Your Role in Preventing Fraud and Abuse. Dr. Linda Wilbanks, Chief Information Security Officer, U.S. Department of Education
Agenda: • Introduction • Defining Fraud • Sources of Fraud • Identify losses relating to Fraud • Reporting Fraud • Preventing and Deterring Fraud • Resources • Cyber Crime terminology
Introduction: • Despite efforts to minimize fraud, student financial aid fraud is a "rapidly growing problem," according to the Semi-Annual Report to Congress #66, October 1, 2012 – March 31, 2013 from the U.S. Department of Education's Office of Inspector General. • The inspector general estimates that, between 2009 and 2012, federal student aid fraud increased 82%. • For that time period, the OIG identified more than 85,000 federal aid recipients who may have participated in fraud ring activity. The education agency believes these students may have illegally received more than $187 million in federal student aid.
Fraud Defined • An intentional distortion of the truth in an attempt to obtain something of value. Does not have to result in monetary loss. • Layman’s terms: Lying, cheating, and/or stealing.
This is REALLY Happening. Sept. 18, 2012 - 21 individuals have been indicted for participating in Federal student aid fraud schemes that preyed on at least 15 schools across California. The indictments are a result of ED’s Office of Inspector General’s (OIG) criminal investigations aimed at shutting down student aid “fraud rings”—groups of criminals that seek to exploit distance education programs to fraudulently obtain federal student aid. The defendants allegedly fraudulently obtained more than $770,000 in federal student aid. The U.S. Attorney’s Office provided summaries of the seven schemes, which include a fraud ring that not only relied on participating family and friends, but also allegedly used stolen personal identifiers of individuals with disabilities to fraudulently obtain more than $285,000 in federal student aid and grants. Leaders of another ring allegedly recruited more than 50 straw students—including prison inmates—to fraudulently receive $200,000 in student aid.
Types of Fraud • Title IV fraud – single student • Fraud Rings • Occupational fraud • Social engineering FSA Focus – Financial Fraud! (Schools, Individuals, Fraud Rings)
Who Commits Fraud Involving Education Funds? • School employees, officials, owners, financial managers, and instructors • Lenders and lender servicers • Guarantee Agencies • Award recipients • Grantees and contractors • ED employees • Others
Examples of Title IV Fraud Schemes • Leasing of eligibility • Loan theft/forgeries • Fraud/theft by school employees • Default rate fraud • 90/10 rule • Financial statement falsification • Falsified last date of attendance • Obstruction of a federal audit or program review • FAFSA fraud – enrollment • Falsification of entrance exams • Falsification of GEDs/HS Diplomas • Falsification of attendance • Falsification of grades • Failure to make refunds • Ghost students
Title IV Fraud Schemes Related to Students or Other Individuals • FAFSA Fraud: • Social Security Number • Alien Registration Status • Dependency Status • Income and Assets • Number of Family Members in College • Falsification of GEDs/HS Diplomas • Intent to attend • Intent to repay • Identity Theft • Distance Fraud Schemes • Fraud Rings (Distance fraud is not perpetrated only by rings; many types are committed by individuals or schools)
Title IV Fraud Schemes Related to Schools • FAFSA fraud – enrollment • Falsification of GEDs/HS Diplomas • Falsification of attendance and Satisfactory Academic Progress • Falsification of grades • Failure to make refunds • Loan theft/forgeries • Fraud Rings • Ghost students • Leasing of eligibility • Default rate fraud • 90/10 Rule manipulation scheme • Financial statement falsification • Falsified last date of attendance • Obstruction of a federal audit or program review • Fraud/Theft by School Employees
Individual Fraud [diagram: Parents, Students, Non-Students, School Personnel]
Example – Fraud! When Sussette Sheree Timmons, of Dallas, enrolled in several online colleges, she had no intention of becoming educated, federal authorities said. Timmons, 30, instead kept the financial aid she applied for and withdrew from the colleges and universities, which offered “distance learning” programs on the Internet, the U.S. attorney’s office said. She was indicted Tuesday on six counts of financial aid fraud. The indictment said Timmons received financial aid from the following schools: New Mexico State University; Western New Mexico University; Ashford University; Northern New Mexico College; Coconino Community College; and Pima Community College. “She enrolled in classes at the schools and the awarded financial aid was applied to her tuition and fees,” the U.S. attorney’s office said. “She did not complete any of the classes for which she enrolled, and she did not intend to pursue an education at the schools.” Timmons also received checks that she cashed, although she had no plans to use it for educational expenses, according to the indictment. When the schools asked her for the money back, she refused. Timmons even appealed when one of the schools suspended her financial aid in 2011. “That school rejected her appeal, stating that she had withdrawn from 13 colleges or universities since 2009,” federal authorities said. If convicted of all counts, Timmons faces up to 30 years in prison and a maximum fine of $1.5 million. The U.S. Department of Education Office of Inspector General investigated the case. Source – news releases
Fraud Rings
Benjamin Franklin “There is no kind of dishonesty into which otherwise good people more easily and frequently fall than that of defrauding the government.”
Profile of an Occupational Fraudster The Perpetrator’s Department Fraud offenders were most likely to be found in one of six departments: • Accounting (22%) • Operations (17%) • Sales (13%) • Executive/upper management (12%) • Customer service (7%) • Purchasing (6%)
Profile of a Fraudster The most common behavioral red flags displayed by perpetrators: • Living beyond one’s means • Experiencing financial difficulties • Unusually close association with vendor/customer • Control issues; unwillingness to share duties • “Wheeler-dealer” attitude • Divorce/family problems • Irritability, suspiciousness or defensiveness • Addiction problems • Refusal to take vacations
Cressey’s Fraud Triangle Theory: Why People Commit Fraud • Opportunity: weak controls; little or no oversight; lax rules • Perceived Pressure: debt; addictions; status • Rationalization: “Everyone does it”; “I was only borrowing the money”; “I was underpaid and deserve it”
Fraud Indicators • One person in control • No separation of duties • High turnover of personnel • Unexplained entries in records • Unusually large amounts of payments for cash • Inadequate or missing documentation • Altered records (white-out, copies of documents, etc.) • Non-serial number transactions • Inventories and financial records not reconciled • Lack of internal controls/ignoring controls • Repeat audit findings • Unauthorized transactions
Office Manager Fraud NEW BRUNSWICK, N.J. - After an office manager for New Jersey City University admitted embezzling $486,000 in student funds three years ago, the U.S. Department of Education began auditing the use of all federal money by the state college. It soon discovered that $608,766 in federally subsidized loans and grant money had been improperly awarded by the school - in some cases to students who flunked out or never showed up to class, making them ineligible for financial assistance. An examination of federal Department of Education records by The Star-Ledger of Newark shows that NJCU was not the only state college in New Jersey cited for giving too much money to students who were either ineligible for the aid or whose financial need was overestimated. Those records show at least three universities are on the hook for $868,000 in improperly awarded loans or grants - or in some cases, undercutting student wages paid under federally subsidized work-study programs. The schools - Kean University in Union Township, Rutgers University, and New Jersey City University in Jersey City - did not contest the findings and either repaid the financial aid money, or are currently paying it off over time. No students were penalized. According to the audits, Kean owed $255,920 in aid inappropriately awarded between 2001 and 2003. Unlike the audit at New Jersey City University, the review at Kean was not sparked by any warning bells. A spokeswoman for the U.S. Department of Education said it typically conducts program reviews of schools every five years.
Social Engineering. Social Engineering is the art of prying information out of someone else to obtain access or gain important details about a particular system through the use of deception. Social Engineering → Loss of PII → Fraud
Personally Identifiable Information (PII) “PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc.” • Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed. • The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value or that represents a high risk to the individual if it were wrongfully disclosed requires increased protection. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007
Common Identity Theft Practices • Obtain or take over financial accounts • Take out loans for large purchases • Open new lines of credit • Sign lease agreements • Establish services with utility companies • Write fraudulent checks • Purchase goods and services on the Internet
Who is Responsible for Reporting Fraud? • Everyone who deals with Federal Student Aid funding has a responsibility to help control fraud.
OIG Sources of Allegations • OIG Hotline 1-800-MIS-USED • ED Program Offices • School Employees and Officials • Guarantee Agencies • Citizens and Students • Competing Vendors/Schools • Other Federal Agencies • U.S. Attorney’s Offices • Other ED OIG Investigations • Federal Bureau of Investigation • State and Local Education Agencies
Is Your System a Victim? • Yes? Maybe? Not Sure? • Immediate reporting is necessary! • Have the facts • Why you think there is an issue • Date/Time of the Incident • System information • Location • Type and Purpose of the System • Point of Contact • Actions already taken
Examples of What to Report • Compromise of systems privileges • Compromise of information protected by law • Unauthorized access of IT systems or data • Exceeding authorized access • Denial of service of major IT resources • Malicious destruction or modification of data/information
Examples of What to Report Applicable to students/schools • Abuse of professional judgment • Coaching students when filling out the FAFSA • Altering attendance records
How You Can Help • Ensure that staff receive necessary training • Review documents thoroughly • Question documents/Verify authenticity • Request additional information from the vendors or administration • Compare information on different documents • Contact ED-OIG • A Guide to Grant Oversight and Best Practices for Combating Grant Fraud http://www.usdoj.gov/oig/special/s0902a/final.pdf
Why Report Fraud? • Ethical responsibility • Statutory and regulatory requirements • To deter others from committing fraud and abuse • To protect the integrity of the Title IV Programs • To avoid being part of a fraud scheme • To avoid administrative action • To avoid civil penalties • To avoid criminal prosecution • To protect the children’s future
Don’t Try To Investigate Suspicious Activity Yourself! You may have the missing piece of the puzzle needed!
FSA – Preventing/Deterring Fraud • Fraud prevention involves actions taken to discourage the commission of fraud and limit fraud exposure when it occurs • The principal mechanism for preventing fraud is to ensure an appropriate control environment • Primary responsibility for establishing and maintaining internal control should rest with management • Each of us at FSA has a fiduciary responsibility to assist in preventing fraud
Fraud Prevention = Education • Government workers must be trained in the required duties of the position. This helps to safeguard the assets of the organization by having knowledgeable staff that can spot unusual or red flag transactions • Administrators must be trained to recognize potential fraud by coworkers and to student accounts • Students must be trained to keep their information secure and to identify when their financial information may have been accessed • Organizations with anti-fraud training programs experience lower losses and shorter durations
Deterrence - Schools/FSA/State/Federal. Proactive Fraud Prevention - Audits • Proactive internal audit/review policies are generated from the top of the operation involved • A proactive policy simply means that internal auditors/reviewers will aggressively seek out inappropriate conduct, instead of waiting for instances to come to their attention during normal audits (external)
Actions to Deter Fraud • Formal policies addressing fraud • Targeted Fraud Awareness Training (research shows lower losses & shorter durations) • Effective Internal Controls (as opposed to lack of internal controls and the ability to override existing controls) • Management Review • Competent personnel in oversight roles • Independent checks/audits • Clear lines of authority • IT Controls (Access Controls, etc.) • Ethics Policy • Tone at the Top (employees will be more likely to act unethically if management does) • Putting controls in place to minimize fraud before it can occur
Identity Theft Prevention • Properly handle documents • Shred sensitive information • Use key identifiers instead of the SSN • Password protect sensitive information • Audit access • Review access privileges • Verify who you are talking to
Avoiding Identity Theft. Don’t carry your SSN card with you! • Request a driver’s license number • Shred sensitive information • Only carry what you use • Photocopy all cards in your wallet • Select hard-to-guess PINs and passwords • Don’t leave mail sitting in an unprotected box • Don’t give out private information over the phone • Order your credit reports • Use caution when providing ANY sensitive information • Verify your personal computer has strong and updated computer anti-virus protection and your network provider is secure
FSA Two-Factor Authentication (TFA) • Objective – prevent unauthorized access which can result in stolen information • Physical tokens issued to be used with passwords to provide two-factor sign on • Privileged Users - (schools and financial institutions) access PII data on FSA systems • Over 57,535 privileged user accounts are TFA enabled • The privileged user population includes: • Department of Education employees and contractors • Postsecondary School financial aid staff • Guaranty Agencies • Servicers, Private Collection Agencies, and Not-For-Profits • Call Center staff • Non-Privileged Users - Aid Recipients (students) • Next Step • Developing migration strategy from key fob token to soft tokens, leveraging smart phone technology, will support privileged and non-privileged users USE IT
OIG – Fraud Rings Since 2010, OIG has highlighted the vulnerability of distance education programs to fraud and abuse, including releasing a report on fraud rings in September 2011. OIG investigations into student loan fraud rings have grown substantially over the last few years. In 2005, the OIG opened 16 distance education fraud ring investigations; in 2012, that figure grew to 119. To date, more than 300 people have been indicted for participating in fraud rings. "The bottom line is scams like this steal money from hardworking taxpayers and legitimate students and that is unacceptable," continued Tighe. "OIG is committed to fighting student financial aid fraud and we will continue to aggressively pursue those that participate in these types of crimes."
Office of the Inspector General - OIG Red Flags to Investigators • Vices such as substance abuse and gambling. • Extravagant purchases or lifestyle. • Lack of documents (the ‘big flood’ destroyed…) • Common Addresses (mailing, e-mail, and IP) • PIN and password information the same. • Personal information that does not fit the norm. • Bank information that is the same.
FSA – Potential Fraud Ring Identification Statistical model • Utilizes a combination of application data • Identifies indicators of potential fraud • Utilizes weighting for total score • Identifying factor examples: • Utilize e-mail address and IP address information • Received Pell Grant funding from multiple institutions over short period of time • Received Pell Grant funding from more than two institutions in same award period
FSA Fraud Ring Identification (cont.) • Uses Fraud Potential Algorithm • Based on fraud indicators such as the number of times the same phone number is used • (Indicator 1 × assigned weight) + (Indicator 2 × assigned weight) + (Indicator 3 × assigned weight) + … = Fraud Risk Level • Fraud Risk Levels: Red, Orange, Yellow
Fraud Ring Identification (cont.) • Identify fraud patterns • Use rule-based filter, set of qualifying determinants • Identify those who meet minimum thresholds for fraud patterns • Distance education is highly vulnerable: all aspects are online (administration, aid, instruction) • Easier for criminals to assume identities; students are never present in person at any time • FSA FY13-14 application process • Require at-risk students to present proof of identity in person or through a notary public
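The weighted-indicator scoring and minimum-threshold filter described on the fraud ring identification slides, worked through as an added example; it is not FSA's model or code from the presentation. The field names, weights and level thresholds are assumptions (the slides give the formula but no values), and the application records are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample applications; field names are assumptions, not FSA's schema.
# "pell" lists (award period, institution) pairs where Pell funds were received.
APPLICATIONS = [
    {"id": "A1", "email": "ring@example.com", "ip": "198.51.100.7", "phone": "555-0100",
     "pell": [("2012-13", "School A"), ("2012-13", "School B"), ("2012-13", "School C")]},
    {"id": "A2", "email": "ring@example.com", "ip": "198.51.100.7", "phone": "555-0100",
     "pell": [("2012-13", "School A")]},
    {"id": "A3", "email": "ring@example.com", "ip": "198.51.100.7", "phone": "555-0111",
     "pell": [("2012-13", "School B")]},
    {"id": "A4", "email": "solo@example.org", "ip": "203.0.113.9", "phone": "555-0199",
     "pell": [("2012-13", "School D")]},
    # Shares only an IP address with the cluster (e.g. a campus lab or NAT gateway).
    {"id": "A5", "email": "other@example.net", "ip": "198.51.100.7", "phone": "555-0142",
     "pell": [("2012-13", "School A")]},
]

# Hypothetical weights and thresholds: the slides give the formula but no values.
WEIGHTS = {"shared_phone": 2.0, "shared_email": 3.0, "shared_ip": 1.5, "multi_school_pell": 4.0}
LEVELS = [(15.0, "Red"), (10.0, "Orange"), (4.0, "Yellow")]  # minimum score per level

def indicators(app, counts):
    """Indicator values for one application, given contact-detail counts across all."""
    schools = defaultdict(set)
    for period, school in app["pell"]:
        schools[period].add(school)
    most = max((len(s) for s in schools.values()), default=0)
    return {
        # Number of OTHER applications using the same phone / e-mail / IP address.
        "shared_phone": counts["phone"][app["phone"]] - 1,
        "shared_email": counts["email"][app["email"]] - 1,
        "shared_ip": counts["ip"][app["ip"]] - 1,
        # Institutions beyond two paying Pell in the same award period.
        "multi_school_pell": max(0, most - 2),
    }

def score_applications(apps):
    """Return {id: (score, level)}; level is None below the lowest threshold."""
    counts = {f: Counter(a[f] for a in apps) for f in ("phone", "email", "ip")}
    results = {}
    for app in apps:
        values = indicators(app, counts)
        score = sum(WEIGHTS[name] * value for name, value in values.items())
        level = next((label for floor, label in LEVELS if score >= floor), None)
        results[app["id"]] = (score, level)
    return results

if __name__ == "__main__":
    for app_id, (score, level) in score_applications(APPLICATIONS).items():
        print(f"{app_id}: score={score:4.1f} level={level or 'not flagged'}")
```

With these assumed weights, an applicant who shares only an IP address with the cluster (A5) lands at the lowest level, while the applicant who also shares phone and e-mail and drew Pell funds at three institutions in one award period (A1) scores highest.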
Students at Risk for Fraud • Identify applicants, based on statistical risk model, attempting to obtain student aid funds fraudulently or without serious educational intent • Require to: • Present themselves in person with government ID • Execute Statement of Educational Purpose with school official or notary public • Those with unusual enrollment history • Require institution to determine if prior academic record supports serious academic intent
Perception of Detection • Controls with the greatest associated reduction in fraud are those credited with increasing the perpetrator’s perception of detection: • Fraud awareness programs • Job rotation and mandatory vacation policies • Rewards for whistleblowers • Surprise (INTERNAL) audits detected frauds more than twice as quickly as organizations lacking such controls
Cost for Data Loss • Investigations average $300 per user impacted • FSA hosts at least 80 million records • If 1% of those records were leaked • Financial exposure would be approximately $240 million, a reduction in funds for student aid
Summary • Fraud cannot be totally prevented • Fraud prevention is less expensive and more effective than detection • Fraud prevention starts with being informed!! • Fraud prevention, detection, and reporting is EVERYONE’s responsibility!
Additional Resources Find more information about preventing and detecting fraud at the following websites: • The Association of Certified Fraud Examiners (www.ACFE.com) • The Federal Bureau of Investigation (www.FBI.gov) • The National White Collar Crime Center (www.nwc3.org) • U.S. Government Accountability Office (www.GAO.gov) • Internal Revenue Service (www.IRS.gov) • Department of Education Office of the Inspector General (http://www2.ed.gov/about/offices/list/oig/hotline.html)