Flood Insurance: Forgone Premiums Cannot Be Measured and FEMA Should Validate and Monitor Data System Changes
What GAO Found
The actual forgone premiums—the difference between subsidized and full-risk premiums—to the National Flood Insurance Program (NFIP) due to subsidies cannot be measured. The Federal Emergency Management Agency (FEMA) does not collect flood risk information for all subsidized policies, which is needed to calculate their full-risk premium rates. GAO recommended in July 2013 that FEMA develop and implement a plan to obtain this information. FEMA agreed with the recommendation, but has not yet fully implemented it. Although FEMA is phasing out subsidies through statutorily required rate increases, collecting this information remains important because the number of subsidized policies—and associated financial impacts—could grow over time with the restoration of certain subsidies under the Homeowner Flood Insurance Affordability Act of 2014 that previous legislation had eliminated. Working with available data and FEMA's published statements describing the size of the subsidies, GAO estimated forgone premiums in the range of $16–25 billion for 2002–2013 but estimates vary based on the calculation used. As FEMA would have incurred additional expenses if it had been able to collect the forgone premiums, GAO estimated that FEMA might have had $11–17 billion in premiums net of expenses, or as much as $1 billion a year, for losses or debt repayment.
Estimated Range of National Flood Insurance Program (NFIP) Premiums Forgone during 2002-2013, in 2014 Dollars
FEMA did not have sufficient controls or monitoring in place to validate system changes (made because of the Biggert-Waters Flood Insurance Reform Act of 2012 (Biggert-Waters Act)) before they became effective, and some premium data were unreliable. Federal internal control standards suggest that agencies have controls, such as validating implementation of changes, to help ensure the accuracy of transactions. A FEMA contracting handbook also calls for monitoring a contractor's progress toward completion of specified requirements. However, FEMA did not validate that its contractor fully implemented changes and system checks, or verify the changes in vendors' software, before program changes became effective in October 2013. FEMA's monitoring reports also did not capture critical information to oversee the contractor's progress toward completion of the required changes. As a result, premium data on policies GAO analyzed are unreliable in the time period studied, some policyholders were charged inaccurate rates, and the full extent of delays and errors went undetected for nearly a year. Without better monitoring and controls over future changes, FEMA risks further inaccuracies in its data system.
Why GAO Did This Study
As of September 30, 2013, FEMA, which administers NFIP, had more than 1.1 million subsidized flood insurance policies—about 21 percent of all of its policies. Because their premiums do not reflect the full risk of losses, subsidized policies have been a financial burden on the program. Due to NFIP's financial instability and operating and management challenges, GAO placed the program on its high-risk list in 2006. The Biggert-Waters Act mandated GAO to report on the forgone premiums from subsidies in NFIP.
This report examines the forgone premiums associated with subsidies during 2002–2013 along with data reliability issues discovered in GAO's examination. Data for earlier periods were unavailable. GAO analyzed NFIP premium data, published statements about the size of the subsidies, and expenses associated with premiums. GAO also interviewed FEMA officials.
GAO recommends that FEMA institute controls to validate implementation of data system changes and track progress toward completion in its monitoring reports. GAO also maintains its position that a recommendation made in July 2013 ( GAO-13-607 ) that FEMA develop and implement a plan to obtain flood-risk information needed to determine full-risk rates for properties with subsidized rates is valid and should be fully implemented. FEMA agreed with the new recommendations and discussed its approach for addressing the July 2013 recommendation.
Recommendations for Executive Action
|Department of Homeland Security||To better ensure that future data system changes are fully and accurately implemented before they become effective, the Secretary of the Department of Homeland Security (DHS) should direct the FEMA Administrator to institute internal controls, such as testing a sample of policies, to validate that the data system contractor fully implemented changes and edit checks before program changes become effective.||
In March 2015, the Federal Emergency Management Agency (FEMA) instituted the use of a new procedure manual, including a testing plan, for data system programming changes required to implement National Flood Insurance Program rate and rule changes. This procedure manual outlines the steps and approvals needed to plan, develop, test, and deploy data system changes. According to the procedure manual, the purpose of the test phase is to verify that the functionality of the data system meets established requirements. The test phase includes three types of testing. First, data system contractor staff will perform tests to verify that the new or modified data system functions are complete before release. FEMA will review this testing plan. Second, for major data system changes that impact FEMA business rules and requirements, the contractor and FEMA will identify a sub-population of impacted data records and the contractor will conduct a targeted review to verify that the software changes are executing and performing as required. Third, the contractor will conduct a comprehensive sampling validation. This random sample testing will be conducted before and after changes become effective to validate that the results are in accordance with expected norms for errors. The procedure manual also calls for periodic checkpoint reviews between the data system contractor and FEMA to ensure that FEMA has approved the work being produced. For example, the contractor will conduct a Production Readiness Review to obtain FEMA's approval that the system is ready for deployment. According to FEMA, the contractor conducted sample testing of the April 2015 program changes and will conduct a comprehensive validation. The complete procedure manual is being implemented with the November 2015 program changes.
|Department of Homeland Security||To better ensure that future data system changes are fully and accurately implemented before they become effective, the Secretary of the Department of Homeland Security (DHS) should direct the FEMA Administrator to require the data system contractor to include detailed information on the progress toward completion of major data system changes in regular monitoring reports, such as weekly status updates and monthly reports.||
In March 2015, the Federal Emergency Management Agency (FEMA) completed a new standard operating procedure manual to monitor progress toward completion of major data system changes. This procedure manual outlines the steps and approvals needed to plan, develop, test, and deploy data system changes. The manual also includes a sample monitoring report that includes a list of key milestones, three status categories (on schedule, closely monitor, or critical watch item), and space to record other activities or comments related to each milestone. FEMA also provided an example of a report that its data system contractor currently uses to track progress on implementing data system changes. This report identifies program changes being tracked and specific steps the contractor has taken on each. The contractor enters updated comments about the status of implementing data system changes and points to discuss with FEMA. According to FEMA, this contractor-produced report is updated weekly and discussed in a weekly meeting between contractor and FEMA staff.
|Department of Homeland Security||To better ensure that future data system changes are fully and accurately implemented before they become effective, the Secretary of the Department of Homeland Security (DHS) should direct the FEMA Administrator to obtain information verifying the status of software vendors' implementation of program changes in their systems before program changes become effective. For example, this could include instructing Write-Your-Own and the direct agent to include controls or status updates in the terms of work or contracts with their software vendors.||
FEMA has implemented a new validation process, which includes obtaining samples of updated forms and data that vendors generate before program changes are effective. In July 2015, FEMA sent a notice to Write Your Own (WYO) companies and the direct servicing agent requesting that they implement all system changes at least 60 days prior to the effective date of program changes and submit sample files demonstrating implementation 30 days before the effective date of program changes. The information submitted in sample files is generated by vendors if a WYO company uses one. FEMA's process for validating this information includes both manual review of sample files and automated data testing. FEMA implemented this process with the November 2015 program changes and identified and corrected errors during the validation. FEMA is continuing to follow these steps with the April 2016 program changes. FEMA staff said they would also follow these steps in other future program changes.