			 
	     Erroneous payments 				 
	     Fraud						 
	     Hurricane Katrina					 
	     Hurricane Rita					 
	     Hurricanes 					 
	     Identity verification				 
	     Internal controls					 
	     Natural disasters					 
	     Program abuses					 
	     Expedited Assistance Program			 
	     Individuals and Households Program 		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-655

     

     * Report to Congressional Committees
          * June 2006
     * EXPEDITED ASSISTANCE FOR VICTIMS OF HURRICANES KATRINA AND RITA
          * FEMA's Control Weaknesses Exposed the Government to Significant
            Fraud and Abuse
     * Contents
          * Overview of Testimony
          * Conclusions
          * Recommendations for Executive Action
          * Agency Comments and Our Evaluation
     * Testimony on FEMA's Control Weaknesses over Expedited Assistance for
       Victims of Hurricanes Katrina and Rita
     * Comments from the Federal Emergency Management Agency

Report to Congressional Committees

June 2006

EXPEDITED ASSISTANCE FOR VICTIMS OF HURRICANES KATRINA AND RITA

FEMA's Control Weaknesses Exposed the Government to Significant Fraud and
Abuse

Contents

June 16, 2006Letter

Congressional Committees

On February 13, 2006, we testified before the Senate Committee on Homeland
Security and Governmental Affairs on the initial results of our ongoing
forensic audits and related investigations of assistance provided by the
Federal Emergency Management Agency (FEMA) to individuals and households
affected by Hurricanes Katrina and Rita.1 The Individuals and Households
Program (IHP), a major component of the federal disaster response efforts
established under the Robert T. Stafford Disaster Relief and Emergency
Assistance Act (Stafford Act),2 is designed to provide financial
assistance to individuals and households who, as a direct result of a
major disaster, have necessary expenses and serious needs that cannot be
met through other means. In the wake of Hurricanes Katrina and Rita, FEMA
provided $2,000 in IHP payments to affected households via its Expedited
Assistance (EA) program. Victims who received EA may qualify for up to
$26,200 in IHP assistance. As of mid-December 2005, IHP payments totaled
about $5.4 billion, with $2.3 billion provided in the form of EA. These
payments were made via checks, electronic fund transfers, and a small
number of debit cards. Our initial work focused on whether (1) controls
are in place and operating effectively so that expedited assistance
payments are only made to qualified registrants, (2) indications exist of
fraud and abuse in the registration for and receipt of expedited
assistance and other payments, and (3) controls are in place and operating
effectively over debit cards to prevent duplicate payments and improper
usage. This report summarizes our testimony, which is reprinted in
Appendix I, and makes specific recommendations for corrective actions.
These recommendations relate only to the limited scope of work completed
for our testimony and will therefore not prevent all improper and
fraudulent IHP payments. In the future, we will continue to audit and
investigate the assistance provided by FEMA in the aftermath of hurricanes
Katrina and Rita, and we will issue further recommendations designed to
create a more comprehensive fraud prevention program for IHP.

Overview of Testimony

In our testimony, we stated that weaknesses in the process that FEMA used
to review registrations for disaster relief and approve assistance
payments left the government vulnerable to fraud and abuse. Our work
indicated that FEMA put in place limited procedures designed to prevent,
detect, and deter certain types of duplicate and potentially fraudulent
disaster registrations. Specifically, individuals could apply for disaster
assistance via the Internet or telephone. FEMA subjected the Internet
registrations to a limited verification process whereby a FEMA contractor
used credit and other information to validate the identity of registrants.
Those who failed the Internet verification process were advised to contact
FEMA via telephone to reregister. However, FEMA did not apply the identity
validation process to telephone registrations. Of the more than 2.5
million registrations recorded in FEMA's database as of mid-December 2005,
60 percent (more than 1.5 million) were exempt from any identity
verification because they were submitted via the telephone. Our data
mining and investigations confirmed FEMA's representation. For example,
using falsified identities, bogus addresses, and fabricated disaster
stories, we applied for disaster assistance over the telephone and
obtained $2,000 expedited assistance payments.

Other control weaknesses further increased the government's exposure to
fraud and abuse. For example, we found that FEMA instituted automated
checks that flagged hundreds of thousands of potentially duplicate
registrations in the computer system FEMA used to process and approve IHP
registrations for payments. FEMA officials informed us that these flagged
registrations were subjected to additional reviews to conclude whether
they were, in fact, duplicates. However, while the additional review
process may have prevented some potentially fraudulent and improper
payments, it did not prevent other potentially fraudulent and improper
payments based on duplicate registrations. We also found that FEMA did not
implement procedures to validate whether damaged addresses used to
register for assistance were bogus, for either Internet or telephone
registrations.

With limited or nonexistent validation of registrants' identities and
damaged addresses, it is not surprising that our data mining and
investigations found substantial indicators of potential fraud and abuse
related to false or duplicate information submitted on disaster
registrations. For example, according to Social Security Administration
(SSA) data, FEMA made millions of dollars in payments to thousands of
registrants who submitted Social Security Numbers (SSN) that have not been
issued or belonged to deceased individuals. Our data mining also detected
that FEMA made tens of thousands of payments to registrants who provided
other false or duplicate information on their registrations. Specifically,
we investigated 20 case studies with multiple registrations.3 A majority
of these registrations-165 of 248-contained SSNs that, according to the
SSA, were never issued, belonged to deceased individuals, or did not match
the name provided. In addition, about 80 of the over 200 alleged disaster
addresses that we attempted to validate were bogus addresses. Also, our
case study registrants did not live in many of the remaining valid
addresses. In one specific case example, 17 individuals, some of whom
shared the same last name and current addresses, used 34 different SSNs
that did not belong to them and addresses that were either bogus or were
not their residences to receive more than $103,000 in FEMA payments. In
addition, because the hurricanes had destroyed many homes, we could not
determine if approximately 15 of the alleged disaster addresses had ever
existed.

Similar to the control weaknesses over expedited assistance payments
distributed through checks and electronic funds transfers, we found that
FEMA did not validate the identities of debit card recipients at three
relief centers in Texas who registered via the telephone. Consequently,
FEMA issued $2,000 debit cards to over 60 registrants who provided SSNs
that were never issued or belonged to deceased individuals. We also found
that FEMA made multiple expedited assistance payments to over 5,000 of the
11,000 debit card recipients. That is, FEMA provided the registrant both a
$2,000 debit card and a $2,000 check or electronic fund transfer. Further,
at the time of debit card issuance, unlike the recipients who received
expedited assistance payments via checks or EFTs, FEMA did not issue
specific instructions to debit card recipients on the use of the cards. We
found that debit cards were used predominantly to obtain cash and thus are
unable to determine how the money was actually used. The majority of the
remaining debit card purchases were for food, clothing, and personal
necessities. However, in isolated instances, a few debit cards were used
to pay for items or services that, on their face, do not seem essential to
satisfy disaster related needs. For example, these debit cards were used
in part to

purchase adult entertainment, a .45 caliber hand gun, jewelry, bail bond
services, and to pay for prior traffic violations.4

Conclusions

FEMA has a substantial challenge in balancing the need to get money out
quickly to those who are actually in need and sustaining public confidence
in disaster programs by taking all possible steps to minimize fraud and
abuse. Nevertheless, FEMA could reasonably be expected to have mature,
fully tested processes, along with business partners in the federal,
state, and private sector, that can provide it with real time access to
the data required to validate identities and addresses for those seeking
disaster assistance. Once fraudulent registrations are made and money is
disbursed, detecting and pursuing those who committed fraud in a
comprehensive manner is costly and may not result in recoveries. Further,
many of those fraudulently registered in the FEMA system already received
expedited assistance and will likely receive more money, as each
registrant can receive as much as $26,200 per registration.

Another key element to preventing fraud in the future is to ensure there
are consequences for those that commit fraud. We are referring the fraud
cases that we are investigating to the Katrina Fraud Task Force for
further investigation and, where appropriate, prosecution. We believe that
prosecution of individuals who have obtained disaster relief payments
through fraudulent means will send a message for future disasters that
there are consequences for defrauding the government.

Recommendations for Executive Action

We recommend that the Secretary of the Department of Homeland Security
(DHS) direct the Director of the Federal Emergency Management Agency to
take six actions to address the weaknesses we identified in the
administration of IHP. These six recommendations relate only to the
limited scope of work that we have completed to date and will not prevent
all types of improper and fraudulent IHP payments. Consequently, we will
continue to audit and investigate the assistance provided by FEMA in the
aftermath of hurricanes Katrina and Rita and we will issue further
recommendations designed to create a more comprehensive fraud prevention
program for IHP. To address the concerns raised in our February 13, 2006,
testimony, we recommend that DHS and FEMA do the following:

o Establish an identity verification process for Individuals and
Households Program (IHP) registrants applying via both the Internet and
telephone, to provide reasonable assurance that disaster assistance
payments are made only to qualified individuals. Within this process

o establish detailed criteria for registration and provide clear
instructions to registrants on the identification information required,

o create a field within the registration that asks registrants to provide
their name exactly as it appears on their Social Security Card in order to
prevent name and Social Security Number (SSN) mismatches,

o fully field test the identity verification process prior to
implementation,

o ensure that call center employees give real-time feedback to registrants
on whether their identities have been validated, and

o establish a process that uses alternative means of identity verification
to expeditiously handle legitimate applicants that are rejected by
identity verification controls.

o Develop procedures to improve the existing review process of duplicate
registrations containing the exact same SSN and to identify the reasons
why registrations flagged as invalid or as potential duplicates have been
overridden and approved for payment.

o Establish an address verification process for IHP registrants applying
via both the Internet and telephone, to provide reasonable assurance that
disaster assistance payments are made only to qualified individuals.
Within this process

o create a uniform method to input street names and numbers and apartment
numbers into the registration,

o institute procedures to check IHP registration damaged addresses against
publicly available address databases so that payments are not made based
on bogus property addresses,

o fully field test the address verification process prior to
implementation,

o ensure that call center employees can give real time feedback to
registrants on whether addresses have been validated, and

o establish a process that uses alternative means of address verification
to expeditiously handle legitimate applicants that are rejected by address
verification controls.

o Explore entering into an agreement with other agencies, such as the
Social Security Administration, to periodically authenticate information
contained in IHP registrations.

o Establish procedures to collect duplicate expedited assistance payments
or to offset these amounts against future payments. Such duplicate
payments include

o the payments made to IHP recipients who improperly received the $2,000
debit cards and an additional $2,000 EA check or Electronic Funds Transfer
(EFT) and

o the thousands of duplicate EA payments made to the same IHP registration
number.

o Ensure that any future distribution of IHP debit cards includes
instructions on the proper use of IHP funds, similar to those instructions
provided to IHP check and EFT recipients, to prevent improper usage.

Agency Comments and Our Evaluation

In written comments on a draft of this report, which are reprinted in
appendix II, DHS and FEMA made a number of observations that were not
related to any specific recommendation, concurred fully with four of our
six recommendations, and partially concurred with the remaining two
recommendations. In general comments, FEMA and DHS stated that they could
benefit more from the report if information sharing between GAO and FEMA
had been reciprocal. We believe that we employed such an arrangement
throughout this engagement. We regularly briefed DHS and FEMA concerning
the progress of the audit. For example, we notified FEMA management
immediately after we detected that duplicate EA payments were made to
individuals who had received debit cards, and worked closely with FEMA's
Disaster Finance Center to resolve other issues related to payments that
appeared to exceed the $26,200 limit for specific recipients.

DHS and FEMA also expressed concern over the objectivity and fairness of
our report. Specifically, DHS and FEMA noted that our selection of 248
registrations was not a representative sample and was geared specifically
toward identifying and reporting on registrations that had problems. Our
testimony clearly states that the case studies we used were intended to
demonstrate the type of fraud and abuse that occurred because of weak or
nonexistent controls over the registration process and did not represent a
statistical sample of registrations. The primary findings of our work
relate to weak or nonexistent controls that leave the government
vulnerable to substantial fraud and abuse in the IHP. Furthermore, as
represented at the February 13, 2006, hearing, we are continuing our work
in this area. Specifically, we have taken a statistical sample of IHP
payments so that we can statistically estimate the magnitude of improper
and potentially fraudulent claims. We have nearly completed this work and
plan to report our findings later this month.

FEMA and DHS also found problems with our assertion that EA payments were
the gateway to future IHP payments. Specifically, FEMA and DHS noted that
future IHP payments are subjected to additional scrutiny. We did not test
this additional scrutiny as part of our February 13, 2006, testimony.
However, we continue to believe that accepting registrations for
individuals using invalid identity and damaged property information
subjects the federal government to a high risk of fraud and abuse beyond
EA payments. We believe that our ongoing audit and investigative work
sheds further light on whether the additional scrutiny that FEMA asserts
does in fact prevent fraudulent and improper payments related to rental
assistance and other covered losses.

FEMA and DHS further noted that we made several references to isolated
incidents where debit cards were used for purchases that did not appear to
be for disaster needs, and FEMA questioned whether highlighting those
examples was appropriate. We specifically noted in each reference to these
purchases that they were isolated and were not representative of the
general breakdown of known debit card usage. We also clearly stated that
over 60 percent of debit card transactions were used to obtain cash and
could not be tracked further to identify the final use of the IHP funds.
We identified the non-disaster-related purchases to highlight the fact
that FEMA did not provide any instruction to debit card recipients on the
appropriate use of IHP funds.

With regard to specific recommendations, FEMA and DHS concurred fully that
FEMA (1) improve procedures to review registrations containing the same
SSNs and other duplicate information; (2) subject all registration
addresses to verification during the registration process; (3) explore
entering into agreements with other agencies, such as the Social Security
Administration, to periodically authenticate IHP information; and (4)
issue proper instructions to any future debit card recipients. FEMA and
DHS stated that they have already taken actions to address these
recommendations. These actions include instituting an Internet application
process that will prevent all duplicate registrations from the Internet,
implementing procedures so that call centers will no longer accept
duplicate registrations with the same SSN in the same disaster, and
conducting conference calls and conducting data sharing tests with SSA. In
addition, DHS and FEMA stated that, starting in June 2006, all
registration addresses (even phone-in) will be subjected to an online
verification during the registration process. While these are steps in the
right direction,  we will follow up on whether the actions taken fully
address our recommendations.

FEMA and DHS partially concurred with our recommendation concerning
duplicate payments. FEMA and DHS took exception with our categorization of
some payments as being potential duplicates, and with our assessment that
they should initiate actions to collect duplicate EA payments or offset
these amounts in the future, stating that it was unclear whether some of
the of the payments were in fact valid due to the "separated households"
policy instituted for hurricanes Katrina and Rita. With respect to
duplicate registrations, we maintain that these registrations are very
likely duplicates because the payments were made to several individuals
with the same last names, same damaged addresses, and the same current
addresses; FEMA's own database clearly indicates that these were not
separated households. For all our case study examples, we conducted
further investigative work to confirm that the payments were made to
actual duplicates, not covered by the separated household policy, and were
therefore improper payments.

As for initiating actions to collect duplicate payments, DHS and FEMA
stated that they had processed for recoupment nearly all the payments they
believed were duplicates as of April 1, 2006. While we have not assessed
the effectiveness of FEMA's recoupment process, we continue to believe
that FEMA should attempt to recoup as many dollars of improper payments as
possible, including those duplicate payments that we identified that FEMA
questioned.

FEMA also stated that many of what we identified as duplicate payments
effectively will be offset because the registrant will ultimately be
eligible for more than the amount of the duplicate payments, up to a
maximum of $26,200 that a single household can receive. We believe that
FEMA's position is shortsighted because it does not reflect the likelihood
that some individuals are not entitled to, and will not receive,
additional funds regardless of the cap limitations. Thus, FEMA should not
use $26,200 as the aggregate dollar test. Rather, FEMA should follow its
own policy of limiting EA to $2,000; adhere to the statutory caps that are
allowed for specific categories of aid; and promptly recover the amounts
that exceed the category limits. Therefore, we continue to believe that
FEMA should review all the registrations we identified as potential
duplicates to access whether collection is necessary.

We also disagree with FEMA's statement that its "management was keenly
aware" that a recipient could receive more than one EA payment, and that
it knowingly issued these duplicate payments partly because individuals in
shelters did not have access to their banking institution (and thus their
EA payments) and therefore were in need of immediate assistance in the
form of debit cards. While we recognize that providing individuals access
to immediate funds was a priority following the hurricanes, FEMA's data
and its representations made to us months ago do not support its claim
that it knowingly made those payments. For example, when we questioned the
official responsible for managing FEMA's national disaster assistance
processing center about the more than duplicate 5,000 EA payments to
individuals who had already received debit cards, he told us that he was
unaware of the magnitude of the duplicate payments. After researching the
issue, he informed us that the duplicate payments in question were made as
a result of a "system glitch" and not as a result of a deliberate action
on the part of FEMA management. In addition, the more than 5,000 duplicate
payments in question were all made within the span of several hours
roughly a week after FEMA completed issuing all the debit cards. An
analysis of the more than 5,000 duplicate payments indicates that there
was no apparent reason why only about half of the roughly 10,000 debit
card recipients received the duplicate payments. Using FEMA's rationale,
all 10,000 registrants who received a debit card should have received a
duplicate EA payment.

FEMA and DHS partially concurred with our recommendation to establish
identity verification processes for IHP registrants applying via the phone
and Internet. FEMA and DHS stated that they had implemented identity
proofing on call center applications. As noted in our report, FEMA
instituted identity proofing for Internet registrants at the time of the
two hurricanes, and FEMA and DHS response to our report indicates that
FEMA instituted identity proofing for call center registrants. In future
work, we will follow up on whether these actions fully address our
recommendations. FEMA and DHS additionally commented that they did not see
the necessity of requiring registrants to also provide their name exactly
as it appears on their Social Security Card, noting that their data
contractor is able to use logic to find aliases and nicknames. While we do
not object to FEMA collecting the nicknames or aliases of registrants
applying for disaster assistance, we continue to believe that registrants
should be instructed to provide their name as it appears on their Social
Security Card to prevent name and social security mismatches. Instructing
registrants to provide the name that appears on their Social Security Card
can only help-not hinder-the registrant verification process.

FEMA and DHS's responses indicate that they are attempting to address some
of the systemic problems we identified in the IHP program. Going forward
it will be important for FEMA to establish effective controls to prevent
fraudulent and improper payments before they occur, because fraud
prevention is a far more effective control than detecting improper and
potentially fraudulent payments after they are made. Our experience with
organizations that rely on a process that attempts to detect improper and
potentially fraudulent payments after they are made is that the
organization recovers only a fraction of the payments that should not have
been made.

We are sending copies of this report to the Secretary of the Department of
Homeland Security, and the Director of Federal Emergency Management
Agency. We will make copies available to others upon request. In addition,
the report will be available at no charge on the GAO Web site at
http://www.gao.gov . Please contact me at (202) 512-7455 or [email protected] 
if you or your staffs have any questions concerning this report. Contact
points for our Offices of Congressional Relations and Public Affairs may
be found on the last page of this report.

Gregory D. Kutz Managing Director Forensic Audits and Special
Investigations

List of Committees

The Honorable Susan M. Collins Chairman The Honorable Joseph I. Lieberman
Ranking Minority Member Committee on Homeland Security and Governmental
Affairs United States Senate

The Honorable Tom Davis Chairman The Honorable Henry A. Waxman Ranking
Minority Member Committee on Government Reform House of Representatives

The Honorable Harold Rogers Chairman The Honorable Martin Olav Sabo
Ranking Minority Member Subcommittee on Homeland Security Committee on
Appropriations House of Representatives

The Honorable Michael McCaul Chairman The Honorable Bob Etheridge Ranking
Minority Member Subcommittee on Investigations Committee on Homeland
Security House of Representatives

Appendix I  Testimony on FEMA's Control Weaknesses over Expedited Assistance for
Victims of Hurricanes Katrina and Rita 

Appendix II  Comments from the Federal Emergency Management Agency

(192209)

www.gao.gov/cgi-bin/getrpt? GAO-06-655 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Gregory D. Kutz at 202-512-7455 or
[email protected].

Highlights of GAO-06-655 , a report to congressional committees

June 2006

EXPEDITED ASSITANCE FOR VICTIMS OF HURRICANES KATRINA AND RITA

FEMA's Control Weaknesses Exposed the Government to Significant Fraud and
Abuse

In the wake of Hurricanes Katrina and Rita, the Federal Emergency
Management Agency (FEMA) faced the challenge of providing assistance
quickly while having sufficient controls to provide assurance that
benefits were paid only to those eligible under the Individuals and
Households Program (IHP). On February 13, 2006, GAO testified on the
initial results of its ongoing work related to whether (1) controls are in
place and operating effectively to limit assistance to qualified
applicants, (2) indications exist of fraud and abuse in the application
for and receipt of assistance payments, and (3) controls are in place and
operating effectively over debit cards to prevent duplicate payments and
improper usage.

What GAO Recommends

GAO recommends that the Department of Homeland Security direct FEMA to
take six actions, including establishing both an identity and address
verification process, entering into agreements with other agencies to
authenticate information on IHP registrations, establishing procedures to
collect duplicate payments, and providing assurance that future
distribution of debit cards includes instructions on the proper use of IHP
funds. DHS and FEMA concurred fully with four of the six recommendations,
and partially concurred with the remaining two. In addition, FEMA reported
that it has instituted corrective actions to remedy the weaknesses we
identified.

GAO identified significant flaws in the process for registering disaster
victims that leave the federal government vulnerable to fraud and abuse of
expedited assistance (EA) payments. For Internet applications, limited
automated controls were in place to verify a registrant's identity.
However, there was no independent verification of the identity of those
who applied for disaster assistance via the telephone. GAO demonstrated
the vulnerability inherent in the call-in applications by using falsified
identities, bogus addresses, and fabricated disaster stories to register
for IHP. Below is a copy of one of the $2,000 checks that GAO received in
response to its bogus telephone applications.

FEMA's automated system frequently identified potentially fraudulent
registrations, such as multiple registrations with identical social
security numbers (SSN) but different addresses. However, the manual
process used to review these flagged applications did not prevent EA and
other payments from being issued. Other control weaknesses include the
lack of any validation of damaged property addresses for both Internet and
telephone registrations.

Given these weak or nonexistent controls, it is not surprising that GAO's
data mining and investigations showed substantial potential for fraud and
abuse of EA. Thousands of registrants misused IHP by applying for
assistance using SSNs that were never issued or belonged to deceased or
other individuals. GAO's case study investigations of several hundred
registrations also indicate the use of bogus damaged property addresses.
Visits to over 200 of these damaged properties in Texas and Louisiana
showed that at least 80 of these addresses were bogus-including vacant
lots and nonexistent apartments. FEMA also made duplicate EA payments to
about 5,000 of the nearly 11,000 debit card recipients-once through the
distribution of debit cards and again by check or electronic funds
transfer. In addition, while debit cards were used predominantly to obtain
cash, food, clothing, and personal necessities, a small number were used
for adult entertainment, bail bond services, and weapons purchase, which
do not appear to be items or services required to satisfy disaster-related
needs.
*** End of document. ***