Audit of Processes Used To Develop and Control Redress Claimant Lists

Audit Report Number:
00-046

July 31, 2000

Chairman Pitofsky:

The Office of Inspector General has completed a review of redress distributions and their vulnerability to fraud. The objectives of this financial-related audit are threefold: (i) document the data collection and/or construction methods used to develop claimant data from fraudulent companies by agency staff and its contractors/subcontractors; (ii) identify what, if any, vulnerabilities exist pertaining to these methods that could lead to the payment of either erroneous or fraudulent claims; and (iii) audit a sample of distributions determined to be high risk to assess whether redress checks were issued to any individuals other than rightful claimants.

This review grew directly out of the OIG's annual financial statement audit, which includes fieldwork to review redress account balances. In fiscal years 1998 and 1999, redress distributions totaled approximately $25.8 million. During the review, the audit team observed that original claimant lists were not always maintained by the agency. As a result of this finding, the OIG suspected that internal control weaknesses might exist in the disbursement phase of the redress process. Specifically, the OIG was concerned that management would not always be able to independently verify the accuracy of redress distributions performed by third parties (contractors, responsible defendants and/or receivers). As the OIG audit opinion is rendered on the financial statements taken as a whole, and not on any individual statement line item, the OIG expanded its audit work by looking for the support behind the redress distribution amounts shown on the Statements of Custodial Activity.

Due to the limited number of original claimant lists available for audit, the OIG could not (other than for four cases audited) provide any assurance that only rightful claimants are receiving redress payments.

The OIG found that the agency has taken some steps to reduce the vulnerability to fraud in the payment of redress by enhancing the monthly reports submitted by the redress contractors. Such enhancements include standardizing the reporting format to enable the FTC reviewer to quickly and easily follow movement of funds (including deposits, interest earnings, redress, and fees) from month to month. RAO also randomly compares canceled checks against original claimant lists to verify that only authorized claimants received a check. This control helps to guard against an unscrupulous third party (e.g., contractor employee or responsible party defendant) from "salting" the claimant list.

While this check of claimants against an original list is the agency's first line of defense against theft, the OIG found that the original list was not available in 36 percent of the cases sampled. Another eight cases (28 percent) in our sample had lists that could have been compromised without the knowledge of the FTC. These were contractor and defendant-prepared lists where the FTC did not have a presence during list development. In these 18 cases, if claimant checks were mailed to individuals working in concert with an unscrupulous contract employee intent on diverting funds, the likelihood of this scheme being discovered would be small.

Although lists are occasionally sent off site for permanent storage, the most frequent cause for a missing list in the cases sampled by the OIG was attorney attrition: that is when the case manager leaves, knowledge of the list whereabouts frequently departs with him. Further, RAO guidance issued years ago to address this concern appeared to be ineffective as attorneys often failed to provide the RAO with a claimant list.

Of the remaining 10 cases in our sample where original claimant lists were available, half were selected for audit. However, an audit of one of these five selected cases could not be completed as documentation concerning redress was with a receiver who did not respond to agency requests for this information.

To address these vulnerabilities, the OIG recommended that claims administration contractors be instructed to accept claimant lists only from the RAO (and not from individual attorneys), thus ensuring that the unit will have an original copy of all lists so as to properly perform its oversight function.

The OIG also recommended that in cases where defendants will be providing claimant information to the FTC for its use in determining redress, attorneys seek, through negotiation with the defendant, (i) a copy of the claimant list prior to final judgment and (ii) agreement to oversee the construction of the final claimant list. This recommendation identifies a practice used on occasion by some FTC attorneys to establish a presence early on in the claimant list development process with defendant-prepared claimant lists. Such presence, in the opinion of the OIG, helps to ensure that criteria for determining claimant eligibility is applied without bias by the corporate defendant, who is certain to have a sizable financial stake in the size and composition of the claimant pool it is responsible for developing.

Our report findings and recommendations have been discussed in detail with RAO managers. RAO management agreed with our findings and recommendations. The OIG appreciates the assistance provided by the RAO throughout our review.

Respectfully submitted,

Frederick J. Zirkel
Inspector General

Audit of Processes Used
To Develop and Control Redress Claimant Lists

TABLE OF CONTENTS

Background  

Objectives, Scope and Methodology  

Findings  

Finding #1. Attorneys rely on RAO and agency redress contractors to ensure claimant verification Finding #2. Claimant lists are not routinely provided to the RAO
Finding #3. Defendant prepared lists provide little opportunity for FTC oversight 
Finding #4. Few cases auditable because of a lack of documentation. No wrongdoing found in four cases that were audited  

Conclusions and Recommendations

Recommendation 1 
Recommendation 2

The Federal Trade Commission (FTC) is an independent agency responsible for the administration of a variety of statutes that, in general, are designed to promote competition and to protect the public from unfair and deceptive acts and practices in the advertising and marketing of goods and services. FTC's Bureau of Consumer Protection (BCP) seeks to enhance the smooth operation of the marketplace by enforcing a variety of consumer protection laws enacted by Congress and trade regulation rules issued by the FTC. Its actions include individual company and industry-wide investigations, administrative and Federal court litigation, rule-making proceedings, and consumer and business education. An integral part of FTC's law enforcement function is the obtaining of monetary relief for consumers injured by fraud. Funds thus obtained are then distributed to consumers to redress harm suffered. Frequently, agency redress contractors make these distributions on behalf of the FTC.

Background

The administration of a redress distribution is a detailed process that requires the allocation of a sufficiently trained staff to be successful, and to ensure that funds are provided only to those individuals meeting certain criteria. Major components of the program include identifying claimants, determining eligibility, disbursing redress to claimants, accounting for the disposition of these funds, and program oversight. If management controls over any step of the process are absent or incomplete, significant errors or fraud can occur and not be detected.

The BCP's Redress Administration Office (RAO) is responsible for the administration and oversight of redress activities. The director of the RAO is also the Contracting Officer's Representative (COR) for contracts relating to redress activities. The COR designates a Contracting Officer's Technical Representative (COTR), generally the managing attorney for each redress case, and delegates responsibilities accordingly.

The FTC is currently under contract with two claims administration firms to manage and distribute the redress funds and is in the close-out phase of a contract with a third firm.(1) The most recent contracts let by the agency are for three years, on a fiscal year basis, beginning in 1998. In fiscal years 1998 and 1999, these three firms distributed approximately $26 million in consumer redress for FTC cases.

When case outcomes require the services of an FTC redress contractor, the managing attorney first contacts the RAO. The RAO, often in consultation with the managing attorney, selects the contractor.

At the beginning of a case, contractors are generally provided with the names of eligible claimants by FTC staff, court appointed receivers, or from the individuals/firms under the court order. On other occasions, a list of eligible claimants must be developed by the contractor from raw data (sales receipts, telephone logs, computer files, etc.) obtained or seized from the defendant, or from public notices appearing in newspapers and other mass media. For the cases reviewed by the OIG, the following claimant list construction scenarios were observed or identified to us by staff:

  • The FTC or other law enforcement agency seizes the claimant list from the premises of the defendant. A copy of that list is then provided to the contractor to make a redress distribution.
  • The contractor (second party) develops a claimant list from raw data. This list is used to make a redress distribution. It is available for FTC's review upon request.
  • A subcontractor (third party) hired by the contractor (second party) prepares a claimant list from raw data, and provides the list to the contractor to make a redress distribution.
  • The defendant prepares the claimant list and distributes the redress (a.k.a. a responsible party redress distribution).
  • The defendant provides a list of its customers to the contractor who determines eligibility and often, although not always, makes a distribution.
  • Court-appointed receivers seize claimant lists or raw data when marshaling assets. Usually FTC staff accompany such seizures and is provided a list of potential claimants by the receiver.

Generally, consumers must provide some "proof of purchase" to the contractor, but the extent of this proof varies, depending on the age of the scam, the nature of the product, and/or the condition of the defendant's sales records. The evidence required usually consists of a canceled check, credit card receipt, product invoice or the product packaging.

Claimant identification is, in many respects, the most vulnerable part of the redress process because of the opportunity to add names or otherwise modify claimant lists by contractor staff or defendants assigned the responsibility to manage all or part of the redress process. A claimant list produced or seized by the FTC and maintained by the FTC (an attorney list of claimants or an original claimant list) enables the agency to exercise control over the distribution of funds because agency staff, with minor exceptions, has the ability to identify the universe of claimants; i.e., the agency could cross check canceled checks against its claimant list. Any individual issued a check should be on the original claimant list. A check issued to an individual not on the list would be suspect.(2) Whether this check is actually performed on all distributions is of secondary importance. The contractor or defendant would not know which distributions would be selected for audit. Hence, the element of risk for the contractor or the defendant serves as a deterrent to fraud.

On the other hand, a claimant list prepared by a contractor (i.e., the contractor list of claimants), a defendant or a third party hired to construct a list from raw data diminishes the agency's ability to exercise control because agency staff are either (i) not directly involved in the identification of potential claimants, or (ii) do not know the universe of potential claimants. As a result, a contractor employee could, for example, add or replace a name on a claimant list with the name of an individual acting in concert with the contractor employee without fear of detection. That individual would then receive one or more redress checks. Comparing the contractor's list of claimants (not the original list of claimants) to canceled checks would only serve to verify that the contractor-identified claimants matched with the names on the canceled checks.

With the widespread use of automated record keeping, one of the most vulnerable scenarios - that of a third party constructing a claimant list from receipts, invoices, and other paper records - has virtually disappeared. Most consumer lists are now computerized; typically agency staff download computer files on to diskettes or remove hard drives containing claimant data. Although not risk-free, computer generated records enable the agency to maintain a strong element of control that was absent when, due to the sheer volume and condition of some paper copy files, reliance on other parties to prepare the consumer list was a necessity.

Vulnerabilities also exist with defendant-prepared lists, especially in those instances where the amount of the judgment is based on the number of claimants identified by the defendant. The incentive in these situations is to reduce liability by under reporting consumer injury. When monetary judgments are fixed; i.e., not dependant on defendant-provided claimant data, risk of under reporting legitimate claimants is reduced, but an incentive still exists to "salt" the list, e.g., add or substitute names of fraudulent claimants (e.g., family, friends, etc. of the defendant) to ultimately reduce the defendant's liability. In either case, without a presence in this phase of claimant identification, the FTC must rely on the defendant's veracity rather than on independent controls.

Receiver-prepared lists are a low vulnerability risk to the FTC to the extent that the FTC accompanies the receiver when company offices are secured and obtains a list of claimants from original source documents used by the receiver to develop the claimant list. FTC attorneys also receive the receivers' final report which provides information on claims distribution. Receivers often use one of the FTC contracted claims administration agents, so access to bank statements and canceled checks is possible. On the other hand, to the extent receivers and/or FTC staff do not verify claimant lists against canceled checks, the vulnerability to fraud is increased.

Objectives, Scope and Methodology

The objectives of this financial-related audit are threefold: (i) document the data collection and/or construction methods used to develop claimant data from fraudulent companies by agency staff and its contractors/subcontractors; (ii) identify what, if any, vulnerabilities might exist pertaining to these methods that could lead to the payment of either erroneous or fraudulent claims. Critical elements of this process are the identification of the individual(s) responsible for list preparation and control of the list once developed; and (iii) audit a sample of distributions determined to be high risk to assess whether redress checks were issued to any individuals other than rightful claimants.

The OIG identified 28 cases closed in fiscal year 1998 from case reports prepared by the agency's redress administration contractors with total claims paid of approximately $7 million. For these 28 cases, we attempted to (i) obtain a claimant list, (ii) ascertain claimant list construction methods used by staff, and (iii) identify cases for detailed audit based on their vulnerability to fraud.

To assess each redress distribution's vulnerability to fraud, the OIG developed the following criteria:

  • The dollar value of checks issued. The larger the dollar value, the more vulnerable the distribution. Conversely, distributions consisting of small dollar checks are low risk because several checks would have to be cashed to make the payoff worth the risk. The OIG deemed distributions with average check values above $1,000 to be high risk.
  • Location of original claimant list. If the FTC is in control of the original claimant list, the likelihood of fraud is reduced because the agency could compare canceled checks against the list. Any payee on a canceled check and not on the final attorney-approved list would be suspect. Lists prepared by a second or third party could be tampered with without the FTC's knowledge. The OIG deemed all distributions where the FTC was not in control of the original claimant list to be high risk.
  • Responsible party distributions. We noted select distributions where the defendants liability was determined by the number of claimants identified by the defendant. Even when the judgment is fixed, the opportunity to "salt" the list; i.e., add names, exists. Individuals could cash checks and return some or all of the money to the company. The OIG deemed responsible-party distributions to be high risk.
  • Prior knowledge of redress by claimants. In many of the cases we reviewed, the claimant knew in advance that s/he was about to receive a redress check. Oftentimes, the claims administration contractor will need to assess eligibility and ask the claimant for what amounts to "proof of purchase." The claimant is then expecting a check and will likely complain if one does not arrive when expected. In other cases, consumers learn of their redress check only when it is received by them in the mail. The OIG deemed distributions where consumers had prior knowledge of the distribution to be low risk.
  • Receiverships. For the purposes of this review, the OIG considered receivers as fulfilling their fiduciary responsibilities to the court honestly. On the other hand, we learned from attorneys that receivers spend little time reviewing outcomes, i.e., canceled claimant checks against original claimant lists. Hence, we considered cases in receivership as moderate to high risk for this reason.

On the 28 cases selected, 10 cases had original attorney lists that could be used to perform a detailed audit. Of the remaining 18 cases that were not considered for detailed audit, the following conditions were observed:

  • List not available at FTC. Generally staff with knowledge of the list no longer worked at the FTC, and other staff could not produce a list. (7 cases)
  • List developed primarily by contractor and the integrity of the list could not be guaranteed. (5 cases)
  • List developed by defendant and the integrity of the list could not be guaranteed. (3 cases)
  • List developed by receivers and not (currently) maintained at the FTC. (3 cases)

Based on our remaining sample of 10 cases, we selected five (5) for detailed audit. The other cases were not selected because they were either judged to be low vulnerability cases due to the dollar amount of the redress checks issued or the number of claimants receiving a check. Others had already reviewed by RAO.

For four of the five cases selected for audit, we obtained canceled checks, bank statements and final reports from the redress administration contractors and/or their respective banks. In the fifth case, we could not complete detailed audit procedures because the agency was awaiting a final report from the receiver which had not been received by the close of our fieldwork.(3) For the cases we did review, the average dollar amount of checks ranged from $626 to $1,193 per case. The number of checks distributed ranged from 151 to 396.

In addition to interviewing case attorneys, we met with staff in the agency's Redress Administration Office to discuss its policies and procedures for ensuring the integrity of the redress administration process, and to follow up on recommendations made in prior audits regarding the establishment of controls to ensure the integrity of the claimant payment process. We also interviewed staff from the agency's claims administration contractors to better understand controls in place to monitor claimant identification and claims disbursement.(4)

Our review was performed from August through November 1999 in accordance with generally accepted Government Auditing Standards. Without exception BCP staff greatly assisted our review.

Findings

The OIG review of claimant list construction vulnerabilities found that the agency has taken steps to reduce the vulnerability to fraud in the payment of redress. However, we also noted areas where improvement is possible.

The RAO, since its inception in 1991 has made strides in centralizing the claims management / contract administration functions. For example, contractors now produce monthly reports that show the disposition of redress funds, including funds deposited, interest earned, claims paid, expenses, and funds returned to the FTC. These reports are reviewed by RAO and attorney staff to track the progress of consumer redress payments.

But while monthly reports go a long way toward establishing financial accountability, it is crucial that the support behind the numbers be verified by an independent reviewer. For example, while the monthly redress reports may accurately show that $100,000 in redress was distributed, they provide no assurance that only authorized claimants were paid. To address this issue, the RAO cross checks a small sample claimant checks against the attorney list of claimants. Bank statements are tied to the monthly redress reports, and check numbers are randomly selected from bank statements. All original canceled checks are mailed to the RAO with a sample compared to the original claimant list for the case.

For this procedure to be effective, the RAO must have possession of the original claimant list. Yet the OIG noted that 36 percent of the cases in our sample did not have an original attorney list at the FTC. Until February 1999, lists were not required to be sent to the RAO for filing. Further, another 28 percent of the cases in our sample had lists that could have been compromised without the knowledge of the FTC. In all of these cases (36 percent and 28 percent), if claimant checks were mailed to an individual or individuals working in concert with an unscrupulous contract employee to divert funds, or the defendant "salted" the claimant list or deleted names from it, the likelihood of being discovered would be virtually nil.

Some attorneys we spoke with told the OIG that they do not view their role as verifying the integrity of the claimant distribution process. Regarding claimant identification, they are primarily involved in the seizure of claimant data or the negotiations behind settlements where sales records are provided, and approval of questionable claims. Attorneys told us that they rely on the RAO to monitor the contractors.

The agency's redress administration contractors have "in-house" controls to guard against errors on claimant lists (e.g., duplicate claims, repeat addresses, etc.) that could also identify fraud committed by their employees. However, these controls, according to one contractor employee, are not designed to catch individual check fraud; i.e., employees would have to "get greedy" to risk detection.

Court-appointed receivers also perform claimant identification procedures. Although we did not review their controls to ensure the integrity of the process, we found, based on staff comments, a varying degree of oversight by receivers over claims distribution. All FTC staff we spoke with told us that it is unlikely that receivers cross check canceled claimant checks to original source documentation. Essentially, if the FTC doesn't do it, it just is not done. Although staff told us that receivers are generally cooperative with FTC staff in sharing information, we noted that not all receiver reports were maintained by the agency and that some receivers are slow in providing their interim and final reports on the receivership which provides details on the redress distribution. Recognizing the limitations in agency control over receivers once they are appointed by the court, some FTC attorneys have suggested language in the final order limiting the amount of time receivers have to file the final report.

The FTC relies on the integrity of the defendant to provide accurate and complete data regarding potential claimants when defendants prepare claimant lists. The FTC does take steps to review the accuracy and completeness of the information, but few procedures would detect an under-reporting of sales/customers unless the FTC received such data from the company prior to, or at the very beginning of, settlement negotiations, enabling the FTC to check, and possibly question, claimant deletions or additions made subsequent to the final order. Unfortunately, some defendants may be inclined to under-report sales to reduce their liability, as some monetary judgments are based on this information. The FTC has, on occasion, established a presence prior to or during the early stages of settlement at the defendant's premises to help ensure the integrity of the customer list.

The OIG was unable to audit some of the distributions that we believe were the most vulnerable to fraud because of a lack of documentation (i.e., claimant lists) existing at the FTC. On other cases, we could not determine the extent of vulnerability because staff familiar with the claimant list construction method used were no longer at the agency. Due to the often compartmentalized nature of case administration, many current FTC attorneys who worked on a case were not aware of how the very narrow aspect of claimant identification was performed, and often did not have access to the claimant list. This points out the importance of securing the original claimant list in a central location to ensure that should claimant eligibility issues arise at a later date, they can be timely and accurately addressed with original source documents without necessarily requiring the assistance of staff who may or may not still be with the agency. For the cases we did audit, we found some inconsistencies but no contractor wrongdoing.

Finding #1. Attorneys rely on RAO and agency redress contractors to ensure claimant verification

Generally, attorneys are actively involved in the identification of claimants. Many case managers we spoke with generally had a good recollection of how lists were developed, and maintained an original copy of the list years after the final order was filed. However, the OIG found that attorneys were not always provided an original claimant list (especially in the responsible party judgments), and others with specific knowledge of the process left the agency for other professional opportunities, and knowledge or awareness of an original claimant list often left with them. On 36 percent of the cases in our sample, the OIG could not determine whether an original list was maintained.(5) Without this original list, neither the OIG nor the RAO can cross check canceled checks to verify the integrity of the contractor's claims process.

Attorneys we spoke with placed a great deal of reliance on controls with the RAO and with the contractor to ensure the integrity of the claimant lists. Virtually all attorneys we spoke with told the OIG that they do review monthly contractor reports to identify the amount of redress distributed on a case, while only a few said they "spot check" names on the contractor's claimant list against their original list.(6) Many said they leave the oversight to the RAO.

Other attorneys we spoke with placed a great deal of confidence in the agency's redress contractors and their in-house controls. Although the OIG did not audit these controls, we learned in prior audits that their existence and effectiveness vary by contractor. In a prior audit entitled Review of the Redress Administration Office's Oversight of Contractors, (AR 96-032) the OIG noted that one individual was in control of all or most of the major functions associated with claims notification, eligibility determination, claims disbursement, and reporting redress activity at each location. This lack of separation of duties puts the individual in a position to both perpetrate and conceal errors or irregularities in the normal course of his or her duties. RAO staff told the OIG that in the three years since this audit was completed, changes have been made to address these vulnerabilities. While we do not doubt staff's assurances, we continue to believe that it is in the best interest of the agency and consumers for attorneys to rely less on external controls and more on in house or internal controls.

Some attorneys questioned the motivation of the contractor to commit fraud, risking not only its relationship with the agency, but also the law, by adding fraudulent claimants to lists. While we agree that the contractor would have a great deal to lose in such a gamble, the contractor employees, many of whom are processing clerks, may assess the risk at an acceptable level, especially once they are familiar with the claims process and the contractor's review procedures. Further, many of these employees would likely be unaware of controls in place at the FTC to spot fraud, and thus would not be deterred.

Because the attorney's oversight activities are unlikely to detect fraud, and the extent of reliance the attorneys place on contractor integrity and RAO imposed controls, it is imperative that RAO have the materials it needs to perform such oversight.

Finding #2. Claimant lists are not routinely provided to the RAO.

The RAO has taken steps to tighten controls over the claimant lists. In addition to establishing a policy to spot check selected distributions, and communicating this policy to its contractors, in February 1999 the RAO issued guidance to BCP case managers asking them to submit their original claimant lists to RAO when the case is assigned to a redress contractor. However of 17 case files reviewed in RAO nine months later, we found only two attorney lists on file. Five claimant lists had been sent to the contractor without a copy provided to RAO. For the remaining 10 cases, RAO staff could not provide specific reasons for the absence of each list. According to RAO, some did not have claimant lists constructed yet because they involved a large number of defendants, although all reasons for the missing lists were not known. No follow up was made to these attorneys regarding transmittal of the list prior to the OIG inquiry.

RAO's reliance on attorneys to produce original claimant lists "upon request" has produced unintended results that has weakened RAO's oversight procedures. On one case, an attorney seeking to answer RAO's request for a claimant list simply contacted the contractor and asked for a copy of the contractor's list, which the attorney then dutifully provided to the RAO. Auditing against this list would not identify fraud if it had occurred; e.g., the integrity of this list could have easily been compromised while in the possession of the contractor.

To ensure efficiency and claimant list integrity, it is better for RAO to control original claimant listsbefore they leave the agency; e.g., before the lists are provided to the contractor. This ensures that staff attrition will not impact RAO's oversight, and decisions on which cases to audit (by RAO) will not be subject to list availability.

Finding #3Defendant prepared lists provide little opportunity for FTC oversight.

On three cases reviewed by the OIG, a customer list developed by the defendant was provided to the FTC or its contracted redress agents. In two of these cases, the defendants also made the distribution to consumers. Claimant data provided by the defendant is more difficult to validate after the fact than at the time the data is first developed. Further, in these cases the number of claimants identified by the defendant ultimately determined the defendant's liability. When the amount of the judgment depends on the number of consumers who will receive redress, defendants may be tempted to reduce the claimant list to reduce their financial liability.

The OIG found that the FTC exercises little oversight over the construction of the claimant list in self administered distributions, and only rarely maintains a direct involvement in the development of a list.

One FTC attorney we spoke with recognized the inherent vulnerability and decided to visit the defendant early on in the claimant list development process. He told the OIG that his visit served to remind the defendant that the FTC was watching. This attorney told the OIG that he requested customer data pre-settlement before terms, conditions and liability were discussed to lessen the likelihood that the defendant would add or remove names from the final claimant list at settlement. Staff we spoke with generally recognized the importance of overseeing the development of the claimant lists, but stated that given the time and expense to perform such oversight, little is done.

While the FTC is only occasionally involved at the front end of the claims identification process on responsible party distributions, it does exercise oversight by reviewing compliance reports submitted by defendants detailing the claimant construction methods and the distribution if self administered. On one of the three responsible party cases reviewed by the OIG, we found that FTC oversight netted consumers an additional $240,000 over what the defendant had originally paid out. Although this outcome was a result of calculation errors and not irregularities found in the claimant identification process, it does illustrate the importance of closely monitoring self administered redress performance.

Finding #4. Few cases auditable because of a lack of documentation. No wrongdoing found in the four cases that were audited.

The OIG assessed the vulnerability of 28 cases to select those we perceived to be vulnerable to fraud or other wrongdoing, based on criteria we developed. (See pgs. 4-5 of this report.) The OIG noted that 36 percent of the cases in our sample did not have an original attorney list at the FTC. As noted previously, lists were not required to be sent to the RAO for filing until February 1999. Further, another 28 percent of the cases in our sample had lists that could have been compromised without the knowledge of the FTC. As a result, 18 cases, or 64 percent of the cases in our sample, some of which were determined to be high vulnerability distributions by the OIG, could not be audited. The remaining 10 cases were auditable.

We selected five of the 10 cases to audit that we determined to have high vulnerability to fraud. However, on one of the five cases, we could not complete the audit before the end of our fieldwork because the receiver had not submitted his final report to the court. (See footnote #3). Review of this case awaits submission of the receiver's final report as our audit starts with the names of consumers paid redress. This report contains, among other information, the amount of redress distributed and the names of consumers receiving redress in cases where the receiver handled the distribution to consumers. Without this report, the OIG could not compare canceled checks to an original claimant list.

For the four distributions that we did review, all discrepancies that appeared to indicate a problem were resolved by the audit team. There were no findings of contractor wrongdoing.

Conclusions and Recommendations

The identification and payment of claims involves a process that is susceptible to fraud and acts of wrongdoing at many junctures. The lure of a large check at little perceived risk may be too powerful for some to ignore. Or, the opportunity for a defendant, who is already facing huge fines, to lower his liability to consumers by thousands of dollars by simply removing names from a customer list, again with little to no perceived risks involved, could lead to wrongdoing.

If the agency is to reduce these vulnerabilities and maintain adequate control over claims identification and administration, the agency must maintain control of the original claimant lists. The current process to maintain this control is decentralized. When claimant-related questions arise or a list is needed for audit purposes by RAO, staff are contacted. Individual case managers hold on to their claimant lists and (some) eventually store them at the Records Center in Suitland, MD with other case-related documentation. Further, attorneys occasionally leave the agency for other opportunities, and knowledge of the existence of the original claimant lists leaves with them, unless this knowledge is imparted on to their colleagues. It sometimes is...often it is not.

To address this vulnerability, the RAO issued guidance to BCP attorneys asking that they submit copies of their original claimant lists to the RAO at the time the list is provided to the contractor. However, the OIG review of RAO case files for the period after which the guidance became effective found little compliance. There is no enforcement mechanism, other than the persistence of RAO staff, to ensure that all lists make it into the RAO files. This observation, when juxtaposed with attorneys' admitted reliance on RAO for oversight of contractors reveals that, at a minimum, RAO does not have all of the documents it needs to fulfill its oversight responsibilities. BCP management must ensure that original claimant data exists for each open case within the agency and fully support the RAO in enforcing its policies to ensure compliance by staff attorneys. When the sole depository for claimant data lies outside the agency (e.g., with a contractor or responsible party defendant) there is opportunity for the custodian of this data to add or delete names to mask wrongdoing. An audit of this data would be fruitless.

During audit fieldwork, the OIG provided RAO staff an interim briefing which included a discussion of this vulnerability, and discussed ways to ensure original claimant lists are provided to, and maintained by, the RAO. As a result of this meeting, the RAO immediately instituted changes to bring about this outcome. These changes, identified below in the first OIG recommendation, should provide the necessary controls to ensure that the RAO has the original source documents it needs to adequately perform its oversight function.

Early involvement in the list development is critical, whether it involves being on the premises when the list is seized, maintaining a presence with defendants involved in responsible party distributions, or during list preparation activities on defendant-prepared lists. Without an original list, the agency seriously limits its ability to detect wrongdoing involving alteration of claimant data. The second OIG recommendation seeks to bring about this early involvement in all cases where such presence is permitted.

In conclusion, because of the limited number of original claimant lists available for audit, the OIG cannot (other than for the four cases audited) provide any assurance that only rightful claimants are receiving redress payments.

To address the findings discussed above, the OIG makes the following recommendations to the Director, Bureau of Consumer Protection:

Recommendation 1. The OIG recommends that the claims administration contractors be instructed to accept only attorney lists of claimants from the RAO thus ensuring that the unit will have an original copy of all lists for oversight purposes.

OIG Analysis: In discussions with RAO staff regarding past problems securing the attorney list of claimants, staff agreed with Recommendation 1. and informed the OIG that it had been implemented when first brought to the RAO's attention.

Recommendation 2. The OIG recommends that, in cases where defendants will be providing claimant information to the FTC for its use in determining redress, attorneys seek, through negotiation with the defendant, (i) a copy of the claimant list prior to final judgment and (ii) agreement to oversee the construction of the final claimant list.

OIG Analysis: This recommendation identifies a practice used on occasion by some FTC attorneys to establish a presence early on in the claimant list development process with defendant-prepared claimant lists. Such presence, in the opinion of the OIG, helps to ensure that criteria for determining claimant eligibility is applied without intentional or unintentional bias by the defendant, who has a financial stake in the size and composition of the claimant pool s/he is responsible for developing.   One FTC staff attorney who obtained a claimant list months before the final order told the OIG that he did so because of suspicions that the defendant might modify the list once it knew the criteria to determine its liability to consumers, which would have been identified in the final order. Another FTC attorney told the OIG that he visited the defendant simply as a reminder that the FTC was watching.

Endnotes:

1. As of September 30, 1999, this "third" firm was managing five FTC cases with funds totaling $1.8 million.

2. The attorney list of claimants refers to the universe of potential claimants which was obtained by FTC staff prior to any eligibility determinations by the contractor. A contractor list of claimants refers to a list with only eligible claimants. It is rare that a redress check will be made to an individual not on the attorney list of claimants.

3. The final order was signed by the court on January 16, 1996. As of November 30, 1999, a final report had not been filed by the receiver. According to the FTC attorney assigned to the case, there were less than 200 customers receiving redress. Audit of this distribution will be completed after submission of a final report by the receiver.

4. We did not visit the claims administration contractors to assess their on-site controls, although we did discuss these controls with the two current contractors to learn how each guards against check fraud.

5. On 25 percent of the cases, staff originally assigned to the case were no longer at the FTC. On an additional 11 percent of the cases, a court-appointed receiver developed the list and the list was not (currently) maintained at the FTC.

6. Comparing lists as some attorneys do does little to ensure the integrity of the contractor's claimant list. A contractor employee would be unlikely to document a name substitution on an official list of claims recipients provided to the FTC.