Use the links below to skip to the section you wish to view:
- EDD’s Fraud Prevention Approach During the Pandemic Was Marked by Significant Missteps and Inaction
- EDD’s Lack of Preparation Left it Unable to Effectively Address Two High‑Profile Situations
- EDD Has Relied on Uninformed and Disjointed Techniques to Prevent Impostor Fraud
EDD’s Fraud Prevention Approach During the Pandemic Was Marked by Significant Missteps and Inaction
- EDD failed to take fast enough action at the beginning of the pandemic to bolster its UI fraud detection efforts. As a result, from March through December 2020, out of $111 billion in UI benefits, EDD paid about $10.4 billion on claims that it later determined might be fraudulent.
- EDD paid $1 billion of the $10.4 billion in part due to a problematic decision to streamline its processes by removing a safeguard against paying individuals with unconfirmed identities. EDD issued payments to those claimants with unconfirmed identities before discovering it had inadvertently removed the safeguard for more than a four‑month period.
- EDD faces an impending workload to assist the victims of identity theft whose personal information was used to file fraudulent claims. Given the high levels of potentially fraudulent claims and its processes for addressing them, EDD is underprepared to handle this work.
EDD’s Failure to Act Promptly to Reduce Fraud Resulted in About $10.4 Billion in Potentially Fraudulent UI Benefit Payments During the Pandemic
EDD’s data show that out of a total $111 billion paid during the pandemic, from March 2020 through December 2020, it paid about $10.4 billion for claims that it has since determined could be fraudulent. These payments happened despite warnings from the U.S. Department of Labor (Department of Labor) to states at least twice in the early months of the pandemic that it had not relaxed its expectations related to fraud prevention in light of the pandemic. First, in its April 2020 instructions for implementing and operating the PUA program, it reminded states that they were required to take reasonable and customary precautions to deter and detect fraud, such as conducting a random audit of a sample of claims. Then, in May 2020, it issued another letter to remind states of their need to ensure the integrity of the UI program. This letter advised that states should perform essential ongoing reviews meant to detect improper payments throughout the UI program, including new benefits that the federal government had established in March 2020. Also in May 2020, when it requested data from EDD to identify fraud trends, the Department of Labor’s Office of the Inspector General warned EDD that California was likely to see at least $1.2 billion in potential fraud based on the 2.9 million new claims that EDD had received in March and April 2020.
Despite these repeated warnings, EDD did not take prompt action to enhance safeguards against illegitimate benefit payments. As Figure 1 shows, EDD did not make any substantive changes to its fraud detection practices until late July 2020—four months after the pandemic‑related shutdowns led to a surge in UI claims. That July 2020 change automated EDD’s process for stopping payment on claims that EDD believed were suspicious. Previously, EDD’s staff needed to perform a manual review of daily reports of thousands of possibly fraudulent claims and manually stop payment on each. Because it delayed this automation, EDD likely allowed fraudulent claimants to collect benefits through the first four months of the pandemic. For example, we reviewed the reports from just two days each of April, May, and June 2020 and found that these reports had identified more than 1,000 claims as suspicious or potentially fraudulent on each of these days. EDD asserted that two staff members were responsible for reviewing these reports each day and stopping payment by initiating the identity verification process for all current claims that this report identified as suspicious. However, EDD’s reliance on this manual process gave claimants the opportunity to collect UI benefits before staff were able to stop payment on the claims. Given that these reports can contain more than a thousand claims each day, EDD may have allowed many more fraudulent claims to collect payments without impediment before it automated this process.
EDD Responded Slowly to Fraud Risks as Claims Surged
Source: Analysis of EDD’s claims data and its fraud tools and modifications made during the pandemic.
Additionally, EDD delayed responding to instances in which an unusually high number of claims under different names were filed from a single address, despite having substantial evidence that fraudsters were using this approach to defraud the UI program during the pandemic. According to EDD, multiple claims from the same address, such as a vacant building or house, can be a sign that fraudsters are trying to intercept or gather the mail associated with this address. However, EDD did not identify suspicious addresses associated with these claims until September 2020. Further, at that time EDD performed two separate analyses of the suspicious address issue, it took action on only a portion of the cases it identified. One of its assessments identified 26,000 suspect addresses that were associated with a total of more than 555,000 claims. However, EDD stated that it did not stop payment on all of these claims because it considered this list informational. Rather, it performed another assessment to determine addresses that may have been associated with fraudulent claims, which identified only 10,000 suspicious addresses associated with 250,000 claims. Most of these 10,000 addresses also appeared on the larger informational list of 26,000 addresses. EDD asserted that it stopped payment on this set of 250,000 claims and required these claimants to verify their identities. The most egregious example from this analysis was a case of more than 1,700 claims going to a single address.
It is almost certain that because of its lax approach, EDD missed stopping payment on fraudulent claims during the pandemic. As Figure 2 shows, we selected three addresses that appeared only on EDD’s list of 26,000 addresses. In other words, EDD identified claims from these three addresses as potentially fraudulent but did not take any action to stop payments on claims from those addresses (unblocked addresses). More than 80 UI claims were filed at one of these unblocked addresses. Moreover, because EDD was unable to verify the identities of claimants for more than 70 of those claims, it is likely that impostors used this address to file fraudulent claims. However, EDD’s fraud detection tools failed to detect 12 of the more than 80 claims as suspicious, allowing those 12 claims to remain active. As of mid‑December 2020, EDD has paid more than $300,000 in UI benefits related to these 12 active claims. One of the other two unblocked addresses that we reviewed, which had more than 20 claims associated with it, raised similar concerns. Our review illustrates that EDD continues to pay claims despite having evidence that they are very likely fraudulent. After we shared our concerns with EDD, it performed another analysis identifying more than 572,000 claims at more than 30,000 addresses it identified as indicative of fraud. Most of these 30,000 addresses were included on EDD’s larger informational list of 26,000 addresses identified in September. EDD asserted that it stopped payment on some of those fraudulent claims in mid‑December. However, EDD still had not stopped payments on the claims associated with two of the three unblocked addresses we selected, including the address with 12 active claims. We made other observations about EDD’s efforts to address problematic numbers of claims at a single address and, to avoid publishing information that could expose EDD to additional fraud, we shared those observations with EDD’s management in a confidential letter.
EDD Has Not Stopped Payments on Claims at Addresses It Identified as Suspicious
Source: Review of EDD’s analysis of suspicious addresses and claim information.
EDD took another action that compounded the effect of its slow and inadequate reaction to potential fraud. As part of its temporary COVID‑19 procedures, EDD instructed staff to automatically backdate new UI claims to the date the claimant said they became unemployed. In other words, staff were told to enter an effective date for a claim that could be weeks before the date the claimant actually filed, allowing that individual to be paid benefits for those weeks. The Department of Labor provided guidance instructing states to backdate pandemic related claims to the week in which claimants first became unemployed. According to EDD, it automatically backdated new claims to comply with this guidance. EDD asserted that automatically backdating claims reduced the manual workload that would have otherwise been required to pay claimants. However, since early September 2020, in response to suspected fraud in the PUA program, EDD has required claimants to submit a separate request, aside from their UI claim, to obtain backdated payment. Since EDD took that action, claims for PUA have fallen considerably. Although we cannot establish a direct link between EDD’s actions and the drop in PUA claims, it is possible that by ceasing its practice of automatic backdating, EDD has deterred fraudulent claims from occurring.
A Key Process for Detecting Fraud Has Been Overwhelmed During the Pandemic
Under normal circumstances, some of EDD’s benefit fraud detection efforts might have allowed it to detect impostor fraud. Benefit fraud can occur when individuals continue to receive benefits by failing to report that they have returned to work. To detect such fraud, EDD performs daily reviews using California employer data and weekly reviews using nationwide employer data. Because these reviews use SSNs to identify overlap between EDD’s benefit data and employer databases, the reviews would detect when impostors filed claims using the identities of people who were earning wages. When an overlap is detected, EDD generates and mails documents to the employers of the claimants whom the system detected as both continuing to work and receiving UI benefits, asking for further information about the claimant. EDD staff must then review the returned documents to assess whether fraud has occurred and take appropriate action.
However, during the pandemic, the amount of work generated by these matches overwhelmed the unit responsible for performing these reviews—the Benefit Overpayment Section within the UI Integrity and Accounting Division. Between March and November 2020, this process generated more than 840,000 matches, illustrating that hundreds of thousands of claimants were either collecting UI benefits while working or had had their identities stolen and impostors were using those identities to collect benefits. These 840,000 reviews generated during the pandemic were quadrupled from the number generated for this section to complete in 2019. This process relies on employers to provide details about whether an employee who matches a claimant in EDD’s system is earning wages. EDD staff explained that this process can enable EDD to learn about potential impostor fraud because employers often notify EDD that the employees are continuing to earn wages and have attested to the employer that they are not collecting UI benefits. Complaint data we reviewed indicated that employees tell their employer that they are not receiving UI benefits after being questioned by their employer. However, because of the significant increase in the number of reviews generated, as of the end of November 2020, the section responsible for performing them had completed only 113,000 of the 840,000 reviews generated during the pandemic. This process is entirely paper‑based and, as of the end of November 2020, the section was still processing documents received in August 2020. Staff do not stop payment on these claims until they process these documents, meaning that EDD has likely continued to pay on these potentially fraudulent claims, despite having identified them through this process. As a result of these workload challenges, EDD has been unable to effectively leverage this practice of relying on existing cross‑match reviews to quickly detect fraud.
EDD’s Slow Response Has Led to About $10.4 Billion in Payments to Suspicious Claims
As of late‑December 2020, EDD had more than 2.2 million claims submitted during the pandemic for which it could not confirm the identity of the claimant—24 percent of the 9.5 million claims filed from the time the CARES Act became law in March. EDD issued at least one benefit payment on about 597,000 of those claims before identifying them as potentially fraudulent. This figure does not include approximately 10,000 additional claims for which EDD could not verify the identity of the claimant but issued at least one payment, and for which the claimant has appealed EDD’s determination that their identity was unverified. In total, EDD paid about $10.4 billion for these claims, as Figure 3 summarizes. Although EDD explained that it is not able to confirm that all of these claims are fraudulent—some of the claimants may have legitimate reasons for ignoring EDD’s request for identity information—it does not know how many are legitimate and how many are fraudulent. More than 534,000 of the claims were paid UI benefits in excess of EDD’s traditional dollar threshold for pursuing a criminal investigation of an impostor. As we explain in the Introduction, EDD reported that in 2019, its Investigation Division investigated only 14 cases of UI impostor fraud representing more than $5.5 million paid in fraudulent benefits. EDD’s Investigation Division told us that as of December 10, 2020, it had opened more than 250 criminal cases related to potentially fraudulent claims filed during the pandemic and estimated an initial loss totaling greater than $30 million on these cases. However, considering that EDD’s data show many more potentially fraudulent claims and the difficulty of identifying the perpetrators of the impostor fraud in 2020, it seems highly unlikely that EDD will be able to investigate more than a small fraction of these fraudulent claims, let alone recover a significant portion of the lost funds.
EDD Paid About $10.4 Billion in Benefits to Claimants With Unconfirmed Identities
Source: EDD data on payments and identity alerts, and Department of Labor estimated fraud rates for UI programs.
We asked EDD for its perspective on the slow and reactive approach that it took to combating fraud in 2020. EDD asserted that its fraud tools effectively identified and stopped potentially fraudulent claims throughout the pandemic and that it enhanced its existing processes and tools as needed. However, an estimate of the total UI benefit payments EDD prevented through these fraud prevention tools demonstrates that EDD paid almost as much to suspicious claims as it prevented. Using the number of claims associated with individuals with unconfirmed identities to which EDD had not issued payment and an estimated benefit amount based on Department of Labor data for 2020, we estimated that EDD stopped about $12.8 billion in payment to potentially fraudulent claims. Although any amount of fraudulent payment that EDD stops is a benefit to the UI program, a thorough analysis of the effectiveness of EDD’s fraud prevention efforts needs to compare the amount of fraud prevented to the amount paid to potentially fraudulent accounts. As we note in the next paragraph, the total amount EDD paid to fraudulent claims is likely to continue growing as it completes upcoming work, further showing that EDD’s fraud prevention methods have not been adequate to stop it from paying on fraudulent claims during the pandemic.
The $10.4 billion is likely not the full amount of improperly paid benefits. As we describe earlier in this section, we observed instances in which EDD continued to pay on suspicious claims that its fraud detection methods had not yet identified. During our audit, the number of claimants for which EDD could not confirm identity grew. Further, EDD’s pending reviews of employment data mean it is likely that more claims will be called into question. As of early January 2021, EDD has requested identity information from more than 1.2 million claimants to whom it has already paid $19.5 billion in benefits. It is unlikely that EDD will verify the identity for all of these claimants with pending identity issues. Therefore, it is highly probable that EDD will ultimately determine that it improperly paid significantly more than the $10.4 billion we identify in this report as potentially fraudulent.
EDD Suspended a Critical Fraud Prevention Safeguard During the Pandemic Because of Its Poor Planning
Early in the pandemic, EDD altered a critical fraud prevention mechanism, resulting in it paying more than $1 billion of the $10.4 billion in benefits we discuss in the previous section to suspicious claimants. Figure 4 summarizes this problem. As we describe in the Introduction, EDD stops payment on claims while it verifies claimants’ identities, ensuring that it pays benefits only to legitimate and verified claimants. However, early in the pandemic, EDD decided to remove a key safeguard against paying claims for which staff had identity concerns because of the mistaken belief that other safeguards would stop payments on these claims. However, because the EDD leadership who made these decisions did not adequately understand how the stop payments worked, EDD waived the barriers to payment for almost 77,000 claims and paid more than $1 billion on claims that it has determined are potentially fraudulent.
EDD Removed a Key Fraud Safeguard and Paid $1 Billion to Individuals With Unconfirmed Identities
Source: Analysis of EDD’s claims database and interviews with EDD staff.
EDD explained that the early months of the pandemic presented challenges in balancing prompt payments for claims against its fraud prevention efforts. In the effort to respond to the overwhelming volume of unemployment claims, EDD leadership decided to identify and remove certain barriers to payment. EDD management asserted that it removed these barriers to streamline its processes. Nevertheless, this decision had significant consequences: EDD incorrectly believed that other safeguards in its claims processing system would stop all payments to claimants with unconfirmed identities. As Figure 4 shows, this incorrect belief was costly. We found that EDD continued to waive this payment barrier into August 2020—meaning it was not until four months after its decision to waive the barrier that EDD reversed its decision and ceased the practice.
The decision to waive this safeguard could have had even more significant consequences. At the time EDD waived the safeguard, it paid an additional 93,000 claims an additional $490 million in benefits before knowing that the claimant identities were confirmed. Although EDD eventually confirmed the identity of these claimants, it did not have that assurance when it issued these payments. Had EDD evaluated the risk of removing barriers to payment, it may have determined the need to streamline other processes in its system that would not have exposed it to so much potential fraud.
We found that the majority of claims with unconfirmed identities for which EDD waived the payment safeguard had future payments prevented by other safeguards. In fact, most of the 77,000 claims received payments only for backdated benefit weeks. For example, one claimant filed a claim on August 3, 2020, but reported having become unemployed due to the pandemic on February 2, 2020—26 weeks prior to filing the claim. EDD immediately stopped payment on the claim on the same day it was filed. However, when it waived the safeguard for this claim, its data show that it paid benefits for the backdated weeks—totaling almost $22,000. Secondary safeguards stopped any future payments on the claim. Subsequently, EDD was unable to confirm this claimant’s identity and disqualified the claim from any additional payments.
EDD could have avoided this misstep through more careful planning and preparation. As we explain in more detail in our earlier review of EDD, the department was unprepared for an economic downturn. EDD’s Poor Planning and Ineffective Management Left It Unprepared to Assist Californians Unemployed by COVID‑19 Shutdowns, Report 2020‑128/628.1, January 2021. Its planning deficiencies extend to the area of fraud prevention. As shown by the decision we describe above to remove a claim payment safeguard, EDD leadership made a critical misstep because it had an inadequate understanding of its fraud prevention mechanisms—a gap in understanding that is more easily discovered and dealt with when planning in advance of a crisis moment. In addition to the key features of sound recession planning that we identified in our previous report, EDD’s recession planning must include descriptions of the available adjustments to fraud prevention practices that EDD could make while continuing to best mitigate risk. Identifying the types of tasks it determines it is able to stop or delay during a recession while maintaining acceptable fraud detection and prevention efforts would minimize the need for less informed steps like the decision we describe above.
In the Near Future, EDD Will Likely Need to Dedicate Considerable Resources to Assisting Victims of Identity Theft
EDD will likely face a significant workload in the future to support the many individuals whose identities were stolen by impostors who filed fraudulent claims during the pandemic. Between March 2020 and early January 2021, more than 2.2 million claimants did not satisfactorily answer EDD’s request that they provide identity documentation. According to EDD, fraudsters are often not able to provide documents to confirm identity; therefore, EDD considers claims that are disqualified due to nonresponse as evidence that it has effectively deterred fraud. Although not every one of these 2.2 million claims made it far enough in the process to be paid, EDD’s data indicate that it paid benefits totaling about $10.4 billion on almost 597,000 of these claims, suggesting that these individuals may have obtained benefits fraudulently. However, these are only the cases EDD has identified; the actual number of claims filed with other people’s personal information may be higher because people who have not yet learned that they were victims of identity theft have not yet reported it to EDD. Further, we do not believe that EDD’s fraud detection tools have yet detected every fraudulent claim filed during the pandemic.
When EDD pays benefits on claims involving stolen identities, the victims of that identity theft may be asked to pay taxes on the benefits or to pay back the benefits. A victim’s interactions with EDD to resolve the theft will depend upon the circumstances under which the fraud is discovered, as we show in Figure 5. For example, victims of identity theft may not know they are victims until they receive a tax form notifying them to report income from benefits, are contacted by EDD, or try to collect UI benefits themselves. In each of these cases, the work EDD will need to perform to assist these identity theft victims represents a potentially significant increase in its workload.
EDD Will Likely Need to Assist Victims of Identity Theft in Several Ways
Source: Analysis of EDD’s data, workload, and fraudulent claims processes.
EDD’s main process for addressing complaints of identity theft has been overwhelmed during the pandemic. If individuals discover that their identity has been used to file a fraudulent claim with EDD, they can notify EDD through its online fraud reporting portal or through its telephone hotline. EDD’s data show that by July 1, 2020, EDD was receiving hundreds of these reports each day, growing to consistently receiving more than 1,000 a day in September 2020 and peaking at more than 1,800 reports on a single day that month. By comparison, EDD only received 6,000 UI fraud reports in all of calendar year 2019. EDD has dedicated only a single staff position to receive and assess these reports, and that position became vacant in July 2020. As a result, from April through October 2020, EDD responded to less than 2 percent of the UI fraud reports it received through its online portal. Further, it had yet to address more than 77,000 fraud reports as of November 2020. Many of these reports likely involve victims of identity theft who will need EDD’s help to resolve their situations.
To successfully resolve each case of suspected identity theft, EDD must first investigate the complaint to determine whether it can substantiate that identity theft has likely occurred. Once it completes that analysis, EDD can perform the work necessary to clear the reported income from the victim’s name. According to data EDD provided, as of mid‑December 2020, it had performed this work for about 21,000 victims of identity theft for claims that had been filed from March through November 2020. This process will prevent the victims of identity theft from receiving incorrect tax forms. However, if EDD did not complete this process for an identity theft victim before reporting income to the IRS—a likely outcome given the volume of potentially fraudulent claims and the number of outstanding fraud reports that EDD has received but not yet addressed—the victims will need to contact EDD to resolve their cases. EDD will need to respond to fraud reports as identity theft victims submit them. EDD anticipates these submissions will represent a large workload in the future.
EDD could be better situated if it modified its existing practices to handle this upcoming work. Specifically, instead of continuing to receive complaints of identity theft through its regular fraud report mechanisms, EDD would provide faster and better service to identity theft victims by setting up a dedicated communication channel for those individuals. Further, to better understand the level of work it needs to accomplish, EDD should establish a working group specifically to coordinate the work needed to resolve each complaint of identity theft and make decisions about staffing levels necessary to accomplish that work. Without a concentrated focus, EDD risks unnecessarily delaying assistance to victims of identity theft, who will remain in precarious tax situations until EDD completes its work.
To ensure that its recession planning encompasses its fraud prevention efforts, EDD should identify the fraud prevention and detection efforts it can adjust during periods of high demand for UI benefits. It should ensure that it accounts for all probable consequences of the adjustments and design procedures that appropriately balance the need to provide prompt payment during a recession with the need to guard against fraud in the UI program.
To prepare to respond to victims of identity theft who receive incorrect tax forms, EDD should, by mid‑February 2021, provide information on its website and set up a separate email box for such individuals to contact EDD and receive prompt resolution.
To ensure that it provides appropriate assistance to victims of identity theft who report fraud through its online fraud reporting portal, EDD should, by March 2021, establish a working group to coordinate the work needed to resolve each complaint of identity theft, make decisions about staffing levels necessary, and add staffing to accomplish the work.
EDD’s Lack of Preparation Left it Unable to Effectively Address Two High‑Profile Situations
- In September 2020, EDD directed Bank of America to freeze 344,000 debit cards (accounts) because of concerns about UI fraud. Since then, EDD has not acknowledged its responsibility for this action, and it did not have a plan or take action to ensure that it could unfreeze those accounts belonging to legitimate claimants.
- EDD left itself especially vulnerable to UI fraud associated with incarcerated individuals—which it estimates has reached about $810 million—because it has not had a system to regularly cross‑match UI claims with information from state and local correctional facilities.
When EDD Directed the Freezing of Accounts for 344,000 Claims, It Did Not Take Sufficient Action to Help Legitimate Claimants
EDD’s reactive response to its discovery of potentially fraudulent activity appears to have harmed legitimate claimants. Bank of America—the State’s vendor for distributing UI benefit payments—identified more than 309,000 of its UI accounts that it believed to be fraudulent and notified EDD of its plans to freeze—or shut down to prevent cardholders from accessing the funds—these accounts in mid to late September 2020. EDD reviewed the accounts the bank identified and confirmed that Bank of America should freeze 271,000 of the accounts. EDD also directed Bank of America to freeze another set of 73,000 accounts that Bank of America had not identified as accounts it planned to freeze. Therefore, in late September 2020, EDD directed Bank of America to freeze about 344,000 benefit accounts, which Bank of America did, effectively stopping anyone in possession of the debit cards aligned with these accounts from spending the benefit payments deposited into them. Bank of America froze 53,000 additional benefit accounts in the same week because the accounts exhibited certain fraud indicators established by Bank of America. However, because those fraud indicators differed from EDD’s fraud criteria, Bank of America quickly unfroze the majority of these accounts in early October 2020 in an effort to align its fraud efforts with EDD’s. Figure 6 summarizes key exchanges between EDD and Bank of America.
EDD and Bank of America Have Repeatedly Corresponded About Fraudulent Accounts
Source: Analysis of EDD’s correspondence records with Bank of America and public documents.
Several elements of EDD’s role in these events are troubling. First, EDD did not initiate the request to freeze these potentially fraudulent accounts on its own, indicating that its fraud detection and prevention methods were not functioning optimally. Second, EDD mishandled the aftermath of this incident. Following public outcry in early October 2020 from legitimate claimants who could not access their benefits, EDD requested that Bank of America unfreeze all 344,000 accounts it had originally directed the bank to freeze—including the 73,000 claims it had independently identified as potentially fraudulent. In effect, EDD’s response was to permit potentially fraudulent activity to continue to ensure that legitimate claimants received their benefits. However, it had no analysis supporting its decision to make such a swift change to its previous direction. In the end, Bank of America disregarded EDD’s request to unfreeze the accounts. In a subsequent letter to the Legislature, Bank of America cited its obligation to prevent fraud under federal law as its reason for freezing accounts without EDD’s approval. This series of events reveals flaws in EDD’s response to fraud: it erred in its initial analysis and request that Bank of America freeze the 344,000 accounts, and it reacted poorly once it realized that accounts of legitimate claimants had been frozen.
EDD’s Director Did Not Acknowledge EDD’s Role in Freezing 344,000 Accounts
Assemblymember: I know my district office has continued to receive several constituent calls more recently regarding the Bank of America cards that have been suddenly frozen. Can you give us a sense as to why are they being frozen? And whose accounts are being frozen? Is that something that the department directed them to do or is this something that the bank is doing?
EDD Director: This is part of the Bank of America’s fraud protection services, I guess. And that’s what I mentioned, that B of A and our—EDD and Labor Agency—we’re meeting this afternoon to walk through exactly what was going on, what makes sense. And look at that balance again between paying claims versus fighting fraud. So we’re aggressively taking a look at that.
Source: Director’s testimony at a hearing of the Assembly Budget Subcommittee on State Administration on October 7, 2020.
In addition, EDD’s lack of transparency throughout this exchange damages the public’s trust in its statements. When it became apparent that legitimate claimants had been included in the listing of frozen accounts—leading to media reports of people being unable to pay their bills or feed their families—EDD was slow to provide information. In fact, we found no public statements that acknowledged that EDD had directed the freezing of the 344,000 accounts. About a week after EDD directed Bank of America to freeze those accounts, the director of EDD testified to the Legislature that EDD and Bank of America were coordinating “additional review” of more than 350,000 suspicious claims. As the text box shows, when one assemblymember asked the director who froze the accounts, the director did not describe EDD’s responsibility and identified Bank of America as the responsible party. A letter from 59 members of the Legislature in November 2020 to the chief executive officer of Bank of America shows that the Legislature believed that EDD had far less of a role in freezing accounts than it actually did. The letter indicates that EDD informed the Legislature that frozen accounts were solely the result of Bank of America’s efforts. Although it is true that Bank of America froze some accounts without direction from EDD, the department played a significant role in directing that 344,000 accounts be frozen.
Subsequent coordination between EDD and Bank of America about potentially fraudulent accounts has also been problematic. First, EDD has been slow to respond to another list of questionable accounts that the bank identified. In early November 2020 Bank of America sent EDD a list of more than 104,000 accounts that it identified as suspicious and requested guidance from EDD about what to do with the accounts. EDD delayed providing direction to Bank of America until one month later, risking that some fraudulent claimants would continue to collect benefits while EDD performed its analysis on those accounts. Further, when it did respond, EDD informed Bank of America that it had already stopped payment to more than 99,000 of the accounts, but failed to provide explicit instructions to Bank of America as to whether it should freeze those accounts. Therefore, EDD did not direct the bank to protect the money that it had already deposited into those accounts. Moreover, EDD neglected to mention what it had determined—if anything—about the remaining 5,000 accounts that Bank of America originally provided for review. EDD explained to us that it was still verifying the identities of the majority of these claimants as of December 10, 2020.
Still more problematic have been difficulties that EDD and Bank of America have had in agreeing how to unfreeze accounts that belong to legitimate claimants. One complicating factor has been that, during our review, EDD did not know which accounts were frozen or needed to be unfrozen. In fact, EDD confirmed that it does not have a centralized process for tracking and monitoring these frozen accounts, making it unclear how many accounts in total were frozen. Therefore, it does not have a systematic way to ensure that it reviews all frozen accounts to determine whether the accounts should be unfrozen and returned to legitimate claimants. Without such a process, any attempt that EDD makes to address the problem of legitimate claimants with frozen accounts may be incomplete and potentially flawed. Further, Bank of America has required EDD to individually verify the identities of the claimants associated with the 344,000 frozen accounts that EDD identified before it will unfreeze the accounts. An external consultant determined that 72,000 of the 344,000 frozen accounts were at low risk of being fraudulent claimants; however, EDD will need to manually verify these claims as legitimate before Bank of America will unfreeze those accounts. As of December 10, 2020, EDD had verified the identities of only about 7,500 affected claimants. Although EDD may find that it disqualifies some of these claimants—potentially from both the low‑risk group of 72,000 accounts and the remaining population of the original 344,000 frozen accounts—for failing to respond to its requests for identity documentation, there will likely be a significant number still to be addressed. Therefore, it will be important for EDD to explore using ID.me or another type of expedited identity verification to avoid prolonging the process by which it resolves frozen benefit accounts that belong to legitimate claimants.
When we presented EDD with our concerns about its interactions with Bank of America, EDD explained that it was concerned about correspondence it had received from the bank that predated the September freezing of 344,000 accounts. EDD cited examples of Bank of America contacting EDD with eight lists of problematic accounts from mid‑July through mid‑September 2020. However, our review shows that EDD also handled some of these cases poorly. Specifically, Bank of America shared a list of almost 66,000 potentially fraudulent accounts with EDD in mid‑July 2020 and requested EDD’s review of these accounts. However, EDD was unable to provide any correspondence that demonstrated it ever answered Bank of America’s request. In August 2020, Bank of America notified EDD that it was freezing approximately 5,700 accounts due to fraudulent activity. Records show that EDD knew about those frozen accounts and no record we reviewed shows that EDD expressed concern that the bank had frozen the accounts without first consulting the department. In early September 2020, Bank of America again sent EDD a list of more than 150,000 accounts that the bank identified as having suspicious activity, requesting EDD to review the accounts and determine if any are fraudulent and should be frozen by Bank of America. Again, EDD was unable to provide any correspondence that demonstrated that it ever answered Bank of America’s request. These earlier requests are evidence of yet another warning about potential fraud that EDD does not appear to have comprehensively addressed.
EDD Was Unprepared to Detect and Handle the Hundreds of Millions of Dollars in Fraudulent Claims Associated With Incarcerated Individuals
As we show in Figure 7, EDD left itself especially vulnerable to fraud associated with incarcerated individuals—which law enforcement officials have said has totaled hundreds of millions of dollars in fraudulent payments during the pandemic. In late November 2020, nine county district attorneys signed a letter announcing that the Department of Labor identified roughly 35,000 unemployment claims filed from March 2020 through August 2020 using data that matched individuals incarcerated in state prisons against UI information. According to November 2020 correspondence from the deputy secretary of communications at the California Labor and Workforce Development Agency, 21,000 of these claims received payments that totaled $400 million. EDD later estimated that between January 2020 and November 2020, it paid about $810 million in benefits to roughly 45,000 claimants with information that matched incarcerated individuals, based on both state prison data and a December 2020 analysis by a private vendor that used data from state and local correctional facilities across the country. EDD noted that most of the problematic claims were for PUA; as we note in the Introduction, the CARES Act relaxed some requirements for receiving these benefits, such as extending the benefits to individuals who had been self‑employed and therefore would not have had a third‑party employer to report their wages. EDD was unprepared to guard against inmate fraud in this program because it lacked a system to cross‑match all incoming claims against incarceration data.
Because It Delayed Obtaining Critical Information, EDD Was Unprepared for UI Fraud by Incarcerated Individuals
Source: Emails from and interviews with staff at EDD, EDD claims data and vendor analysis, EDD’s annual fraud reports to the Legislature, a letter from nine district attorneys, EDD’s data sharing agreement and contract information, and a national survey of state unemployment programs.
EDD’s failure to institute this type of cross‑match is of special concern given the wide use of this approach throughout the rest of the country. According to a 2016 report on the results of a survey from the National Association of State Workforce Agencies, 35 states were cross‑matching unemployment claims with state prison data and 28 states were cross‑matching claims with county jail data at that time. For example, Washington state’s Employment Security Department reported in December 2016 that it was cross‑matching electronic jail records against its database of unemployment benefits three times per week and that it was examining the feasibility of creating a more robust cross‑match using real‑time data. In that report, Washington’s department noted that since it had begun cross‑matching these records, from March 2015 through July 2016 it denied benefits on nearly 1,500 such cases and recovered almost $250,000 in related overpayments.
Given the prevalence and usefulness of the incarceration data cross‑match, it is troubling that EDD failed to implement this fraud prevention tool previously. According to EDD’s annual report to the Legislature on fraud deterrence from June 2020, it already had processes to cross‑match its records against other types of data, such as a monthly cross‑match with mortality data and a real‑time verification of claimants’ SSNs with the Social Security Administration. By contrast, the report noted that EDD was “considering” new options for sharing data, such as incarceration data, with government agencies—language that it had also included in its 2018 and 2019 reports. However, according to the chief of EDD’s Investigation Division, since starting his position in April 2016 and until recent conversations on this topic in 2020, he was not part of or aware of discussions with the California Department of Corrections and Rehabilitation (CDCR) about sharing state prison data to cross‑match against UI claims. During the pandemic, when EDD became aware that this gap in its safeguards was allowing a substantial amount of fraud to occur, EDD spent months negotiating access to CDCR’s state prison data after an EDD investigator initially reached out to CDCR in August 2020 about sharing information to identify potential fraud. CDCR originally took a stance that, except in limited circumstances, it was prohibited from providing the information to EDD, but it indicated that the Attorney General authorized it to provide the inmate information to EDD in early December 2020.
Since it became apparent during the pandemic that its failure to cross‑match claims against incarceration data was allowing illegitimate benefits payments, EDD has pursued two solutions to address this gap in its fraud prevention efforts. First, according to EDD’s chief information officer, EDD has recently expanded its cross‑checking capabilities through a private vendor to cross‑reference inmate data from prisons and jails in multiple states. This vendor provided the December 2020 analysis that contributed to EDD concluding that it had paid about $810 million in benefits associated with incarcerated individuals. A contract between EDD and this vendor with a term of October 2020 through June 2021 includes access to what the vendor calls “real‑time incarceration and arrest records.” An EDD IT Branch staff member confirmed that, although the vendor’s analysis for EDD has largely been retrospective, EDD is considering using the vendor in the future to perform more timely checks of new incoming claims against incarceration records. The chief information officer noted that she had not been in her position before May 2020 and, therefore, could not speak to why EDD had not pursued this option before the pandemic. Second, in early December 2020, EDD and CDCR established a data sharing agreement for CDCR to provide inmate data to EDD’s investigators at least monthly for two years. State law authorizes the Office of the Attorney General (Attorney General) to share criminal offender information with EDD when there is a compelling need and allows CDCR to provide this information on the Attorney General’s behalf.
Despite these new efforts, the Legislature should take action to help ensure that the State prevents future fraud by inmates. Although EDD has established a data sharing agreement with CDCR and a contract with a private vendor that likely will provide additional local data, such as from county jails, the CDCR partnership is dependent on the Attorney General determining that EDD has a compelling need for the information. Because of EDD’s fraud prevention deficiencies that we discuss here and elsewhere in this report, and because EDD must rely on other entities such as CDCR to provide inmate data, legislative action is necessary to ensure that EDD can regularly access and use data from state and local correctional facilities to prevent future fraud. A mandate to share information and use that information to check incoming UI claims for potential fraud related to incarcerated individuals would address what has been a longstanding gap in EDD’s fraud prevention approach that allowed significant fraud to occur during the pandemic.
To ensure that EDD prevents fraud associated with incarcerated individuals, the Legislature should amend state law to do the following:
- Require EDD to regularly cross‑match UI benefit claims against information about individuals incarcerated in state prisons and county jails to ensure that it does not issue payments to people who are ineligible for benefits. The Legislature should specify that EDD perform the cross‑matches as quickly as possible after individuals file claims and with as little disruption of legal and eligible claims as possible.
- Require CDCR and any other necessary state or local government entities to securely share information about incarcerated individuals with EDD to enable EDD to prevent fraud.
- Require EDD to include, in its annual report to the Legislature about fraud, an assessment of the effectiveness of its system of cross‑matching claims against information about incarcerated individuals. The assessment should include how regularly EDD performs the cross‑matches, how successful the cross‑matches are in detecting and preventing fraud, and whether the cross‑matches negatively affect eligible claimants attempting to legally obtain benefits.
To ensure that it provides legitimate claimants with benefits but does not pay benefits related to fraudulent claims, EDD should immediately obtain from Bank of America a comprehensive list of claimants’ accounts that are frozen. EDD should immediately thereafter evaluate the list—including considering using ID.me to verify claimants’ identities—to identify accounts that should be unfrozen. By March 2021, it should direct Bank of America to take action to freeze or unfreeze accounts as appropriate.
To ensure that it reviews each account that Bank of America reports to it as suspicious or potentially fraudulent, by February 2021, EDD should establish a centralized tracking tool that allows it to review and stop payment on claims, as appropriate. EDD should use this tool to monitor its own internal decisions and track whether the claimant responds to its requests for identity information and should, therefore, have their account unfrozen.
EDD Has Relied on Uninformed and Disjointed Techniques to Prevent Impostor Fraud
- EDD’s disjointed approach to fraud prevention has placed its UI program at a higher risk for fraudulent activity. It has not established a centralized unit to manage its fraud detection efforts, and it does not reliably track suspicious claims to ensure that it is taking appropriate action to resolve any issues, including those that suggest fraud has occurred.
- Best practices for fraud prevention suggest that government agencies should have a dedicated unit to mitigate the risk of fraud. Until EDD designates such a unit and develops a comprehensive approach to preventing and detecting fraud, it is at a greater risk for paying benefits on fraudulent claims.
- EDD does not measure or monitor any of its fraud prevention or detection tools to determine how effectively each one detects fraud. As a result, it may be using ineffective fraud prevention and detection techniques that fail to prevent fraudulent payments or delay payments to legitimate claimants.
EDD’s Approach to Fraud Prevention Is Disjointed and Ineffective
In nonrecessionary years, EDD is responsible for the oversight and administration of a UI program that pays more than $5 billion annually in benefits to Californians who qualify for assistance. An essential element of effective management of such a program is prevention of attempts to receive benefits fraudulently. Not only is maintaining the integrity of the UI program a federal expectation, it is critical to ensuring that it provides assistance only to those who genuinely need it rather than those who misrepresent themselves to obtain money illegally. Given the importance of fraud prevention, we expected that EDD would have a cohesive and centrally managed fraud prevention effort, that it would track potential fraudulent activity from detection to resolution, and that it would ensure coordination between the fraud prevention and detection initiatives it uses. Because these practices are lacking, EDD’s UI program is at a higher risk for fraud. Federal law requires EDD to perform regular audits of randomly selected claims in an effort to determine its improper payment rate. Those audits also identify the causes for EDD’s improper payments. However, those efforts differ from a focused attention on individual claims and are, therefore, only part of the solution to preventing fraud in the UI program.
EDD has not assigned responsibility to any single departmental unit for ensuring that its fraud detection efforts operate as intended, contributing to its disjointed approach to stopping fraud. As we note in the Introduction, many different divisions and offices have roles related to detecting fraud. These individual EDD units forward reports or allegations of fraud to one another and—in the process—do not remain involved in the resolution of the allegations. Figure 8 shows key units within EDD and the independent responsibilities they have related to fraud. As the figure shows, EDD’s fraud detection approach is highly dependent on a variety of units all coordinating effectively with one another. Separation of responsibilities may be an appropriate way for EDD to divide its labor. However, that separation also increases the risk that units will not coordinate effectively with one another. For example, EDD has assigned primary responsibility for receiving and reviewing fraud allegations to the Criminal Intelligence Unit within its Investigation Division. However, the chief of the Investigation Division stated that the Criminal Intelligence Unit cannot stop payment on claims that it identifies as suspicious. It must refer any potentially fraudulent claims to other units or divisions for further investigation or administrative action. This delay may allow EDD to continue paying UI benefits on fraudulent claims, even after EDD staff have identified them.
EDD Has Convoluted Its Fraud Prevention and Detection Approach by Spreading Key Efforts Among Its Different Units
Source: Review of EDD’s organizational chart, EDD’s policy and procedure documents, and interviews with EDD staff.
We observed that a key mechanism EDD’s units use to communicate about potentially fraudulent claims is dedicated email accounts that are managed by multiple staff. Referral and tracking of potential fraud by email increases the risk that EDD will mishandle a fraud report. For example, the Criminal Intelligence Unit’s hotline operator monitors and receives reports of fraud from the public. If the hotline operator finds that an allegation has merit, the operator forwards the report to a dedicated email address for the UI Integrity and Legislation Unit. The UI Integrity and Legislation Unit reviews the claim associated with the fraud report and then passes the fraud report to the UI Identity Verification and Technical Support Section for further work. We attempted to follow two fraud reports that the hotline operator emailed to the UI Integrity and Legislation Unit in April and July 2020 to determine what action the unit took. In neither case could the UI Integrity and Legislation Unit locate the original emailed referral from the hotline operator, and the unit could only demonstrate that it had reviewed one of the two fraud reports. These examples demonstrate the gaps in the way EDD manages reports of potential fraud.
In another example, EDD has not coordinated its identity verification efforts, leading to duplicated effort with no discernible benefit. Since its implementation in October 2020, EDD has touted ID.me—an identity verification program that we describe in the Introduction—as one of its primary methods for preventing identity thieves from filing false claims. However, EDD confirmed that it continues to implement fraud detection tools that require claimants to verify their identities even after successfully completing ID.me verification, essentially requiring claimants to verify their identities twice. During a single day in November 2020, for instance, one of its other fraud detection tools flagged 352 claims for identity verification. When we asked EDD why it continued to require secondary identity verification even after implementing ID.me, staff asserted that ID.me may have verified an individual’s identity, but that individual may have exhibited indicators of fraud that ID.me was not designed to detect. However, as of mid‑November 2020, EDD stated that it had not performed any analyses to determine whether this secondary verification step detects fraud that ID.me missed. Further, this secondary verification tool initially requires claimants to provide identity information similar to what they used for ID.me before EDD then further evaluates their eligibility. As such, EDD’s secondary tool may delay payments to legitimate claimants by requiring them to verify their identities twice.
During our review, EDD asserted that it was taking steps to improve coordination between the different units that take action to prevent and detect fraud. In mid‑November 2020, EDD hired a new deputy director to oversee its Policy, Accountability, and Compliance Branch. This deputy director has been tasked with establishing a fraud working group across the department. However, as of December 30, 2020, this group had not yet held its initial meeting or fully formed a charter to define its purpose. Because best practices for fraud prevention and detection suggest that government agencies should have a dedicated unit to identify fraud risk and determine the activities that the agency will engage in to mitigate that risk, we have concerns that EDD’s approach does not seem headed in this direction. The U.S. Government Accountability Office (GAO) recommends that fraud prevention units have sufficient authority, be the central repository for knowledge about the agency’s fraud prevention activities, and be the central coordinator of those activities. EDD’s new working group may be an improvement to its current approach to preventing fraud, but it would be an even greater improvement for EDD to centralize fraud prevention into a single unit with proper authority to adopt and manage a fraud prevention strategy. Although the scope of our review was limited to fraud prevention practices within the UI program, it would be consistent with GAO guidance and efficient use of resources for EDD to centralize its fraud mitigation efforts in one unit for all of its major programs.
EDD Has Not Determined the Effectiveness of Its Fraud Prevention and Detection Methods
Although EDD employs a variety of tools to prevent and detect potential fraud—such as matching claims against employment records and death records—it has not conducted any analysis of the effectiveness of these tools to determine how well they detect fraud. State law requires EDD’s director to periodically review its policies and practices to identify, in part, those that provide little or no value in preventing fraud or abuse in the UI program. However, EDD could not demonstrate that it had performed any such reviews since it reported the results of its first review to the Legislature in 2015. State law also requires EDD to report to the Legislature annually on its fraud detection and deterrence efforts, which it has done. Because of these two requirements, we expected that EDD would measure the effectiveness of each of its fraud prevention and detection tools to ensure that it is balancing its need to provide prompt payments to legitimate claimants with its need to prevent fraudulent payments. Although EDD annually reports on its fraud detection and deterrence efforts to the Legislature, it has not determined how reliably its tools and methods actually detect fraud. EDD’s lack of a single unit with the authority to oversee its fraud prevention and detection activities may be one of the reasons that no one at EDD has measured or assessed these tools’ effectiveness.
Understanding the effectiveness of its fraud detection tools is paramount to EDD’s success at balancing timely payment of benefits with reduced risk of fraud. For example, if EDD knew that most of the claims one tool flagged were indeed fraudulent, it would be reasonable for EDD to continue to rely on that tool. However, if another tool flagged many potentially fraudulent claims that turned out to be legitimate, it would be advisable to alter or remove it since the tool would delay payments to real claimants without detecting actual fraud as well as perhaps wasting valuable EDD resources.
EDD’s chief information officer asserted that EDD has collaborated with other departments, such as the California Department of Technology, to assess the effectiveness of EDD’s fraud prevention efforts. However, EDD was unable to provide any evidence of such an analysis or of any efforts to comprehensively understand the effectiveness of EDD’s fraud prevention and detection efforts. Such an analysis is critical to informing and continuously improving EDD’s approach. By evaluating outcomes of UI claims it identifies as having increased fraud risk, as well as identifying claims it did not flag as suspicious but later learned to be fraudulent, EDD can assess the frequency with which individual fraud detection efforts are successful. This will allow the department to update its fraud prevention strategy to prioritize the tools and techniques that prove most effective at stopping fraud and reduce or eliminate those that cause claimants unnecessary delays and yield little benefit.
EDD recently received additional federal funding to bolster its fraud prevention and detection efforts. In September 2020, the Department of Labor awarded EDD $2.4 million in grant funding to prevent and detect fraud in the UI programs implemented in response to the pandemic. Guidance associated with the grant provides examples of uses for these funds, including data mining and analysis. The guidance also suggests the use of the National Association of State Workforce Agencies’ Integrity Data Hub, a centralized, multistate data system that allows states to perform cross‑matches of claims, provides a national fraud alert system, and supports data analytics on multistate claims. In December 2020, EDD developed a draft spending plan with possible uses for the $2.4 million grant. Regardless of what it decides to do with the newly allocated funds, EDD must ensure that its fraud prevention and detection approach aligns with best practices. Until it does so, it cannot ensure that it appropriately protects the funding intended for qualified unemployed Californians from those who would defraud the State.
As we describe throughout this report, EDD’s approach to fraud prevention and detection demonstrates the weaknesses caused by its poor planning and program management. Had it implemented a centralized fraud unit responsible for overseeing its overall fraud approach, it would not have needed to rely on its several units to balance the decision‑making process and modifications it made early in the pandemic. It would have already had a dedicated unit responsible for advising it about and implementing those program changes to bolster its approach. Similarly, in nonpandemic times, this unit could likely have ensured that EDD’s approach to fraud was informed by evidence of effectiveness, which would provide greater assurances to the public and Legislature that delays in payments to legitimate claimants were appropriate delays. However, because EDD neglected to employ these best practices to mitigate fraud, its weaknesses in detecting and preventing fraud have been exposed during the pandemic. To address these weaknesses, EDD will need to take strategic and urgent steps to coordinate and strengthen its approach moving forward.
To ensure that EDD effectively protects the integrity of the UI program, the Legislature should amend state law to require EDD to do the following:
- By January 2022 and biannually thereafter, assess the effectiveness of its fraud prevention and detection tools and determine the degree to which those tools overlap or duplicate one another without providing any additional benefit. EDD should then eliminate any fraud prevention and detection approach for which it lacks clear evidence of effectiveness. It should include this assessment in its annual report to the Legislature on fraud detection and deterrence efforts.
- By July 2021, provide the Legislature with an update on its progress in performing this analysis.
To ensure that it maintains a robust set of safeguards against fraud, EDD should do the following:
- By March 2021, designate a unit as responsible for coordinating all UI fraud prevention and detection. EDD should assign that unit sufficient authority to carry out its responsibilities and align the unit’s duties with the GAO’s framework for fraud prevention.
- By May 2021, develop a plan for how it will assess the effectiveness of its fraud prevention and detection tools.
We conducted this performance audit in accordance with generally accepted government auditing standards and under the authority vested in the California State Auditor by Government Code 8543 et seq. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
ELAINE M. HOWLE, CPA
California State Auditor
January 28, 2021