This section will provide you with information on how you can minimize the risk of misuse or fraud in your GSA SmartPay travel program. The most important thing you can do is to be aware of what activity is occurring on the accounts under your purview. Do not be afraid to ask account holders questions if you identify unusual or suspicious transactions or behavior.
What control mechanisms do program coordinators have to assist in managing the GSA SmartPay program?
Risk mitigation controls, policies, and practices are critical tools for ensuring the efficiency and integrity of payment solution programs by eliminating payment delinquencies, payment solution fraud, misuse, waste, and abuse. P.L. 112-194 and OMB Circular A-123 Appendix B places a great deal of emphasis on risk management, and the contractor bank shall support goals to manage risk, which include:
- Developing an efficient approach to risk identification, analysis, and mitigation;
- Suggesting and sharing industry leading practices;
- Developing and suggesting internal controls;
- Assisting in the development of risk mitigation policies;
- Providing agencies/organizations with exception reports that flag high risk transactions; and
- Assisting agencies/organizations and GSA in the communication of policies to account holders.
Program coordinators may proactively implement controls to prevent or minimize the occurrence of delinquency. Controls are used to ensure proper use of the card and reduce risk to all parties (the account holder, the agency/organization and the contractor bank). These controls are often referred to as authorization controls.
Authorization Controls include:
- Default Limit: Standard commercial default limits suggested by the Contractor during card/account set-up that may be changed by an agency/organization.
- Dollars per Transaction Limit: Restricting the dollars per single transaction that can be spent on each card/account as set by the A/OPC.
- Dollars per Month Limit: Restricting the dollars per month that can be spent on each card/account as set by the A/OPC.
- Transactions per Day Limit: Restricting the number of transactions per day on each card/account as set by the A/OPC.
- Transactions per Month Limit: Restricting the number of transactions per month on each card/account as set by the A/OPC.
- Merchant Category Code (MCC): Restricting the types of purchases made by each card/account as set by the A/OPC. Purchases are restricted depending on the type of merchant (identified by the merchant category code).
- Preferred Supplier Listing: Each account may be restricted from making purchases at certain merchants; straight-through processing (STP) or virtual accounts may have established relationships with a specific supplier.
- Preferred Supplier Listing Threshold: Each account may be restricted to certain dollar thresholds and preferred suppliers.
- Automatic Controls: Controls that flag and deny invalid cards (e.g. lost, stolen, suspended, canceled).
- Mass Changes: The ability for the A/OPC to make changes on a large number of accounts (to meet contingency operations such as natural disasters).
- Information Adjustments: The ability for the A/OPC to adjust account information based upon hierarchy levels.
- Activation/Deactivation on Demand: The ability for the A/OPC to activate/deactivate multiple accounts upon demand or activate/deactivate automatically based upon established business rules provided by the agency/organization at the task order level. No transactions shall be authorized on a deactivated account.
- User Account Recognition: The ability to uniquely identify and authenticate an account user before processing card-not-present transactions. The transaction processing shall support a two factor authentication where one of the factors is provided by a device separate from the computer gaining access. The concept to tie the financial authorization process with an online authentication.
- Card-Not-Present Notifications: The ability to notify the agency/organization on card-not present transactions.
When appropriate authorization controls are combined with effective oversight and consistent enforcement of agency policies/procedures, the result is a well-managed program. While there can be a cost to implement certain controls, the costs should be balanced against the benefits received by reducing delinquency and misuse.
What tools are available to assist agencies in minimizing instances of misuse and fraud?
Program management tools include:
- Credit limits - Credit limits restrict single travel, daily, weekly, or monthly expenditures by the account holder. In accordance with agency/organization policy, an A/OPC may set the limits which best meet the agency's needs. Setting limits that are realistic, but not excessive, will deter account holder misuse. By reviewing account holder spending patterns, you may be able to lower limits without disrupting the agency's mission. A/OPCs also have the authority to raise limits at any time in response to emergency or unforeseen situations.
- Merchant Category Code (MCC) Blocks - Merchant Category Codes (MCCs) are established by the associations or contractor banks to identify different types of businesses. Merchants select the codes best describing their business. You may limit the types of businesses where the account will be accepted by limiting the MCCs available to the account holder. The contractor bank has established sample templates that may assist you in determining which MCCs should be restricted. In the event that an account holder needs to make a travel purchase outside of his/her restricted MCCs, A/OPCs are authorized to override the restriction for a transaction by contacting the contractor bank's Customer Service Representative. Agency/organization policy should specify who is authorized to perform overrides.
- Online Reports - A/OPCs have access to many standard and ad hoc reports online through the contractor bank’s EAS.
- Account Deactivation - In those instances when the travel account is not needed on a continuous basis, deactivation of the account may serve as a deterrent to fraud and/or misuse. You may deactivate the account when an account holder is not using or is not planning to use the travel account. By understanding the account holder's need and use of the account, you can work with the account holder to establish deactivation guidelines. Deactivation and reactivation can be completed through the bank's EAS or by calling the bank's customer service phone number.
- Guides - The banks have developed written guides for A/OPCs and account holders, as follows:
- A/OPC Guide - This guide addresses issues of concern to the A/OPC, including responsibilities of program participants, account setup and maintenance, account suspension/cancellation, disputes, reports and invoicing procedures. The guide is available from the banks in hard copy and/or electronically.
- Account Holder Guide - This guide addresses authorized uses of the travel account, disputes and billing.
How do these tools make it easier to audit and manage the use of travel accounts?
By providing electronic reports and transaction files, auditors and agency/organization program managers have immediate access to information such as merchant name, type of merchant, dollar amount of transaction, and date of transaction. These tools make it easier to identify questionable transactions and follow through to ensure that the transactions were proper. In some instances, merchants also provide line item detail of transactions, including quantities, prices and product descriptions. GSA continues to work with the associations to increase availability of line item detail.
Are credit checks required for account holders?
According to the Financial Services and General Government Appropriations Act of 2010, specifically Section 738 of the Act, states that “each executive department and agency shall evaluate the creditworthiness of an individual before issuing the individual a government travel charge card.” Agencies have to complete this evaluation by using a consumer report from a consumer reporting agency and follow the guidelines outlined in the Fair Credit Reporting Act. These procedures must be followed when issuing a travel account to a new account holder. The result of the creditworthiness check will determine whether or not you can issue a travel account to a new account holder. An account holder that does not have a history of credit or has an unsatisfactory history of credit may not receive a travel account. These account holders, however, may still receive a restricted charge in accordance with agency policies and procedures. OMB Circular A-123, Appendix B also addresses this topic in detail.
Section 738 also requires that executive departments and agencies develop guidelines and procedures for disciplinary actions to be taken against agency personnel for improper, fraudulent, or abusive use of government accounts.
What are the consequences of account holder misuse or fraud?
Misuse/ Abuse is the use of a travel account for activities other than official Federal Government travel and travel-related expenses.
In most instances, the A/OPC is the first point of contact when misuse/abuse is suspected. Account holder activity should be monitored regularly to identify possible misuse/ abuse. Some activity may appear questionable upon initial review, but with further investigation it may be determined a valid federal government travel related expense.
Examples of misuse/abuse may include:
- Personal use;
- Use of the travel account for someone other than the specific account holder;
- Use while not on official government travel;
- Purchases from an unauthorized merchant;
- Excessive ATM withdrawals; and
- Failure to pay undisputed amounts on time.
Consequences for misuse/abuse may include:
- Travel account cancellation;
- Suspension of employment;
- Termination of employment; and
- Criminal prosecution.
Please note that it is up to your agency to provide agency-specific penalties and consequences for misuse/abuse of the travel account.
What should I do if I suspect misuse of the travel account?
A key responsibility for most program coordinators is to detect and report suspected misuse. If you are required to report suspected misuse, make sure you have all the information necessary to assist with a formal inquiry or investigation. Contact the account holder to obtain any information that could explain questionable charges. If the account holder provides documentation or an explanation regarding the charges and you still have questions or concerns about it, compile all the information (e.g., statement, exception report, documented contacts between you and the cardholder, copies of receipts, etc.) before you report it. Your agency/organization may ask you to report suspected misuse to one or more of the following personnel:
- The account holder's supervisor;
- The Human Resources Office;
- The Office of Inspector General OR the Office of Special Investigations
Always follow your agency's policies and procedures when handling cases of suspected misuse.
Fraud is a deception deliberately practiced with the motive of securing unfair or unlawful gain. Fraud can be an attempt to cheat the Federal Government and corrupt its agents by using GSA SmartPay payment solutions for transactions not part of official government business. Like any deception, fraud has its fair share of victims.
Some of the different types of fraud include:
- Counterfeit Accounts — To make fake cards, criminals use the newest technology to “skim” information contained on magnetic stripes of cards, and also to pass security features (such as holograms).
- Lost or Stolen Accounts — Often physical cards are stolen from a workplace, gym or unattended vehicle.
- Card Not Present (CNP) Fraud — Internet fraud occurs whenever account information is stolen and used to make online purchases. Usually, a merchant will ask for the CVC code (located on the back of the card itself) to help prevent this type of fraud.
- Phishing — Phishing occurs whenever an account holder receives a fake email directing him or her to enter sensitive personal information on a phony website. The false website enables the criminal to steal information from the account holder.
- Non-Receipt Fraud — This occurs whenever new or replacement cards are mailed and then stolen while in transit.
- Identity Theft Fraud — Whenever a criminal applies for an account using another person’s identity and information
What is salary offset?
The Travel and Transportation Reform Act of 1998 (Public Law 105-264) mandates the use of the Government contractor-issued travel account for all employees on official Government business. The Act allows an agency to collect from an employee's disposable pay any undisputed delinquent amounts that are owed to a contractor bank, upon written request from the contractor. This is known as salary offset.
Each agency must follow the due process requirements of the Act as presented in the FTR before collecting undisputed delinquent amounts on behalf of the contractor bank. Each agency must reach agreement with its bank on the process to be used for submittal of the request and handling of the request internally.
Specific issues to be addressed by the agency include:
- Determining whether the individual is still employed by the agency;
- Determining whether the employee has been reimbursed for travel expenses;
- Determining the amount of disposable pay available for collection. Salary may be subject to other garnishments, etc;
- Payroll's ability to process the request and provide a payment to the bank;
- Legal compliance with the terms of the Act;
- Union notification, if applicable.
A multifunctional team will be required to implement this process. Depending on your organization's structure, this team would be comprised of the A/OPC and representatives from travel policy, payroll, human resources, labor relations and Office of the General Counsel. It is suggested that you work closely with your bank to establish a process that works for all parties.
What is split disbursement?
Split disbursement provides for payments to be made by the agency on behalf of the account holders. At the account holder's direction and in accordance with agency policy, disbursement is split. The bank receives a direct payment by the agency of the account holder specified/ claimed amount. The rest of the payment is disbursed to an account holder account or directly to the account holder. Large ticket items such as common carrier, hotel and rental car charges are commonly paid directly to the contractor bank on behalf of the account holder while other disbursements are paid to the employee.
Split disbursement is an effective tool to reduce delinquency and improve refunds paid to the agency. It will require coordination with the bank to ensure proper payments are made by the Government and properly posted to an account holder's account.