A Playbook for Improving Unemployment Insurance Delivery

Fraud

Fraud

In our 50+ interviews with states, state partners, and advocacy partners, more often than not we heard some version of “our mission is fraud prevention.” Due to the recent increase in fraud, this is understandable. Unfortunately, many current strategies for fraud prevention hurt the very people who need help the most.

A fraud-focused operation assumes that the more difficulty a person has with the process, the higher the chance of them being a fraudster. In reality, it often means that the benefits program — the application and recertification processes — hasn’t been designed with this person in mind.

This report encourages states not to punish users for faults in system design. In this section, we:

  • Define the types of UI fraud and their historical scope and impact
  • Explain the recent surge in fraud
  • Describe how current fraud-prevention strategies do more harm than good
  • Recommend a path to fraud-prevention strategies that work while improving the system’s ability to meet the legitimate needs of underserved populations

There are 2 types of UI fraud

In the context of unemployment insurance, fraud is when applicants supply false information to get unemployment benefits they’re not legally entitled to. There are 2 main types of fraud:

  • Benefit theft is when a person provides false information (a false claim) to increase the amount of benefit they receive in their own name.
  • Identity theft is when a criminal impersonates a different person to obtain benefits. The impersonated person, who is generally not aware of the claim, may or may not rightfully qualify for the benefits drawn by the fraudster.

People who commit either type of fraud are called “fraudsters,” and cases are often a combination of both — using a stolen identity to file a false claim.

The vast majority of fraud cases since the pandemic have involved identity theft.1 Prior to the pandemic, only around one percent of unemployment fraud was identity theft.2

Benefit theft has existed as long as UI has existed.

Before the pandemic, a significant percentage of claims were technically associated with fraud. “For the last eight years, the Department’s Office of the Inspector General (OIG) has determined that the UI program is out of compliance with the Improper Payment Elimination and Recovery Act of 2010 due to an improper payment rate over 10 percent.”3

The vast majority — 99% — of this fraud was benefit theft, not identity theft. Real individuals conducted benefit theft in their own name, by doing things like:

  • Continuing to collect unemployment after they returned to work
  • Over-representing their former wages in order to qualify for a higher benefit amount
  • Claiming unemployment benefits for a week when they were too sick to be available to work

Given the complexity of the unemployment application process, some of these thefts may have been the result of honest mistakes. And many times, these overpayments could have amounted to just a few dollars.

States were fairly good at catching benefits fraud early.

If an individual returned to work but lied to continue to collect unemployment, they might have collected benefits for a certification period or two. But the agency would soon get an alert as to their new employment status and shut off benefits. This is an overpayment and counts as benefits theft, but compared to the scale of today’s fraud, it was miniscule — and states were relatively well equipped to catch and stop it.

The frequency and scale of identity theft has recently exploded.

Since the pandemic, UI fraud has changed dramatically. It’s now:

  • Enormous in volume
  • Initially associated mostly with PUA and not with “traditional” unemployment payments, although this has changed as criminals have become more familiar with how to exploit both kinds.
  • Perpetrated by criminal actors conducting large-scale fraud, not individuals claiming an extra hundred dollars here and there

And in contrast to benefits theft, states aren’t at all prepared to catch and stop it.

Policy changes during the pandemic have made identity theft much easier

Preventing identity theft fraud requires effective identity verification. States have always had ineffective identity verification methods. State identity verifications for unemployment benefits have never been subject to any standards or oversight.

But this weakness was rarely exposed, because in order to qualify for unemployment prior to the pandemic, you also had to prove your connection to your former employer, including wage verification records. This verification step effectively served to strengthen identity verification, since it was difficult and cumbersome to:

  • Steal identities at scale and
  • Fake their employment histories and
  • Get the former employers to corroborate the verification

PUA removed the need to verify a claimant’s former employer.4

Pandemic Unemployment Assistance (PUA) opened the door to rampant fraud by removing the need to verify someone’s connection to an employer or wages. Applicants simply self-certified that they had been employed.

Now, all that was standing between imposters obtaining benefits payments fraudulently was states’ identity verification systems. And because these identity verification methods didn’t work, there was nothing standing between criminals and the benefits.

Easy access to personally identifiable information makes large-scale identity theft possible.

Thanks to decades of data breaches, criminals can buy large databases of high-quality personally identifiable information (PII) such as names, social security numbers, addresses, and passwords. This makes it very easy for fraud syndicates to submit large numbers of false claims.

Fraudsters who use data stolen from government sources are more likely to pass automated checks than legitimate applicants.

Real people mistakenly enter their name as “Kathy” when their legal name is “Kathryn” and get flagged, but fraudsters have the correct legal name in their files from the start. It is easy for criminals with spreadsheets of stolen data to fraudulently apply for and receive billions in benefits. Meanwhile, real claimants often cannot get past the front door.

States are currently using fraud-prevention strategies that do more harm than good

Almost all anti-fraud measures make legitimate applications more difficult in some way for some claimants. Poorly designed ones can reject more legitimate applications than they ever stop in fraud. While the current focus on fraud prevention and reduction is understandable, even more emphasis and resources are needed to increase access for eligible and legitimate workers in need.

Some of the issues that can lead to a legitimate claim getting flagged as fraud today include:

  • Sharing an IP address, mailing address, or bank account with another claimant
  • Having a name that is misrepresented in state databases
  • Making mistakes in gathering the required documentation, which may have been haphazardly supplied or incorrectly filed by their employer in the first place.

In cases where there is no criminal intent and the issue is caused by poorly conceived requirements, weekly certification questions, or data errors, it’s disingenuous and harmful to categorize the applicants as “fraudsters.”

Common anti-fraud methods are based on false assumptions.

Addresses

  • There will never be more than 2 claimants living at one address. (In fact, households with more than 2 working adults are common.)
  • A lot of mail going to one address must be fraud. (It may be general delivery, a reservation, a shelter, or an apartment building.)
  • People don’t move, and address changes are suspicious. (People experiencing unemployment are all the more likely to be experiencing housing insecurity, and may be crossing state lines to find stable housing and/or childcare.)
  • Legitimate claimants work in one place, file a claim from the same place, and receive their mail and benefits at the same place. (Especially during the pandemic, people moved for a variety of more- and less-voluntary reasons.)
  • Claimants from Canadian IP addresses are OK, but claims from Mexican IP addresses are fraudulent. (This is racist.)

Bank accounts

  • No one shares a bank account with another person. (They do.)
  • Everyone has a bank account. (They don’t.)
  • People rarely change bank accounts. (Some people move their bank account frequently to take advantage of bonuses and promotions.)

And some others

  • A real last name has more than 2 letters. (There are around 100,000 Americans with the surname ‘Wu’ alone.)
  • Real employment histories consist of a sequence of jobs in the same industry or profession. (In real life, workers are displaced from industries all the time. In fact, the same workforce agencies often provide just such retraining and placement services.)
  • Some states mark an application as fraudulent simply because it is incomplete, or if the claimant simply did not respond to an identity verification request, or if a piece of mail is returned as undeliverable.

Going back to processing all claims manually isn’t the solution.

Manual claims processing, at scale, harms the populations who most need unemployment benefits:

  • If all claims are processed manually, claim processing time will be unacceptably slow. This means real claimants who need help today would have to wait months for a decision.5
  • Manual claims processing is directly contradictory to other North Star goals like same-day benefits payments for the unemployed, which can make the difference between putting food on the table, avoiding eviction, and even preventing suicide.
  • The identity verification step was entirely manual up until the pandemic. It was demonstrably slow, with backlogs measuring hundreds of days, and openly racist.6
  • Most importantly, there’s no reason to believe that manually reviewing claims is any more effective at catching fraud.

Instead, we should focus on ways to design effective, and largely (but not entirely) automated, identity verification and claims processing methods that serve all populations, and actively measure whether all populations are achieving equitable outcomes.7

Many real people will not be able to get benefits unless we start fighting fraud effectively.

As of this writing, the majority of states have withdrawn from the PUA program, many citing fraud as a reason to discontinue delivering these benefits. This leaves many gig and freelance workers struggling to make ends meet as the pandemic grinds to its end. Some vendors, including large banks, have withdrawn from participating in unemployment benefits programs, citing fraud, which limits states’ ability to deliver the benefits even if they want to.

Paying fraudulent claims is obviously not good for taxpayers, or for the employees and employers who paid into unemployment insurance accounts. But fraud has cast a shadow over unemployment benefits as a whole.

We already know how to fight this massive increase in identity fraud.

The federal government has already largely solved the issue of identity verification for preventing identity theft. Federal agencies must follow NIST guidelines8 for building secure online accounts for applying for and managing benefits like taxes9, Social Security benefits, Veteran disability compensation, and more. These agencies aren’t suffering newsworthy breaches every day, because these standards for preventing identity theft fraud work.

If states adhered to federal guidelines for identity verification, identity theft fraud would all but stop.

When individual states have adopted federal identity verification standards, their fraud rates fell significantly. Colorado calculated that 87.4% of its PUA claims were fraudulent after adopting a NIST-compliant identity verification process.10 In Arizona, a staggering 99% of PUA claims may have been fraudulent,11 a trend which reversed immediately after adopting a federally-compliant identity solution.

Once we stop the firehose of identity theft, we can then measure the next highest buckets of fraud and implement measures to identify those bad actors (including those who operate across state lines). For example, identity verification alone wouldn’t prevent a prisoner (who is really themselves–not an identity thief) from committing benefits theft, even if the law says unemployment benefits cannot go to a prisoner. But this volume will be a small fraction of the current identity theft fraud.

While this is addressed in NIST guidelines already, we want to particularly call out how laughably ineffective it is to use Social Security Numbers for identity verification. They have all been stolen–multiple times. The criminals have them in well-organized spreadsheets. They are not private information any longer, and to continue to treat them as such complicates matters. Any state using social security numbers as a means of identity verification should stop, immediately.12

Stricter identity verification doesn’t need to prevent real claimants from getting through.

As we explain in the identity verification section, federal guidelines provide significant flexibility for serving claimants who:

  • Are unbanked or underbanked
  • Lack digital access
  • Can’t pass automated identity verification steps for legitimate reasons and require a higher level of service

The way forward is fair, effective identity verification

Our recommended balance is to follow federal guidelines, but actively design for underserved populations,13 and then measure how effectively these groups are able to accurately pass identity verification. If issues are discovered, work to design solutions.

We need an accurate way to measure the effectiveness of fraud prevention efforts.

The only way to prevent all fraud is to stop the distribution of all benefits. All real-life financial systems tolerate some amount of risk. Unemployment systems need to weigh the amount of risk of overpayment they are willing to tolerate, relative to other risks, like underpaying real claimants or not paying desperately needy people for months.

Reports of how many fraudulent claims have been filed and how many have been successfully blocked are murky due to a lack of a standard, or transparent, means of measurement. Some states block all foreign IP addresses (including Mexico and Canada, where plenty of legitimate claimants live) and declare all claims attempted from foreign IP addresses to be fraud. Others count all incomplete applications as fraud. This isn’t accurate.

The variables contributing to a risk score must:

  • Be transparent — no “black box” algorithms that just cloud racism
  • Consider all populations (e.g., unbanked/underbanked)
  • Weigh the risk of not serving real claimants in need
  • Incorporate a wide variety of variables, not simply blocking foreign IP addresses

Demonstration projects can help states refine national tools for fighting UI fraud.

The National Association of State Workforce Agencies (NASWA) operates the Integrity Data Hub14 on behalf of the U.S. Department of Labor. NASWA operates multiple mandatory services within the Integrity Data Hub that likely prevent some fraud, such as the National Directory of New Hires Cross-Match and the Quarterly Records Cross-Match. As of this writing, they are credited with preventing $243 million in improper payments. But current estimates are that more than $400 billion in fraudulent claims were paid out.15

To better understand existing fraud-prevention tools, we recommend state demonstration projects. These projects would determine:

  • How effective existing NASWA tools are, and where they can be replaced or improved to deliver improved outcomes
  • Benchmark measures for determining where and how these tools impact fraud
  • Ensure that they aren’t negatively impacting benefits delivery to real claimants

Prioritize fraud detection and prevention when designing new benefits.

The people behind PUA believed they were doing a good thing for millions of Americans. But they didn’t anticipate how decoupling unemployment benefits from wage verification would also make it trivial for criminals to extract billions of dollars.

As policymakers design benefits in the future, the early design process should consider how to equitably detect and prevent fraud.

If we don’t put this sort of planning into the design of future benefits, the perceived threat of fraud may prevent the very existence of critical benefits during difficult times.


Go to the next section: Identity Verification


Notes

  1. “The OIG has opened over 15,000 investigative matters related to the pandemic. The vast majority of these matters involve identity theft related UI fraud. In response to this unprecedented amount of potential UI fraud, the OIG hired 22 additional special agents, a 20 percent increase in field investigative staff. In addition, our special agents prioritized their case inventory so that 75 percent of the investigative workload was focused on UI fraud. Prior to the pandemic, UI fraud made up approximately 10 percent of the investigative workload. The OIG’s investigative efforts have directly resulted in the identification and recovery of over $100 million in fraud involving the UI program. In addition, OIG special agents assisted in the identification and recovery of over $565 million in fraudulent UI benefits.” Pandemic Response Oversight Plan, p2 https://www.oig.dol.gov/public/oaprojects/DOL_OIG_Updated_Pandemic_Response_Oversight_Plan.pdf 

  2. “A new phenomenon created more confusion. Before the pandemic, most cases of fraud in the UI system consisted of claimants misrepresenting the facts in order to get a larger benefit amount. During the pandemic, the predominant type of fraud has been false identification: as of this report, there are approximately 50,000 UI claims with questionable identity characteristics. The federal rules require that notice be given to these individuals, but it is not possible to contact a claimant who is fraudulent or is a bot. This is just one example where state and federal laws were not up to the unprecedented challenges of the pandemic. As context, in the regular UI system, the employer serves as a deterrent to fraudulent benefit claims. If an employer disagrees with a claimant’s eligibility for the program or a false claim is filed, they can file an appeal. In the PUA system, there is no employer of an independent contractor to review the claim and disagree with the application for benefits. Also, Nevada has no state income tax, and so the state had no way to validate to see whether an individual had self-employment income or not.” - Nevada Strike Force Report https://cms.detr.nv.gov/Content/Media/Strike_Force_Report_2021_FIN.pdf 

  3. https://wdr.doleta.gov/directives/attach/UIPL/UIPL_23-20.pdf 

  4. While there are examples of unemployment benefits in the past that were not tied to wages, these amounts were very small: $25 per week. During the COVID-19 pandemic, $600 per week over an extended period of time made it very profitable to invest in filing fraudulent claims. 

  5. No state has enough trained claims processors to process all claims manually in an acceptable time period. In reviewing GAO and IG reports from past recessions, every employment agency cites inadequate staffing to meet increased demand. In fact, in reports during non-recession times, agencies also report long-standing training, staffing, and retention challenges. There is no evidence that employment agencies can achieve the staffing levels necessary to process all claims manually in a timeframe that also delivers benefits quickly to those who need them most. 

  6. https://www.newamerica.org/pit/reports/unpacking-inequities-unemployment-insurance/a-focus-on-fraud-over-accessibility-the-punitive-design-of-ui 

  7. “Human equity is when outcomes are not predictable based on someone’s identities or characteristics (e.g. race, sexual orientation, gender identity, ability status, etc.).” - Equity-Centered Community Design Field Guide 

  8. https://pages.nist.gov/800-63-3/sp800-63-3.html 

  9. The IRS account breach involved user accounts that were not compliant with these standards. The IRS has since adopted them. 

  10. https://sites.google.com/state.co.us/uidailydashboard/home?authuser=0 

  11. https://des.az.gov/sites/default/files/media/newsrelease-11-19-2020-DES-Expands-ID-me-Identity-Verification.pdf?time=1622851639590 

  12. Using SSNs to verify that a claimant is not deceased may still be a valid use, but not for identity verification. The key here is that knowledge of a SSN is not a secret, so it should be treated similarly to a phone number: fine to ask and use it where needed, but knowledge of your phone number should not be all that’s needed to get into your bank account or redirect your IRS tax refund. 

  13. EO requires: The head of each agency, or designee, shall conduct such review and within 200 days of the date of this order provide a report to the Assistant to the President for Domestic Policy (APDP) reflecting findings on the following:
    (a) Potential barriers that underserved communities and individuals may face to enrollment in and access to benefits and services in Federal programs;
    (b) Potential barriers that underserved communities and individuals may face in taking advantage of agency procurement and contracting opportunities;
    (c) Whether new policies, regulations, or guidance documents may be necessary to advance equity in agency actions and programs; and
    (d) The operational status and level of institutional resources available to offices or divisions within the agency that are responsible for advancing civil rights or whose mandates specifically include serving underrepresented or disadvantaged communities.
    AND
    (a) Within 1 year of the date of this order, the head of each agency shall consult with the APDP and the Director of OMB to produce a plan for addressing:
    (i) any barriers to full and equal participation in programs identified pursuant to section 5(a) of this order; and
    (ii) any barriers to full and equal participation in agency procurement and contracting opportunities identified pursuant to section 5(b) of this order.
    (b) The Administrator of the U.S. Digital Service, the United States Chief Technology Officer, the Chief Information Officer of the United States, and the heads of other agencies, or their designees, shall take necessary actions, consistent with applicable law, to support agencies in developing such plans. 

  14. https://www.naswa.org/integrity-center/integrity-data-hub 

  15. https://www.axios.com/pandemic-unemployment-fraud-benefits-stolen-a937ad9d-0973-4aad-814f-4ca47b72f67f.html 

© 2021 NEW AMERICA

Supported by

The Families & Workers Fund