Cross-agency group explores where government should go next with identity verification

A cross-agency group released a report and simulation tool on how the government can address identity fraud in government programs. One big takeaway: it’s complicated. 

The Joint Financial Management Improvement Program report identifies trade-off considerations for different identity solutions and frameworks, and it comes with a simulation tool from the Government Accountability Office to show how decisions about identity verification affect government programs in ways that extend beyond fraud levels alone.

JFMIP, a cooperative venture between the Treasury Department, the Office of Management and Budget, the Office of Personnel Management, and the Government Accountability Office, based the report on panel discussions with more than 20 experts. The report represents the first stage of a two-part initiative started in 2020 on identity verification and improper payments in government programs. The group also plans to conduct targeted studies on the effects of different identity verification controls.

This report comes as the government is grappling with an increase in identity theft. Improper payments — which include identity theft and other types of incorrect payments — shot up by at least $75 billion between fiscal year 2020 and 2021.

As agencies look for solutions, the hope is that the report and simulation tool inform more nuanced conversations about identity verification by showing the “trade-off considerations” that agencies should consider, said Taka Ariga, GAO chief data scientist and director of the GAO Innovation Lab.

“During the pandemic, a lot of agencies at the federal and state and local levels had sort of rushed out there implementing a number of digital solutions” without necessarily thinking through “all the sort of trade-off decisioning that they have to make along the way,” he said. “There are anecdotal examples where agencies have implemented with a pretty significant level of buyer's remorse.”

The simulation tool, powered by 1,000 synthetic applicants to a hypothetical benefits program, is intended to illustrate the interconnected aspects of a program affected by identity verification tools.

Changing inputs like whether all applicants go through the same identity verification process and how their data is protected affect how many legitimate applicants get through and how many are blocked, how many incorrect payments are made and what those interacting with the program think about it, as well as cost.

Beyond individual agencies and programs, the report also explores how centralized a government-wide identity credentialing framework should be.

Many panelists suggested a federated framework, the report states, where program offices can use third-party credentials for identity verification, and citizens choose what service provider they want to use.

Several panelists also suggested a shift to a more risk-based approach.

Instead of requiring the same identity verification controls for everyone that interacts with a program, agencies could use data to power a “risk-based transaction management system.”

Transactions deemed riskier by predictive modeling – or statistical techniques that find patterns or criteria associated with a certain transaction being more likely to be fraudulent –  would get more scrutiny. 

The idea is that this would push agencies beyond the so-called “pay and chase” approach where incorrect payments are recovered after they happen, a model the report says both GAO and OMB have urged agencies to move away from by using more preventative measures.

“We need to evolve identity verification practices across the federal government,” said Jordan Burris, former chief of staff in the White House Office of the Federal CIO, panel participant and senior director of public sector product market strategy at identity verification company Socure. “There has to be a better alignment and approach that’s being taken, and much of what they called out are practices that are being implemented in the private sector today.”

But moving to a federated identity framework or a more risk-based approach could require things like funding, data and policy changes. 

One place to watch is the National Institute of Standards and Technology, currently remaking its 2017 Digital Identity Guidelines that govern technical requirements for identity services. 

Experts said that the agency might consider baking in a more risk-based approach “that would better allow program offices to adapt to their specific assessed levels of risk.”