OFFICE OF
INSPECTOR GENERAL
DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
July 29, 2019
OIG-19-041
MEMORANDUM FOR TIMOTHY E. GRIBBEN
COMMISSIONER, BUREAU OF THE FISCAL SERVICE
FROM: Katherine E. Johnson /s/
Audit Director
SUBJECT: Interim Audit Update - Matters for Consideration Prior to
Fiscal Service’s Selection of the Direct Express® Debit Card
Program Financial Agent
On June 18, 2018, we initiated an audit to review corrective actions taken by the
Bureau of the Fiscal Service (Fiscal Service) related to recommendations made in
previous Department of the Treasury (Treasury) Office of Inspector General (OIG)
reports issued in 2014 and 2017 related to the financial agency agreement (FAA)
with Comerica Bank (Comerica) to operate the Direct Express® Debit Card program
(Direct Express). Based on our audit work to date and due to the importance of
Direct Express and the needs of its customers, we are sharing our initial findings
and recommendations prior to completion of all audit work. We believe this interim
reporting is important for your consideration prior to the selection of the next
financial agent expected to be announced later this summer.
As part of our reporting process, we provided a draft of this memorandum to Fiscal
Service to obtain management's views and comments. In a written response,
provided in its entirety as an attachment to this memorandum, management
concurred with our recommendations and outlined planned corrective actions.
Background
In 2008, Fiscal Service, formerly known as Financial Management Service, entered
into a FAA with Comerica to operate Direct Express, which allows beneficiaries to
receive Federal benefit payments electronically, using a prepaid debit card.
Currently, more than 4.5 million individuals receive their social security, veterans,
and other benefit payments through this program. In 2014, Fiscal Service rebid the
Direct Express FAA and selected Comerica as the financial agent for an additional
5 years, effective January 3, 2015. Since 2009, KRC Research (KRC),[1] a
Comerica subcontractor, has conducted an annual Direct Express cardholder usage
survey. Direct Express has maintained an overall customer satisfaction rating of 94
percent or above since 2009.
Financial Agent Selection Process
On November 27, 2018, Fiscal Service initiated the process to select the next
Direct Express financial agent. Fiscal Service announced the bidding cycle and that
applications for the Direct Express FAA were due no later than February 15, 2019;
however, due to the government shutdown the date was extended to March 8,
2019. Fiscal Service notified the financial agent finalists of their status on April 2,
2019. According to the Direct Express® Debit Card Program Financial Agent
Selection Process Questions and Answers (Updated 5/22/19), the Fiscal Service
review period was from April 1 to May 10, 2019.[2] Fiscal Service provided the
sample FAA to the finalists, who were invited to make oral presentations.
The sample FAA did not include Exhibit A, Services, Attachment 1, Service Level
Requirements, Attachment 2, Initial Surcharge-Free Network, Exhibit C,
Compensation and Cardholders Fees, or Exhibit E, Memorandum of Understanding
Between the Selected Financial Agent and the Social Security Administration. The
Requirements for Applications to Provide Prepaid Debit Card Services (updated
11/29/18) (Requirements Document) provided general information related to service
requirements and compensation.[3] For example, the Requirements Document listed
19 Service Level Activities (SLA) as minimum requirements compared to 38 Service
Level Requirements (SLR) in the Direct Express FAA in use currently (current FAA).
Additionally, the 19 SLAs listed as minimum requirements are not weighted or
prioritized to emphasize the importance of customer service or any other specific
requirement over another. The specific requirements, tolerance ranges, and
weightings for each SLA will be negotiated with the selected financial agent prior
to signing the FAA. Fiscal Service plans to (1) select the financial agent, and (2)
sign the FAA with the selected financial agent later this summer.
[1] KRC is a global strategic research firm that offers quantitative and qualitative market research
solutions to a number of industries from its offices in Washington, DC, New York, and Cologne,
Germany. KRC helps its clients optimize strategies and measure success.
[2] https://fiscal.treasury.gov/files/directexpress/DirectExpressFASPQandAs.pdf
[3] https://fiscal.treasury.gov/files/directexpress/FASP2020Requirementsfinal.pdf
Previous and Current Audit Work
OIG issued two audit reports, the first in 2014 and the second in 2017, regarding
our reviews of Direct Express and the financial agent selection process. In our
March 26, 2014 audit report, Fiscal Service Needs to Improve Program
Management of Direct Express (OIG-14-031), we found that Fiscal Service’s
decisions to establish Direct Express and select Comerica as the program’s financial
agent were reasonable; however, its analyses and documentation of those
decisions should have been more complete. In addition, Fiscal Service needed to
improve its oversight of Direct Express and administration of the FAA. Accordingly,
we made 13 recommendations to Fiscal Service. In the Treasury OIG-17-034 report
discussed below, we verified 4 of the corrective actions taken by Fiscal Service
related to the 13 recommendations made in the Treasury OIG-14-031 report.
In our January 24, 2017 audit report, Direct Express Bid Evaluation Documentation
Requires Improvement (OIG-17-034), we found that Fiscal Service’s documentation
of the FAA bid evaluation had improved compared to the previous bid cycle but
further improvement was needed. Accordingly, we made one recommendation to
Fiscal Service.
To follow up on the audit reports discussed above, on June 18, 2018, we initiated
a corrective action verification (CAV) engagement related to the 10 corrective
actions not previously verified as of our last report. Our objective was to determine
whether Fiscal Service’s corrective actions were responsive to the remaining 10
recommendations as noted in our previous audit reports.
Fraudulent Activity Experienced by Some Direct Express Cardholders
After beginning the CAV, we received information of fraudulent activity involving
the Direct Express Cardless Benefit Access Service.[4] Specifically, criminals used
cardholder data and personally identifiable information to impersonate Direct
Express cardholders. With this information, criminals exploited the Cardless Benefit
Access Service to empty accounts belonging to some beneficiaries, including those
who receive Social Security benefits and veterans who rely on disability payments
to make ends meet. As a result, in August 2018, Comerica temporarily suspended
the Cardless Benefit Access Service. According to Comerica, there was no
evidence of a data breach at Comerica, its service providers, or in any data
management system used to administer Direct Express.
[4] In August 2017, Comerica introduced the Cardless Benefit Access Service feature to all Direct
Express cardholders. This feature, formerly known as Direct Express® Emergency Cash, allowed a
cardholder, who did not have his/her physical card, to request a money transfer to a MoneyGram
location to be picked up by the cardholder. For example, during Hurricanes Harvey and Maria in
September 2017, many automatic teller machines were out of service. MoneyGram locations
provided cash access to Direct Express cardholders with or without their cards.
As required by Government Audit Standards, Section 6.32, we added procedures
to our ongoing work to address the fraud risk. For example, we are reviewing Fiscal
Service’s monitoring procedures to ensure that Comerica is (1) in compliance with
the FAA, (2) investigating and resolving fraud notifications from Direct Express
customers within the required regulatory timeframes, (3) providing appropriate
credits to customers within the required timeframes, and (4) providing monthly
performance measurement scorecards and annual customer satisfaction surveys.
We are also reviewing Fiscal Service’s monitoring of Comerica’s compliance with
customer service requirements outlined in the FAA.
Based on our work to date and due to the importance of Direct Express and the
needs of its cardholders, we are sharing our initial findings and recommendations
prior to completion of all audit work. We believe this interim reporting is important
for your consideration prior to the selection of the financial agent expected to be
announced later this summer.
Treasury OIG Findings and Recommendations
As noted above, Fiscal Service provided the sample FAA to finalists in the selection
process. The sample FAA did not include the specific details of several exhibits,
such as Exhibit A, Services, Attachment 1, Service Level Requirements. According
to its financial agent selection process guidance, Fiscal Service negotiates policies
and procedures (e.g., documentation to be maintained by the financial agent,
meetings with the financial agent, SLRs and other metrics, security, risk
management, and expense management) for overseeing a financial agent after the
financial agent has been selected and prior to signing the FAA. Given the
importance of customer service and based on our review of the (1) sample FAA
compared to the current FAA and (2) finalists’ proposals, we suggest consideration
of modifications to the following FAA provisions, which will be negotiated between
Fiscal Service and the selected financial agent prior to signing the FAA expected
later this summer.
1. Compensation and Performance
The current and sample FAA, provision 4E, Reduction in Compensation, states the
following:
Depending on the Financial Agent’s compliance with the service level
requirements set forth in Attachment 1 to Exhibit A hereto, a reduction in
compensation may apply
The current FAA, Exhibit A, Attachment 1, Service Level Requirements, states the
following:
The table below sets forth the service level requirements (each, an “SLR”)
for various activities associated with the debit card program. On a monthly
basis, the Financial Agent will report on its performance
SLRs are a means of setting a high standard for performance that translates
to high quality services for federal benefit recipients.
We believe that under this financial agent selection process, the SLR and target
performance for the various activities need to be reviewed and revised with an
emphasis on providing better customer service related to the call center and
compliance with regulations related to chargeback and dispute processing. We
reviewed Comerica’s Direct Express SLR Monthly Scorecards from February 2015
through December 2018 and noted that Comerica’s compensation was never
reduced despite poor ratings in some categories. Conduent Incorporated
(Conduent), a Comerica subcontractor, manages the Direct Express call center and
processes claim disputes.[5] Although Direct Express has maintained an overall
customer satisfaction rating of 94 percent or above since 2009, the call center has
received poor ratings in some categories such as customer service representative
response times and regulatory compliance related to chargeback and dispute
processing.
The current SLRs consist of 38 separate activities, including but not limited to,
account set-up, card issuance/reissuance/replacement, payments, customer service
representative response times and call quality, reporting, chargeback and dispute
processing, and customer satisfaction survey. To calculate the monthly
performance score, the actual performance for each SLR is compared to the Target
Performance[6] and Tolerance Range[7] for an assigned rating of 2, 1, or 0 (the Initial
Rating) using the following formula:
[5] Conduent, a New Jersey digital interactions company, creates digital platforms and services for
businesses and governments. Conduent provides such services as digital payments, claims
processing, and customer care.
[6] Comerica’s primary performance goal for meeting the SLR.
[7] Comerica’s performance is in the acceptable range, but not at the Target Performance goal.
- Performance at or above Target Performance for each SLR will be
  assigned an Initial Rating of 2.
- Performance lower than the Target Performance but within the Tolerance
  Range for each SLR will be assigned an Initial Rating of 1.
- Performance below the Tolerance Range of the Target Performance for
  each SLR will be assigned an Initial Rating of 0.
- Each Initial Rating will be multiplied by the Weighting[8] to calculate the
  final rating for each SLR (the Final Rating).
- The Final Ratings for each SLR are added together to calculate the
  performance score for the applicable month (the Performance Score),
  ranging from a minimum score of 38 to a maximum score of 80.
A Performance Score at or below 37 for 2 consecutive months will result in a
reduction of $0.01 per active account in the 3rd month, and each month thereafter
until the Performance Score equals or exceeds 37. Comerica never received a
Performance Score less than 62 because all the SLRs are added together allowing
higher scores in some activities to offset the lower scores in other activities. For
the 47 Direct Express SLR Monthly Scorecards reviewed, we noted that for the
SLRs related to account set-up, card issuance and replacement, payments, and the
customer satisfaction survey, Comerica/Conduent consistently received the highest
possible Final Ratings. We believe the commingling of all SLR scores does not
provide an incentive or disincentive to achieve a high standard in all areas,
including chargeback and dispute processing and customer service representative
response times.
In our review of the 47 Direct Express SLR Monthly Scorecards, we noted 4 SLRs
related to customer service representative response times, representing a total of
188 Final Ratings. Comerica/Conduent received the lowest possible Final Rating in
79 out of 188 instances, or 42 percent of the ratings.
In addition, there were 3 SLRs related to chargeback and dispute processing which
align with the Regulation E[9] time limits and investigation requirements.[10] We
believe these 3 SLRs are critically important as Regulation E and these SLRs are
designed to protect the Direct Express cardholders. These 3 SLRs represented a
total of 141 Final Ratings. For these SLRs, the FAA stipulates that the Target
Performance is 100 percent, which we believe is appropriate as a measure for a
regulatory requirement. If 100 percent compliance is achieved in that month, the
highest Final Rating (2) is assigned. The FAA allows for a Tolerance Range of 5
percent below the Target Performance (rating of 95-99 percent) non-compliance. If
95-99 percent compliance is achieved in that month, a middle Final Rating (1) is
assigned. If compliance for a given month is below 95 percent, a lowest Final
Rating (0) is assigned. Of the 141 Final Ratings, Comerica/Conduent was assigned
the following:
- Highest (rating of 100 percent): 14 instances, or 10 percent of the ratings;
- Middle (rating of 95-99 percent): 124 instances, or 88 percent of the ratings; and
- Lowest (rating below 95 percent): 3 instances, or 2 percent of the ratings.
[8] The percentage applied to the SLR.
[9] Regulation E was issued by the Board of Governors of the Federal Reserve System as an
implementation of the Electronic Funds Transfer Act, a law passed by the U.S. Congress in 1978
as a means of protecting consumers engaged in these sorts of financial transactions.
[10] 12 CFR 1005.11, Procedures for resolving errors, February 13, 2018
Compliance with Regulation E is a critical component of Direct Express and a
regulatory requirement. Knowing the needs of beneficiaries and their dependence
on these payments, we believe the Tolerance Range of 5 percent is too high given
the regulatory nature of these 3 SLRs. For the period we reviewed, for chargeback
and dispute processing, Comerica/Conduent did not comply with the Target
Performance of 100 percent related to the Regulation E time limits and
investigation requirements in 90 percent of the 47 Direct Express SLR Monthly
Scorecards from February 2015 through December 2018.
As Treasury’s financial agent, Comerica is acting as a fiduciary of the Government
and as such should be encouraged to further the administration's agenda related to
customer service, including compliance with Regulation E. The current SLR
calculation does not specifically reflect the importance of improving the customer
service experience of Direct Express cardholders and protecting consumers in
compliance with Regulation E. The President’s Management Agenda identifies
Cross-Agency Priority (CAP) Goal 4, Improving Customer Experience with Federal
Services.[11] According to CAP Goal 4, Federal agencies will provide a modern,
streamlined, and responsive customer experience across Government, comparable
to leading private-sector organizations.
Specifically, this CAP Goal 4 will:
- Transform the customer experience by improving the usability and
  reliability of the Federal Government's most critical digital services;
- Create measurable improvements in customer satisfaction by using the
  principles and practices proven by leading private sector organizations;
- Increase trust in the Federal Government by improving the experience
  citizens and businesses have with Federal services whether online, in-person,
  or via phone; and
- Leverage technology to break down barriers and increase communication
  between Federal agencies and the citizens they serve.
[11] Office of Management and Budget, President’s Management Agenda, March 20, 2018
Recommendation
We recommend that the Commissioner of the Fiscal Service revise the SLR
calculations related to incentives or disincentives, which will be negotiated
between Fiscal Service and the selected financial agent prior to signing the FAA
expected later this summer. The minimum target performance and/or weighting of
the SLRs should ensure that the financial agent and its subcontractors are
incentivized to provide excellent service in all areas, including chargeback and
dispute processing and customer service representative response times. Improving
the customer experience and compliance with Regulation E will increase the public
trust in Direct Express and Fiscal Service.
Management Response
Management concurs with our recommendation. Fiscal Service stated that in its
new FAA it will use SLRs that incentivize its financial agent to provide excellent
service in all areas, including chargeback and dispute processing and customer
service representative response times.
In addition, in addressing the SLRs related to chargeback and dispute processing,
management noted that:
While it is true that our agent did not achieve the target of 100% compliance
with SLRs between February 2015 and December 2018, the agent met the
Target Performance nearly 100% of the time. The agent's Target
Performance Final Rating for the period of time in question is, on average,
99.42%.
OIG Comment
Management’s response meets the intent of our recommendation. However, to
clarify our position on management’s statement about the chargeback and dispute
processing, we note that the financial agent did not meet the Target Performance
nearly 100 percent of the time. Instead, the financial agent achieved results within
the Tolerance Range of 5 percent (versus the Target Performance) 98 percent of
the time. As stated in our memorandum, we believe a Tolerance Range of 5
percent is not appropriate for a regulatory requirement.
2. Reviews and Audit
The current FAA, provision 10, Reviews and Audit, states the following:
Fiscal Service and entities authorized by Fiscal Service shall have the right to
conduct announced and unannounced onsite and offsite physical, personnel
and information technology testing, security reviews, and audits of the
Financial Agent, and to examine all books and records related to the services
provided and compensation received under the FAA, except as otherwise
prohibited by Federal law
Although Comerica is supervised by various banking regulatory entities, the results
of that supervision are not shared with or readily available to Fiscal Service for use
in its oversight of the Direct Express financial agent, nor did Fiscal Service attempt
to obtain this supervisory information. Specifically, Comerica is supervised and
examined by the Federal Reserve Bank of Dallas, the Federal Deposit Insurance
Corporation, and the Texas Banking Department. The Consumer Financial
Protection Bureau and MasterCard provide additional oversight, specifically on
Comerica's compliance with consumer protection requirements.
Federal law restricts Comerica’s ability to disclose the results of any
regulatory audits or reviews considered “confidential supervisory information”
under the Board of Governors of the Federal Reserve System’s (Board) Rules
Regarding Availability of Information (12 CFR 261.2(c)(1)(i) and (iii)). All
confidential supervisory information is the property of the Board, not the
bank. No supervised financial institution, person, or any officer or employee
thereof, may disclose such information. However, the Board has determined
that under 12 CFR 261.1(a)(3):
…it is authorized by law to disclose information to a law enforcement or
other federal or state government agency that has the authority to request
and receive such information in carrying out its own statutory
responsibilities, or in response to a valid order of a court of competent
jurisdiction or of a duly constituted administrative tribunal.
Therefore, under the procedures described in 12 CFR 261.21(c), Fiscal Service
could submit a written request to the Board for supervisory information for use in
its official duty of monitoring Comerica’s compliance with the FAA and improving
Direct Express. The Board has the discretion to approve or deny the request, and to
impose conditions on its use and disclosure.
During interviews regarding Comerica’s customer service and Regulation E
compliance, Fiscal Service officials and staff told us they rely on Comerica’s
regulators to review the bank’s compliance with Regulation E. Fiscal Service also
noted that the criteria for disclosing bank supervisory reports may vary with the
regulator. We believe that compliance with the regulatory requirement of Regulation
E is a critical component of Direct Express and Fiscal Service should periodically
seek access to the regulators’ reports related to Direct Express, when allowed by
law.
Recommendation
We recommend that the Commissioner of the Fiscal Service periodically request
access to the Regulation E compliance reviews related to Direct Express conducted
by the banking regulators under the provisions outlined in 12 CFR 261 or other
relevant provisions related to the regulator. This information should be used by
Fiscal Service to monitor the financial agent’s compliance with the FAA and SLRs
or to improve Direct Express.
Management Response
Management concurs with our recommendation. In the future, Fiscal Service will
request access from the financial agent's prudential regulators to Regulation E
compliance reviews related to Direct Express when they learn that such a review
has been performed. Fiscal Service will use information that the regulator is willing
to provide to improve the financial agent's performance under the FAA.
OIG Comment
Management’s response generally meets the intent of our recommendation.
Financial regulator reports may have disclosure restrictions and therefore, Fiscal
Service may not be aware of reviews conducted. For this reason, we want to
emphasize that Fiscal Service periodically request access to the Regulation E
compliance reviews related to Direct Express conducted by banking regulators
whether or not they are aware that a review has been performed.
3. Annual Certification: Notice of Violations
The current FAA, provision 20, Annual Certification: Notice of Violations, states
the following:
…the Financial Agent will notify Treasury’s Office of Inspector General if it
becomes aware of any instance of a possible violation of federal criminal
laws regarding fraud, conflict of interest, bribery, or illegal gratuities
affecting or related to the Direct Express® program. Such notification will be
on a timely basis, which shall not normally exceed one week.
Fiscal Service officials and staff told us that this FAA provision only applies to
insider crimes, such as fraud, bribery or embezzlement by Comerica employees or
its subcontractors. However, we believe that this interpretation does not agree
with the intent of the FAA which stated “…any instance of possible violations of
federal criminal law” and does not distinguish between internal and external
violations.
Due to the Right to Financial Privacy Act (RFPA),[12] Comerica cannot provide
information to OIG or Fiscal Service on individual fraud cases impacting Direct
Express without a subpoena or a signed authorization to release information from
the account holder. Consequently, Fiscal Service receives only aggregated fraud
data on Direct Express on a monthly basis. The Treasury OIG Office of
Investigations received this aggregate data on one occasion related to the
fraudulent activity in the Cardless Benefit Access Service discussed above. This
aggregate data did not provide OIG with the underlying fraud data necessary to
conduct an audit or investigation.
As part of our audit, we plan to review Comerica’s compliance with the
Regulation E cardholder protections including the reimbursement of Direct Express
cardholders’ stolen benefits, including related fees. We worked with Comerica and
Fiscal Service to develop a mechanism to receive cardholder information while
maintaining compliance with RFPA.
[12] 12 U.S.C. Chapter 35, Right to Financial Privacy
We coordinated with Comerica to create an Authorization to Release Information
for Direct Express account holders. This authorization, when signed by the
cardholder, will allow Comerica and OIG to disclose and exchange information
with each other for the purpose of determining the status of the specific Direct
Express Debit MasterCard account and card, the proper routing and delivery of all
benefits associated with the specific account and card, and other account
information showing uses of, access to, and inputs associated with, that account
and card, for the purposes of identifying and tracking unauthorized and/or
fraudulent uses. These authorizations will be valid for 3 months from the date of
signature and can be revoked by the account holder at any time.
Recommendations
We recommend that the Commissioner of the Fiscal Service:
1. Coordinate with the financial agent to develop periodic reports that
comply with RFPA and provide useful information on potential violations
of federal criminal laws, including internal and external fraud relating to
Direct Express. These reports should be used to identify, analyze, and
monitor fraud and dispute claims, and other significant trends. By
reviewing and analyzing this information, Fiscal Service can improve its
oversight of Direct Express and the financial agent and proactively
respond to fraudulent activity.
Management Response
Management concurs with our recommendation. Fiscal Service will
coordinate with the financial agent to develop periodic reporting of
anonymized aggregate statistical data on fraud and dispute claims in a
manner that complies with RFPA.
OIG Comment
Management’s response meets the intent of our recommendation.
2. Revise FAA provision 10, Reviews and Audit, to state:
…the Federal Government will not be entitled to obtain or examine
any records related to individual debit cards, except as allowed by
law.
Management Response
Management concurs with our recommendation. Fiscal Service will
clarify that RFPA does not bar Treasury from obtaining records related
to an individual debit card where the cardholder consents, by adding the
phrase "except as allowed by law" to provision 10 of the FAA.
OIG Comment
Management’s response meets the intent of our recommendation.
*****
We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for
our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
We appreciate the courtesies and assistance provided by your staff. Should you
have any questions regarding this memorandum, please contact me at
(202) 927-8783.
cc: Derrick Watson, Audit Liaison
Attachment: Management Response