Welcome to the Pondera FraudCast, a weekly blog where we post information on fraud trends, lessons learned from client engagements, and observations from our investigators in the field. We hope you’ll check back often to stay current with our efforts to combat fraud, waste, and abuse in large government programs.
This week, my company is responding to an RFP for SaaS fraud detection services. While we are thankful for the opportunity to respond, the RFP and its process also illustrates the need for governments to adjust their procurement processes with the advent of cloud computing. After all, we responded to the RFI for this procurement over two years ago!
This means that the current solicitation is at least partly based on product capabilities from early 2014. While this might not be a big problem for traditional IT projects, this is a lifetime in SaaS. In fact, if a SaaS solution offered mostly similar functionality over a two-year period, I’d recommend not selecting that solution. Effective SaaS solutions push new features in days and weeks, not months or years.
With this background in mind, I’d like to propose that governments consider the following three modifications to their procurement policies. Some of these changes may require assistance from legislative bodies and funding organizations in addition to procurement professionals.
1. Reduce the time between RFI and RFP: This will help governments avoid building their requirements on functionality that has long since been replaced. SaaS functionality is a moving target – it’s supposed to be.
2. Smooth out funding over multiple years: Traditional IT projects required large upfront implementation costs followed by lower ongoing support, maintenance, and operations costs (assuming the initial implementation was successful). SaaS solutions spread the cost more evenly over time as the solution continues to improve.
3. Make sure your staff is ready when you award: True SaaS solutions can be implemented quickly, often in as few as 120 days. By the time you award a project, you should be ready to discuss security plans, access the required program data, assign staff (not just project staff but system users), and address many other details that could often be delayed in lengthy IT projects.
I bet you cna’t bvleiee taht you can uesdtannrd waht you are rdnaieg. Unisg the icndeblire pweor of the hmuan mnid, aocdcrnig to rseecrah at Cmabrigde Uinervtisy, it dseno't mttaer in waht oderr the lterets in a wrod are, the olny irpoamtnt tihng is taht the frsit and lsat ltteer be in the rhgit pclae. The rset can be a taotl mses and you can sitll raed it whoutit a pboerlm. Tihs is bucseae the huamn mnid deos not raed ervey ltteer by istlef, but the wrod as a wlohe.
The preceding paragraph, which has made its way around the Internet for years, can be really fun to share with friends. However, it also serves as a caution to anyone involved in fraud detection. In many ways, bad actors, knowingly or unknowingly, have depended on how the human mind works to perpetrate fraud schemes. Like the old expression goes, sometimes the best place for fraud to hide is in plain sight.
This is especially true in government programs that process massive amounts of transactions and must adhere to a staggering number of program regulations. Traditional “top down” systems can analyze large data sets and find nothing wrong (after all, the first and last letters are in the right place). “Bottom Up” systems, on the other hand, will identify individual problems (the word is scrambled) but may miss the patterns in the data (this entire paragraph is scrambled). A common example of this is the medical provider that always “flies just below the radar” by maximizing claim amounts and frequencies.
The best detection processes take both a “top down” and “bottom up” approach. They can identify individual transaction problems as well as identify patterns of bad behavior over time. In this way, you can make the old “80-20” rule work in your favor. 80% of improper payments are likely caused by 20% of program participants. If you only address each individual transaction, you’ll never run out of work but you also never really improve your program integrity efforts.
Click here for an infographic on the "80-20 rule".
Remember back to last year when the IRS announced that cyber thieves stole personal data from 100,000 taxpayers? This sophisticated scheme accumulated personal data from other sites and used it to answer identity validation questions on the IRS web site to gain access to taxpayer accounts.
The 100,000 taxpayers affected? The IRS revised that number later in the year to 334,000 Last week they raised the number again to more than 700,000! Combine this with the high-profile hacks at Sony, Target, Anthem, and other organizations and one thing becomes very clear: bad actors are rapidly improving their identity theft methods.
In response, government agencies need to prepare for an onslaught of fraudulent tax returns, unemployment claims, Medicaid treatments, and other services. In 2015, the IRS paid out $5.8 billion in fraudulent returns. Several of Pondera’s clients also saw dramatic increases in “ghost” beneficiaries, often paired with fictitious businesses, set up solely to defraud government programs. 2016 promises to be even more problematic.
As program integrity experts, we have to recognize that we are moving into a new age of identity theft problems. We can log on to YouTube and watch a music video about Unemployment Insurance Fraud. CNN has run stories on street gangs trading liquor store holdups for benefits fraud. The barbarians are at the gate and it’s our responsibility to strengthen the defenses.