Wednesday, June 11, 2025
This blog explores the practical aspects of implementing best practices in a government setting.

This blog was authored by Richard (Rick) Hoehne, Advisory Board Member with the Maurice R. Greenberg School of Risk Science at Georgia State University, with expertise in the areas of risk, fraud, and financial crime.

Ann Lewis’ blog, Six Best Practices to Stop Waste, Fraud, and Abuse, was first published on the Niskanen Center’s website, and examines the complexities of implementing the administration's executive order aimed at eliminating data silos and fraud in the federal government. Acknowledging the challenges posed by federal structure and IT contracting, Lewis proposes adopting private sector best practices, including secure APIs, continuous anti-fraud investments, robust identity management, balanced security, comprehensive audit logging, and strategic personnel placement. She underscores the importance of viewing fraud prevention as an ongoing process, not a one-time project. The government can draw valuable lessons from both its own past initiatives and established best practices used by large private-sector companies facing similar challenges. Inspired by this analysis and a recent report I co-authored, Enhancing Government Payment Integrity: Leveraging AI and Other Emerging Technologies, in this blog I explore the practical aspects of implementing these best practices in a government setting, focusing on the role of APIs, sustained investment in anti-fraud technologies, and effective ways to apply data at scale to identify bad actors and bad behaviors in order to stop improper payments. 

Best practice 1: Focus on APIs

APIs are a very powerful tool for providing and consuming data. In addition to publishing APIs, we should also consume data from APIs. Organizations should consider using APIs internally to promote sharing of information across agency departments. The Department of Treasury offers a good example: it provides APIs that any agency can consume to gain insight into payments and payment behaviors. APIs allow teams to maintain control over their systems while both sharing data with and consuming data from other teams. This modern data-sharing practice lets teams control what is shared, with whom, and when, balancing independence, speed, user privacy, and scalability.

Best practice 2: Move from single purpose point solutions to enterprise platforms

With one-year budget cycles, fraud systems have typically been deployed to address a single risk. Over time, agencies with multiple threat vectors have ended up with multiple payment integrity solutions that rarely share data, are expensive to operate, and do little to protect against the next threat. Leading financial institutions have begun evolving to a platform approach, where a single platform that identifies anomalous behavior can be applied to any threat vector. This ensures that data is shared across different use cases while also lowering operating costs, retiring technical debt, and ensuring a more secure future as threat vectors evolve.

Best practice 3: Combine identity management with role-based authentication

The first layer of defense in any comprehensive counter-fraud or program integrity program is “keeping the bad guys out”. This can be a challenge given advances in deep fakes, the availability of stolen identities, and more customer-friendly “digital” access. Successful organizations recognize identity management as a cornerstone of fraud prevention and seek to unify and leverage the behavioral data captured by identity management solutions to apply more sophisticated protections while streamlining the experience for normal operations. The data in modern identity management systems enables more advanced internal and external fraud protection, including “step-up” authentication, zero-trust architectures, role-based authentication, and APIs to share defined risks. Advanced financial institutions seek to unify their access controls via a Single Sign-On approach that centralizes access control, often partnering with proven identity verification providers. The same approach should be applied to internal users and combined with role-based authentication and minimal required privilege protocols.

Best practice 4: Move from pay and chase to continuous monitoring

For decades, pay and chase has been the standard due to the limitations and costs of technology combined with the sheer scale of data across government agencies. However, technology advances now allow agencies to leverage what modern financial institutions have been doing for years by moving fraud identification and mitigation to “pre-payment”, inline with established payment authorization workflows. Decision models based on AI scoring of transactional data can stop suspicious transactions and quickly detect new fraud schemes. Additionally, by using transactional data and moving to more robust, long-term anti-fraud capabilities that leverage continuous monitoring of transactions with AI-based detection and adaptive risk modeling, we can stop improper payments before they start.

Best practice 5: Modernize logging functions

If fraud is a study in behaviors and relationships, system logs generated by the technologies that process benefits and disbursements provide a wealth of data to understand behaviors at a very granular level. They can uncover every behavior, down to the very mouse clicks that the bad guys are using to originate their improper payments. The challenge is in finding the “needle” of an improper behavior in the vast haystack of data created by modern system logs. Advances in high-speed signal processing, generative AI, and AI analytics allow organizations to find the proverbial needle in the haystack of log data. Logs can also provide invaluable details for investigators as they trace every action leading up to a fraudulent event, regardless of whether the fraud originated internally or externally. When coupled with best practices 2 and 4, system logs are an untapped source of data to help identify fraud as it is developing so it can be stopped early and investigated quickly.

Best practice 6: Prioritize needed skills, including in procurement

The challenge with stopping fraud is that most people do not “think like bad guys”. They don’t know how to ask the right questions to ensure that a system or operation is protected by design. Successful organizations will have program integrity experts with domain knowledge, counter-fraud experience, and data science skills, including in procurement, to help identify weaknesses that can be exploited by fraudsters. This includes knowing how to apply the data from systems and operations to spot the behaviors and relationships that indicate fraud, and ensuring that systems and processes are not created with vulnerabilities that can be exploited. Successful private-sector companies recognize that having the right mix of skills and people is essential to detecting, discovering, and investigating fraud. Operationally, “digital workers” based on generative AI can enhance human skills by making people more productive in curating data and highlighting risks. Behind the scenes, having the right data skills can help prevent the creation of new data silos in government. Specifically, agencies must improve IT procurement by actively involving personnel with technical, fraud, and data science expertise within the procurement process.

In summary

Moving from point solutions to platforms (as a service), applying AI everywhere (especially in log analysis), fusing security and fraud (to share data and insights), having a modern data strategy (that leverages APIs), and shifting fraud processing to the left (by analyzing raw transactional data within the process) are fundamental best practices for a next-generation integrity program. Collecting, accessing, using, and protecting data is the key to being able to understand the behaviors and relationships needed to identify and stop fraud, waste, and abuse. Our best practices can help agencies make better use of data stored across a complex organizational ecosystem to reach decisions sooner with less effort and to stop improper payments. This needs to be a continuous improvement approach, as stopping a fraud scheme should never be considered a one-time initiative – it’s an ongoing necessity as threats evolve.