January 11, 2021
Elaine M. Howle, CPA
California State Auditor
621 Capitol Mall, Suite 1200
Sacramento, CA 95814
Dear Ms. Howle:
Thank you for working with our team to complete a thorough review of the challenges EDD has faced since the COVID-19 pandemic. We appreciate the recommendations offered, as this has been a public health and economic event without precedent in American history. EDD is prepared to implement all seven of the fraud recommendations put forward in the audit report.
Like many states, California was unprepared for the impact the COVID-19 pandemic had on both unemployment claims and fraud. California went from record employment rates to record unemployment rates -- seemingly overnight.
The new federal Pandemic Unemployment Assistance (PUA) program presented particular challenges, as it did not have the same safeguards as California’s unemployment program. While in a September letter from the Department of Labor acknowledged that the new program is a “target for criminal enterprises and other bad actors deploying advanced technologies, stolen or synthetic identities, and other sophisticated tactics,” the Trump Administration provided insufficient support to states to address the aggressive attacks by domestic and international criminal syndicates.
In 2010, the worst full year of the Great Recession, EDD paid $22.9 billion in benefits on 3.8 million processed claims. Since March 2020 more than $112 billion in unemployment benefits has been paid on 18.8 million processed claims. Of the $112 billion in benefits paid out, the state has identified $10.4 billion as fraudulent of which approximately 92% of which are PUA claims. EDD has put new safeguards in place flagging an additional $19.5 billion as suspicious, triggering stop payments and outreach to more than 1.2 million claimants to verify identity and over 150,000 to verify other eligibility criteria. In addition, during that same time frame, EDD successfully identified 1.6 million claims as potentially fraudulent and stopped them from proceeding. Based on an average weekly benefit amount and the average number of weeks of benefits, this represents $7 billion in average fraudulent payment prevented to date, which does not take into account PEUC or Fed-Ed extensions or the Lost Wages Assistance program ($17.4 billion - $10.4 billion)).
In the face of such a drastic increase in claims and unprecedented fraud, EDD undeniably struggled to timely distribute benefits to the millions of newly unemployed Californians and simultaneously prevent fraudulent claims.
This year, EDD took additional steps to detect and prevent fraud including:
- Stopping 1.6 million fraudulent claims before being paid; identified through EDD’s manual identity verification process.
- Stopping the automatic backdating of PUA claims in September 2020 – an action the Trump Administration later advised all states to take.
- Worked with the California Cybersecurity Integration Center to adopt additional cybersecurity protocols.
- Deploying a Strike Team to look at recommendations and solutions to transform the customer experience of applying for and receiving UI benefits with a focus on addressing the backlog of claims.
- One of the top recommendations of the Strike Team, launched ID.me a third-party identify verification program that helps stop 30% identity fraud at the beginning of the process and helps process claims more quickly compared to the previous manual verification process.
- Working with a contractor, initiated additional fraud detection criteria to weed out fraudulent claims which have flagged 1.4 million claimants as high risk for fraud.
- Creating a new task force led by the Governor’s Office of Emergency Services (Cal OES) that includes the State’s District Attorney’s, the US Attorney’s Office, the Employment Development Department, the California Department of Corrections and Rehabilitation (CDCR), the California Department of Justice focused on investigating fraud, holding people accountable and identifying resource needs including:
- Data sharing agreements between EDD and the Departments of Corrections and Rehabilitation and State Hospitals.
- $5 million to support and enhance investigative efforts of the regional District Attorney task forces.
- Collaborating with the California Cybersecurity Integration Center to leverage the State cyber security threat intelligence, big data analysis and threat assessment capabilities to support investigative efforts.
- Coordinating with other states through the National Association of State Workforce Agencies (NASWA) for a unified voice in Washington DC and contracting with NASWA’s UI Integrity Center to identity, detect and prevent fraud.
EDD will use all seven fraud related recommendations provided by the State Auditor to continue making improvements and strengthening protection of our unemployment system. We look forward to implementing these recommendations, providing updates as requested, and our continued collaboration.
Public Release Date: January 28, 2021
CSA Audit: EDD Significant Weaknesses in EDD’s Approach to Fraud Prevention Has Led to Billions of Dollars in Improper Benefit Payment
CSA (JLAC) Recommendations – Fraud Report 2
To ensure its recession planning encompasses its fraud prevention efforts, EDD should develop an evaluation of the fraud prevention efforts that it can adjust during periods of high demand for UI benefits. It should ensure that it accounts for all probable consequences of the adjustments, and design procedures that appropriately balance the need to provide prompt payment during a recession and the need to guard against fraud in the UI program.
EDD Response to Recommendation #1:
The EDD agrees with this recommendation.
During the COVID-19 pandemic, EDD has experienced unprecedented attacks on the unemployment programs– including from domestic and international crime rings. These attacks primarily targeted the federal PUA program In response to the significant fraud, the EDD has initiated additional fraud prevention and detection efforts, such as the implementation of ID.me in October 2020 and cross matching CDCR and DSH inmate and patient records, as well as contracting with Thomson Reuters to review EDD data against industry-standards fraud measures in December 2020. EDD will continue to evaluate, monitor, and if needed implement new tools as fraud continues to evolve. It is the goal of the EDD to be proactive and nimble as necessary to stop fraud before claims are paid while also continuing to investigate fraud that has occurred. EDD is also committed to applying lessons learned during the pandemic to the future.
To prepare to respond to victims of identity theft who receive incorrect tax forms, EDD should, by mid-February 2021, provide information on its website and set up a separate email box for such individuals to contact EDD and receive prompt resolution.
EDD Response to Recommendation #2:
The EDD agrees with this recommendation and is confident that we will meet the proposed mid-February 2021 date. In preparation for calls related to the tax form that claimants receive (Form 1099G) and mailings related to potential fraud, the department is updating the EDD website and enabling the ability for customers to submit a question online through the public-facing Ask EDD portal and on their UI Online account. The EDD will also temporarily increase staffing in the Integrity and Accounting Division (IAD) contact center by 300 agents by February 1, 2021.
In addition, all UI Contact Center agents will receive training regarding 1099G calls. Any reports of fraud will be identified and analyzed through the Identity Verification process, ID.me and Thomson Reuters tools, or elevated to the Investigations Division. Claims with reported identity theft that are identified and confirmed as imposters will have re-computations completed and an amended 1099G will be provided. Additional hiring is in place to build resources in the Identity Verification and Re-computation areas to meet the increase in workload.
Additionally, the EDD is committed to ensuring victims of identity theft in our benefit programs are provided information and resources to assist them in reporting fraud and dealing with the aftermath of identity theft. Customers who wish to report fraud visit our EDD public website at https://edd.ca.gov/ and select “Report Fraud” under our Ask EDD link.
The EDD is committed to reviewing our online services to improve the customer experience, especially during the unprecedented outbreak of fraud associated with the federal Pandemic Unemployment Assistance program.
To ensure that it provides appropriate assistance to victims of identity theft who report fraud through its online fraud reporting portal, EDD should, by March 2021, establish a working group to coordinate the work needed to resolve each complaint of identity theft and make decisions about staffing levels necessary and add staffing to accomplish the work.
EDD Response to Recommendation #3:
EDD agrees with this recommendation. An enterprise Fraud Workgroup has been formed with representation of all benefit program areas of the EDD. The purpose of this workgroup is to document and evaluate current fraud prevention processes and fraud policies, including how individuals can report and resolve identity theft related to a benefit program. As part of the Fraud Workgroup, a subcommittee will be established to evaluate the resources and expertise needed to resolve complaints of identity theft and make recommendations to accomplish the work.
To ensure that it provides legitimate claimants with benefits but does not pay benefits related to fraudulent claims, EDD should immediately obtain from Bank of America a comprehensive list of claimants’ accounts that are frozen and unfrozen. EDD should immediately thereafter evaluate the list—including considering using ID.me to verify claimants’ identities—to identify accounts that should be unfrozen or frozen. By March 2021, it should direct Bank of America to take action to freeze or unfreeze accounts as appropriate.
EDD Response to Recommendation #4:
The EDD agrees with this recommendation. The EDD remains committed to ensuring that legitimate UI claimants timely receive the benefits for which they are eligible.
EDD has been working with Bank of America to determine appropriate actions on lists of frozen accounts received from Bank of America. As the vendor for the prepaid debit cards, Bank of America has its own obligations to prevent fraud. Bank of America has access to cardholders’ transactional history data, which is an additional fraud detection tool. Because EDD and Bank of America have different tools and information for identifying fraud, we have engaged in many conversations to understand how to leverage each set of tools to enhance our collective fraud detection efforts. These communications continue.
EDD is in the process of reconciling all of the lists it has received from Bank of America to date. A centralized tracking tool has also been created to track action taken on each of the frozen cards and the status of the account. To ensure accountability and completion in review of these lists, procedures have been documented with specific roles and responsibilities and completion timeframes. EDD is also in the process of contacting claimants whose accounts were flagged for identity verification through a separate data cross-match, to verify their identity through ID.me for any claim filed prior to October 1, 2020, including those who may have a frozen debit card.
To ensure it reviews each claim that Bank of America reports to it as suspicious or potentially fraudulent, by February 2021, EDD should establish a centralized tracking tool that allows it to review and stop payment to claims, as appropriate. EDD should use this tool to monitor its own internal decisions and track whether the claimant responds to its requests for identity information and should, therefore, have their account unfrozen.
EDD Response to Recommendation #5:
EDD agrees with this recommendation and in December 2020, the Information Technology Branch created a central repository to store, track and maintain the lists provided to and from the Bank of America. These lists and their status will be updated regularly to enable EDD to track the appropriate action taken on each account and the outcome of each claim. To ensure accountability and completion in review of these lists, procedures have been documented with specific roles and responsibilities and completion timeframes.
By March 2021, designate a unit as responsible for ensuring coordination of all UI fraud prevention. EDD should assign that unit sufficient authority to carry out its responsibilities and align the unit’s duties with the GAO’s framework for fraud prevention.
EDD Response to Recommendation #6:
The EDD agrees with the recommendation in principle and will explore how best to address this recommendation through the Fraud Workgroup. Part of the Fraud Workgroup’s charge will be to identify opportunities and provide recommendations to centralize fraud prevention efforts, where appropriate, including the creation of a unit whose duties are aligned with the U.S. Government Accountability Office’s framework for fraud prevention.
By May 2021, develop a plan for how it will assess the effectiveness of its fraud prevention tools.
EDD Response to Recommendation #7:
The EDD agrees with this recommendation. Despite challenges, the EDD was able to prevent a significant amount of fraudulent benefits from being paid in 2020. During the year EDD successfully identified 1.6 million claims as potentially fraudulent and stopped them prior to payment which represents an estimated $7 billion in fraudulent payments prevented (using an average of 16.1 weeks and an average benefit amount of $282.39, plus $600 in Federal Pandemic Unemployment Compensation for a third of the weeks, minus the $10.4 billion paid out). Additionally, based on an independent review of all 9.7 million unique claims in December 2020, EDD put a stop payment on 1.4 million claims that were flagged for high probability of fraud.
Throughout this pandemic EDD has taken additional steps to detect and prevent fraud using a layered approach including:
- Launching ID.me – a third party identity verification tool that helps stop fraud at the front door.
- Contracting with a vendor to assess and apply industry standard fraud criteria to EDD claims.
- Entering into MOUs with CDCR and DSH to share and crossmatch identifying information.
These are new tools initiated in response to the unprecedented fraud seen over the course of the pandemic. EDD is currently evaluating the inventory of these, and other, tools and organizational resources to align our efforts in improving reporting metrics through benchmarking and continual analysis, including historical analysis and trending reports that can provide quantitative analysis of the effectiveness of our fraud prevention tools. Our goal is by May 2021, to have developed a plan on how to assess the effectiveness of our fraud prevention tools.
CALIFORNIA STATE AUDITOR’S COMMENTS ON THE RESPONSE FROM EDD
To provide clarity and perspective, we are commenting on EDD’s response to the audit. The numbers below correspond to the numbers we have placed in the margin of its response.
EDD does not acknowledge earlier warnings about potential fraud and its own failure to respond quickly to those warnings. We note how the Department of Labor warned states about fraud in the early months of the pandemic and reminded states to take reasonable and customary precautions to deter and detect fraud. We also note that in May 2020, the Department of Labor’s Office of the Inspector General warned EDD that—based on fraud trends in the UI program—California was likely to see at least $1.2 billion in potential fraud from 2.9 million new claims that EDD had received in March and April 2020. Further, we describe how in July 2020 Bank of America shared with EDD a list of almost 66,000 potentially fraudulent accounts. However, because EDD did not take prompt action to enhance its safeguards against fraudulent benefit payments, it paid about $10.4 billion for claims from March through December 2020 that it has since determined could be fraudulent.
To clarify, we requested that EDD analyze its data to determine very specific information about the total paid to potentially fraudulent claims. EDD did not attempt to determine this amount until we asked about it. Absent our request, it is not clear whether EDD would have identified this amount. EDD did not provide us with support for its claim that 92 percent of the $10.4 billion was for PUA claims, and therefore we do not opine on that figure.
This action is indicative of EDD’s slow approach to bolstering its fraud detection efforts during the pandemic. EDD states that it has placed new safeguards in place that have flagged an additional $19.5 billion in claim payments going to over 1 million claimants as suspicious and clarifies later in its response that it identified these claimants by working with a contractor. However, EDD did not take action to identify these claims as potentially fraudulent or stop payment to them until December 2020—almost eight months into the pandemic and four months after EDD asserts it observed an increase in fraudulent PUA claims. That EDD identified so many claimants as potentially fraudulent only after paying them $19.5 billion in benefits is troubling and a sign that EDD’s fraud prevention approach was lacking the rigor it needed at the start of the pandemic.
On the day EDD’s response to our draft report was due, it shared its estimate that it had prevented an estimated $7 billion in potential fraud. After reviewing EDD’s estimate, we determined that the method we used to develop a $12.8 billion estimate was preferable because it allowed for a direct comparison to the amount EDD paid to potentially fraudulent claims. We shared our estimate with EDD after it submitted its response and it agreed that it should be reflected in the report. Further, we explain that we expect the $10.4 billion that EDD has paid to potentially fraudulent claims to continue to grow as EDD performs additional work to verify questionable claimant identities. As we note here, analysis of the effectiveness of EDD’s fraud prevention approach should compare the amount paid to potentially fraudulent claims to the amount of improper payments prevented. Accordingly, EDD cannot know at the time whether it stopped more potentially fraudulent payments than it issued because it is still accounting for all potential fraud.
Although EDD identified 1.6 million potentially fraudulent claims before paying those claimants, its fraud prevention efforts failed to stop payments totaling $10.4 billion to about 597,000 claims, as we explain here. Further, we state here, and as EDD acknowledges in its response, EDD has flagged an additional 1.2 million claimants to whom it has already paid $19.5 billion in benefits as suspicious. It is unlikely that EDD will verify the identity of all of these claimants. Therefore, although the 1.6 million claims represent some level of success, it cannot yet be compared to the rate at which EDD failed to prevent fraud because it is still verifying the identities of some claimants it has already paid, leaving open the possibility that the number of claimants with unconfirmed identities to whom EDD paid benefits will grow.
EDD cites its partnership with CDCR as a positive step it took to combat fraud during the pandemic. However, it is troubling that EDD failed to implement a cross-match between claim data and incarceration data well before the pandemic began. We describe how EDD spent months during the pandemic negotiating access to CDCR’s state prison data. However, we note a national survey showed that 35 states were cross-matching unemployment claims with state prison data in as early as 2016. Further, EDD has reported to the Legislature that it was “considering” new options for obtaining incarceration data since at least 2018. Finally, as we state here, the CDCR partnership is dependent on the State Attorney General determining that EDD has a compelling need for the information. Because of EDD’s fraud prevention deficiencies that we discuss in this report and because EDD must rely on other entities such as CDCR to provide inmate data, legislative action is necessary to ensure that EDD can regularly access and use data from state and local correctional facilities to prevent future fraud. Had EDD taken action before the pandemic, as many other states had done, this critical safeguard would have already been in place and would have prevented some of the $810 million in fraudulent payments in claims associated with incarcerated individuals.
EDD describes the actions it took to combat the “unprecedented attacks” on the UI program. However, EDD began taking the actions it describes in October 2020, more than six months into the pandemic, despite earlier warnings about this fraud. Further, these steps—though laudable—evidence how unprepared EDD was to combat fraud at the outset of the pandemic as each of these steps would have reasonably benefited EDD in the years before 2020 and better prepared it to respond to the pandemic-related surge in claims.
EDD describes actions it is in the process of implementing. We expected that, before our audit began, EDD would have a method for comprehensively tracking the status of benefit accounts that have been frozen. However, as we note here, during our review EDD did not appear to know the status of all of the claimant accounts that have been frozen and confirmed that it did not have a centralized tracking process for the status of these accounts. EDD now asserts that it has established a centralized way to track these matters. We look forward to reviewing its progress as part of our regular recommendation follow up process.
EDD indicates that it will use its recently formed work group to explore how to implement our recommendation. EDD should act quickly to address the problems we highlight in Figure 8 on page 35 where we show the fragmented responsibility for fraud prevention at EDD. Because EDD’s approach does not align with best practices for fraud prevention, we recommended that it centralize fraud prevention responsibility and authority in a single entity. Moreover, as we note here, the working group had not yet held its initial meeting or fully formed a charter to define its purpose as of December 30, 2020. Therefore, its progress in exploring our recommendation to date has been minimal. We look forward to seeing the progress EDD makes in addressing our recommendation as part of our regular recommendation follow up process.