Design fraud resistant policies

Understand risks and red flags to consider when designing Commonwealth policies and programs, and get some key tips for designing fraud resistant policies and programs.

Poor policy design can lead to the creation of significant fraud vulnerabilities. While we can’t prevent all fraud, taking fraud into account when designing and implementing Commonwealth policies can help you put appropriate controls in place to frustrate most fraudulent actions and prevent systemic fraud.

Red flags to consider

Here are some risks and red flags that may lead to fraud vulnerabilities in policies:

• Policy is developed without enough consultation with the area responsible for its implementation – This can lead to implementation problems and control vulnerabilities, such as eligibility criteria that is difficult to verify.
• Policy is developed without any critical analysis of potential vulnerabilities – This can lead to vulnerabilities being ‘designed in’ to the program and systemic fraud. This sometimes requires the program to be scrapped or completely redesigned.
• The program is managed across different government portfolios, service providers and/or jurisdictions – This can lead to a lack of clear governance processes, oversight and accountability for risks and controls.
• The program requires someone to verify or authenticate their identity, particularly online – If not designed well, this can lead to identity fraud and significantly harm members of the Australian public.
• The program involves electronic claims, submissions, assessments, verification and/or payments – If not designed well, this can lead to systemic fraud, including sophisticated cyber fraud.
• The program provides help to vulnerable people – A program helping the vulnerable may not create a greater fraud risk, but defrauding the program could disproportionately harm those who rely on government services such as the elderly, the vulnerable, the sick and the disadvantaged.
• The program has low thresholds for verifying eligibility or evidence for payments – These programs are susceptible to common methods used by fraudsters, such as deception and fabrication. This can lead to systemic fraud.
• The program needs to be delivered quickly, such as in response to emergencies – This can often make it difficult to put in robust up-front countermeasures. Post-event assurance activity is integral to effectively managing payments in emergency management scenarios.
• The program overly prioritises user/client experience – This can sometimes come at the cost of effective controls to mitigate fraud losses. It’s important to remember: if you make it easy for the client, you might also make it easy for the fraudster.
• The program involves brokers and agents who may help others facilitate fraud – Professional facilitators, also known as criminal consultants, are increasingly being used to help defraud government programs.
• The program creates new opportunities for unregulated industries or expands a regulated industry to new providers – Experience shows us that this can quickly lead to systemic fraud. Fraudsters are diverse, dynamic and adapt quickly. Fraud is their profession; their expertise is to examine government programs and find creative ways to exploit those programs.

Key tips for designing fraud resistant policies and programs

• Understand that while the majority of people are honest, there will always be some dishonest people in society.
• Understand that organised crime and certain groups actively target government programs to exploit them.
• Undertake a fraud risk assessment as early as possible. A good assessment should help you identify exactly how someone will try to defraud the program. This will allow you to put appropriate controls in place to frustrate most fraudulent actions and prevent systemic fraud.
• Use established processes and relationships, rather than setting up new ones.
• Work with trusted partners to deliver services such as other government agencies, reputable non-government organisations and established businesses.
• Learn from previous experiences (including failures) of other programs, both internal and external to your entity, and implement adequate countermeasures to limit the opportunity for fraud to occur.
• Make sure policy, legislation and systems have appropriate safeguards against fraud.
• If sufficient evidence cannot be collected up-front, make sure processes are in place to collect it at a later date through post-event assurance or compliance activity.
• Be aware that countermeasures can be breached and therefore it is important to have clear response protocols as part of fraud prevention.
• Determine responsibility for fraud response especially in cross-entity or cross-jurisdictional programs.
• Build in measures to make sure entities are able to collect and share information about fraud, investigate suspected matters and establish criminal conduct such as:
  • measures to make sure entities can review current fraud prevention design as a whole
  • measures to make sure that the preventative measures being implemented are effective.
• Get advice from your entity’s governance/fraud/risk area or other fraud control experts regarding relevant fraud risks.
• Include advice on fraud prevention techniques and red flags in any policy or program development training for officials.