It’s a simple question and vital for our role at the National Audit Office in holding government to account for how well it manages fraud and error.
Counter-fraud officials can get frustrated at people not taking responsibility. Some told us they have concerns that senior officials can be reluctant to prioritise the detection and pursuit of fraud and corruption because of reputational risk. Senior officials dispute that they turn a blind eye to fraud. Sir Alex Chisholm, the (now former) government chief operating officer told Parliament he did not doubt that counter fraud professionals reported these concerns to us, but it was not his own experience.
My own take is that counter-fraud officials’ concerns arise when fraud is seen as something that can be delegated to the counter-fraud team and not something that is the responsibility of those administering the schemes at risk of loss. Such an approach cannot work because it is not the counter-fraud professionals who operate the controls designed to prevent fraud.
This is why recent changes to the Treasury rules are so important – requiring an initial assessment of the fraud risk as part of the business case and setting up controls as part of the scheme design. These changes need to be followed through with the people delivering the services taking responsibility for stopping fraud and getting payments right.
But what about schemes where responsibility falls across multiple organisations? This can be far more challenging with fraud risks exacerbated by fragmented responsibilities. Below we set out two different examples where responsibility for preventing and detecting fraud has been difficult to pin down.
Student finance
We recently published our investigation on student finance for study at franchised higher education providers – where student loans are issued to people enrolled at institutions that work with an registered university or other higher education provider, but may not be registered with the Office for Students themselves.
Students at these franchised providers made up 6.5% of all financed students. Most are undertaking courses, but there are concerns that the system is open to abuse. One scheme, for example, offered rewards for students referring other people to the provider, promising £500 for each person who enrolled with no limit on the number of referrals. These practices can create incentives to recruit students who aren’t suitable, as they don’t meet admissions criteria, nor are they committed to the course. Students who sign up may be vulnerable to missold loans and may be less likely to make repayments. In the worse cases it can constitute a fraudulent attempt to receive funding for someone that is not actually being taught.
Last year we reported that of the £20bn of student loans given out, an estimated £327m was lost to fraud and error. Most of this goes undiscovered and it covers a range of things. Of the £4.1m of fraud that was discovered, half related to franchised providers.
The Student Loans Company is aware that that the system can be abused and has done work to identify fraudulent loans. For example, it detected suspicious patterns of activity across ten lead providers and their franchised courses. It identified and challenged 3,563 suspicious applications associated with £59.8m of student funding. It reviewed these applications, which helped it to prevent some fraudulent payments that would have otherwise been made.
But we found the regulatory system was not well set up to prevent fraud.
The funding arrangements require the lead higher education provider to oversee the franchised provider to take responsibility for fraudulent student enrolments. However, they have little skin in the game – and may have incentives in fact to maximise the number of enrolments.
The other key players had different attitudes and “risk tolerance” to tackling fraud. The Department for Education sets the overall regulatory framework, but delegates to the other bodies. Neither the Student Loans Company and the Office for Students have a formal fraud enforcement role, nor had they been tasked with preventing fraud. The Student Loans Company gives out the loans that are being defrauded and says it has a minimal tolerance for risks to taxpayers’ money. It shared intelligence with the Office for Students on loans it thought were odd. The Office for Students is responsible for regulating universities and ensuring they have controls over, for instance, fraudulent applications. But the Office for Students does not have any specific power to identify or investigate potential fraud relating to student loans.
This set-up between the bodies creates an obstacle to coordinated action to tackling fraud and led to risks to public funds.
Local authority Covid-19 business grants
Last year we reported on Covid-19 business grant schemes set up by the then-Department for Business, Energy and Industrial Strategy (BEIS). The Covid-19 business grant schemes were funded by central government and delivered by every local authority. Working through local authorities, BEIS distributed £22.6bn via 4.5 million payments to businesses in two years.
But BEIS prioritised speed over conducting pre-payment checks and did not then act quickly to conduct follow-up checks. The delay in following up made the recovery of amounts wrongly paid more difficult to achieve.
As a result, these schemes suffered significant levels of fraud and error – in a pattern we saw replicated across the rest of government’s Covid-19 schemes. BEIS estimated that 5% of the money dispersed through its business grant schemes was lost to fraud and error to the tune of £1.1bn.
Local authorities first heard about the schemes when the Treasury publicly announced them, leading to the schemes being launched with lots of practical issues still to be ironed out. The scheme rules were then developed and changed as they went along – leaving the schemes more open to fraud and error while the rules were tightened up.
Moreover, although local authorities received some funding to administer the schemes, they had little incentive to look for or manage fraud and error. When the local authorities were first asked to issue the money there was no explicit expectation they would need to check for fraudulent activity later.
A year after the scheme was launched, BEIS asked them to undertake a sample exercise to produce estimates for its accounts – and this only led to a recovery of £11.4m (1% of the estimated £1.1 billion lost).
So what are the key takeaways from these two case studies?
We made a number of specific recommendations, but personally I take away three big lessons.
The first is that ultimate responsibility rests with those responsible for the system. This is normally the lead government department and its permanent secretary as principal accounting officer.
Secondly, controls for preventing, detecting and reporting on fraud need to be set up across multi-organisational systems from the start, and not left to each individual organisation. The lead department needs to set out a clear system statement which sets out who is responsible for what.
And thirdly, there needs to be clear communication and information sharing on fraud and error across the system. Each body needs to be transparent and accountable for managing its part of the problem.
Together, this will help bodies work together in a seamless way to tackle and prevent fraud.
Find out more on the NAO’s work on fraud and error at https://www.nao.org.uk/topics/money-and-tax/