Improper Payments in Pandemic Assistance
January 19, 2024
Programs
Garrett Hatch
Congress provided approximately $4.6 trillion to individuals, businesses, and state and local
Specialist in American
governments to mitigate the impact of the COVID-19 pandemic on the nation’s health system
National Government
and economy. The federal agencies that administer those funds are subject to the Payment

Integrity Information Act (PIIA, P.L. 116-117), which requires them to develop and implement
Natalie R. Ortiz
internal controls that prevent and detect fraud and other improper payments. One requirement is
Analyst in Government
agencies must verify the identities and eligibility of individuals and organizations seeking
Organization and
pandemic funding prior to issuing payments, specifically by accessing the Department of the
Management
Treasury’s Do Not Pay (DNP) resource. In addition, PIIA requires agencies to implement the

fraud control principles and leading practices outlined in A Framework for Managing Fraud
Risks in Federal Programs, which was published by the Government Accountability Office

(GAO) in 2015. The leading practices include performing timely program risk assessments,
maximizing the use of data analytics to prevent and identify fraud, and establishing an office within each agency that leads its
anti-fraud efforts. PIIA also mandates that agencies determine the risk of significant improper payments associated with each
program, estimate the amount of improper payments for each risk-susceptible program, and publicly report those estimates
and other improper payments information. Audits of pandemic programs have found that many agencies did not meet PIIA
requirements, resulting in hundreds of billions of dollars in fraud and other improper payments.
Among the most widespread weaknesses in pandemic programs was the lack of effective pre-payment controls. Several
agencies allowed businesses and individuals to self-certify their information—meaning the agencies did not verify the
identities or eligibility of applicants through DNP or other means prior to issuing payments. Similarly, many state agencies
that administered federal pandemic funds, such as with the Unemployment Insurance program, did not conduct pre-payment
verification of claimants. Some agencies also did not implement effective post-payment controls, such as reviewing
documentation to verify that payments had been made to eligible entities for covered costs or establishing procedures to
recover overpayments. Several agencies that administered some of the largest pandemic programs did not meet the anti-fraud
standards of the framework. Among the most common weaknesses were a lack of timely fraud risk assessments and the
absence of a dedicated anti-fraud entity within the agency. In addition, some agencies incorrectly determined that pandemic
programs they administered were not susceptible to significant risk of improper payments or reported invalid estimates of
improper payments for programs that were deemed at risk.
The consequences of large-scale fraud extend beyond the loss of funds. American businesses and individuals who were
eligible for loans or benefits were unable to obtain assistance because the programs ran out of funding. Street gangs and
transnational criminal organizations that fraudulently obtained billions in dollars in pandemic assistance used those funds to
commit crimes and expand their operations. Finally, the public may lose confidence in the government’s ability to safeguard
program funds and meet the challenges posed by a nationwide emergency.
Congress may consider policies to address the weaknesses in fraud and improper payment controls revealed by audits of
pandemic programs. Consistent with H.R. 8322 from the 117th Congress, legislation might be introduced that would establish
a central anti-fraud entity to share leading practices and oversee implementation of cutting-edge data analytic tools across the
government. An anti-fraud entity might be located within the Office of Management and Budget (OMB), which issues
government-wide guidance on improper payments and fraud, or within the oversight community, which has the most direct
experience with agency anti-fraud efforts. Congress may also consider whether to require agencies to develop internal
controls designed specifically for emergency spending programs, as GAO has recommended. These controls, based on
guidance issued by OMB, could be implemented quickly to mitigate the risk of fraud and improper payments when agencies
need to expedite the disbursement of funds. H.R. 877 would require agencies to deem programs with outlays of at least $100
million to be susceptible to significant levels of improper payments, thereby subjecting them to PIIA estimating and reporting
requirements. Congress provided at least $100 million in pandemic funding to 173 different programs, but many of those
programs are not subject to PIIA because they fall below the current spending threshold.

Congressional Research Service

Improper Payments in Pandemic Assistance Programs

Background
In an effort to mitigate the impact of the COVID-19 pandemic on the nation’s public health and
economy, Congress passed a series of emergency spending bills.1 Enacted between March 2020
and March 2021, these bills provided more than $4.6 trillion to individuals, businesses, and
domestic government bodies to prepare for and respond to the pandemic.2 The largest categories
of pandemic expenditures were payments to individuals (including tax credits and rebates);
business loans; payments to state, local, tribal, and territorial governments; unemployment
compensation; and public health and social services.3 While the federal COVID-19 Public Health
Emergency declaration ended May 11, 2023,4 billions of dollars in pandemic funding remained
unexpended months later.5
Improper Payments Requirements
Programs that receive pandemic funding, like all federal programs, are subject to the
requirements of the Payment Integrity Information Act (PIIA, P.L. 116-117).6 PIIA mandates that
agencies implement internal controls7 that mitigate the risk of improper payments.8 Among other
things, PIIA requires agencies to
• establish pre- and post-payment review procedures that help prevent and detect
improper payments,
• recover overpayments when cost-effective,
• assess the risk of significant9 improper payments for each program they manage,
• develop and report estimates of improper payments for programs deemed to be at
risk,
• publish and implement corrective action plans to address weaknesses in payment
integrity, and
• report improper payments estimates of less than 10% for each program.

1 There were six pandemic funding bills: the Coronavirus Preparedness and Response Supplemental Appropriations Act
of 2020 (P.L. 116-123); Families First Coronavirus Response Act of 2020 (P.L. 116-127); Coronavirus Aid, Relief, and
Economic Security Act of 2020 (P.L. 116-136); Paycheck Protection Program and Health Care Enhancement Act of
2020 (P.L. 116-139); Supplemental Appropriations Act of 2021, div. M and N (P.L. 116-260); and the American
Rescue Plan Act of 2021 (P.L. 117-2).
2 U.S. Government Accountability Office, COVID-19 Relief: Funding and Spending as of January 31, 2023, GAO-23-
106647, p. 1, https://www.gao.gov/assets/820/817807.pdf.
3 USASpending.gov, “The Federal Response to COVID-19,” https://www.usaspending.gov/disaster/covid-19.
4 U.S. Centers for Disease Control and Prevention, “End of the Federal COVID-19 Public Health Emergency (PHE)
Declaration,” September 2023, https://www.cdc.gov/coronavirus/2019-ncov/your-health/end-of-phe.html.
5 Pandemic Response Accountability Committee, “Total Funding Data for All Agencies,”
https://www.pandemicoversight.gov/data-interactive-tools/agencies.
6 PIIA requirements are incorporated into OMB Circular No. A-123, Appendix C, Requirements for Payment Integrity
Improvement.
7 Internal controls are the policies and procedures that an agency follows to achieve an objective, such as ensuring that
program funds are used as intended.
8 An improper payment is a payment that should not have been made or was made in the wrong amount.
9 PIIA defines “significant” improper payments as an amount equal to either (1) $10 million and 1.5% of program
outlays or (2) $100 million.
Congressional Research Service

1

Improper Payments in Pandemic Assistance Programs

PIIA specifies that federal agencies, as well as state governments and contractors that administer
federal funds, must utilize the Department of the Treasury’s Do Not Pay Initiative (DNP) prior to
issuing payments or making awards. DNP allows a user to check multiple databases at one time to
verify the eligibility or identity of a vendor, grantee, loan recipient, or beneficiary. Prepayment
reviews are generally considered essential internal controls, because identifying and attempting to
recover improper payments after they are made—often referred to as the “pay and chase”
approach—is inefficient and costly.10
Fraud Risk Management
The Fraud Reduction and Data Analytics Act of 2015 (FRDAA, P.L. 114-186), which was
enacted in June 2016, mandated additional controls for reducing the risk of a particular subset of
improper payments: fraud. Fraud occurs when applicants obtain funds by willfully
misrepresenting themselves. The FRDAA required agencies to establish a fraud risk management
framework that incorporated the standards and leading practices established by the Government
Accountability Office (GAO) in its publication, “A Framework for Managing Fraud Risks in
Federal Programs.”11 Under the framework, agencies must do the following:
1. Create an organizational structure and culture conducive to fraud risk management. In
particular, each agency should designate an entity to lead fraud risk management
activities and ensure it has the resources to do so.
2. Plan regular fraud risk assessments and assess risks to determine fraud risk profiles. The
assessments should be tailored to each program and should consider the suitability of
existing controls.
3. Design and implement strategies with specific control activities to mitigate assessed fraud
risks and collaborate to help ensure effective implementation. Strategies should focus on
preventive control activities and involve both subject matter and data analysis experts.
4. Evaluate outcomes using a risk-based approach and adapt activities to improve fraud risk
management. Agencies should collect and analyze data on potential and detected fraud
and use the results to improve fraud management activities. Data analytic tools should be
employed to the maximum extent possible.
Leveraging Data for Payment Integrity12
The GAO framework emphasizes the need for fraud analytics. Analyzing data has long been
viewed as a tool in both the prevention and the detection of improper payments. Over time,
federal agencies have expanded the types of analytic methods used for this purpose to include
data matching and data mining.13 These methods range from being used to detect “common

10 U.S. Government Accountability Office, A Framework for Managing Improper Payments in Emergency Assistance
Programs, GAO-23-105876, July 2023, p. 27, https://www.gao.gov/assets/830/827993.pdf.
11 GAO, A Framework for Managing Fraud Risks in Federal Programs, GAO-15-593SP, pp. 6-7,
https://www.gao.gov/assets/gao-15-593sp.pdf.
12 This section was authored by Natalie Ortiz, Analyst in Government Organization and Management.
13 GAO, Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-04-548, May 27, 2004, pp. 38-39,
https://www.gao.gov/assets/gao-04-548.pdf. See also GAO, “Big Data 101: Using Large-Scale Data Mining to Find
Fraud,” https://www.gao.gov/blog/2015/03/10/big-data-101-using-large-scale-data-mining-to-find-fraud, March 10,
2015; and GAO, Data Analytics for Oversight and Law Enforcement, GAO-13-680SP, July 2013,
https://www.gao.gov/assets/gao-13-680sp.pdf.
Congressional Research Service

2

Improper Payments in Pandemic Assistance Programs

fraud” to “organized fraud.”14 The increasing volume of data available for analysis—including
from electronic records, bank transfers, and electronic communications—may contribute to the
use of artificial intelligence techniques in payment integrity efforts.15 In addition to machine
learning and natural language processing, among other possible techniques, agencies may also
use predictive analytics to prevent and detect improper payments.16
Data Matching
Since at least the 1970s, federal agencies have shared, “matched,” and compared data to identify
possible improper payments. Matching data in this context may assist in identifying
inconsistencies or irregularities among separate sources of information. Various statutes require
agencies to exchange and match data on individuals for specific purposes, such as determining
eligibility for a federal benefit program.17
The Computer Matching and Privacy Protection Act of 1988 (CMPPA; P.L. 100-503) has enabled
some of this matching by establishing administrative requirements for agencies that conduct
matching programs.18 While the CMPPA is sometimes cited as a hinderance to using data to
ensure payment integrity,19 Congress has permitted some modifications to the CMPPA’s
requirements to explicitly enable the prevention and detection of improper payments.20
Access to some data in DNP requires compliance with the CMPPA’s provisions related to
“matching agreements.”21 However, Treasury, in consultation with the Office of Management and
Budget (OMB), can waive the requirement for matching agreements.22

14 Chief Financial Officers Council and U.S. Department of the Treasury, Bureau of the Fiscal Service, Program
Integrity: The Antifraud Playbook, October 17, 2018, p. 41, https://www.cfo.gov/assets/files/Interactive-Treasury-
Playbook.pdf.
15 Darrell M. West, “Using AI and Machine Learning to Reduce Government Fraud,” Brookings Institution, September
10, 2021, https://www.brookings.edu/articles/using-ai-and-machine-learning-to-reduce-government-fraud/.
16 GAO, Medicare Fraud Prevention: CMS Has Implemented a Predictive Analytics System, but Needs to Define
Measures to Determine Its Effectiveness, GAO-13-104, October 2012, https://www.gao.gov/assets/gao-13-104.pdf.
17 For more information, see CRS Report R47325, Computer Matching and Privacy Protection Act: Data Integration
and Individual Rights, by Natalie R. Ortiz, pp. 1, 7.
18 A matching program is defined as any computerized comparison of two or more automated systems of records or a
system of records with nonfederal records for the purposes of (1) establishing or verifying the eligibility of, or
continuing compliance with statutory and regulatory requirements by, applicants for, beneficiaries of, participants in, or
providers of services under federal benefit programs that provide cash or in-kind assistance or payments; or (2)
recouping payments or delinquent debts under such federal benefit programs (5 U.S.C. §552a(a)(8)(A)(i)). A matching
program may also be any computerized comparison of two or more automated federal personnel or payroll systems of
records or a system of federal personnel or payroll records with nonfederal records (5 U.S.C. §552a(a)(8)(A)(ii)). For
more on matching programs and the CMPPA, see CRS Report R47325, Computer Matching and Privacy Protection
Act: Data Integration and Individual Rights, by Natalie R. Ortiz.
19 U.S. Congress, House Committee on Ways and Means, Subcommittee on Human Resources, On the Use of Data
Matching to Improve Customer Service, Program Integrity, and Taxpayer Savings, committee print, 112th Cong., 1st
sess., March 11, 2011, Serial 112-HR2, pp. 63, 70; GAO, A Framework for Managing Fraud Risks in Federal
Programs, GAO-15-593SP, July 2015, p. 7, https://www.gao.gov/assets/gao-15-593sp.pdf.
20 31 U.S.C. §3354(d).
21 Office of Management and Budget, Transmittal of Appendix C to OMB Circular A-123, Requirements for Payment
Integrity Improvement, M-21-19, March 5, 2021, p. 32, https://www.whitehouse.gov/wp-content/uploads/2021/03/M-
21-19.pdf.
22 The requirement for a matching agreement, including the content it is to specify, is enumerated in Title 5, Section
552a(o), of the U.S. Code. These requirements can be waived under Title 31, Section 3354(b)(3)(B)(i), of the U.S.
Code.
Congressional Research Service

3

Improper Payments in Pandemic Assistance Programs

Data Analytics and Automation
Beyond matching data, there are other approaches to how data can be used in the prevention of
improper payments. OMB’s Circular No. A-123, “Requirements for Payment Integrity
Improvement,” advises agencies to use data analytics to identify trends, patterns, anomalies, and
exceptions within data to identify indicators of improper payments.23 These analytic methods
include rule-based analytics, anomaly detection, predictive analytics, network/link analytics, and
text analytics.24 Please see the Appendix for more detail on these methods.
In addition to the methods outlined in Circular No. A-123, some agencies use intelligent
automation and robotic process automation (also called robotic processing automation) in
payment processes.25 In general, this method is designed to automate usually rule-based processes
that may have been performed manually across multiple information systems, such as performing
calculations, validating information, and matching data that corresponds to eligibility criteria. The
joint alert points to some roles within an agency that may implement automation and analytic
methods, including the chief information officer, the chief data officer, and program managers, as
well as staff with analytics and data science skills.26
Recovery Operations Center
The American Recovery and Reinvestment Act of 2009 (ARRA; P.L. 111-5) led to the
establishment of one of the first multi-agency data analytics platforms. ARRA provided $862
billion to stimulate the job economy during the recession that followed the 2008 financial crisis. A
central body comprised of more than a dozen agency inspectors general was created to coordinate
oversight of ARRA funding, called the Recovery and Accountability Transparency Board.27 A
component of the board was the Recovery Operations Center (ROC), which used data analytics to
monitor ARRA spending. ROC staff shared their data and tools with the inspector general (IG)
community and applied data matching, text mining, and other techniques to review 1.7 million
entities that received federal funds and successfully identify a range of fraudulent activities.28
While some members of the oversight community argued that the ROC could serve as the basis
for a centralized data analytics agency that could support IGs’ anti-fraud efforts beyond the
ARRA, the ROC was shuttered when the board sunset in 2015.29
Widespread Weaknesses Identified in Pre-Pandemic Audits
In the years leading up to the pandemic, auditors reported widespread, persistent non-compliance
with improper payments requirements at the 24 agencies subject to the Chief Financial Officers

23 OMB, M-21-19, p. 28.
24 OMB, M-21-19, p. 35.
25 OMB, M-21-19, p. 2.
26 OMB, M-21-19, pp. 2, 6.
27 Testimony of Pandemic Response Accountability Committee Chair Michael E. Horowitz, in U.S. Congress, House
Committee on Oversight and Reform, Examining Federal Efforts to Prevent, Detect, and Prosecute Pandemic Relief
Fraud and Safeguard Funds for All Eligible Americans, 117th Cong., 2nd sess., June 14, 2022, H.Hrg. 117-86,
https://www.govinfo.gov/content/pkg/CHRG-117hhrg47805/pdf/CHRG-117hhrg47805.pdf.
28 GAO, Federal Data Transparency: Opportunities Remain to Incorporate Recovery Act Lessons Learned, GAO-13-
871T, September 13, 2013, pp. 5-6, https://www.gao.gov/assets/gao-13-871t.pdf.
29 GAO, Federal Spending Accountability: Preserving Capabilities of Recovery Operations Center Could Help Sustain
Oversight of Federal Expenditures, GAO-15-814, September 2015, p. 21, https://www.gao.gov/assets/gao-15-814.pdf.
Congressional Research Service

4

Improper Payments in Pandemic Assistance Programs

Act (P.L. 101-576), which have historically accounted for 99% of annual improper payments.30
Every year between FY2011 and FY2018, except for one, at least-half of these agencies were
non-compliant with improper payments requirements.31 Among the weaknesses that auditors
identified were that some agencies:
• Lacked internal controls to address known risks. The Unemployment
Insurance (UI) program was repeatedly deemed vulnerable to fraud from identity
thieves and organized criminal groups that apply for benefits using stolen
personally identifiable information.32
• Did not publish improper payments estimates for all programs and activities
deemed at risk. Some multi-billion-dollar federal programs, such as Temporary
Assistance to Needy Families and the Premium Tax Credit, did not consistently
report improper payments estimates.33
• Published invalid improper payments estimates. The Department of Defense
has published unreliable improper payments estimates for all of its programs for
12 consecutive years, starting in FY2010.34 The Department of Labor (DOL)
underestimated the amount of improper payments in the UI program for four
consecutive years, starting in FY2017.35
• Had not performed required fraud risk assessments. The Department of
Health and Human Services had not conducted a comprehensive fraud risk
assessment of the Head Start program by 2019, heightening the risk of fraud and
improper payments.36
As a consequence of these and other weaknesses, government-wide improper payments increased
45% during the 2010s, peaking at $175 billion in FY2019.37

30 GAO, Payment Integrity: Federal Agencies’ Estimates of FY2019 Improper Payments, GAO-20-344, March 2020, p.
4, https://www.gao.gov/assets/gao-20-344.pdf.
31 GAO, Payment Integrity, p. 14; GAO, Additional Guidance Could Provide More Consistent Compliance
Determinations and Reporting by Inspectors General, GAO-17-484, May 2017, p. 8, https://www.gao.gov/assets/gao-
17-484.pdf.
32 U.S. Department of Labor, Office of Inspector General, Investigative Advisory Report: Weaknesses Contributing to
Fraud in the Unemployment Insurance Program, July 2015, p. 13, https://www.oig.dol.gov/public/Press%20Releases/
UI%20Program%20Letter%2050-15-001-03-315.pdf.
33 GAO, Payment Integrity, p. 11.
34 U.S. Department of Defense, Office of Inspector General, Audit of the Department of Defense’s FY2022 Compliance
with Payment Integrity Information Act Requirements, May 2023, p. 8, https://media.defense.gov/2023/May/23/
2003227925/-1/-1/1/DODIG-2023-075.PDF.
35 Testimony of Department of Labor Inspector General Larry D. Turner, in U.S. Congress, Senate Committee on
Homeland Security and Governmental Affairs, Reducing Fraud and Expanding Access to COVID-19 Relief through
Effective Oversight, 117th Cong., 2nd sess., March 17, 2022, S.Hrg. 117-564, https://www.hsgac.senate.gov/wp-content/
uploads/imo/media/doc/Testimony-Turner-2022-03-17-REVISED.pdf.
36 GAO, Head Start: Action Needed to Enhance Program Oversight and Mitigate Significant Fraud and Improper
Payment Risks, GAO-19-519, September 2019, p. 25, https://www.gao.gov/assets/gao-19-519.pdf.
37 GAO, Emergency Relief Funds: Significant Improvements are Needed to Address Fraud and Improper Payments,
GAO-23-106556, February 2023, p. ii, https://www.gao.gov/assets/gao-23-106556.pdf.
Congressional Research Service

5

Improper Payments in Pandemic Assistance Programs

Control Weaknesses in Emergency Spending Programs
For decades, auditors have reported that weak internal controls over emergency funding have left
the government vulnerable to improper payments, especially fraud.38 Disaster situations are
unique in that there may be a perceived conflict between expediting the disbursal of funds and
implementing safeguards to ensure that funds are used as intended by Congress.39 In 2018, the
Small Business Administration (SBA) IG described the challenges SBA faced in implementing
disaster relief programs:
Unfortunately, the need to disburse such loans quickly poses many complications and may
create opportunities for dishonest applicants to commit fraud. OIG and GAO audits have
identified that SBA’s disaster loans have been vulnerable to fraud and losses in the past
because loan transactions are often expedited in order to provide quick relief to disaster
survivors, and disaster lending personnel, who are brought into the workforce quickly, lack
sufficient training or experience. Additionally, the volume of loan applications may
overwhelm SBA’s resources and its ability to exercise careful oversight of lending
transactions.40
In this environment, agencies may not accurately identify all of the risks to program funding, and
therefore their internal controls may not adequately protect against fraud and improper
payments.41 For example, in the 2000s and 2010s, some agencies that administered disaster
funding:
• Did not establish internal control plans that fully identify and mitigate
programmatic risks. The Additional Supplemental Appropriations for Disaster
Relief Requirements Act of 2017 (P.L. 115-72) required each agency that
received funds to submit an internal control plan specific to disaster spending.
One agency did not submit a plan, one agency’s plan did not address the risk of
fraud, and another agency’s plan was one paragraph—too incomplete to ensure
that effective policies were outlined.42
• Lacked effective pre-payment verification processes. SBA failed to implement
adequate preventive controls to ensure that only eligible borrowers obtained
certain emergency loans—the eligibility of nearly 85% of borrowers could not be
confirmed in post-payment reviews.43
• Did not ensure state and local entities that administer federal emergency
programs met federal standards. Some state education agencies that received

38 GAO, Catastrophic Disasters: Enhanced Leadership, Capabilities, and Accountability Controls Will Improve the
Effectiveness of the Nation’s Preparedness, Response, and Recovery Systems, GAO-06-618, September 2006, p. 8,
https://www.gao.gov/assets/gao-06-618.pdf.
39 GAO, Catastrophic Disasters.
40 U.S. Small Business Administration, Office of Inspector General (SBA OIG), Semiannual Report to Congress: April
1, 2018 to September 30, 2018, October 2018, p. 11, https://www.oversight.gov/sites/default/files/oig-sa-reports/
archive/17418/SBA-OIG-Fall-2018-Semiannual-Report.pdf.
41 GAO, Hurricane Sandy Relief: Improved Guidance on Designing Internal Control Plans Could Enhance Oversight of
Disaster Funding, GAO-14-58, November 2013, pp. 21-22, https://www.gao.gov/assets/gao-14-58.pdf.
42 GAO, 2017 Disaster Relief Oversight: Strategy Needed to Ensure Agencies’ Internal Control Plans Provide
Sufficient Information, GAO-19-479, June 2019, pp. 9-17, https://www.gao.gov/assets/gao-19-479.pdf.
43 SBA OIG, White Paper: Risk Awareness and Lessons Learned from Prior Audits of Economic Stimulus Loans, April
2020, p. 4, https://www.sba.gov/sites/sbagov/files/2020-04/SBA_OIG_WhitePaper_20-11_508.pdf.
Congressional Research Service

6

link to page 10 Improper Payments in Pandemic Assistance Programs

disaster recovery funding from the Department of Education lacked proper
processes to detect fraud.44
Throughout the 2010s, GAO issued a series of “priority” recommendations to OMB that would
mitigate the risks associated with fraud, improper payments, and internal control weaknesses in
emergency programs.45 Seven of those priority recommendations remained open in April 2019,
just months before the onset of COVID-19.
Improper Payments in Pandemic Programs
The scale of funding provided in response to the pandemic significantly exceeded that of previous
federal emergency relief initiatives. Agencies received more than five times as much funding for
pandemic relief—$4.6 trillion—than they did under ARRA. Overall, 66 programs received at
least $1 billion in pandemic funding, and 173 programs received at least $100 million.46 Funding
was provided both to new programs that were established as part of the federal response to
COVID-19 and to programs that existed prior to the pandemic. The funding for several programs,
such as UI, is jointly administered by federal and state agencies. Table 1 shows the largest
pandemic spending areas, the federal agency that administers each program, and the amount of
funding each program received.
Table 1. Select Pandemic Relief Programs
Total Funding
Program
Administering Agency
(Billions)
Economic Impact Payments
Department of the Treasury
$858.6
Business Loan Programs
Small Business Administration
$833.0
Unemployment Insurance
Department of Labor
$701.6
Coronavirus State and Local Fiscal Recovery Fund
Department of the Treasury
$350.0
Public Health and Social Services Emergency Fund
Department of Health and Human
$345.7
Services
Education Stabilization Fund
Department of Education
$277.7
Coronavirus Relief Fund
Department of the Treasury
$150.0
Supplemental Nutrition Assistance Program
Department of Agriculture
$121.1
Other Areas (over 300 accounts)
Various
$976.8
Total

$4,614.5
Source: U.S. Government Accountability Office, COVID-19 Relief: Funding and Spending as of January 31, 2023,
GAO-23-106647, p. 1, https://www.gao.gov/assets/820/817807.pdf.
Notes: Data are from January 31, 2023.

44 U.S. Department of Education, FY2019 Agency Financial Report, November 2019, p. 109, https://www2.ed.gov/
about/reports/annual/2019report/agency-financial-report.pdf.
45 GAO, Priority Open Recommendations, GAO-19-323SP, April 2019, pp. 4-5, https://www.gao.gov/assets/700/
698787.pdf.
46 Pandemic Response Accountability Committee, “Program Funding Data,” https://www.pandemicoversight.gov/data-
interactive-tools/programs.
Congressional Research Service

7

Improper Payments in Pandemic Assistance Programs

Federal and state agencies were tasked with getting pandemic funds out quickly while also
ensuring that proper safeguards were in place.47 Agencies generally disbursed funds rapidly for
most pandemic programs.48 SBA issued the equivalent of 14 years’ worth of lending in 14 days,49
for example, and the Internal Revenue Service (IRS) issued 157 million economic impact
payments (EIPs) less than two months after the EIP program was established under the
Coronavirus Aid, Relief, and Economic Security Act (CARES Act).50
In addition to providing funding for relief programs, the CARES Act established the Pandemic
Response Accountability Committee (PRAC), a body of 21 IGs that was to play an oversight role
similar to that of the Recovery and Accountability Transparency Board. PRAC and the Office of
Federal Financial Management within OMB jointly issued an “alert” on using automation and
data analytics to reduce payment integrity risks, noting that the pandemic highlighted preexisting
issues.51 The alert also encouraged IGs to make use of a data analytics center established within
PRAC a little more than a year after agencies began distributing relief funds, the Pandemic
Analytics Center of Excellence (PACE).52
At the outset of the pandemic, many pandemic programs lacked fundamental pre-payment, post-
payment, and fraud management controls, and some agencies responded slowly to the need to
rectify these weaknesses.53 As a consequence, hundreds of billions of dollars may have been lost
to fraud and other improper payments,54 including billions to transnational criminal organizations
and violent street gangs within the United States.55
Lack of Effective Pre-Payment Controls
PIIA requires agencies to establish effective pre-payment controls, including the use of DNP.
Several agencies, in order to expedite the disbursal of funds, allowed applicants to self-certify
their eligibility for pandemic assistance. For example, under the Emergency Rental Assistance
program, Treasury awarded grants to state and local governments, which in turn awarded the
funds for rent, utilities, and home energy costs to renters under financial stress. Treasury did not

47 GAO, Emergency Relief Funds: Significant Improvements Are Needed to Ensure Transparency and Accountability
for COVID-19 and Beyond, GAO-22-105715, March 2022, p. 1, https://www.gao.gov/products/gao-22-105715.
48 GAO-22-105715, p. 19.
49 SBA OIG, COVID-19 Pandemic EIDL and PPP Loan Fraud Landscape, June 2023, p. 3, https://www.sba.gov/sites/
sbagov/files/2023-06/SBA%20OIG%20Report%2023-09.pdf. For more information about SBA pandemic programs,
see CRS Report R47694, SBA as a Vehicle for Crisis Relief: Lessons from the COVID-19 Pandemic, coordinated by
Adam G. Levin.
50 Treasury Inspector General for Tax Administration, Implementation of Economic Impact Payments, May 2021, p. i,
https://www.oversight.gov/sites/default/files/oig-reports/TIGTA/202146034fr.pdf.
51 OMB and PRAC, “Payment Integrity Alert: The Use of Automation and Data Analytics,” July 21, 2021, p. 1,
https://www.pandemicoversight.gov/media/file/joint-payment-integrity-alert-use-automation-and-data-analytics-omb-
and-prac. OMB and PRAC note that the alert is not official guidance nor does it establish any requirement on an
agency to undertake specific activities “beyond consideration of appropriate steps to address ongoing or future issues
related to payment integrity.”
52 OMB and PRAC, Payment Integrity Alert.
53 PRAC, Lessons Learned in Oversight of Pandemic Relief Funds, June 2022, pp. 4-8,
https://www.pandemicoversight.gov/media/file/prac-lessons-learned-update-june-2022pdf.
54 SBA OIG, COVID-19 Pandemic EIDL and PPP Loan Fraud Landscape, p. 8; GAO, Unemployment Insurance,
Estimated Amount of Fraud during Pandemic Likely Between $100 Billion and $135 Billion, GAO-23-106696,
September 2023, p. 8, https://www.gao.gov/assets/870/861289.pdf.
55 Testimony of Grant Thornton Principal Lina Miller, in U.S. Congress, House Committee on Oversight and Reform,
Following the Money: Tackling Improper Payments, 117th Cong., 2nd sess., March 31, 2022, H.Hrg. 117-75,
https://www.govinfo.gov/content/pkg/CHRG-117hhrg47264/pdf/CHRG-117hhrg47264.pdf.
Congressional Research Service

8

Improper Payments in Pandemic Assistance Programs

require any documentation from applicants that would verify either that they had rental
agreements in place or that they met the financial need criteria for the program. The eligibility
information was self-certified.56 While allowing self-certification reduced the administrative
burden on applicants, it also exposed the program to significant risks of fraud and improper
payments.
Similarly, SBA did not verify the information that applicants provided when they sought loans
from two of the largest pandemic programs: Economic Injury Disaster Loans (EIDL) and the
Paycheck Protection Program (PPP). EIDL offered low-interest loans to small businesses
(including nonprofits) to help cover their operating expenses. To qualify for EIDL assistance, a
business had to have been operating on or before January 31, 2020—information that the
applicant was allowed to self-certify on the application. Similarly, applicants for SBA’s PPP
loans, which were intended to incentivize businesses to retain their workers, could self-attest that
their organizations qualified for assistance. Michael Horowitz, the IG for the Department of
Justice and the chair of PRAC, said the lack of verification directly contributed to the $200 billion
of estimated fraud in the EIDL and PPP programs:57
If you open up the bank window and say, give me your application and just promise me
you are who you say you are, you attract a lot of fraudsters, and that’s what happened
here.58
In one example, a fraud ring of 14 individuals submitted 75 applications for PPP loans in 2020.59
By providing falsified data, bank records, and tax forms—none of which SBA verified—the ring
obtained more than $20 million in assistance.60
Many of the state agencies that determine UI eligibility—often called state workforce agencies—
allowed UI applicants to self-certify their information for pandemic funds. The CARES Act
provided first-time UI benefits to an expanded pool of eligible workers, supplemented the UI
benefits of all unemployed workers, and extended the time workers were eligible for
unemployment compensation. State agencies were quickly overwhelmed with applications. Initial
claims jumped from 282,000 on March 20, 2020, to 57.4 million five months later.61 According to
the DOL IG, state agencies were unprepared to process so many claims and did not initially apply
standard internal controls, such as verifying eligibility and identity information before issuing
payments.62 As a consequence of allowing applicants to self-certify their information, fraudsters
stole between $100 billion and $135 billion in UI pandemic funds.63
Pre-payment controls also failed due to inadequate services provided by federal contractors. The
Health Resources and Services Administration (HRSA), a component of the Department of
Health and Human Services, managed the Uninsured Program, which reimbursed health care
providers for provision of COVID-19-related services to uninsured individuals. A contractor was

56 GAO, Emergency Rental Assistance: Additional Grantee Monitoring Needed to Manage Known Risks, GAO-22-
105490, p. 5, https://www.gao.gov/assets/gao-22-105490.pdf.
57 SBA OIG, COVID-19 Pandemic EIDL and PPP Loan Fraud Landscape, p. 8.
58 Associated Press, “The Great Grift: How billions in COVID-19 relief aid was stolen or wasted,” June 12, 2023,
https://www.cbsnews.com/philadelphia/news/the-great-grift-five-things-to-know-about-how-covid-19-relief-aid-was-
stolen-or-wasted-3/.
59 U.S. Department of Justice, Office of Public Affairs, “Leader of $20M COVID-19 Relief Fraud Ring Sentenced to
15 Years,” October 2023, https://www.justice.gov/opa/pr/leader-20m-covid-19-relief-fraud-ring-sentenced-15-years.
60 Ibid.
61 Turner, Reducing Fraud and Expanding Access to COVID-19 Relief through Effective Oversight, p. 5.
62 Turner, Reducing Fraud and Expanding Access to COVID-19 Relief through Effective Oversight, p. 3.
63 GAO, Unemployment Insurance, p. 17.
Congressional Research Service

9

Improper Payments in Pandemic Assistance Programs

responsible for confirming that a patient did not have insurance prior to reimbursing a provider.
The contractor, however, tried to verify a patient’s insurance status only when the provider
submitted a Social Security Number. If no such number was provided, the contractor
automatically issued a payment.64 Moreover, the contractor misidentified some patients who did
have insurance as being uninsured and paid providers for services that private insurance should
have covered.65 Due in large part to weaknesses in data quality and pre-payment eligibility
assessments, the Uninsured Program issued an estimated $784 million in improper payments, the
equivalent of a 19% error rate.66
In one instance, an agency issued millions of payments to individuals whom it had identified as
deceased.67 The CARES Act established a refundable tax credit, the 2020 Recovery Rebates for
Individuals program, which provided a refundable tax credit of up to $1,200 for eligible
individuals and an additional $500 for each dependent minor in an eligible individual’s
household. The IRS was authorized to issue advance payments for the tax credit, referred to as
EIPs. Four months after the program was established, the IRS had issued 2.2 million EIP
payments worth $3.5 billion to individuals whom the IRS knew were deceased.68 The IRS
initially argued that the payments were proper because the CARES Act did not specify that dead
people were ineligible, although it later issued guidance clarifying that deceased individuals did
not qualify for EIPs.69 In this instance, the agency performed a pre-payment review but
interpreted the statute in such a way as to allow millions of improper payments to be issued.
Lack of Effective Post-Payment Controls
Post-payment controls, such as reviewing supporting documentation and payment data, are
important tools for detecting and recovering improper payments. They are particularly important
for detecting fraud and improper payments in programs that permitted applicants to self-certify
identity or eligibility. However, some agencies did not establish and implement effective post-
payment controls in a timely manner. For example, the CARES Act, enacted in March 2020,
established both the ERA program and the Provider Relief Fund, a HRSA-managed program that
reimbursed health care providers for costs associated with diagnosing, testing, or treating
COVID-19. Twenty months after the CARES Act was passed, Treasury had issued more than $28
billion under ERA but had not established post-payment procedures to verify the eligibility and
accuracy of payments to renters and identify and recover overpayments.70 Similarly, by
September 2021, HRSA had issued over $132 billion from the Provider Relief Fund but had not
developed plans to identify or recover overpayments.71
State agencies that implemented federal pandemic programs also did not implement effective
post-payment controls in some cases. DOL’s Employment and Training Administration, which

64 U.S. Department of Health and Human Services, Office of Inspector General, HRSA Made COVID-19 Uninsured
Program Payments to Providers on Behalf of Individuals Who Had Health Insurance Coverage and for Services
Unrelated to COVID-19, A-02-21-01013, July 2023, p. 9, https://oig.hhs.gov/oas/reports/region2/22101013.pdf.
65 Ibid., p. 10.
66 Ibid., p. 7.
67 Treasury Inspector General for Tax Administration, Implementation of Economic Impact Payments. p. 5.
68 Treasury Inspector General for Tax Administration, Implementation of Economic Impact Payments, p. 5.
69 Treasury Inspector General for Tax Administration, Implementation of Economic Impact Payments, pp. 5-6.
70 GAO, COVID-19: Significant Improvements Are Needed for Overseeing Relief Funds and Leading Responses to
Public Health Emergencies, GAO-22-105291, p. 3, https://www.gao.gov/assets/gao-22-105291.pdf.
71 GAO, COVID-19: Additional Actions are Needed to Improve Accountability and Program Effectiveness of Federal
Response, GAO-22-105051, October 2021, p. 3, https://www.gao.gov/assets/gao-22-105051.pdf.
Congressional Research Service

10

Improper Payments in Pandemic Assistance Programs

oversees federal funds for UI, issued guidance in May 2020 that specified the post-payment
controls states must implement to verify that payments were being made to eligible individuals
and to recover overpayments.72 Under this guidance, states must (1) verify eligibility information
provided by beneficiaries by cross-matching it with employment and income data sources, and (2)
recover overpayments through various offset programs.73 The DOL IG determined that non-
compliance with this guidance was widespread—40% of state agencies did not perform the
required cross-matches and 38% did not attempt to recover overpayments through offset
programs.74
Related to the recovery of overpayments is the collection of delinquent loans. Agencies
commonly attempt to collect loan debts by repossessing the collateral (if any) used for the loan,
litigation, or offset programs managed by Treasury.75 The Debt Collection Improvement Act of
1996 (P.L. 104-134) requires credit granting agencies to refer delinquent debt to Treasury for
collection, unless it would cost more to recover the funds than the amount that would be charged
off. SBA managed two of the largest pandemic loan programs, EIDL and PPP, and chose not to
pursue collection on delinquent loans under $100,000. SBA justified this decision, in large part,
by arguing that it would not be cost effective to attempt to collect on the loans, which the SBA IG
estimates to total $1.1 billion for PPP76 and as much as $62 billion for EIDL.77 The SBA IG
argued that the agency’s decision was not justified because it did not perform an adequate cost-
benefit analysis on collecting debt for either program.78
Lack of Fraud Risk Management Controls
Agencies were required to begin implementing the standards and leading practices of the GAO
framework in 2016. The lack of progress in subsequent years meant some agencies “were not
adequately prepared to prevent fraud when the pandemic began.”79 This is particularly true for the
two agencies with the largest fraud losses: SBA (PPP and EIDL) and DOL (UI). According to
auditors, SBA and DOL shared three significant weaknesses in their fraud controls.
Each agency is required to identify or create an office to lead its fraud risk management activities.
This entity is meant to oversee and coordinate the agency’s fraud risk prevention, detection, and
response activities. SBA did not establish its Fraud Risk Management Board until April 2022,80

72 DOL OIG, COVID-19: States Struggled to Implement CARES Act Unemployment Insurance Programs, May 2021, p.
8, https://www.oig.dol.gov/public/reports/oa/2021/19-21-004-03-315.pdf.
73 DOL OIG, COVID-19, p. 9.
74 DOL OIG, COIVD-19, pp. 8-10.
75 SBA OIG, Ending Active Collections on Delinquent COVID-19 Economic Injury Disaster Loans, September 2023, p.
1, https://www.sba.gov/sites/sbagov/files/2023-09/SBA%20OIG%20Report%2023-16.pdf.
76 SBA OIG, SBA’s Guaranty Purchases for Paycheck Protection Program Loans, September 2023, p. 2,
https://www.sba.gov/sites/sbagov/files/2022-09/SBA%20OIG%20Report%2022-25.pdf.
77 SBA OIG, Ending Active Collections on Delinquent COVID-19 Economic Injury Disaster Loans, p. 7.
78 SBA OIG, Ending Active Collections, pp. 3-4. SBA’s Guaranty Purchases for Paycheck Protection Program Loans,
p. 4.
79 GAO, COVID-19: Key Elements of Fraud Schemes and Actions to Better Prevent Fraud, GAO-24-107122, October
2023, p. 12, https://www.gao.gov/assets/d24107122.pdf.
80 SBA, “Administrator Guzman Announces Expanded Efforts to Aggressively Crack Down on Bad Actors and Prevent
Fraud in Programs,” press release, April 1, 2022, https://www.sba.gov/article/2022/apr/01/administrator-guzman-
announces-expanded-efforts-aggressively-crack-down-bad-actors-prevent-fraud.
Congressional Research Service

11

Improper Payments in Pandemic Assistance Programs

and DOL had not designated an anti-fraud entity by January 2023.81 It is not clear if DOL has
done so since.
Agencies must also perform fraud risk assessments as soon possible to identify vulnerabilities in
program operations. These assessments are the basis for developing effective internal controls
that mitigate the risk of fraud and improper payments. SBA completed its fraud risk assessments
for PPP and EIDL in October 2021, when PPP had already stopped accepting applications and
two months before EIDL would follow suit.82 As of January 2023, DOL had not performed a
fraud risk assessment of the UI program, and it is not clear if it has done so since.83 One important
duty of a DOL anti-fraud entity might be to collaborate with state workforce agencies to ensure
that states have effective fraud controls in place. The California Employment Development
Department was required by state law to review its anti-fraud policies annually, but it had not
done so between January 2016 and January 2021.84 As a consequence, the agency relied on
“uninformed and disjointed techniques” to detect fraud and paid an estimated $10.4 billion to
potential fraudsters between March and December of 2020.85
The GAO framework requires agencies to outline the specific actions they will take to monitor
and manage fraud risks. The most effective strategies emphasize pre-payment controls, but
information gained by monitoring all fraud controls can help agencies determine whether those
controls are effective and how they may be adjusted to achieve better results. By January 2023,
SBA and DOL had both partially completed their anti-fraud strategies.86
Non-Compliance with Improper Payments Requirements
PIIA requires agencies to assess all of the programs that they administer to determine if they are
susceptible to significant amounts of improper payments. OMB Circular A-123,87 which provides
guidance to agencies on how to implement PIIA requirements, specifies that for newly established
programs an assessment should be performed after the first 12 months of the program. Risk
assessments must consider a number of factors, including whether the program is new to an
agency or has experienced significant funding changes and the volume of payments the agency
must review. Once a program is determined to be at risk, the agency must report a valid improper
payment estimate for it, among other requirements.
Because PIIA requirements are not mandatory until 12 months after a program has been
established, most agencies did not report on improper payments in new pandemic programs in
FY2021.88 In FY2022, several agencies performed inadequate risk assessments or reported
unreliable improper payments estimates.
At least two agencies were determined to be non-compliant with PIIA in FY2022 because they
performed inadequate risk assessments on pandemic assistance programs. SBA, for example,
used flawed methodologies to conclude that there was no significant risk of improper payments

81 GAO-22-105715, pp. 15-16.
82 GAO-22-105715, p. 15.
83 GAO-22-105715, p. 16.
84 California State Auditor, Employment Development Department: Significant Weaknesses in EDD’s Approach to
Fraud Prevention Have Led to Billions of Dollars in Improper Benefit Payments, January 2021, pp. 9, 37,
https://www.auditor.ca.gov/pdfs/reports/2020-628.2.pdf.
85 California State Auditor, Employment Development Department, p. 33.
86 GAO-22-105715, pp. 15-16.
87 OMB M-21-19, p. 16.
88 GAO-22-105715, p. 25.
Congressional Research Service

12

Improper Payments in Pandemic Assistance Programs

for the $28.5 billion Restaurant Revitalization Fund (RRF) and the $14.6 billion Shuttered Venues
Operator Grant (SVOG) program.89 Similarly, the Federal Emergency Management Agency
determined that the Funeral Assistance program, which provided billions of dollars to cover burial
costs for people who died of COVID-19, was not at risk for significant improper payments, but it
did not account for the program’s weak internal controls or the volume of claims the agency
would need to review.90
Several agencies were non-compliant with PIIA requirements in FY2022 for reporting unreliable
improper payments estimates for pandemic programs. The improper payments estimate for the
Education Stabilization Fund at the Department of Education was inaccurate because the
department lacked sufficient documentation to support its classification of sampled payments as
improper, unknown, or proper.91 The Department of Housing and Urban Development reported an
unreliable improper payment estimate for the Tenant Based Housing Assistance program because
it did not test a wide enough range of payments.92 SBA did not use reliable samples for
developing improper payment estimates for PPP and EIDL, and so neither program had valid
estimates for FY2022.93 Similarly, DOL did not provide a full estimate of improper payments for
UI in FY2022, as it did not incorporate samples from all pandemic funding streams.94
Additional Consequences of Fraud and Other Improper Payments
As noted, effective internal controls facilitate the objectives of a program by ensuring, among
other things, that funds are spent in the manner intended. During the pandemic, federal and state
agencies often disbursed funds without appropriate controls in place in order to get assistance out
as quickly as possible. Some stakeholders argue that the idea that there is a tradeoff between
speed and security “is a false premise.”95 PRAC Chairman and Justice Department IG David
Horowitz argued that agencies should have run verified payments through DNP, as required, and
that doing so would not have caused significant delays in issuing funds:
It’s a false narrative that has been set out, that there are only two choices. One choice is get
the money out right away, and that the only other choice is to spend weeks and months
trying to figure out who was entitled to it. [Screening payments would have taken] 24

89 SBA OIG, Independent Auditor’s Report on SBA’s Fiscal Year 2022 Compliance with the Payment Integrity
Information Act of 2019, May 2023, pp. 3-5, https://www.sba.gov/sites/sbagov/files/2023-05/
SBA%20OIG%20Report%2023-07.pdf.
90 U.S. Department of Homeland Security, Office of Inspector General, DHS’ Fiscal Year 2022 Compliance with the
Payment Integrity Information Act of 2019, May 2023, p. 24, https://www.oig.dhs.gov/sites/default/files/assets/2023-
05/OIG-23-25-May23.pdf.
91 U.S. Department of Education, Office of Inspector General, U.S. Department of Education’s Compliance with
Payment Integrity Information Reporting Requirements for FY2022, July 2023, pp. 19-24, https://oig.ed.gov/sites/
default/files/reports/2023-08/Final-Audit-Report-Department-Education-PIIA-FY-2022-A23NY0119-508-
compliant.pdf.
92 U.S. Department of Housing and Urban Development, Office of Inspector General, Compliance with Payment
Integrity Information Act of 2019, June 2022, p. 7, https://www.hudoig.gov/sites/default/files/2022-06/2022-FO-
0005.pdf.
93 SBA OIG, Independent Auditor’s Report on SBA’s Fiscal Year 2022 Compliance with the Payment Integrity
Information Act of 2019, p. 2.
94 DOL OIG, The U.S. Department of Labor Did Not Meet the Requirements for Compliance with the Payment
Integrity Information Act for FY 2022, June 2023, p. 8, https://www.oig.dol.gov/public/reports/oa/2023/22-23-006-13-
001.pdf.
95 NBC News, “Biggest Fraud in a Generation: The Looting of the Covid Relief Plan Known as PPP,” Ken Dilanian
and Laura Strickler, March 28, 2022, https://www.nbcnews.com/politics/justice-department/biggest-fraud-generation-
looting-covid-relief-program-known-ppp-n1279664.
Congressional Research Service

13

Improper Payments in Pandemic Assistance Programs

hours? 48 hours? Would that really have upended the program? I don’t think it would have.
And it was data sitting there. It didn’t get checked.96
The lack of effective internal controls not only undermined the effectiveness of pandemic
programs but led to outcomes that were contrary to broader federal objectives. Notably, funds that
were lost to fraud were not available to support the individuals and businesses that Congress
intended. Had the billions in loans intended for businesses not been lost to fraud, for example,
fewer stores may have closed and laid off workers. In addition, internal control weaknesses over
pandemic programs compromised some agencies’ financial statements. SBA received a
disclaimer97 on its FY2022 financial statements because it could not provide documentation to
support transactions and balances for four pandemic programs: PPP, EIDL, RRF, and SVOG.98
DOL received a qualified opinion99 on its FY2022 financial statements due to concerns with UI
pandemic funding accounts.100
Some pandemic assistance was stolen by domestic street gangs and transnational criminal
organizations that used those funds for criminal activity. Members of the Milwaukee street gang
called the “Wild 100s” or “Shark Gang” were indicted for fraudulently obtaining pandemic
unemployment assistance funds and using the money to purchase firearms, narcotics, jewelry, and
vacations and to solicit murder for hire.101 In Shreveport, LA, members of the Step or Die gang
were indicted for fraudulently obtaining PPP and EIDL loans,102 and in Brooklyn, NY, members
of the Woo Gang were charged with stealing millions in UI funds.103 In 2021, after the fraud
scheme had been launched, Woo Gang members posted a music video on YouTube entitled
“Trappin” that included the lyrics, “Unemployment got us workin’ a lot.”104 By some estimates,
foreign crime syndicates—such as those in Russia, China, and Nigeria—stole tens of billions of
dollars from pandemic programs.105 Criminal groups used stolen pandemic funds to further their
activities, according to Jeremy Sheridan, former assistant director of the Office of Investigations
at the U.S. Secret Service:

96 Associated Press, “The Great Grift.”
97 A disclaimer is when an auditor concludes that it cannot reach an opinion on an entity’s financial statements.
98 SBA OIG, Independent Auditor’s Report on Fiscal Year 2022 Financial Statements, November 2023, p. 1,
https://www.sba.gov/sites/sbagov/files/2023-11/SBA%20OIG%20Report%2024-03.pdf.
99 A qualified opinion is when an auditor concludes that it cannot reach an opinion because misstatements may be
material but not necessarily pervasive.
100 DOL OIG, FY2022 Independent Auditor’s Report on the Department of Labor’s Consolidated Financial Statements,
December 2022, pp. 29-30, https://www.oversight.gov/sites/default/files/oig-reports/DOL/22-23-002-13-001-FY-2022-
Independent-Auditorson-DOLs-Consolidated-Financial-Statements.pdf.
101 U.S. Department of Justice, Eastern District of Wisconsin, “Thirty Individuals Associated with Milwaukee Street
Gang Charged with Federal Offenses Ranging from Fraud to Murder for Hire,” press release, May 10, 2023,
https://www.justice.gov/usao-edwi/pr/thirty-individuals-associated-milwaukee-street-gang-charged-federal-offenses-
ranging.
102 U.S. Department of Justice, Western District of Louisiana, “U.S. Attorney Brandon B. Brown Announces
Indictment of 24 Individuals Associated with Shreveport Gang on Charges Related to CARES Act Fraud Scheme,”
press release, July 18, 2023, https://www.justice.gov/usao-wdla/pr/us-attorney-brandon-b-brown-announces-
indictment-24-individuals-associated-shreveport.
103 U.S. Department of Justice, “11 Members and Associates of Brooklyn-Based Woo Gang Charged with Mult-Million
Dollar COVID-19 Unemployment Insurance Fraud,” press release, February 17, 2022, https://www.justice.gov/usao-
edny/pr/11-members-and-associates-brooklyn-based-woo-gang-charged-multi-million-dollar-covid-19.
104 Ibid.
105 Testimony of Grant Thornton Principal Lina Miller, in U.S. Congress, House Committee on Oversight and Reform,
Following the Money: Tackling Improper Payments, 117th Cong., 2nd sess., March 31, 2022, H.Hrg. 117-75,
https://www.govinfo.gov/content/pkg/CHRG-117hhrg47264/pdf/CHRG-117hhrg47264.pdf.
Congressional Research Service

14

Improper Payments in Pandemic Assistance Programs

These groups are profiting so greatly from these types of schemes, they engage in a host of
other crimes. Drug trade, crimes against children, more sophisticated cyber-related fraud.
And this money is basically an investment to them to conduct more extensive criminal
operations…some of which include crimes that will compromise national security.106
There may be a cyclical effect to high levels of fraud and criminality: As public awareness of
fraud spreads, it may create the perception that relief funds can be easily stolen and therefore
make emergency programs a target for further exploitation.107 Moreover, as the public becomes
aware of high levels of fraud, it may lose trust in government in general, and specifically in the
government’s ability to safeguard taxpayer funds.108
Considerations for Congress
There are policy options that Congress might wish to consider that may mitigate the risk of fraud
and improper payments in federal programs, including emergency spending programs.
Establishing a Central Anti-Fraud Entity
Some agencies have been slow to implement comprehensive, effective anti-fraud controls. Audits
of pandemic programs found that, despite the mandate of the FRDAA, “federal agencies did not
strategically manage fraud risks in alignment with the GAO framework and were not adequately
prepared to prevent fraud when the pandemic began.”109 Some agencies remain vulnerable to
fraud: As of August 2023, agencies had 95 open GAO recommendations for better aligning their
fraud practices with the leading practices and standards in the Framework, including 25
recommendations for enhancing the use of data analytics to manage fraud risks.110
H.R. 8322, the Strengthening Tools to Obstruct and Prevent Fraud Act of 2022, would have
established, among other things, a dedicated anti-fraud office within OMB.111 This proposed
office, the Federal Real Anti-fraud Unified Directorate (FRAUD), was to coordinate activities
related to reducing and preventing fraud and improper payments, including
• sharing leading practices and tools with agencies;
• providing technical assistance to agencies in implementing the fraud risk
management activities of the GAO framework; and
• assisting agencies with the collection and use of data, including working to
reduce barriers to data sharing.
A central anti-fraud entity might facilitate the implementation of effective fraud controls at
federal agencies. By disseminating leading practices and sharing lessons learned across the
government, the entity might help agencies be aware of, and prepare for, emerging fraud threats
and possibly provide solutions to agencies facing challenges in selecting and implementing

106 Ken Dilanian, Kit Ramgopal, and Chloe Atkins, “Easy Money: How International Scam Artists Pulled Off an Epic
Theft of COVID Benefits,” NBC News, August 15, 2021, https://www.nbcnews.com/news/us-news/easy-money-how-
international-scam-artists-pulled-epic-theft-covid-n1276789.
107 GAO-22-105715, p. 11.
108 GAO-22-105715, p. 11.
109 GAO, COVID-19: Insights and Actions for Fraud Prevention, GAO-24-107157, November 2024, p. 5,
https://www.gao.gov/assets/d24107157.pdf.
110 GAO, COVID-19, p. 14.
111 H.R. 8322 was introduced on July 11, 2022, and referred the same day to the House Committee on Oversight and
Reform. It was ordered to be reported in the nature of a substitute on July 20, 2023. No further action was taken.
Congressional Research Service

15

Improper Payments in Pandemic Assistance Programs

appropriate data analysis tools. In addition, GAO has suggested that such an entity might serve as
a successor to PACE, assisting IGs with their efforts to assess and identify fraud on a permanent
basis.112 If Congress chooses to create a central anti-fraud entity, it may wish to consider where it
should be located. H.R. 8322 proposed placing FRAUD within OMB, which issues government-
wide guidance on fraud and improper payments. There might also be benefits to placing it within
the Council of the Inspectors General on Integrity and Efficiency (CIGIE), an independent entity
within the executive branch that is composed of more than two dozen agency IGs and has, as its
mission, to “continually identify, review, and discuss areas of weakness and vulnerability in
Federal programs with respect to waste, fraud, and abuse.”113 Placing an anti-fraud entity within
the CIGIE might ensure that the investigative work of federal IGs is readily incorporated into the
entity’s guidance and that the entity’s data analytics capabilities are supporting IGs’ fraud
detection efforts.
Require Emergency Spending Internal Control Plans
Congress has, at times, included in disaster funding legislation a requirement for OMB to
establish criteria for agencies to follow when developing disaster relief internal control plans. The
Disaster Relief Act of 2013 (P.L. 113-2), passed in response to Hurricane Sandy, included such a
provision, as did the Additional Supplemental Appropriations for Disaster Relief Requirements
Act of 2017 (P.L. 115-72), which provided funding to address the damage caused by a series of
hurricanes and wildfires. The objective of having OMB establish criteria for disaster programs is
to ensure that agencies establish effective controls for the payment integrity risks of emergency
relief programs, some of which are unique, such as the emphasis on expedited disbursal.114 GAO
has recommended that Congress require OMB to issue guidance to agencies to develop internal
control plans for emergency programs that could be quickly implemented or adapted in response
to a future disaster.115 Such a requirement might enable agencies to put into place effective pre-
payment and post-payment controls in a more timely manner, thereby potentially reducing fraud
and improper payments. The value of OMB’s guidance might be limited by how carefully the
guidance is drafted. For example, GAO criticized OMB’s guidance for implementing internal
controls over disaster funding as required by P.L. 115-72, noting that the guidance did not include
sufficient direction to ensure that agencies would develop adequate control plans in a timely
manner.116
Lowering the PIIA Threshold
H.R. 877, the Preventing Improper Payments Act of 2023, would require any program making
more than $100 million in payments in a fiscal year to be deemed susceptible to significant
improper payments.117 One issue Congress may wish to consider is whether to lower the threshold
for programs subject to PIIA. As noted, 173 programs received at least $100 million in pandemic
funding. Not all of these programs, however, were subject to all PIIA requirements. Currently,
PIIA reporting and corrective action requirements apply only to programs with estimated

112 GAO-22-105715, p. 33.
113 CIGIE, “Mission,” https://www.ignet.gov/content/mission-0.
114 GAO, Hurricane Sandy Relief, pp. 5-6.
115 GAO, Fraud Risk Management: Key Areas for Federal Agency and Congressional Action, GAO-23-106567, April
2023, p. 26, https://www.gao.gov/assets/gao-23-106567.pdf.
116 GAO, 2017 Disaster Relief Oversight, p. 18.
117 H.R. 877 was introduced on February 8, 2023, and referred the same day to the House Committee on Oversight and
Accountability. No further action has been taken as of the date of this report.
Congressional Research Service

16

Improper Payments in Pandemic Assistance Programs

improper payments of (1) $10 million when that represents at least 1.5% of program outlays or
(2) $100 million. GAO has recommended that all new federal programs making more than $100
million in payments in any one fiscal year be deemed susceptible to significant levels of improper
payments.118 New programs may be at an elevated risk level because staff are unfamiliar with
program requirements. In addition, agencies have historically not developed and implemented
internal controls for new relief programs in a timely manner.119 Such a mandate would potentially
identify fraud and improper payments that might otherwise not be discovered under current
guidance, thereby expanding the government’s understanding of the scope of the problem and
potentially reducing financial loss from fraud and overpayments. On the other hand, lowering the
threshold might create diminishing returns, as the costs associated with fully implementing PIIA
requirements on some new programs might exceed the amount of overpayments prevented and
recovered.

118 GAO-22-105715, p. 45.
119 GAO-22-105715, p. 17.
Congressional Research Service

17

Improper Payments in Pandemic Assistance Programs

Appendix.
Table A-1. Examples of Data Analytic Techniques in Payment Processing
Discerning trends, patterns, anomalies, and exceptions within data to minimize the risk of an improper
payment
Technique
Description
Use in Payment Process
Rule-Based Analytics
Uses transaction-level data and seeks to identity
May isolate instances where a transaction departs
transactions that depart from expected
from expected rules, including those that govern
procedures or defined rules.
the use of purchase cards, concern procurement
(e.g., in excess of a purchase order), and bar
applicants who may be on an “excluded parties list,”
among other examples. For example, if a “rule” is
that an incarcerated individual is not eligible for a
payment under a benefit program, then a data
match can be conducted to determine if the
applicant is incarcerated before approving the
transaction.
Anomaly Detection
Uses aggregated transaction data and
May allow an agency to quickly review a large
“unsupervised modeling” (may also be called
dataset with transaction data and identity outliers
unsupervised learning or unsupervised machine
within that dataset that can then be “flagged” and
learning) to identify outliers, or abnormal, non-
further reviewed.
conforming patterns in the data. Outliers are
identified through analytic comparisons to “peer
groups” based on unknown patterns in the data
among suspected common and individual
fraudsters.
Network/Link
Identifies patterns within social networks, among
May assist in detecting relational links between
Analytics
associations, and commonalities between
potential fraudsters and uncovering organized fraud.
individuals to detect possible fraud schemes that
For example, an individual may not be suspicious
would not be suspicious based on individual data
based on their information alone, yet suspicion may
alone.
arise when their information is linked or connected
to others through a set of commonalities and
associated attributes, revealing potential schemes
that may have otherwise gone unnoticed.
Predictive Analytics
Uses known improper payment patterns (from
May be used to automatically reject the processing
analysis of past data) to infer that a potential
of a payment when a number of known fraud or
payment features such patterns.
improper payment characteristics are present. May
be most effective when the model is developed
after a program evolves through “more standard,”
cost-effective capabilities.
Text Analytics
Uses natural language processing (NLP) to parse
May be used to review large amounts of text-based
a sequence of text or words and identifies
data. For example, the Office of the Inspector
patterns, such as sentiments, or other indicators,
General (OIG) for the Small Business
such as keywords, that may be suggestive of an
Administration (SBA) used NLP to identify potential
improper payment.
fraud from information provided in phone calls
made to its fraud, waste, and abuse complaint
hotline.

Congressional Research Service

18

Improper Payments in Pandemic Assistance Programs

Author Information

Garrett Hatch
Natalie R. Ortiz
Specialist in American National Government
Analyst in Government Organization and

Management

Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and
under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other
than public understanding of information that has been provided by CRS to Members of Congress in
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or
material from a third party, you may need to obtain the permission of the copyright holder if you wish to
copy or otherwise use copyrighted material.

Congressional Research Service
R47902 · VERSION 1 · NEW
19