On June 30, 2016 Congress passed the Fraud Reduction and Data Analytics Act of 2015 (“FRADA”) (Pub. L. No. 114-186). Under FRADA, the Director of the Office of Management and Budget in consultation with the Comptroller General must “establish guidelines for agencies to establish financial and administrative controls to identify and assess fraud risks and design and implement control activities in order to prevent, detect, and respond to fraud.” The “financial and administrative controls” under FRADA are “required to be established by agencies” including USCIS.
The guidelines for establishing financial and administrative controls must incorporate the “leading practices” of the Framework for Managing Fraud Risks in Federal Programs (“Fraud Risk Framework”) published by the GAO on July 28, 2015. This provision of FRADA effectively incorporates over 40 pages of highly technical requirements into a law that is just over two pages of text.
In the Fraud Risk Framework, each leading practice is discussed as a means of carrying out an “overarching concept” of fraud risk management. Each overarching concept comprises one of four components of the Fraud Risk Framework:
- Commit to combating fraud by creating an organizational culture and structure conducive to fraud risk management.
- Plan regular fraud risk assessments and assess risks to determine a Fraud Risk Profile.
- Design and implement a strategy with specific control activities to mitigate assessed fraud risks and collaborate to help ensure effective implementation.
- Evaluate outcomes using a risk-based approach and adapt activities to improve fraud risk management.
The GAO’s 2016 Report to Congress on the Immigrant Investor Program (the “GAO Report”) evaluates USCIS’s progress towards implementing the leading practices in the regional center program (the “Program”). This agency’s findings are organized under the same overarching concepts used in the Fraud Risk Framework. Although the GAO Report found that USCIS is committed to combating fraud, it noted that implementation of the leading practices under the second component (planning and assessing) was incomplete. Since these leading practices have not yet been implemented, the GAO Report did not evaluate whether USCIS had implemented the leading practices under the third and fourth components.
Component #1: USCIS is Committed to Combating Fraud
Unsurprisingly, the GAO Report found that USCIS was already committed to combating fraud. Under this component, the overarching concepts are:
- Create an organizational culture to combat fraud at all levels of the agency,
- Create a structure with a dedicated entity to lead fraud risk management activities.
Overarching Concept: Create an Organizational Culture to Combat Fraud
To carry out the first overarching concept, USCIS must demonstrate a senior level commitment to integrity and combating fraud, and involve all levels of the agency in setting an antifraud tone that permeates the organizational culture. The GAO Report finds that these leading practices have been implemented. USCIS officials have stated their commitment to combatting fraud at all agency levels, and adjudicators have been provided training on specific fraud-related topics relevant to the adjudication of EB-5 Program petitions and applications.
Overarching Concept: Create a Designated Entity to Lead Fraud Risk Management Activities
The leading practices under the second overarching concept of this component are as follows:
- Designate an entity to design and oversee fraud risk management activities that:
• Understands the program and its operations, as well as the fraud risks and controls throughout the program;
• Has defined responsibilities and the necessary authority across the program;
• Has a direct reporting line to senior-level managers within the agency; and
• Is located within the agency and not the Office of Inspector General (OIG), so the latter can retain its independence to serve its oversight role. - In carrying out its role, the antifraud entity, among other things:
• Serves as the repository of knowledge on fraud risks and controls;
• Manages the fraud risk assessment process;
• Leads or assists with trainings and other fraud-awareness activities; and
• Coordinates antifraud initiatives across the program.
The GAO Report identifies the Fraud Detection and National Security (“FDNS”) unit as the designated entity for designing and overseeing fraud risk management activities. The FDNS has already developed and provided training on specific fraud-related topics relevant to the Program, and is charged with preventing, detecting, and responding to fraud risks. The GAO report found that the required leading practices were implemented, and that USCIS has thus completed the first component of the Fraud Risk Framework.
Component #2: USCIS has Planned some Fraud Risk Assessments but not yet Determined a Fraud Risk Profile
Under the second component of the Fraud Risk Framework the overarching concepts are:
- Plan regular fraud risk assessments that are tailored to the program
- Identify and assess risks to determine the program’s fraud risk profile
The GAO Report found that USCIS had “taken some actions that closely align with” the second component of the Fraud Risk Framework, and generally “followed or partially followed selected leading practices.”
Overarching concept: Plan Regular Fraud Risk Assessments Tailored to the Program
USCIS has implemented the following leading practices to carry out the first overarching concept under this component:
- Tailor the fraud risk assessment to the program.
- Plan to conduct fraud risk assessments at regular intervals and when there are changes to the program or operating environment, as assessing fraud risks is an iterative process.
- Identify specific tools, methods, and sources for gathering information about fraud risks, including data on fraud schemes and trends from monitoring and detection activities.
- Involve relevant stakeholders in the assessment process, including individuals responsible for the design and implementation of fraud controls.
The GAO Report implicitly acknowledges that USCIS’s fraud risk is “tailored” to the Program. It also notes the following activities related to planned fraud risk assessments:
- A current study of potential fraud associated with certain immigrant investors’ source of funds. FDNS will use overseas staff to identify possible fraud stemming from false statements by an investor.
- A random site visit pilot planned for completion before the end of 2016. Site visits will be “random, in-person, and unannounced.” A total of 50 site visits in four different states are planned. An agency official stated that the first visit was scheduled to take place in August 2016.
- A planned study of all national-security concerns associated with the program. FDNS did not have details at the time the GAO conducted its review.
Tools and sources of information about fraud risks include revised Forms I-526, I-829 and I-924. Additionally, USCIS plans to implement increased use of Financial Crimes Enforcement Network (FinCEN) checks to identify possible fraudulent actors, and interview I-829 applicants to remove conditions. According to some USCIS officials, some pilot I-829 interviews have already taken place and as a result the agency will refine and develop a comprehensive interview strategy. USCIS will also begin tracking job creation data through developing a case management system sometime in 2017.
Both the IPO and FDNS will be expanding their capacity to gather information about fraud risks. The FDNS staff has increased from 21 to 25, and added interns as well as administrative support. The IPO has created a specialized group dedicated to regulatory compliance by regional centers to help ensure that each regional center continues to promote economic growth. The GAO Report also notes that the increased filing fees for Program participants will cover the costs of these agency activities.
The GAO Report does not directly address USCIS’s progress towards the leading practice of involving relevant stakeholders in the assessment process. The Report does acknowledge stakeholder involvement in at least one area: USCIS has engaged with stakeholders regarding a study on the use of a software system for text analysis to detect plagiarism. Although not mentioned in the GAO Report, USCIS regularly conducts calls with stakeholders and on recent calls has solicited input regarding fraud risk.
Overarching concept: Identify and Assess Risks to Determine a Fraud Risk Profile
The GAO Report found that USCIS had made incomplete progress toward determining a Fraud Risk Profile for the Program. A Fraud Risk Profile is “an overarching document that guides an organization’s fraud-management efforts.” The steps towards creating a Fraud Risk Profile appear to be the sequential implementation of the leading practices under this overarching concept. Specifically, a fraud risk profile involves:
- Identifying inherent fraud risks affecting a program;
- Assessing the likelihood and impact of these risks;
- Determining the fraud risk tolerance;
- Examining the suitability of existing fraud controls and prioritizing residual fraud risks; and
- Documenting the Program’s fraud risk profile.
Included at Table 1 of the GAO Report (and re-produced below) is a hypothetical fraud risk profile from the Australian National Audit Office.
The GAO Report does not give examples of how a Fraud Risk Profile might look for the EB-5 Program. However, the Report does discuss existing actions and analysis that address several key elements in the Fraud Risk Profile: identified fraud risk, fraud risk factors, fraud risk owner, existing anti-fraud controls, and fraud risk response. Table 2 and Table 3 below provide hypothetical EB-5 risk profiles that reflect this existing USCIS analysis and activity. USCIS’s actual, completed risk profiles for the Program may become publicly available once finished.
Conclusion
FRADA requires USCIS to implement the leading practices in the Fraud Risk Framework. Thus, the Fraud Risk Framework was transformed from a GAO study into law. USCIS has already implemented some of the leading practices, but has not yet completed the steps required to create a Fraud Risk Profile for the Program. USCIS’s estimated completion date for its Fraud Risk Profile is September 30, 2017.
By observing USCIS’s actions as they relate to the Fraud Risk Profile, Program participants and stakeholders may be better able to maintain statutory and regulatory compliance and plan for increased scrutiny in the future. For example, the GAO Report explicitly acknowledges USCIS’s plans to digitize its files, “including the supporting evidence submitted by applicants and petitioners.” In connection with these plans, the GAO report suggests the use of “text analytics” to identify fraud. Interviews, site visits, and overseas investigations are also on the horizon. These activities are only half of the Fraud Risk Framework. Once the Fraud Risk Profile is complete, USCIS will begin designing and implementing strategies to mitigate assessed fraud risks, and evaluate and adapt these activities to improve fraud risk management. Thus, USCIS’s fraud risk management activities will be continually changing, and closely observing these activities would be a prudent move, if not a due diligence requirement.