This is the accessible text file for GAO report number GAO-06-403T entitled 'Expedited Assistance for Victims of Hurricanes Katrina and Rita: FEMA's Control Weaknesses Exposed the Government to Significant Fraud and Abuse' which was released on February 13, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Senate Committee on Homeland Security and Governmental Affairs: United States Government Accountability Office: GAO: For Release on Delivery Expected at 10 a.m. EST: Monday, February 13, 2006: Expedited Assistance for Victims of Hurricanes Katrina and Rita: FEMA's Control Weaknesses Exposed the Government to Significant Fraud and Abuse: Statement of Gregory D. Kutz, Managing Director, Forensic Audits and Special Investigations: GAO-06-403T: GAO Highlights: Highlights of GAO-06-403T, a testimony before the Senate Committee on Homeland Security and Governmental Affairs: Why GAO Did This Study: As a result of widespread congressional and public interest in the federal response to hurricanes Katrina and Rita, GAO conducted an audit of the Individuals and Households Program (IHP) under Comptroller General of the United States statutory authority. Hurricanes Katrina and Rita destroyed homes and displaced millions of individuals. In the wake of these natural disasters, FEMA faced the challenge of providing assistance quickly and with minimal “red tape,” while having sufficient controls to provide assurance that benefits were paid only to eligible individuals and households. In response to this challenge, FEMA provided $2,000 in IHP payments to affected households via its Expedited Assistance (EA) program. Victims who received EA may qualify for up to $26,200 in IHP assistance. As of mid- December 2005, IHP payments totaled about $5.4 billion, with $2.3 billion provided in the form of EA. These payments were made via checks, electronic fund transfers, and a small number of debit cards. GAO’s testimony will provide the results to date related to whether (1) controls are in place and operating effectively to limit EA to qualified applicants, (2) indications exist of fraud and abuse in the application for and receipt of EA and other payments, and (3) controls are in place and operating effectively over debit cards to prevent duplicate EA payments and improper usage. What GAO Found: We identified significant flaws in the process for registering disaster victims that leave the federal government vulnerable to fraud and abuse of EA payments. For Internet applications, limited automated controls were in place to verify a registrant’s identity. However, we found no independent verification of the identity of registrants who registered for disaster assistance over the telephone. To demonstrate the vulnerability inherent in the call-in applications, we used falsified identities, bogus addresses, and fabricated disaster stories to register for IHP. Below is a copy of one of the $2,000 checks that we received to date for our bogus telephone applications. [See PDF for image] [End of figure] We also found that FEMA’s automated system frequently identified potentially fraudulent registrations, such as multiple registrations with identical social security numbers (SSN) but different addresses. However, the manual process used to review these registrations did not prevent EA and other payments from being issued. Other control weaknesses include the lack of any validation of damaged property addresses for both Internet and telephone registrations. Given the weak or non existent controls, it is not surprising that our data mining and investigations to date show the potential for substantial fraud and abuse of EA. Thousands of registrants misused SSNs, i.e., used SSNs that were never issued or belonged to deceased or other individuals. Our case study investigations of several hundred registrations also indicate significant misuse of SSNs and the use of bogus damaged property addresses. For example, our visits to over 200 of the case study damaged properties in Texas and Louisiana showed that at least 80 of these properties were bogus—including vacant lots and nonexistent apartments. We found that FEMA also made duplicate EA payments to about 5,000 of the nearly 11,000 debit card recipients—once through the distribution of debit cards and again by check or electronic funds transfer. We found that while debit cards were used predominantly to obtain cash, food, clothing, and personal necessities, a small number were used for adult entertainment, bail bond services and weapons purchase, which do not appear to be items or services that are essential to satisfy disaster related essential needs. www.gao.gov/cgi-bin/getrpt?GAO-06-403T. To view the full product, including the scope and methodology, click on the link above. For more information, contact Gregory Kutz at (202) 512- 7455 or kutzg@gao.gov. [End of section] Chairman and Members of the Committee: Thank you for the opportunity to discuss our ongoing forensic audit and related investigations of assistance provided to individuals and households related to hurricanes Katrina and Rita. The Individuals and Households Program (IHP), a major component of the federal disaster response efforts established under the Robert T. Stafford Disaster Relief and Emergency Assistance Act (Stafford Act),[Footnote 1] is designed to provide financial assistance to individuals and households who, as a direct result of a major disaster, have necessary expenses and serious needs that cannot be met through other means. As of mid- December 2005, the Federal Emergency Management Agency (FEMA) had distributed nearly $5.4 billion in IHP assistance on more than 1.4 million registrations. Hurricanes Katrina and Rita destroyed homes and displaced individuals across the gulf coast region. In the wake of these massive natural disasters, FEMA faced the formidable challenge of providing at least some initial assistance to over a million registrants quickly with minimal "red tape," while having sufficient controls in place to provide assurance that benefits were paid only to eligible individuals and households. Disaster relief covered by IHP includes temporary housing assistance, real and personal property repair and replacement, and other necessary expenses related to a disaster. IHP assistance is generally delivered after an inspection has been conducted to verify the extent of loss and determine eligibility. Because of the tremendous devastation caused by hurricanes Katrina and Rita, FEMA activated expedited assistance to provide fast track money[Footnote 2]--in the form of $2,000 in expedited assistance payments--to eligible disaster victims to help with immediate, emergency needs of food, shelter, clothing, and personal necessities. This swift response was vital in helping victims of hurricanes Katrina and Rita. FEMA specified that expedited assistance payments were to be provided only to individuals and households who, as a result of hurricanes Katrina and Rita, were displaced from their predisaster primary residences and were in need of shelter. Typically a household[Footnote 3] can only receive one expedited assistance payment. Exceptions are made in situations where household members are displaced to separate locations, in which case more than one member of the household may be eligible for payments. FEMA provided expedited assistance payments related to hurricanes Katrina and Rita predominantly through electronic funds transfer (EFT) and checks sent to the registrants' current addresses.[Footnote 4] In addition, FEMA provided a limited amount of expedited assistance via debit cards[Footnote 5] distributed at three locations in Texas. As of mid-December 2005, FEMA data showed that the agency had delivered 44 percent ($2.3 billion) of the $5.4 billion in IHP aid through expedited assistance to hurricanes Katrina and Rita registrants across at least 175 counties in 4 different states. Almost $1.6 billion went to individuals with damaged addresses in Louisiana, more than $400 million to individuals in Texas, and over $300 million to individuals in Alabama and Mississippi. Registrants determined to be eligible for expedited assistance may also be eligible to receive additional IHP payments up to the overall IHP cap of $26,200. Our current audit and investigation is being performed under the statutory authority given to the Comptroller General of the United States. Our audit and investigation is conducted under the premise that while the federal government needs to provide swift and compassionate assistance to the victims of natural disasters, public confidence in an effective disaster relief program that takes all possible steps to minimize fraud, waste, and abuse needs to be preserved. Today, we will summarize the results from our ongoing forensic audit and related investigations of the IHP program.[Footnote 6] This testimony will provide the results of our work related to whether (1) controls are in place and operating effectively to limit expedited assistance to qualified registrants, (2) indications exist of fraud and abuse in the registration for and receipt of expedited assistance and other payments, and (3) controls are in place and operating effectively over debit cards to prevent duplicate payments and improper usage. We plan to issue a detailed report with recommendations on the results of our audit. Thus far, our work has focused primarily on the IHP registration process because individuals whose registrations are approved have access to expedited assistance payments and subsequently the full range of IHP benefits. To assess the design of controls, we performed walkthroughs of FEMA's processes for accepting registrations and awarding expedited assistance funds. To determine whether indications existed of fraud and abuse in expedited assistance and other disbursements, we provided FEMA data to the Social Security Administration (SSA) to verify against their records of valid social security numbers (SSNs), and reviewed the FEMA database of IHP registrations for other anomalies using data mining techniques. To determine whether registrations resulted in potentially fraudulent or improper payments, we selected a nonrepresentative selection of 248 registrations from our data mining results for further investigations. The 248 registrations represented 20 case studies--some involving multiple registrants--that we linked together through identical names, SSNs, damaged addresses and/or current addresses. Our analysis of potentially fraudulent use of SSNs and other data mining efforts are ongoing, and we plan to report on additional results in the future. For purposes of this testimony, we did not conduct sufficient work to project the magnitude of potentially fraudulent and improper IHP payments. We also proactively tested the adequacy of controls over the registration process for disaster assistance by submitting claims for relief using falsified identities, bogus addresses, and fabricated disaster stories. These tests were performed before FEMA provided us any information related to the processes used to screen IHP registrations and preclude some fraudulent registrations. Additional details on our scope and methodologies are included in appendix I. In the course of our work, we made numerous written requests for key documents and sets of data related to the IHP, most dating back to October 2005. While FEMA officials promptly satisfied one key part of our request--databases of IHP registrants and payments--the majority of what we requested has not been provided. On January 18, 2006, the Department of Homeland Security (DHS)[Footnote 7] Office of General Counsel did provide us with well less than half of the documents that were requested. While the database and other data provided by FEMA enabled us to design procedures to test the effectiveness of FEMA's system of internal controls, it did not enable us to fully determine the root causes of weak or non-existent controls and formulate detailed recommendations. For example, as will be discussed later, FEMA and the DHS had not provided us documentation to enable us to conclusively determine the reason that FEMA submitted some registrations, and did not submit other registrations, to identity validation prior to issuing expedited assistance payments. We conducted our audit and investigations from October 2005 through January 2006. Except for restrictions discussed previously related to the limitations that DHS placed on the scope on our audit work, we conducted our audit work in accordance with generally accepted government auditing standards and conducted investigative work in accordance with the standards prescribed by the President's Council on Integrity and Efficiency. Our findings today focus primarily on the results to date from of our data mining and investigative techniques. Summary: We found weaknesses in the process that FEMA used to review registrations for disaster relief and approve assistance payments. These weaknesses leave the government vulnerable to fraud and abuse. Our work indicates that FEMA put in place limited procedures designed to prevent, detect, and deter certain types of duplicate and potentially fraudulent disaster registrations. However, FEMA did not apply these limited procedures to most registrations, thus leaving a substantial number of registrations without any protection against fraud and abuse. Specifically, individuals could apply for disaster assistance via the Internet or telephone. FEMA subjected Internet registrations to a limited verification process whereby a FEMA contractor used credit and other information to validate the identity of registrants. Those who failed the Internet verification process were advised to contact FEMA via telephone to reregister. However, FEMA did not apply the identity validation process to any of the 1.5 million registrants who contacted FEMA and applied for assistance over the telephone. Our data mining and investigations confirmed FEMA's representation. For example, using falsified identities, bogus addresses, and fabricated disaster stories, we applied for disaster assistance over the telephone and obtained $2,000 expedited assistance payments. Other control weaknesses further increased the government's exposure to fraud and abuse. We found that FEMA instituted automated checks that flagged hundreds of thousands of potentially duplicate registrations in the computer system FEMA used to process and approve IHP registrations for payments. FEMA officials informed us that these flagged registrations were subjected to additional reviews to conclude whether they were, in fact, duplicates. However, while the additional review process may have prevented many potentially fraudulent and improper payments, it did not prevent what appear to be other potentially fraudulent and improper payments based on duplicate registrations. We also found that FEMA did not implement procedures to validate whether damaged addresses used to register for assistance were bogus, for either Internet or telephone registrations. With limited or nonexistent validation of registrants' identities and damaged addresses, it is not surprising that our data mining and investigations found substantial indicators of potential fraud and abuse related to false or duplicate information submitted on disaster registrations. For example, according to SSA data, FEMA made millions of dollars in payments to thousands of registrants who submitted SSNs that have not been issued or belonged to deceased individuals. Our data mining also detected that FEMA made tens of thousands of payments to registrants who provided other false or duplicate information on their registrations. Specifically, in the 20 case studies we investigated, a majority--165 of 248--of registrations contained SSNs that according to the SSA were never issued, belonged to deceased individuals, or did not match the name provided. In addition, about 80 of the over 200 alleged disaster addresses that we attempted to validate were bogus addresses. Also, our case study registrants did not live in many of the remaining valid addresses. In one specific case example, 17 individuals, some of whom shared the same last name and current addresses, used 34 different SSNs that did not belong to them and addresses that were bogus or not their residences to receive more than $103,000 in FEMA payments. In addition, because the hurricanes had destroyed many homes, we could not determine if approximately 15 of the alleged disaster addresses had ever existed. Similar to the control weaknesses over expedited assistance payments distributed through checks and electronic funds transfers, we found that FEMA did not validate the identities of debit card recipients at three relief centers in Texas who registered via the telephone. Consequently, FEMA issued $2,000 debit cards to over 60 registrants who provided SSNs that were never issued or belonged to deceased individuals. We also found that FEMA made multiple expedited assistance payments to over 5,000 of the 11,000 debit card recipients. That is, FEMA provided the registrant both a $2,000 debit card and a $2,000 check or electronic fund transfer. Further, at the time of debit card issuance, unlike the recipients who received expedited assistance payments via checks or EFTs, FEMA did not issue specific instructions to debit card recipients on the use of the cards. We found that debit cards were used predominantly to obtain cash and thus are unable to determine how the money was actually used. The majority of the remaining debit card purchases were for food, clothing, and personal necessities. However, in isolated instances, a few debit cards were used for to pay for items or services that, on their face, do not seem essential to satisfy disaster related needs. For example, these debit cards were used in part to purchase adult entertainment, a .45 caliber hand gun, jewelry, bail bond services, and to pay for prior traffic violations.[Footnote 8] FEMA's Controls to Prevent Potentially Fraudulent Payments Were Not Effective: We found weak or nonexistent controls in the process that FEMA used to review disaster registrations and approve assistance payments that leave the federal government vulnerable to fraud and abuse. In the critical aftermath of hurricanes Katrina and Rita, FEMA moved swiftly to distribute expedited assistance payments to allow disaster victims to mitigate and overcome the effects of the disasters. In this context, the establishment of an effective control environment was a significant challenge. Specifically, we found that FEMA had implemented some controls prior to the disaster to provide automated validation of the identity of registrants who applied for assistance via the Internet. Our work thus far indicates that this resulted in FEMA rejecting some registrants who provided names and SSNs that did not pass the validation test. However, FEMA did not implement the same preventive controls for those who applied via the telephone. Our use of fictitious names, bogus addresses, and fabricated disaster stories to obtain expedited assistance payments from FEMA demonstrated the ease with which expedited assistance could be obtained by providing false information over the telephone. Because expedited assistance is a gateway to further IHP payments (up to $26,200 per registration), approval for expedited assistance payments potentially exposes FEMA, and the federal government, to more fraud and abuse related to temporary housing, home repair and replacement, and other needs assistance. Pressure to Swiftly Deliver Aid Led to Approval of Expedited Assistance Payments with Minimal Verification: During the course of our audit and investigation, FEMA officials stated that they did not verify whether registrants had insurance and whether registrants were unable to live in their home prior to approving expedited assistance payments. According to FEMA officials, the unprecedented scale of the two disasters and the need to move quickly to mitigate their impact led FEMA to implement expedited assistance. Expedited assistance differs from the traditional way of delivering disaster assistance in that it calls for FEMA to provide assistance without requiring proof of losses and verifying the extent of such losses. Consequently, FEMA implemented limited controls to verify eligibility for the initial expedited assistance payments. According to FEMA officials, these controls were restricted to determining whether the damaged residence was in the disaster area and limited validation of the identity of registrants who used the Internet. Registrants who FEMA thought met these qualifications based on their limited assessments were deemed eligible for expedited assistance. FEMA Did Not Validate Identity of Registrants Who Applied for Assistance via Telephone: FEMA implemented different procedures when processing disaster registrations submitted via the Internet and telephone calls. Of the more than 2.5 million registrations recorded in FEMA's database, i.e., registrations that were successfully recorded--60 percent (more than 1.5 million) were exempt from any identity verification because they were submitted via the telephone. Prior to sending out expedited assistance payments, FEMA did not have procedures in place for Internet or telephone registrations that screened out registrations where the alleged damaged address was a bogus address. The lack of identity verification for telephone registrations and any address validation exposed the government to fraud and abuse of the IHP program. For registrations taken through FEMA's Web site, registrants were required to first provide a name, SSN, and date of birth. This information was immediately provided (in electronic format) to a FEMA contractor to compare against existing publicly available records. While registrants were waiting on the Internet, the FEMA contractor took steps to verify registrants' identities. The verification steps involved confirming that the SSN matched with a SSN in public records, that the name and SSN combination matched with an identity registered in public records, and that the SSN was not associated with a deceased individual. The FEMA contractor was responsible for blocking any registrations for which any of these three conditions was not met. Additionally, registrants who passed the first gate had to provide answers to a number of questions aimed at further corroborating the registrants' identities. Registrants who were rejected via the Internet were advised to contact FEMA via telephone. Our audit and investigative work indicated that this verification process helped deter obviously fraudulent Internet registrations using false names and SSNs. However, FEMA kept no record of the names, SSNs, and other information related to the rejected registrations, and no record of the reasons that the FEMA contractor blocked the registration from going forward. FEMA acknowledged that it was conceivable that individuals who were rejected because of false information submitted via the Internet could get expedited assistance payments by providing the same false information over the telephone. Although the identity verification process appeared to have worked for most Internet registrations, it did not identify a small number of registrations with invalid SSNs. According to information we received from the SSA, nearly 60 Internet registrants who received FEMA payments provided SSNs that were never issued or belonged to individuals who were deceased prior to the hurricanes. Results indicate that these individuals may have passed the verification process because public records used to verify registrants' identities were flawed. For example, one credit history we obtained indicated that a registrant had established a credit history using an invalid SSN. Unlike the Internet process, FEMA did not verify the identity of telephone registrants who accounted for over 60 percent of disaster registrations recorded in FEMA's system. For registrants who registered only via telephone, or registrants who called FEMA subsequent to being denied on the Internet, FEMA did not have controls in place to verify that the SSN had been issued, that the SSN matched with the name, that the SSN did not belong to a deceased individual, or whether the registrants had been rejected on prior Internet registrations. Because the identity of telephone registrants was not subjected to basic verification, FEMA did not have any independent assurance that registrants did not falsify information to obtain disaster assistance. According to FEMA officials, FEMA had a request in place to modify its computer system to allow for identity verification for telephone registrations similar to those used for the Internet. FEMA also represented to us that due to budget constraints and other considerations, the change was not implemented in time to respond to hurricanes Katrina and Rita. However, to date we have not received documentation to validate these representations. Control Weaknesses Enabled GAO to Obtain $2,000 Expedited Assistance Checks: The lack of identity verification of phone registrants prior to disbursing funds makes FEMA vulnerable to authorizing expedited assistance payments based on fraudulent information submitted by registrants. Prior to obtaining information on the control procedures FEMA used to authorize expedited assistance payments, we tested the controls by attempting to register for disaster relief through two portals: (1) the Internet via FEMA's Web site and (2) telephone calls to FEMA. For both portals, we tested FEMA's controls by providing falsified identities and bogus addresses. In all instances, FEMA's Web site did not allow us to successfully finalize our registrations. Instead, the Web site indicated that there were problems with our registrations and advised us to contact the FEMA toll-free numbers if we thought that we were eligible for assistance. This is consistent with FEMA's representation that Internet registrations were compared against third-party information to verify identities. Our investigative work also confirmed that the lack of similar controls over telephone registrations exposed FEMA to fraud and abuse. Specifically, in instances where we submitted via the telephone the same exact information that had been rejected on the Internet, i.e., falsified identities and bogus addresses, the information was accepted as valid. Subsequently, the claims were processed and $2,000 expedited assistance checks were issued. Figure 1 provides an example of an expedited assistance check provided to GAO. Figure 1: $2,000 Expedited Assistance Check Provided to GAO Based on Bogus Registration: [See PDF for image] [End of figure] Additional case study investigations, which we discuss later, further demonstrated that individuals not affected by the disasters could easily provide false information to obtain expedited assistance and other IHP payments from FEMA. Convictions obtained by the Department of Justice also show that others have exploited these control weaknesses and received expedited assistance payments. For example, one individual in a College Station, Texas relief center pleaded guilty to false claims and mail fraud charges related to IHP and expedited assistance. Despite never having lived in any of the areas affected by the hurricane, this individual registered for and received $4,358 ($2,000 in expedited assistance and $2,358 in rental assistance) in hurricane Katrina IHP payments. Other Control Weaknesses Exacerbated Government Exposure to Fraud and Abuse: We also found that FEMA instituted limited pre-payment checks in the National Emergency Management Information System (NEMIS) to automate the identification of duplicate registrations. However, the subsequent review process used to resolve these duplicate registrations was not effective in preventing duplicate and potentially fraudulent payments. We also found that FEMA did not implement procedures to provide assurance that the disaster address was not a bogus address, either for Internet or telephone registrations. FEMA's controls failed to prevent thousands of registrations with duplicate information from being processed and paid. Our work indicates that FEMA instituted limited automated checks within NEMIS to identify registrations containing duplicate information, e.g., multiple registrations with the same SSNs, duplicate damaged address telephone numbers, and duplicate bank routing numbers. Data FEMA provided enabled us to confirm that NEMIS identified nearly 900,000 registrations--out of 2.5 million total registrations--as potential duplicates. FEMA officials further represented to us that the registrations identified as duplicates by the system were "frozen" from further payments until additional reviews could be conducted. The purpose of the additional reviews was to determine whether the registrations were true duplicates, and therefore payments should continue to be denied, or whether indications existed that the registrations were not true duplicates, and therefore FEMA should make those payments. It appeared from FEMA data that the automated checks and the subsequent review process prevented hundreds of thousands of payments from being made on duplicate registrations. However, FEMA data and our case study investigations also indicate that the additional review process was not entirely effective because it allowed payments based on duplicate information. We also found that FEMA did not implement effective controls for telephone and Internet registrations to verify that the address claimed by registrants as their damaged address existed. As will be discussed further below, many of our case studies of potential fraud show that payments were received based on claims made listing bogus damaged addresses. Our undercover work also corroborated that FEMA provided expedited assistance to registrants with bogus addresses. Potentially Fraudulent Activities Resulting from Weak or Nonexistent FEMA IHP Controls: With limited or nonexistent validation of registrants' identities and the reported damaged addresses, it is not surprising that our data mining and investigations found substantial indicators of potential fraud and abuse related to false or duplicate information submitted on disaster registrations. Our audits and investigations of 20 cases studies comprising 248 registrations that received payments, and the undercover work we discussed earlier, clearly showed that individuals can obtain hundreds of thousands of dollars of IHP payments based on fraudulent and duplicate information.[Footnote 9] These case studies are not isolated instances of fraud and abuse. Rather, our data mining results to date indicate that they are illustrative of the wider internal control weaknesses at FEMA--control weaknesses that led to thousands of payments made to individuals who provided FEMA with incorrect information, e.g., incorrect SSNs and bogus addresses, and thousands more made to individuals who submitted multiple registrations for payments. Case Study Examples Show That Control Weaknesses Have Been Exploited: Our audits and investigations of 20 case studies demonstrate that the weak or nonexistent controls over the registration and payment processes have opened the door to improper payments and individuals seeking to obtain IHP payments through fraudulent means. Specifically, a majority of our case study registrations--165 of 248--contained SSNs that were never issued or belonged to deceased or other individuals. About 20 of the 248 registrations we reviewed were submitted via the Internet. Further, of the over 200 alleged damaged addresses that we tried to visit, about 80 did not exist. Some were vacant lots, others turned out to be bogus apartment buildings and units. Because the hurricanes had destroyed many homes, we were unable to confirm whether about 15 additional addresses had ever existed. We also identified other fraud schemes unrelated to the weak and nonexistent validation and prepayment controls previously discussed, such as registrants who submitted registrations using valid addresses that were not their residences. In total, the case study registrants of whom we conducted investigations have collected hundreds of thousands of dollars in payments based on potentially fraudulent activities. These payments include money for expedited assistance, rental assistance, and other IHP payments. Further, as our work progresses, we are uncovering evidence of larger schemes involving multiple registrants that are intended to defraud FEMA. We found these schemes because the registrants shared the same last names, current addresses, and/or damaged addresses--some of which we were able to confirm did not exist. While the facts surrounding the case studies provided us with indicators that potential fraud may have been perpetrated, further testing and investigations need to be conducted to determine whether these individuals were intentionally trying to defraud the government or whether the discrepancies and inaccuracies were the results of other errors. Consequently, we are conducting further investigations into these case studies. Table 1 highlights 10 of the 20 case studies we identified through data mining that we investigated. In addition, some individuals in the cases cited below submitted additional registrations but had not received payments as of mid December 2005. Table 1: Examples of Potential Fraudulent and Duplicate Registrations That Received FEMA Payments: Case: 1; Number of Registrations with Payments/SSNs: 36/36; Payments Received[A]: $103,000; Number of Bogus Properties Used to Receive Payments[B]: At least 10; Case Details: * Seventeen individuals received payments on 36 registrations using 34 SSNs that were not theirs; * Of the 17 addresses we visited, 13 were from the same apartment building, of which 6 did not exist; * 4 additional addresses were also invalid; * Payments included 31 expedited assistance payments totaling $62,000, and 18 in other payments, including rental payments. Case: 2; Number of Registrations with Payments/SSNs: 15/15; Payments Received[A]: $41,000; Number of Bogus Properties Used to Receive Payments[B]: At least 8; Case Details: * One individual received payments on 15 different SSNs--only one of which belonged to that person; * Investigative work also showed that 3 addresses were valid but were not addresses of the registrant; * Payments included 13 expedited assistance payments totaling $26,000 and $15,000 in other assistance, including housing; * The individual may have committed bank fraud by using an invalid SSN to open an account; * The individual had established credit using 2 SSNs that did not belong to the individual. Case: 3; Number of Registrations with Payments/SSNs: 8/1; Payments Received[A]: $16,000; Number of Bogus Properties Used to Receive Payments[B]: None; Case Details: * One individual received 8 expedited assistance payments using the same name, SSN, and current address; * Of the 8 addresses declared as damaged, two appeared to belong to the individual; * FEMA's automated edits identified at least 7 registrations as duplicates, nevertheless payments were issued. Case: 4; Number of Registrations with Payments/SSNs: 23/23; Payments Received[A]: $46,000; Number of Bogus Properties Used to Receive Payments[B]: At least 14; Case Details: * Two individuals received expedited assistance payments on 23 SSNs - 21 of which were not theirs; * Public records indicate that the individuals did not live at any of the 9 valid addresses; * Payments included 22 expedited assistance payments and 1 housing assistance payment. Case: 5; Number of Registrations with Payments/SSNs: 38/38; Payments Received[A]: $76,000; Number of Bogus Properties Used to Receive Payments[B]: At least 10; Case Details: * Six individuals received 38 payments on different SSNs--only 1 of which was traced back to them; * Payments included 37 expedited assistance payments totaling $74,000 and over $2,000 in other assistance. Case: 6; Number of Registrations with Payments/SSNs: 18/18; Payments Received[A]: $36,000; Number of Bogus Properties Used to Receive Payments[B]: At least 12; Case Details: * Individual received 18 expedited assistance payments using the same name and 18 different SSNs--only 1 of which belonged to the person; * Investigative work and public records also indicate that the individual had never lived at any of the 6 remaining valid addresses. Case: 7; Number of Registrations with Payments/SSNs: 31/30; Payments Received[A]: $92,000; Number of Bogus Properties Used to Receive Payments[B]: At least 22; Case Details: * A group of 8 individuals received payments on 31 registrations using 26 SSNs that did not belong to them; * 22 of the registrations were for addresses that did not exist. The remaining addresses were not validated; * Payments include 32 payments for expedited assistance and over $28,000 for other assistance including housing assistance. Case: 8; Number of Registrations with Payments/SSNs: 6/6; Payments Received[A]: $23,000; Number of Bogus Properties Used to Receive Payments[B]: None; Case Details: * Six apparent members of the same household registered 6 times using the same damaged addresses; * Five of the 6 individuals also shared the same current address; * Payments included 5 expedited assistance payments and $13,000 in other payments including housing assistance. Case: 9; Number of Registrations with Payments/SSNs: 7/7; Payments Received[A]: $15,000; Number of Bogus Properties Used to Receive Payments[B]: None; Case Details: * Seven apparent members of the same household received payments using the same damaged address; * One family member used a SSN that did not belong to the family member; * Six of the 7 individuals also shared the same current address; * Payments included 7 payments for expedited assistance. Case: 10; Number of Registrations with Payments/SSNs: 7/7; Payments Received[A]: $80,000; Number of Bogus Properties Used to Receive Payments[B]: None; Case Details: * Seven apparent members of the same household registered using the same damaged address; * Payments included 6 expedited assistance payments and $68,000 in other assistance. Source: GAO analysis and investigation of FEMA data. [A] Amount reflects total payments for IHP, which includes expedited assistance, temporary housing assistance, payments for repair and replacement of real and personal property, and payments for other needs such as medical, transportation, and other necessities. [B] One address could be associated with multiple registrations. [End of table] The following provides illustrative detailed information on several of the cases. * Case number 1 involves 17 individuals, several of whom had the same last name, who submitted at least 36 registrations claiming to be disaster victims of both Katrina and Rita. All 36 registrations were submitted through the telephone, using 36 different SSNs and 4 different current addresses. These individuals used their own SSNs on 2 of the registrations, but the remaining 34 SSNs were never issued or belonged to deceased or other individuals. The individuals received over $103,000 in IHP payments, including $62,000 in expedited payments and $41,000 in payments for other assistance, including temporary housing assistance. Our analysis shows that the individuals claimed 13 different damaged addresses within a single apartment building, and 4 other addresses within the same block in Louisiana. However, our physical inspection of these addresses revealed that 10 of the addresses were bogus addresses. Further audit and investigative work also shows that these individuals may not have lived at any of the valid disaster addresses at the time of hurricanes Katrina and Rita. We are conducting additional investigations on this case. * Case number 2 involves an individual who used 15 different SSNs--one of which was the individual's own--to submit at least 15 registrations over the telephone. The individual claimed a different damaged address on all 15 registrations, and used 3 different current addresses-- including a post office box, where the individual received payments. The individual received 16 payments totaling over $41,000 on 15 of the registrations. In all, the individual received 13 expedited assistance payments, 2 temporary housing assistance payments, and another payment of $10,500. Further investigative work disclosed that the individual may have committed bank fraud by using a false SSN to open a bank account. Other publicly available records indicate that the individual had used 2 SSNs that were issued to other people to establish credit histories. * Case number 3 relates to a group of 8 registrations that resulted in 8 payments totaling $16,000. According to FEMA data, an individual registered for Rita disaster assistance at the end of September 2005. About 10 days later, the same individual submitted at least 7 additional registrations claiming 7 different disaster addresses, 2 of which we were able to confirm belonged to the individual and may be rental properties that the individual owns. However, because the FEMA database showed that these addresses were entered as the individual's primary residence--a primary requirement for IHP--the individual received 8 expedited assistance payments instead of just the one that he may have qualified for. We also found that the automated edits established in NEMIS identified these registrations as potential duplicates. In spite of the edit flags, FEMA cleared the registrations for improper expedited assistance payments. * Case number 4 involves 2 individuals who appear to be living together at the same current address in Texas. These 2 individuals received payments for 23 registrations submitted over the telephone using 23 different SSNs--two of which belonged to them--to obtain more than $46,000 in disaster assistance. The information the registrants provided related to many of the disaster addresses appeared false. The addresses either did not exist, or there was no proof the individuals had ever lived at these addresses. * Case number 8 relates to 6 registrants with the same last name who registered for disaster assistance using the same damaged address, with 5 of the 6 using the same current address. FEMA criteria specify that individuals who reside together at the same address and who are displaced to the same address are entitled to only one expedited assistance payment. However, all 6 possible family members received 12 payments totaling over $23,000--$10,000 in expedited assistance and more than $13,000 in other assistance, including rental assistance. Data Mining Indicates Potential Fraud and Abuse Beyond Our Case Studies: The case studies we identified and reported are not isolated instances of potential fraud and abuse. Rather, our data mining results show that they are indicative of fraud and abuse beyond these case studies, and point directly to the weaknesses in controls that we have identified. The weaknesses identified through data mining include ineffective controls to detect (1) SSNs that were never issued or belonged to deceased or other individuals, (2) SSNs used more than once, and (3) other duplicate information. Misuse of Social Security Numbers on Registrations: Our data mining and case studies clearly show that FEMA's controls over IHP registrations provided little assurance that registrants provided FEMA with a valid SSN. Under 42 U.S.C. § 408, submitting a false SSN with the intent to deceive in order to obtain a federal benefit or other payment is a felony offense. Based on data provided by the SSA, FEMA made expedited assistance payments to thousands of registrants who provided SSNs that were never issued or belonged to deceased individuals. Further, SSA officials who assisted GAO in analyzing FEMA's registrant data informed us that tens of thousands more provided SSNs that belonged to other individuals. This problem is clearly illustrated in case 2, where FEMA made payments totaling over $41,000 to an individual using 15 different SSNs. According to SSA records, the individual received payments on 4 SSNs that belonged to deceased individuals and 10 SSNs that did not match with the names provided on the registrations. As previously discussed, further testing and investigations need to be conducted to determine whether this individual was intentionally trying to defraud the government or whether the discrepancies and inaccuracies were the results of other errors. Same Social Security Numbers Used on Multiple Registrations: Our data mining and case studies clearly show that FEMA's controls do not prevent individuals from making multiple IHP registrations using the same SSN. We found thousands of SSNs that were used on more than one registration associated with the same disaster. Because an individual can receive disaster relief only on his or her primary residence and a SSN is a unique number assigned to an individual, the same SSN should not be used to receive assistance for the same disaster. This problem is illustrated in case 3 above, where an individual registered for IHP 8 times using the same name, same SSN, and same current address--and thus could have qualified for only 1 expedited assistance payments--but instead received expedited assistance payments of $2,000 for 8 different registrations. Multiple Payments Made to Different Registrations Containing the Same Key Information: Our data mining and case studies also show that the IHP controls to prevent duplicate payments did not prevent FEMA from making payments to tens of thousands of different registrants who used the same key registration information. FEMA's eligibility criteria specify that individuals who reside together at the same address and who are displaced to the same address are typically entitled to only one expedited assistance payment. FEMA policy also provides for expedited assistance payments to more than one member of the household in unusual circumstances, such as when a household was displaced to different locations. However, both our investigations and data mining found thousands of instances where FEMA made more than one payment to the same household that shared the same last name and damaged and current addresses. As illustrated in case 8, 5 of 6 individuals with the same last name, the same damaged address, and the same current address received multiple expedited assistance payments, instead of just one for which they qualified. While not all of the registrations that used the same key information were submitted fraudulently, additional investigations need to be conducted to determine whether or not the entire family was entitled to expedited and other IHP assistance. Similarly, our data mining also determined that FEMA made payments to tens of thousands of IHP registrants who provided different damaged addresses but the same exact current address. As shown in case study 4 above, some registrations that fell into this category contained bogus addresses or addresses that were not the registrants' residences. Under 18 U.S.C. § 1001, a person who knowingly and willfully makes any materially false, fictitious, or fraudulent statement or representation shall be fined or imprisoned up to 5 years, or both. Our data mining also found that FEMA made duplicate expedited assistance payments to tens of thousands of individuals for the same FEMA registration number. FEMA policy states that registrants should only receive one expedited assistance payment. However, in some cases, FEMA paid as many as four $2,000 expedited assistance payments to the same FEMA registration number. As discussed later, we also found that FEMA issued expedited assistance payments to more than 5,000 registrants who had already received debit cards. FEMA officials represented to us that they traced some of these obviously duplicate payments to a computer error that inadvertently caused the duplicate payments. However, they provided no supporting documentation. Controls over Debit Cards Were Ineffective in Preventing Duplicate Payments and Improper Use: In the days following hurricane Katrina, FEMA experimented with the use of debit cards to expedite payments of $2,000 to about 11,000 disaster victims at three Texas shelters[Footnote 10] who, according to FEMA, had difficulties accessing their bank accounts. Figure 2 is an example of a FEMA debit card. Figure 2: FEMA Debit Card: [See PDF for image] [End of figure] The debit card program was an effective means of distributing relief quickly to those most in need. However, we found that because FEMA did not validate the identity of debit card recipients who registered over the telephone, some individuals who supplied FEMA with SSNs that did not belong to them also received debit cards. We also found that controls over the debit card program were not effectively designed and implemented to prevent debit card recipients from receiving duplicate expedited assistance payments, once through the debit card and again through check or EFT. Finally, unlike the guidance provided to other IHP registrants, at the time FEMA distributed the debit cards, FEMA did not provide instructions informing them that the funds on their cards must be used for appropriate purposes. Debit Cards Issued to Individuals Providing Invalid Social Security Numbers: As discussed previously, FEMA did not verify the identity of individuals and/or households who submitted disaster registrations over the telephone. This weakness occurred in the debit card program as well. FEMA required the completion of a disaster registration prior to a household or individual being able to receive a debit card. According to FEMA officials, registrants at the three centers applied for assistance via the telephone and Internet. Therefore, to the extent that registrations for the debit card were taken over the telephone, FEMA did not subject the identity of the registrants to a verification process. Consequently, we identified 50 debit cards issued to registrants listing SSNs that the SSA had no record of issuing, and 12 cards issued to registrants using SSNs belonging to deceased individuals. For example, one registrant used an invalid SSN to receive a $2,000 debit card and used about $500 of that money to pay prior traffic violations to reinstate a driver's license. In another case, a registrant used the SSN of an individual who died in 1995 to receive a $2,000 debit card. FEMA subsequently deposited an additional $7,554 in IHP payments to that debit card account for additional claims submitted by that individual. This registrant withdrew most of the $9,554 deposited into the debit card account by obtaining ATM cash withdrawals. Thousands of Debit Card Recipients Received Multiple Expedited Assistance Payments: Based on a comparison of FEMA's IHP payments and the list of debit card recipients, we found that over 5,000 of the 11,000 debit card recipients received more than one $2,000 expedited assistance payment because they received a debit card and another form of payment (check or EFT). According to FEMA officials, they were aware that several individuals had already registered for IHP assistance and that some payments had already been made prior to issuance of a debit card. However, FEMA officials stated that individuals in the three shelters in Texas would not have access to their home addresses or bank accounts and therefore needed immediate assistance in the form of debit cards. Our review of FEMA data disproved FEMA's belief that only a few individuals who received debit cards also received other disaster assistance payments. Instead, thousands, or nearly half, of the individuals who received debit cards also received checks or EFTs that were made several days after the debit cards had been issued. The result was that FEMA paid more than $10 million dollars in duplicate expedited assistance payments to individuals who had already received their $2,000 of expedited assistance. FEMA Debit Card Transactions: In general, once FEMA receives a disaster registration, FEMA sends a package containing IHP information and detailed instructions, including instructions on how to follow up on benefits, how to appeal if denied benefits, and the proper use of IHP payments. However, FMS and FEMA officials informed us that FEMA did not specifically provide instructions on how the debit cards should only be used for necessary expenses and serious needs related to the disasters at the same time the debit cards were distributed. We found that in isolated instances, debit cards were used for adult entertainment, to purchase weapons, and for purchases at a massage parlor that had been previously raided by local police for prostitution. Our analysis of debit card transaction data provided by JP Morgan Chase found that the debit cards were used predominantly to obtain cash which did not allow us to determine how the money was actually used. The majority of the remaining transactions was associated with purchases of food, clothing, and personal necessities. Figure 3 shows a breakdown of the types of purchases made by cardholders. Figure 3: Breakdown of Purchases Made with FEMA Debit Cards: [See PDF for image] [End of figure] We found that in isolated instances, debit cards were used to purchase goods and services that did not appear to meet serious disaster related needs as defined by the regulations. In this regard, FEMA regulation provides that IHP assistance be used for housing-related needs and items or services that are essential to a registrant's ability to overcome disaster related hardship. Table 2 details some of the debit cards activities we found that did not appear to be for essential disaster related items or services. Table 2: Purchases that Did Not Appear Necessary to Satisfy Immediate Emergency Needs: Vendors: Elliot's Gun Shop; Location: Jefferson, LA; Nature of Transaction: .45 caliber pistol; Amount: $1,300. Vendors: D Houston; Location: Houston, TX; Nature of Transaction: Gentlemen's club; Amount: 1,200. Vendors: Friedman's Jewelers; Location: Plano, TX; Nature of Transaction: Diamond engagement ring; Amount: 1,100. Vendors: Argosy Casino; Location: Baton Rouge, LA; Nature of Transaction: 7 ATM withdrawals within one day at a gambling institution; Amount: 1,000. Vendors: Tim Fanguy Bail Bonds; Location: Houma, LA; Nature of Transaction: Partial bail bond payment; Amount: 1,000. Vendors: Department of Public Safety; Location: Baton Rouge, LA; Nature of Transaction: Payment of prior traffic violations for driver's license reinstatement; Amount: 700. Vendors: Cat Tattoo; Location: Addison, TX; Nature of Transaction: Tattoo on arm; Amount: 450. Vendors: Swedish Institute; Location: Irving, TX; Nature of Transaction: Massage parlor; Amount: 400. Vendors: Tiger Beer and Wine; Location: Dallas, TX; Nature of Transaction: Alcohol beverages; Amount: 200. Vendors: Condoms To Go; Location: Dallas, TX; Nature of Transaction: Adult erotica products; Amount: 150. Source: GAO analysis of debit card transactions and additional investigations. [End of table] Conclusions: FEMA has a substantial challenge in balancing the need to get money out quickly to those who are actually in need and sustaining public confidence in disaster programs by taking all possible steps to minimize fraud and abuse. Based on our work to date, we believe that more can be done to prevent fraud through validation of identities and damage addresses and enhanced use of automated system verification intended to prevent fraudulent disbursements. Once fraudulent registrations are made and money is disbursed, detecting and pursuing those who committed fraud in a comprehensive manner is more costly and may not result in recoveries. Further, many of those fraudulently registered in the FEMA system already received expedited assistance and will likely receive more money, as each registrant can receive as much as $26,200 per registration. Another key element to preventing fraud in the future is to ensure there are consequences for those that commit fraud. For the fraud cases that we are investigating, we plan to refer them to the Katrina Fraud Task Force for further investigation and, where appropriate, prosecution. We believe that prosecution of individuals who have obtained disaster relief payments through fraudulent means will send a message for future disasters that there are consequences for defrauding the government. Madam Chairman and Members of the Committee, this concludes my statement. I would be pleased to answer any questions that you or other members of the committee may have at this time. Contacts and Acknowledgements: [End of section] For further information about this testimony, please contact Gregory D. Kutz at (202) 512-7455 or kutzg@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this testimony. [End of section] Appendix I: Objectives, Scope, and Methodology: To assess controls in place over the Federal Emergency Management Agency (FEMA)'s Individuals and Households Program (IHP), we interviewed FEMA officials and performed walkthroughs at the National Processing Service Center in Winchester, Va. We reviewed the Stafford Act, Pub. L. 93-288, the implementing regulations, and FEMA's instructions to disaster registrants available via the Internet. In addition, to proactively test controls in place, we applied for assistance using falsified identities, bogus addresses, and fictitious disaster stories to determine if IHP payments could be obtained based on fraudulent information. Because of several key unanswered requests for documentation from the Department of Homeland Security (DHS), information needed to fully assess the expedited assistance program was limited. For example, FEMA and DHS had not provided us documentation to enable us to conclusively determine the reason that FEMA submitted some registrations, and did not submit other registrations, to identity validation prior to issuing expedited assistance payments. Consequently, our work was limited to our analysis of the FEMA databases, investigations we conducted, data widely available to the public via the Internet, and information FEMA officials orally provided to us. To determine the magnitude and characteristics of IHP payments, we obtained the FEMA IHP database as of December 2005. We validated that the database was complete and reliable by comparing the total disbursements against reports FEMA provided to the Senate Appropriations Committee on Katrina/Rita disbursements. We summarized the amounts of IHP provided by type of assistance and by location of disaster address. To determine whether indications existed of fraud and abuse in expedited assistance and other disbursements, we provided FEMA data to the Social Security Administration (SSA) to verify against their records of valid social security numbers (SSNs). We also used data mining and forensic audit techniques to identify registrations containing obviously false data, such as multiple registrations containing the same name, same current or damaged address, but different SSNs, and registrations containing duplicate information, such as duplicate names and SSNs. To determine whether registrations from our data mining resulted in potentially fraudulent and/or improper payments, we used a nonrepresentative selection of 248 registrations representing 20 case studies (case studies included multiple individuals and registrations) for further investigation. We restricted our case studies to registrations that received payments as of mid- December 2005, and noted that some registrants within our case studies also submitted additional registrations--for which they may receive future payments. We also identified instances where groups of registrants may have been involved in schemes to defraud FEMA. We found these schemes because the registrants provided the same SSNs, last names, current addresses, and/or damaged addresses on their registrations. Our macro analysis of potentially fraudulent use of SSNs and other data mining are ongoing, and we plan to report additional results at a future date. For purposes of this testimony, we did not conduct sufficient work to project the magnitude of potentially fraudulent and improper payments of IHP. We also visited over 200 of the claimed damaged addresses related to our case studies to determine whether or not the addresses were valid. To assess the types of purchases made with FEMA debit cards distributed at relief centers, we reviewed a database of transactions provided by JP Morgan Chase, the administrating bank for the debit cards. SSA also assisted us to compare cardholder data with SSA records to determine whether registrants receiving debit cards had provided valid identities. We performed data mining on debit card transactions to identify purchases that did not appear to be indicative of necessary expenses as defined by the Stafford Act's implementing regulations. Finally, we validated specific transactions identified in the database by obtaining information on actual items purchased from the vendors. In the course of our work, we made numerous written requests for key documents and sets of data related to the IHP, most dating back to October 2005. While FEMA officials promptly complied with one key part of our request--that is FEMA made available databases of IHP registrants and payments--the majority of items requested have not been provided. On January 18, 2006, the Department of Homeland Security Office of General Counsel provided us with well less than half of the documents that were requested. For example, FEMA and the DHS had not provided us documentation to enable us to conclusively determine the reason that FEMA submitted some registrations, and did not submit other registrations, to identity validation prior to issuing expedited assistance payments. While the database and other data provided by FEMA enabled us to design procedures to test the effectiveness of the FEMA's system of internal controls, it did not enable us to comprehensively determine the root causes of weak or non-existent controls. During the course of our audit work, we identified multiple cases of potential fraud. For cases that we investigated and found significant evidence of fraudulent activity, we plan to refer our cases directly to the Hurricane Katrina Fraud Task Force. Except for scope limitations due to a lack of documentation provided by DHS, we performed our work from October 2005 through January 2006 in accordance with generally accepted government auditing standards and quality standards for investigations as set forth by the President's Council on Integrity and Efficiency. FOOTNOTES [1] Pub. L. 93-288, 88 Stat. 143 (1974) (amended 2000). [2] The expedited assistance process is not specifically authorized in the Stafford Act. However, FEMA previously has asserted, and we have agreed, that it has legal authority under the act to implement expedited, or fast track, procedures. Disaster Assistance: Guidance Needed for FEMA's "Fast Track" Housing Assistance Process, GAO-RCED-98- 1 (Washington, D.C.: Oct. 1997). [3] The Act's implementing regulations define a household as all persons (including adults and children) who lived in the predisaster residence, as well as any other persons not present at the time but who are expected to return during the assistance period. 44 C.F.R. § 206.111. [4] Current address refers to the address at which the disaster victim is currently residing. Damaged addresses are the addresses which were affected by the hurricanes. [5] The debit card program is a pilot program implemented primarily to provide expedited assistance to individuals and households housed at three Texas shelters. The debit cards, which resemble credit cards and bear the MasterCard logo, can be used at ATMs and at any commercial outlet that accepts MasterCard. [6] We are also releasing today the results of our limited investigation into allegations that Military Meals, Ready-To-Eat rations intended for use in the hurricane relief efforts were instead sold to the public on the Internet auction site eBay. See GAO, Investigation: Military Meals, Ready-To-Eat Sold on eBay, GAO-06-410R (Washington, D.C.: Feb. 13, 2006). [7] In 2002, FEMA became part of the Department of Homeland Security (DHS). DHS officials required GAO to submit written requests for all documentation to DHS Office of General Counsel. [8] Under the Act's implementing regulations, FEMA may recover funds that it determines were provided erroneously, that were spent inappropriately, or were obtained through fraudulent means. 44 C.F.R. § 206.116 (b) [9] We used various indicators such as identical names, SSNs, damaged addresses, and current addresses to link multiple registrations together into the 20 case studies. [10] The shelters were located in Dallas, Houston, and San Antonio.