Auditors found that during the pandemic DOL had to compensate for its outdated system by overriding existing controls designed to prevent improper payments. DOL’s “pay and chase” approach increased the risk of overpayments, payments charged to the wrong funding source, and fraud. For instance:
- Auditors tested a sample of 53 claimants, selected for various risk factors, and found that 18, or one-third, potentially received UI payments that exceeded the maximum allowed amount.
- Auditors sampled an additional 100 claimants and found 96 of the combined total of 118 claimants were improperly paid nearly $2.8 million through the state’s traditional UI program instead of the temporary federal CARES Act.
- Auditors identified another $41.2 million paid to 8,798 claimants, whose payments appeared to be more than the maximum allowed amounts. Auditors questioned whether these claims were correctly paid or if the correct funding source was used. While DOL officials said it had identified this issue and adjusted claims on its UI system, adjustments to federal reports have not occurred and these claims were incorrectly paid with state funds.
The outdated system also created obstacles to monitoring and analyzing fraudulent claims and for making operational decisions. Auditors found that DOL could not identify the root cause of overpayments and fraud and did not implement controls to address weaknesses in the system. During the audit, DOL was unable to provide auditors with information to support their management and response to fraudulent claims and could not account for:
- The number of claims that were paid to fraudulent claimants before being detected;
- The length of time from when claims were filed to when they were identified as fraudulent (to determine the number of weeks that payments were made); and
- How the claims were identified as fraudulent (e.g., whether through departmental procedures or based on complaints from individuals whose identities were used by imposters to file false claims).
DOL’s failure to provide auditors with information and its slow response to requests delayed the audit’s completion. DOL was unable to provide supporting documentation on the over $36 billion in fraudulent claims the Commissioner of Labor said that it had prevented. It also could not explain to auditors why the estimated number of frauds for traditional UI claims more than tripled during SFY 2020-21, nor was it willing to provide data to auditors that would enable them to perform their own independent analysis to assess the amount of fraudulent claims.
This information is critical for New Yorkers because during the pandemic the state had to borrow from the federal government to support UI claims. It had a loan balance from the federal UI trust fund that averaged $9.3 billion from September 2021 through April 2022 which now stands at about $8 billion. This loan must be paid back with interest at the expense of New York’s employers. Previous DiNapoli reports identified that borrowing from the federal UI trust fund has a significant cost impact for businesses operating in New York State.
Auditors also found that while DOL repeatedly pointed to identity theft as the major cause of fraud within the program, specifically for the temporary benefit programs, it did not implement a critical system to stop identity theft, a program called ID.me, until February 2021, or nearly a full year after these temporary programs were put in place and approximately 80% of UI claims had already been made.
In implementing ID.me, DOL failed to capture information to ensure it not only prevented fraudulent claims but also balanced the ease of access for legitimate applicants. For example, groups like seniors, lower income people and recently migrated individuals were identified in a 2018 report by ID.me as being particularly disadvantaged in proving their identity online. DOL acknowledged that certain groups may encounter difficulties with the verification process using ID.me, but did not capture information on which applicants had difficulty with the verification process to enable it to address these issues in the future.
DiNapoli’s auditors also found DOL did not take some critical steps to secure its UI system and data. As a result, DOL has minimal assurance that its substantial personal information assets are protected against loss or theft. For example, auditors determined DOL did not classify data on its UI system, failed to encrypt certain information, did not enforce strong access controls or authentication rules, and did not have a policy in place to ensure systems logs were monitored. Some of its changes to the UI system made in response to the pandemic did not meet all the necessary requirements of the State’s Office of Information Technology Services (ITS) Change Management Process and Policy, intended to ensure the mitigation of risks and minimize disruption of critical services.
The audit recommended DOL:
- Continue the development of the replacement UI system and ensure its timely implementation.
- Take steps, including collecting and analyzing data related to the identity verification process, to ensure the correct balance between fraudulent identity detection and a streamlined process for those in need of UI benefits.
- Follow up on the questionable claims identified by this audit to ensure adjustments have been made so they are paid from the proper funding source and overpayments are recovered, as warranted.
- Ensure the current and new UI system and data comply with provisions of the NYS Information Security Policy-the Classification, Authentication, Encryption, and Logging Standards, as well as the ITS Operations Change Management Process and Policy.
- Improve the timeliness of cooperation with state oversight inquiries to ensure transparent and accountable agency operations.
Department officials generally agreed with the audit’s findings and recommendations.