The Executive Order on Preventing Identity Theft in Public Benefits Programs will include new actions supporting victims of identity fraud and address bias that results in disparate outcomes.

President Biden originally established the initiative in May 2021, consisting of the American Rescue Plan coordinator and Office of Management and Budget working in consultation with the NSC, Pandemic Response Accountability Committee, inspectors general and Government Accountability Office.

“Under my administration the watchdogs are back,” Biden said, during his State of the Union address Tuesday evening. “And we’re going to go after the criminals billions of relief money meant for small businesses and millions of Americans.”

Biden further announced the Department of Justice would appoint a chief prosecutor to its COVID-19 Fraud Enforcement Task Force to focus on the most egregious pandemic fraud including identity theft by large-scale, foreign-based crime syndicates. The task force will receive heightened resources — like next-generation data analytics tools for identifying fraud in the Paycheck Protection Program and unemployment insurance — and enhance penalties for fraudsters.

The task force includes nearly 30 agencies working to recover billions of dollars in stolen funds across more than 200 investigations involving more than 1,800 people and entities. Already more than 1,000 cases have been charged.

Previously the Biden administration directed multi-state data sharing to detect and fight unemployment insurance fraud and has screened a record number of benefits payments.

“The dramatic outpouring of pandemic relief in 2020 saw an expansion of foreign and domestic criminal syndicates defrauding unemployment insurance and other benefits programs to rob American taxpayers of billions of dollars that should have gone to support deserving small businesses and workers who had lost their jobs,” reads the White House announcement. “The Federal Trade Commission reported a 3000% increase in reports of identity theft involving public benefits from 2019 to 2020.”

The post NSC cyber team joins fight against pandemic fraud appeared first on FedScoop.

“Although the Login.gov team is researching facial recognition technology and conducting equity and accessibility studies, GSA has made the decision for now not to use facial recognition, liveness detection, or any other emerging technology in connection with government benefits and services until rigorous review has given us confidence that we can do so equitably and without causing harm to vulnerable populations,” said Dave Zvenyach, director of TTS, in a statement provided to FedScoop.

“There are a number of ways to authenticate identity using other proofing approaches that protect privacy and ensure accessibility and equity.”

Login.gov ensures users are properly authenticated for agencies’ services and verifies identities, and the Technology Transformation Services team that manages it is also studying facial recognition equity and accessibility.

GSA‘s methodical evaluation of the technology contrasts with that of the IRS, which announced Monday that it would transition away from using ID.me‘s service for verifying new online accounts after the company disclosed it lied about relying on 1:many facial recognition — a system proven to pose greater risks of inaccuracy and racial bias.

Login.gov currently collects a photo of a state-issued ID and other personally identifiable information, which are validated against authoritative data sources. The last step involves either sending a text message to the user’s phone number or a letter to their address containing a code that must be provided to Login.gov to complete identity verification.

More than 60 applications across 17 agencies — including USAJOBS at the Office of Personnel Management and the Paycheck Protection and Disaster Loan Application programs at the Small Business Administration — use Login.gov, encompassing more than 17 million users.

GSA’s rejection of facial recognition for Login.gov was first reported by The Washington Post, but the technology is most certainly in the agency’s, and the government’s, future.

The White House Office of Science and Technology Policy is crafting an Artificial Intelligence Bill of Rights to protect people from technology infringements and focused its initial request for information on biometrics like facial recognition.

While OSTP’s definition of biometrics needs refining, not all facial recognition algorithms are prejudicially biased. Technical and operational bias also exist and don’t necessarily lead to inequitable outcomes.

“There are not direct correlations between technical and operational biases and prejudicial bias,” Duane Blackburn, science and technology lead at MITRE‘s Center for Data-Driven Policy, told FedScoop in January. “Even though in a lot of policy analyses they’re treated as equivalent.”

The post GSA won’t use facial recognition with Login.gov for now appeared first on FedScoop.

The Pandemic Analytics Center of Excellence, created by the Pandemic Response Accountability Committee (PRAC), will provide the federal inspectors general (IG) community with fraud-fighting tools allowing them to share data analytics and practices to assist with their audit and investigative work.

So far IGs have only managed to return or seize $2.5 billion of the $84 billion in potential fraud committed between the Small Business Administration‘s Paycheck Protection Program (PPP) and Economic Injury Disaster Loan (EIDL) program, according to a memo released by the House Select Subcommittee on the Coronavirus Crisis on Thursday.

“In order to fulfill the PRAC’s mission we need better technological tools for IGs and our oversight partners, including the use of advanced data analytics,” said PRAC Chair Michael Horowitz, IG of the Department of Justice, during a subcommittee hearing the same day.

The Coronavirus Aid, Relief, and Economic Security (CARES) Act created PRAC, which is comprised of 22 IGs from across government who are charged with seeing to it that federal funds, like those in the CARES Act and the American Rescue Plan Act, are spent properly. The committee is working with the Office of Management and Budget and other agencies to address fraud data gaps.

Despite the $84 billion potentially lost to fraud, Republicans on the House subcommittee touted the fact SBA used the PPP and EIDL programs to quickly give $910 billion in COVID-19 relief to small businesses.

“[T]his subcommittee is focused on attempting to tear down a bipartisan program that kept the economy afloat during the early and toughest days of the pandemic,” said Rep. Jim Jordan, R-Ohio, the ranking member. “We all agree fraud is bad. But we should all agree that a 99% success record is unprecedented, and we have President Trump to thank for that.”

But $84 billion in fraud would be more than 9% of the money SBA distributed, and the agency’s IG found the Trump administration ignored fraud flags, awarded loans with little to no vetting and abandoned a rule that two employees approve applications in the case of EIDL. Proper controls were added to SBA’s electronic loan application system, E-Tran, too late in the case of PPP.

Then-Treasury Secretary Steve Mnuchin cited the need for speedy loan delivery for the inevitable problems that arose at the time.

“Let me be clear: That is a false choice,” said Rep. Jim Clyburn, D-S.C., chair of the subcommittee. “Americans should not have to and did not have to choose between quickly getting aid during a crisis and preventing the theft or waste of billions of tax dollars.”

SBA has yet to conduct a formal fraud risk assessment for PPP or EIDL.

COVID-19 relief fraud investigations will continue for a decade because that’s how long the loans will be in SBA’s portfolio, said Mike Ware, IG at SBA.

“As we continue to address our processing backlog, we will employ data analytics to further triage and guide these efforts,” Ware said. “Data analytics have made a difference in our office’s ability to keep our stakeholders currently and fully informed in a timely manner.”

The SBA Office of Inspector General overlaid its data with the Treasury Department‘s Do Not Pay list and found “quite of bit of money” went to people who should never have been paid, Ware said. Analytics also helped catch duplicate PPP payments.

A problem with lists is that the fraudsters on them quickly learn to steal other people’s identities in order to continue their work. And identity theft was prevalent in EIDL fraud cases and reared its head with PPP loans as well, Ware said.

Some in the tech industry have advocated for automated screening as a fraud deterrent, in lieu of lengthy, inefficient investigations after the fact.

But the first three supplemental appropriations SBA OIG received to improve COVID-19 relief oversight were put toward recruiting auditors, analysts and criminal investigators; EIDL fraud investigative staff and data analytics; and increasing investigative capacity, Ware said.

A total of $142 million was allocated to the oversight community in the American Rescue Plan Act passed earlier this month.

“The Biden administration and Congress have also worked together to ensure that critical oversight bodies like the PRAC, [Government Accountability Office] and IG community have the resources and tools they need to do their jobs,” Clyburn said.

The post Pandemic Analytics Center of Excellence will help IGs investigate fraud appeared first on FedScoop.

E-Tran didn’t always prevent duplicate Paycheck Protection Program (PPP) loans made between April 3 and Aug. 9, when the loans were disbursed. Reasons included the computer script for detection stopped working, lender submissions used employer identification numbers and Social Security Numbers interchangeably, and some buyers applied via multiple lenders, according to SBA OIG‘s report.

The House Select Subcommittee on the Coronavirus Crisis requested the report, in part, because it wants to ensure E-Tran vulnerabilities are addressed before the remaining $150 billion in PPP loans are disbursed.

“Loans given to ineligible borrowers place taxpayer funds at risk of financial loss and delayed the amount of available critical capital needed for eligible businesses to withstand the effects of the pandemic during the first round of PPP funding,” reads the report.

Congress appropriated $659 billion, all told, for PPP loans intended to cover struggling small businesses’ payroll, rent and utilities.

About 4,260 borrowers received multiple PPP loans, despite SBA working with lenders to implement E-Tran controls in May. OIG found SBA temporarily turned off those controls between June 23 and 30 to resolve duplicate loans already identified with lenders, leading to more duplicate loans being made during that time.

OIG recommended SBA review potential duplicate loans and recover improper payments, review E-Tran controls to ensure those loans aren’t forgiven, strengthen controls for future PPP-type programs, and improve guidance for lenders — all of which SBA agreed to do.

“The inspector general’s report is consistent with the select subcommittee’s findings last year that billions of dollars in PPP loans issued by the prior administration may have been diverted to fraud, waste and abuse,” Rep. Jim Clyburn, a Democrat from South Carolina who chairs the subcommittee, said in a statement. “Today’s report is yet more evidence of the Trump Administration’s poor implementation of PPP, which ignored the intent of Congress by failing to get vital assistance to the neediest small businesses.”

SBA argued it was unlikely that borrowers intentionally exploited E-Tran’s initial vulnerabilities because only lenders have access, but OIG was quick to point out fraud still occurred.

The agency’s loan review plan states PPP loans are subject to automated screening. But software company Giant Oak ran the Department of Justice‘s first 57 PPP loan fraud defendants through its GOST screening platform and found 25% of them had committed fraud previously that should have barred them from receiving relief, CEO Gary Shiffman, who’s also a Georgetown professor, told FedScoop.

“That’s a very strong indication that they weren’t doing screening,” Shiffman said. “And in their statements, they were trying to get the money out quickly, so they were relying on the investigation as the deterrent.”

Most fraudsters assume the odds of an investigation into a loan less than $150,000 is low, and investigating fraud after the fact is “incredibly inefficient” compared to deterring it all together with screening, he added.

SBA did not respond to multiple requests for comment.

Fraud occurred 16% of the time when the Federal Emergency Management Agency disbursed relief after hurricanes Katrina and Rita, which in PPP’s case could mean as much as $105.4 billion in jeopardy, Shiffman said.

If SBA is committed to screening now, it will need to abandon static lists of past criminal convictions in favor of machine learning that examines patterns of fraudulent behavior, he said.

Machine-learning models can create prioritized lists of the highest to lowest threats, and if SBA vets the top 1%, then they’ve done a “phenomenal job,” Shiffman said.

The post Missing E-Tran controls saw SBA issue $692M in duplicate pandemic relief loans appeared first on FedScoop.

The Biden administration announced a two-week window starting Wednesday where only small businesses with less than 20 employees may apply for Paycheck Protection Program (PPP) forgivable loans to keep their workforces employed during the pandemic.

As new legislation and executive mandates attempt to provide relief where it hasn’t yet been granted, SBA is scrambling to make changes to its E-Tran loan system and program portals.

“We’ve been obviously faced with a tremendous scaling challenge…in terms of the volume of transactions we are processing,” said Sanjay Gupta, chief technology officer at SBA, during an ATARC event Thursday. “But also more importantly the velocity at which we are processing this higher volume.”

Businesses went under because initial PPP loans dragged into the summer as SBA struggled to process requests for $400 billion in relief funds and adjust E-Tran to shifting rules for eligibility, financial institutions, terms and conditions, and transferring loans into grants.

SBA also responds to disasters, and President Biden declared Texas’ snowstorm a major disaster earlier this week. The declaration will mean a workload surge for SBA on top of dealing with PPP and Economic Injury Disaster Loans for the pandemic, Gupta said.

Fortunately, SBA’s cloud migration began in 2017, allowing it to scale with increased employees better than it would otherwise. But in March the agency accelerated implementation of a cloud-based secure connector, in lieu of its traditional virtual private network, to improve security and visibility into traffic and performance.

Conditional access — which throttles users’ access if they fail to meet certain conditions related to things like where they’re connecting to the network — has proven helpful during the pandemic. The same is true for geofencing, which took six hours to implement in March and took care of traffic from foreign countries trying to access pandemic loan portals, Gupta said.

SBA is relying on native capabilities more heavily when it comes to cybersecurity tools, anomaly detection and machine learning.

“We are automating these things,” Gupta said. “So a year from now you’ll see a higher resilience posture.”

Uniquely identifying virtual machines on SBA’s network continues to be a challenge however, Gupta said. He led SBA’s 90-day Continuous Diagnostics and Mitigation modernization effort in coordination with the Cybersecurity and Infrastructure Security Agency, and together they developed a model for identification.

Virtual machines are instantiated as needed and may need to be created and destroyed in microseconds. SBA’s model attempts to track and manages those machines in a cloud environment and was published in a report, but the CDM team has yet to release guidance.

“I’m sure it’s in the works,” Gupta said.

The post SBA adapting IT systems providing COVID-19 relief amid program changes appeared first on FedScoop.

SBA made technical improvements to lessen the demand on its overloaded E-Tran loan system, Deputy CIO Guy Cavallo told the Committee on Small Business’ Oversight Subcommittee Wednesday. But those changes aren’t a substitute for modernizing E-Tran, which SBA planned to replace back in 2015, said Rep. Judy Chu, D-Calif., the subcommittee chair.

“The agency can’t rely on a system that is incapable of meeting high demand in a crisis,” Chu said.

SBA’s Office of the CIO doubled E-Tran’s network connectivity a week or two before the agency began accepting Paycheck Protection Program (PPP) applications for forgivable loans up to $10 million to keep workforces employed during the pandemic.

The office also approved a “significant” hardware investment to improve E-Tran’s “horsepower” and built a lender gateway as a cloud-based app to lessen the front-end load — allowing small banks to apply for PPP loans more easily, Cavallo said.

“For something like E-Tran, that we can’t modernize overnight, what we’re trying to do is put a new front-end in front of it so that the small business owner or the citizen is able to more easily interact with the system,” Cavallo said. “We were able to do that successfully for a number of these programs.”

Still, the PPP portal went down for four hours during launch and crashed again when it reopened in late April. The Government Accountability Office foresaw such an occurrence in a 2014 report, where it warned SBA was “unprepared” for a large number of disaster loan applications at the beginning of a response.

SBA also ran into trouble with its Economic Injury Disaster Loan (EIDL) portal, when the personally identifiable information (PII) of about 8,000 applicants was potentially exposed for several hours. The overwhelming demand for EIDL loans, $1,000 per employee for up to 10 employees, also led to outages, so OCIO developed an interim, cloud-based solution to intake applications until the finalized portal was ready.

“However — while making multiple system changes in the middle of the night in such a short time — a mistake was made in one of the system’s configuration, which actually exposed PII data for some individuals,” Cavallo said.

The 6 a.m. error was discovered within three hours, reported to the U.S. Computer Emergency Readiness Team an hour after that, and fixed. The General Services Administration completed free credit monitoring for potential victims on March 29 and 30, with offer letters sent out once addresses could be validated.

Some recipients thought the letters themselves were a scam, and affected businesses were forced to reapply for EIDL loans and shut out of the program when SBA leadership decided to limit applications to agricultural businesses, Chu said.

‘Questionable’ investments

E-Tran is handling loan applicant traffic currently, but lawmakers wanted to know how SBA intends to avoid outages in the future.

SBA received an additional $2.1 billion to staff up during the pandemic, much of which has gone toward the IT help desk and network and security operations centers, Cavallo said.

“SBA has made some questionable IT investments into its contracting and business development programs, making various attempts to streamline application processes and enhance staff oversight and management of these programs,” said Rep Ross Spano, R-Fla., the subcommittee’s ranking member.

The agency also spent $27 million on its new certify.sba.gov identity authentication platform, which has yet to be “fully realized,” Spano said.

In its 2019 Federal Information Technology Acquisition Reform Act scorecard, SBA received a C grade for IT portfolio management and a D grade for cybersecurity.

Cavallo argued SBA still has the third-highest cumulative score in government. The agency is further helping the Department of Homeland Security implement the Continuous Diagnostics and Mitigation program in a new, cloud-based solution.

“We think the combination of those scores do not accurately reflect where we are today,” Cavallo said. “Otherwise DHS would not have selected us to pilot two critical cybersecurity pilots with them that have changed federal policy.”

The post Lawmakers question SBA technology investments after loan system outages appeared first on FedScoop.

Login.gov was tasked with providing authentication and identity verification services to agencies that are allocating funding under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. That includes SBA’s Paycheck Protection Program, a loan initiative for small businesses, although in that instance only banks are using login.gov.

Login.gov is a single sign-on project, spearheaded by the 18F and the U.S. Digital Service teams, that allows users to log in to multiple government websites with the same email address and password combination.

The CARES Act provision allowed SBA to shorten its timeline for bringing 16 legacy systems under the central authentication of login.gov. Legacy systems with their own, separate modes of authentication can be an impediment to adopting login.gov. So instead of forcing everything over individually, SBA created a middle layer called an “identity broker” in-house.

As the single point of contact with login.gov, the identity broker allowed SBA to control how it integrated systems.

Anti-spoofing ‘liveness detection’

Technology Transformation Services is also vetting a “liveness detection” solution for login.gov, with plans for it to be fully certified under the National Institute of Standards and Technology’s Digital Identity Guidelines by the fall.

TTS has experimented with liveness detection — algorithms used to catch attempts to spoof biometrics like fingerprints or facial images during login — previously. But the last solution was pulled due to too many false matches.

The new solution is being certified through Kantara’s identity assurance framework.

Login.gov authenticates as many as half a million users a day across 24 agencies, including the Office of Personnel Management, U.S. Customs and Border Protection, and USDS itself.

Correction: May 22, 2020. An original version of this story incorrectly stated 18F is vetting liveness detection for login.gov. Technology Transformation Services is doing the experimentation.

The post Login.gov is adding a new agency, and also vetting ‘liveness detection’ technology appeared first on FedScoop.

Several people interviewed for the job, and OMB had to finalize the selection.

Roat takes over for Margie Graves, who retired from government at the start of the year.

“We’re thrilled to have Maria join OFCIO and the OMB team,” said Federal CIO Suzette Kent in the announcement. “The experience and leadership Maria brings to the role of deputy federal chief information officer will be an asset to efforts to shape a secure, modern, and data driven government.”

Previously Roat served as CIO of the Small Business Administration since October 2016, where she took on more leadership in interagency federal IT functions like the CIO Council, where she co-chairs the Innovation Committee. She also sits on the board of the Technology Modernization Fund.

Roat comes to the White House with first-hand experience with the pressures that the coronavirus pandemic has put on federal IT. SBA’s its E-Tran loan system timed out multiple times during the second round of Paycheck Protection Program (PPP) applications in April. Earlier that month, personally identifiable information from about 8,000 Economic Injury Disaster Loan applicants was potentially exposed, a fact SBA made public.

Roat’s successor at SBA is Guy Cavallo, who has been deputy CIO since late 2016.

The post Maria Roat officially named deputy Federal CIO appeared first on FedScoop.

Lenders applying on behalf of small business clients for the second round of Paycheck Protection Program (PPP) loans on its E-Tran system saw it time out multiple times Monday.

The separate, bulk submissions, consisting of 5,000 applications minimum, that big banks favor worked better.

“You have very fast-moving legislation, and then there’s a lot of interpretation that’s going on,” Marty Puranik, CEO of cloud hosting company Atlantic.net, told FedScoop. “SBA has a lot of challenges because it’s having to do things it’s never done before.”

While SBA quickly stood up a portal for PPP — which provides forgivable loans of up to $10 million to keep small businesses’ workforces employed during the pandemic — part of it either isn’t working or being overtaxed, Puranik said.

SBA did not respond to a request for comment on the cause or extent of E-Tran’s issues.

Smaller lenders and fintech companies like PayPal successfully used E-Tran to apply for loans for the initial $342 billion in stimulus funds made available to small businesses, while big banks took longer to set up their systems because of how quickly PPP was introduced.

In response, SBA attempted to introduce a pacing system — limiting lenders to 350 applications an hour on E-Tran — for the second round of $310 billion in PPP funds released Monday. This time big banks were the beneficiaries of system issues, Puranik said.

“Our member banks across the country are deeply frustrated at their inability to access [SBA’s] E-Tran system,” tweeted Rob Nichols, president and CEO of the American Bankers Association, on Monday. “We have raised these issues at the highest levels. Until they are resolved [America’s banks] will not be able to help more struggling small businesses.”

While smaller lenders and fintech companies fared better during the first round of PPP, that meant the loans skewed toward wealthy, private client groups and large companies — not small businesses using major banks.

JPMorgan Chase & Co.’s average loan was valued at about $500,000, and the Los Angeles Lakers received a $4.6 million loan, despite being valued at $4.4 billion and only 45% of Los Angeles County residents being employed. The NBA team has since returned the money.

“Virtually no small businesses got any loans,” Puranik said.

A better process might be for SBA to accept all loan applications and then make awards via a lottery, or else a reverse lottery where portions of the pot go to employers with certain ranges of employees, he added.

SBA will need to work out the kinks with E-Tran because PPP will only fund businesses for about two months.

Part of PPP loan forgiveness is that small businesses must hire employees back, but some workers might not return if they’re making more on unemployment and the coronavirus is still a threat to them at, say, their restaurant job. In that situation the business could become burdened with the low-interest loan, unless future stimulus legislation forgives loans if businesses merely remain open or retain a certain amount of employees, Puranik said.

That means more work for SBA, and there’s also the Economic Injury Disaster Loan (EIDL) program to consider. EIDL also received stimulus funding and was originally intended to be a $10,000 loan for applicants, but SBA interpreted the law to mean $1,000 per employee for up to 10 employees — meaning the smallest businesses won’t receive the full amount.

“The little guys have the least margin for error,” Puranik said, and every adjustment changes portal business rules.

Crashes haven’t been that portal’s only issue, as earlier this month personally identifiable information from about 8,000 EIDL applicants was potentially exposed, according to SBA.

SBA disabled the portion of the website at issue and relaunched the portal. But the cause of the problem, data exposed and length of time it was available were unclear.

“Nobody’s claiming to have all that data out there,” Puranik said. “So I think they were just releasing that as a government agency, which in a way if that’s what happened, that’s great they would be forthcoming because in corporate America it’s usually the other way.”

The post SBA loan system woes may persist with more stimulus legislation likely appeared first on FedScoop.