Skip to Highlights

What GAO Found

By implementing new controls since the mid-2000s, the Federal Emergency Management Agency (FEMA) improved its ability to detect improper and potentially fraudulent payments, but GAO identified continued weaknesses in the agency's validation of Social Security numbers, among other things. As of August 2014, FEMA stated that it had provided over $1.4 billion in Hurricane Sandy assistance through its Individuals and Households Program (IHP)—which provides financial awards for home repairs, rental assistance, and other needs—to almost 183,000 survivors. GAO identified $39 million, or 2.7 percent, that was at risk of being improper or fraudulent, compared to 10–22 percent of similar assistance provided for Hurricanes Katrina and Rita. GAO identified payments as at-risk if they had characteristics indicating, for example, that ineligible recipients or duplication of assistance could be involved. However, it is not possible to determine whether these payments were definitively improper or fraudulent without inspecting each payment. FEMA officials reviewed GAO's findings and stated that at least $6.1 million of the $39 million were not improper or fraudulent, but GAO could not independently confirm their conclusions for each payment.

In February 2006, FEMA began using a tool to validate the identity of applicants during registration. FEMA also hired contractors to inspect damaged homes to verify the identity and residency of applicants and that reported damage was a result of Hurricane Sandy. However, in this review, GAO found 2,610 recipients with potentially invalid identifying information who received $21 million of the $39 million GAO calculated as potentially improper or fraudulent. GAO's analysis included data from the Social Security Administration (SSA) that FEMA does not use, such as SSA's most-complete death records. Collaborating with SSA prior to providing assistance could give FEMA additional information to further reduce its risk of assisting ineligible applicants.

FEMA and state governments faced challenges in obtaining the data necessary to help prevent duplicative payments from overlapping sources. For example, FEMA was unable to identify potentially duplicative rental-assistance payments to recipients of its Sheltering and Temporary Essential Power pilot program, in part because it did not request the necessary data from states at the program's outset. FEMA recently took steps to make data sharing among programs easier, including initiating a committee to explore ways to maintain and share relevant data needed to evaluate and help prevent potentially duplicative assistance in the future. In addition, FEMA relies on self-reported data from applicants regarding private home insurance—a factor the agency uses in determining benefits, as federal law prohibits FEMA from providing assistance for damage covered by private insurance. By examining data from entities that provide federally backed mortgages, GAO identified 534 individuals receiving over $2.3 million in home repair and personal property assistance who said they did not have private insurance but had mortgages that require such insurance. FEMA reviewed 55 cases and stated that 32 were likely appropriate because the assistance was for damage not covered by private insurance. However, the risk remains that some individuals may have received assistance from FEMA for ineligible expenses. Assessing a variety of methods to verify self-reported data would provide FEMA greater assurance that it has a cost-effective means of obtaining sufficiently accurate and reliable information.

Why GAO Did This Study

Hurricane Sandy struck the United States in October 2012, causing an estimated $65 billion in damages. FEMA provides assistance to survivors through IHP and other programs. Part of its mission is to provide assistance quickly, but GAO previously identified weaknesses in FEMA's ability to do so while protecting government resources. Moreover, GAO's 2006 reports on Hurricane Katrina and Rita showed that FEMA did not consistently validate the identity of applicants or inspect damaged properties.

GAO was asked to review the internal controls FEMA's IHP used in response to the storm. This report discusses (1) the extent to which FEMA implemented controls to help prevent IHP payments that are at risk of being improper or potentially fraudulent and (2) challenges FEMA and states faced obtaining information to help prevent IHP payments from duplicating or overlapping with other sources in its response to Hurricane Sandy.

GAO reviewed FEMA's records for assistance provided to the five states that received IHP following the storm, assessed FEMA's controls to prevent individuals from fraudulently receiving disaster assistance, and interviewed FEMA officials and selected officials from states impacted by the storm.

Skip to Recommendations


GAO recommends, among other things, that FEMA collaborate with SSA to obtain additional data, collect data to detect duplicative assistance, and implement an approach to verify whether recipients have private insurance. FEMA concurred with the recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Federal Emergency Management Agency To help FEMA prevent improper payments, the Administrator of FEMA should assess the cost and feasibility of addressing limitations in FEMA's control for identifying duplicate information in applications in high-risk data fields--such as SSN, bank-account information, address, and phone number--that may currently allow individuals or households to improperly receive multiple payments, and if determined to be costbeneficial take steps to address the system design limitation.
Closed - Implemented
In December 2017, FEMA reported that the agency had reviewed its software system's controls for identifying the duplicate information identified by our report, and that the root cause of the duplication was associated with its address correction process. Further, FEMA reported that the agency had worked with its software developers and implemented a fix to capture these duplicates. FEMA also reported that its review of the cases referred by GAO indicated the SSN and EFT cases were not duplicative because these applicants appeared to be survivors of multiple disasters. Additionally, FEMA reported that the agency chose not to develop a system to identify duplicate phone numbers because in many disaster scenarios, multiple applicants will use the same phone number as part of their application, such as when multiple applicants use a single shelter?s contact information. In such situations, multiple applicants may provide the same phone number. By reviewing these cases and revising its software system controls for identifying duplicate or incorrect address information, FEMA can better ensure it prevents improper disaster assistance payments to ineligible applicants.
Federal Emergency Management Agency To prevent assistance that duplicates homeowner insurance benefits, the Administrator of FEMA should evaluate options, including costs and feasibility, to identify an approach for verifying the accuracy of self-reported information FEMA receives on whether applicants have private homeowners insurance. Such options could include posing additional questions to applicants, sharing data with federal agencies to identify federally backed mortgages, or developing a data-sharing approach with private insurance companies.
Closed - Implemented
In our report, we identified 534 Individuals and Households Program (IHP) recipients as receiving potentially duplicative or fraudulent payments after determining that the applicants had federally-backed mortgages on their damaged homes. Federally-backed mortgages require homeowners to hold homeowners insurance, but these 534 recipients reported in their applications that they did not have such insurance. FEMA identified $794,122 in assistance to 424 applicants as payments that should have been paid for through the applicants homeowners insurance instead of through the IHP. FEMA estimated that costs to add a new question to the IHP application form to address this issue were about $25,000. FEMA officials determined that, because the cost of adding a question to the application was less than the $794,122 identified as duplicative payments, it would be cost effective to add the question, "Do you have a mortgage for the damaged residence?" to the IHP application in 2017. FEMA further evaluated the option of sharing data with federal mortgage agencies to identify duplicative payments during future disasters, but found that the mortgage agencies did not have sufficient details about insurance providers or coverage plans to make conclusive determinations about applicants' claims. A memo dated November 10, 2015 from FEMA's Director of the Recovery Programs Technology Division outlines the requirements for the addition of the question to the application in 2017.
Federal Emergency Management Agency To help FEMA prevent improper payments, the Administrator of FEMA should collaborate with SSA to assess the cost and feasibility of checking recipient SSNs against the Enumeration Verification System and the full death file to more accurately identify recipients who used Social Security numbers (SSNs) that were ineligible or belonged to likely deceased individuals, document the results of this assessment, and if determined to be cost-beneficial take steps to implement a partnership to use SSA data.
Closed - Implemented
In March 2018, FEMA reported that the agency had collaborated with SSA to assess the feasibility of a direct data exchange with SSA for the purpose of identifying recipients using SSNS that were ineligible or likely belonged to deceased individuals. Based on its analysis, FEMA reported that it had chosen to maintain its use of the data service provided by Lexis, rather than establish a direct data exchange with SSA, for several reasons. According to FEMA, these reasons include the additional data and transactions costs associated with establishing a new data exchange with SSA; the timing of batch processing associated with SSA's data exchange, which FEMA stated could delay the assistance process "by as much as 24 hours"; as well as other factors. FEMA also provided evidence that it had documented the results of these assessments, in accordance with GAO's recommendation. By taking these steps, FEMA has greater assurance that it has a cost-effective means of obtaining sufficiently accurate and reliable information for ensuring it does not provide assistance to ineligible applicants.
Federal Emergency Management Agency To help FEMA prevent improper payments, the Administrator of FEMA should, as part of updates to legacy systems, redesign the compliance flag in the IHP system to clearly identify and document applicants' compliance with the National Flood Insurance Program requirements at the time when assistance for flood-related damage was provided through IHP.
Closed - Implemented
We identified 1,322 individuals who received about $10.5 million from FEMA in Individuals and Households Program (IHP) assistance while flagged as being non-compliant with a flood-insurance requirement. However, in reviewing a non-generalizable sample of these individuals, FEMA determined that some of the individuals flagged as non-compliant in its system were, in fact, compliant with the requirement at the time of payment. FEMA acknowledged that the compliance flag in its system was unreliable because its value was overwritten with every new transaction, leaving no record of the value at the time payments were made. FEMA noted that this problem made it more difficult for FEMA to identify and correct systemic or individual performance errors in the event that case managers made errors in eligibility determinations. To help FEMA prevent improper payments, we recommended that FEMA redesign the compliance flag in the IHP system to clearly identify and document applicants' compliance with the National Flood Insurance Program requirements at the time when assistance for flood-related damage was provided through IHP. FEMA revised the compliance flag so that it allowed for data to be retained that would identify and document an applicant's compliance with the requirement at the time that assistance was provided through IHP. This change will allow FEMA to more reliably determine eligibility for IHP assistance based on compliance with flood-insurance requirements and enhance FEMA's ability to detect improper payments made to non-compliant IHP applicants.
Federal Emergency Management Agency To facilitate more-effective data sharing with state-level partners and enhance FEMA's ability to prevent duplicative benefits, the Administrator of FEMA should, as part of its committee that is implementing enhanced data-sharing between Public Assistance and Individual Assistance programs, establish data-reporting requirements for states, including specific fields needed and a standard process for comparing information across programs, including IHP and Sheltering and Temporary Essential Power, to better position FEMA to evaluate such pilot programs and to help prevent potential duplicative payments.
Closed - Implemented
In April 2017, FEMA reported that it piloted a process in which a state provided data to FEMA in a format that allowed FEMA to identify non-congruent data suggestive of duplicative assistance. As part of this work, FEMA developed a data sharing process that includes specific data fields and a standard operating procedure for sharing necessary data with the state. FEMA also noted that, while this pilot was for a specific state and specific disaster, in future disasters, FEMA anticipates establishing similarly appropriate data-reporting requirements to better position FEMA to conduct data analysis and evaluate such pilot programs, and to share timely information between Individual Assistance and Public Assistance programs. By taking these steps, FEMA will be better positioned to prevent potential duplicative payments in future disasters.

Full Report

GAO Contacts