Aviation: FAA Needs to Better Prevent, Detect, and Respond to Fraud and Abuse Risks in Aircraft Registration

GAO-20-164 Published: Mar 25, 2020. Publicly Released: Mar 25, 2020.

Fast Facts

The Federal Aviation Administration manages the U.S. aircraft registry, which maintains information on about 300,000 civil aircraft. Accurate registry information can help investigators combat illegal activities such as drug trafficking or purchasing an aircraft as part of a money laundering scheme.

We found FAA generally relies on self-certification and doesn’t verify key information such as applicant identity or aircraft ownership. Shell company or limited liability company ownership can also make it difficult to determine who ultimately owns an aircraft.

We made 15 recommendations, including that FAA verify key owner information.

Aircraft Registrations by Registration Type, 2018

Pie Chart: Individual-47%; Corporation-22%; LLC-19%; Co-owned-9%; Government-2%; Partnership-1%; and noncitizen corporation- >1%

Highlights

What GAO Found

To register civil aircraft, the Federal Aviation Administration (FAA) generally relies on self-certification of registrants' eligibility and does not verify key information. According to GAO's review of the registry process, there are risks associated with FAA not verifying applicant identity, ownership, and address information. The registry is further vulnerable to fraud and abuse when applicants register aircraft using opaque ownership structures that afford limited transparency into who is the actual beneficial owner (i.e., the person who ultimately owns and controls the aircraft). Such structures can be used to own aircraft associated with money laundering or other illegal activities (see example in figure). FAA has not conducted a risk assessment that would inform its eligibility review and collection of information to manage risks. Without a risk assessment, FAA is limited in its ability to prevent fraud and abuse in aircraft registrations, which enable aircraft-related criminal, national security, or safety risks.

Case Study Illustrating Aircraft-Related Criminal Activity Risks

102449_HLP_5_v8_McM

FAA makes some use of registry information to detect risks of fraud and abuse, but the format of the data limits its usefulness. Specifically, most data on individuals and entities with potentially significant responsibilities for aircraft ownership, such as trustors and beneficiaries, are stored in files that cannot be readily analyzed due to system limitations. As FAA modernizes its information-technology systems, it has an opportunity to develop data analytics capabilities to detect indicators of fraud and abuse in the registry.

FAA takes administrative actions, such as registration revocations, to respond to registration violations and coordinates with law-enforcement agencies on investigations and enforcement actions such as aircraft seizures. Since 2017, FAA has coordinated with the Departments of Justice (DOJ) and Homeland Security (DHS) as part of an Aircraft Registry Task Force to address aircraft registry vulnerabilities. However, this coordination is informal, and other mechanisms for joint enforcement actions, sharing of information, and use of liaison positions are not in place,

Why GAO Did This Study

The U.S. aircraft registry, managed by FAA, maintains information on approximately 300,000 civil aircraft. FAA issues aircraft registration to individuals and entities that meet eligibility requirements, such as U.S. citizenship or permanent legal residence. Registry fraud and abuse hinders the ability of law-enforcement and safety officials to use the registry to identify aircraft and their owners who might be involved in illicit or unsafe operations.

GAO was asked to examine registry fraud and abuse. This report assesses FAA's actions to (1) prevent, (2) detect, and (3) respond to fraud and abuse risks in aircraft registrations.

GAO reviewed relevant laws, regulations, and FAA policies; reviewed reports, DOJ press releases, and court cases that illustrated risks associated with the registry; analyzed aircraft registry data from fiscal year 2010 through 2018 to identify registrations with risk indicators; and interviewed FAA registry, legal, law-enforcement liaison, and safety officials, as well as officials from DOJ and DHS.

Recommendations

GAO is making 15 recommendations to FAA, including that it collect and verify key information on aircraft owners; undertake a risk assessment of the registry; leverage information-technology modernization efforts to develop data analytics approaches for detecting registry fraud and abuse; and formalize coordination mechanisms with law-enforcement agencies. FAA agreed with all recommendations.

Recommendations for Executive Action

Agency Affected	Recommendation	Status
Office of the Administrator	The Administrator of FAA should conduct and document a risk assessment that considers inherent and residual fraud and abuse risks that may enable criminal, national security, or safety risks. (Recommendation 1)	Closed – Implemented The agency agreed with this recommendation. In March 2021, FAA reported that the Aircraft Registry officials conducted a fraud risk assessment, in partnership with other FAA stakeholders, in summer-fall 2020. In March 2022, FAA provided us with a civil aircraft registration fraud risk assessment. The assessment identified inherent and residual risks that fall into compliance, operational, legal, reputational, and reporting categories. FAA further determined risk tolerance, risk priority based on risk likelihood and impact, and developed risk treatment recommendations and tasks to mitigate identified risks. These actions meet the intent of the recommendation and are consistent with... View More
Office of the Administrator	The Administrator of FAA should determine impact, likelihood, and risk tolerance as part of a risk assessment. (Recommendation 2)	Closed – Implemented The agency agreed with this recommendation. In March 2021, FAA reported that the Aircraft Registry officials conducted a fraud risk assessment, in partnership with other FAA stakeholders, in summer-fall 2020. In March 2022, FAA provided us with a civil aircraft registration fraud risk assessment. The assessment identified inherent and residual risks that fall into compliance, operational, legal, reputational, and reporting categories. FAA further determined risk tolerance, risk priority based on risk likelihood and impact, and developed risk treatment recommendations and tasks to mitigate identified risks. These actions meet the intent of the recommendation and are consistent with... View More
Office of the Administrator	The Administrator of FAA should develop a strategy that outlines specific actions to address analyzed risks, including periodic assessments to evaluate continuing effectiveness of the risk response. (Recommendation 3)	Closed – Implemented The agency agreed with this recommendation. In March 2022, FAA provided us with a civil aircraft registration fraud risk management strategy. The strategy, among other things, outlined responsible organizations and timeframes for specific actions to address analyzed risks within strategy areas such as rulemaking, agreements, process updates, information technology updates, training, and change management. The strategy also included plans for periodic assessments. These actions meet the intent of our recommendation and are consistent with leading practices identified in GAO's Fraud Risk Framework.
Office of the Administrator	The Administrator of FAA should collect and record information on individual registrants, initially including name, address, date of birth, and driver's license or pilot's license, or both, with subsequent PII elements informed by the risk assessment, once completed. (Recommendation 4)	Open The agency agreed with this recommendation. In March 2021, FAA reported that it has determined that rulemaking was not required to collect personally identifiable information (PII). In March 2022, FAA reported that the ability to collect additional PII will be optional in the Civil Aviation Registry Electronic Services (CARES) system, and that PII will be collected and sent to a third-party service for verification. In March 2023, FAA reported that CARES Aircraft system was released in December 2022, using third party service to verify applicant information. However, submitted data--beyond individual name, physical address, and citizenship attestation--are not permanently saved in CARES.... View More
Office of the Administrator	The Administrator of FAA should collect and record information on legal entities not traded publicly—on each individual and entity that owns more than 25 percent of the aircraft; for individuals: name, date of birth, physical address, and driver's license or pilot's license, or both; and for entities: name, physical address, state of residence, and taxpayer identification number. (Recommendation 5)	Open The agency agreed with this recommendation. In March 2021, FAA reported that in late 2020 the agency held focus group meetings with a variety of end users and subject matter experts as well as developed requirements for data collection as part of the fraud risk assessment it had conducted in response to Recommendations 1 and 2. In March 2022, FAA reported that the agency anticipates the data collection to be included in the Civil Aviation Registry Electronic Services (CARES) system after refining requirements with external government agencies. In March 2023, FAA reported that CARES Aircraft system was initially released in December 2022, with physical company addresses and officer... View More
Office of the Administrator	Priority Rec. The Administrator of FAA should verify aircraft registration applicants' and dealers' eligibility and information. (Recommendation 6)	Open The agency agreed with this recommendation. In March 2021, FAA reported that it plans to include verification of eligibility for individuals and entities as part of the Civil Aviation Registry Electronic Services (CARES) system. In March 2022, FAA reported that it is partnering with external government agencies to identify ways to share data and verify eligibility. In March 2023, FAA reported that CARES Aircraft system was released in December 2022, using third party service to verify applicant information. However, submitted data--beyond individual name, physical address, and citizenship attestation--are not permanently saved in CARES. FAA reported that the agency anticipates to... View More
Office of the Administrator	Priority Rec. The Administrator of FAA should increase aircraft registration and dealer fees to ensure the fees are sufficient to cover the costs of FAA efforts to collect and verify applicant information while keeping pace with inflation. (Recommendation 7)	Open The agency agreed with this recommendation. In March 2021, FAA reported that the agency will need a minimum of six months of recordation data, from the time the Civil Aviation Registry Electronic Services (CARES) system is live, to assess and inform new fee amounts. In March 2023, FAA reported that the agency deployed the CARES system in December 2022 with limited capabilities. In February 2024, FAA officials told us they created a registry fee cost model that would achieve full cost recovery and be sustainable with inflation. According to FAA, the cost model uses a formula-based approach to calculate cost rates for fee activities and is consistent with generally accepted accounting... View More
Office of the Administrator	The Administrator of FAA should ensure, as part of aircraft registry IT modernization, that information currently collected in ancillary files or in PDF format on (1) owners and related individuals and entities with potentially significant responsibilities for aircraft ownership (e.g., beneficial owners, trustors, trustees, beneficiaries, stockholders, directors, and managers) and (2) declarations of international operations is recorded in an electronic format that facilitates data analytics by FAA and its stakeholders. (Recommendation 8)	Closed – Implemented The agency agreed with this recommendation. In March 2021, FAA reported that it plans to include aircraft ancillary documents in the Civil Aviation Registry Electronic Services (CARES) system. In March 2023, FAA reported that it deployed CARES system with limited aircraft capabilities in December 2022. FAA also reported that it is exploring additional CARES capabilities to convert ancillary aircraft documents into a format that facilitates data analytics and anticipates making a determination by December 2023. In March and April, 2024, FAA reported that effective March 2024, all aircraft registration files are accessible in an electronic format that supports data analytics by FAA... View More
Office of the Administrator	The Administrator of FAA should link information on owners and related individuals and entities with significant responsibilities for aircraft ownership through a common identifier. (Recommendation 9)	Open The agency agreed with this recommendation. In March 2021, FAA reported that this functionality is being considered as part of the Civil Aviation Registry Electronic Services (CARES) system. In March 2022, FAA reported that this functionality will be a part of CARES data migration plan with details to be determined in the coming months. In March 2023, FAA reported that it deployed the CARES system with limited capabilities in December 2022. FAA plans to include system capabilities to create and link CARES profiles for entities and individuals through a common identifier in future system releases, no later than June 2024. In March and April 2024, FAA reported that the CARES June 2023... View More
Office of the Administrator	The Administrator of FAA should, as part of IT modernization, develop an approach to check OFAC sanctions data on owners and related individuals and entities with potentially significant responsibilities for aircraft ownership for coordination with OFAC and to flag sanctioned individuals and entities across aircraft registration and dealer systems. (Recommendation 10)	Open The agency agreed with this recommendation. In March 2021, FAA reported that it is coordinating the implementation of this recommendation with its law enforcement partners. In March 2022, FAA reported that checks of OFAC sanctions data will be coordinated with other government agencies to limit the number of the Civil Aviation Registry Electronic Services (CARES) system interfaces with that contain personally identifiable information. In March 2023, FAA reported that it is developing plans to deploy CARES data to FAA's Enterprise Information Management platform for easy access by law enforcement partners by June 2024. Developing new processes and queries to conduct analysis against OFAC... View More
Office of the Administrator	The Administrator of FAA should use data collected as part of IT modernization as well as current data sources to identify and analyze patterns of activity indicative of fraud or abuse, based on information from declarations of international operations, postal addresses, sanctions listings, and other sources, and information on dealers, noncitizen corporations, and individuals and entities with significant responsibilities for aircraft ownership. (Recommendation 11)	Open The agency agreed with this recommendation. In March 2021, FAA reported that it is coordinating the implementation of this recommendation with its law enforcement partners. In March 2022, FAA reported that requirements for fraud prevention and detection algorithms will be coordinated with other government agencies in the coming months. In March 2023, FAA reported that it is developing plans to deploy CARES data to FAA's Enterprise Information Management platform for easy access by law enforcement partners by June 2024. An additional six months will be required by FAA and law enforcement partners to develop new processes to analyze data. In March 2024, FAA reported that CARES began... View More
Office of the Administrator	The Administrator of FAA should develop and implement risk-based mitigation actions to address potential fraud and abuse identified through data analyses. (Recommendation 12)	Open The agency agreed with this recommendation. In March 2021, FAA reported that, based on the fraud risk assessment conducted by the agency in response to Recommendations 1 and 2, it is developing a fraud risk management strategy, to include periodic assessments. In March 2022, FAA reported that it completed the strategy that includes periodic assessments. However, FAA has yet to develop data analytics activities that respond to identified fraud and abuse risks. In March 2023, FAA reported that it is developing plans to deploy Civil Aviation Registry Electronic Services (CARES) data to FAA's Enterprise Information Management platform for easy access and analysis by law enforcement partners... View More
Office of the Administrator	The Administrator of FAA should develop mechanisms, including regulations if necessary, for dealer suspension and revocation. (Recommendation 13)	Open The agency agreed with this recommendation. In March 2021, FAA reported that implementation of this recommendation, as well as some other recommendations, may require rulemaking. The agency anticipates consolidating its rulemaking into a single package. In March 2022, FAA reported that it continues to consider rulemaking, but may also identify alternatives to rulemaking to address this recommendation. In March 2023, FAA reported that a rulemaking proposal is being prepared that will include data collection necessary to proactively identify invalid or inactive dealers. FAA anticipates submitting a rulemaking proposal by December 2023. In March 2024, FAA reported that the registry is in... View More
Office of the Administrator	The Administrator of FAA, in coordination with relevant law-enforcement agencies, should enhance coordination within the Aircraft Registry Task Force through collaborative mechanisms such as written agreements and use of liaison positions. (Recommendation 14)	Open The agency agreed with this recommendation. In March 2021, FAA reported that the agency is coordinating with its law enforcement stakeholders. In March 2022, FAA reported that, as future coordination and data sharing may require technology updates, FAA anticipates that written agreements would be finalized by the end of 2023. In March 2023, FAA reported that an initial memorandum of understanding (MOU) defining data sharing terms and conditions has been drafted. FAA anticipates completing the MOU, proactively sharing data, and assigning a new liaison from the Department of Homeland Security by December 2023. In March 2024, FAA reported that A Homeland Security Investigations (HSI)... View More
Office of the Administrator	The Administrator of FAA, in coordination with relevant law-enforcement agencies, should develop a mechanism to provide declarations of international operations for law-enforcement purposes. (Recommendation 15)	Open The agency agreed with this recommendation. In March 2021, FAA reported that it plans to develop this capability as part of the Civil Aviation Registry Electronic Services (CARES) system. In March 2022, FAA reported that the capability will be developed as part of CARES enhancements, and the agency plans to test this feature with relevant stakeholders in 2023. In March 2023, FAA reported that it deployed the CARES system with limited capabilities in December 2022. FAA further reported that it plans to make CARES system enhancements to facilitate rapid notification when international operations are declared by June 2024. In April 2024, FAA reported that the registry currently shares... View More