Necessary. Not Sufficient.
On Washington's new approach to fraud, and its limits
When the White House updates a regulation governing operational and financial controls, news outlets rarely clear the front page. So the Office of Management and Budget’s revised version of OMB Circular A-123, released earlier this week, will surely escape the attention of all but the closest observers of federal government.
But the new circular deserves attention, if only because it brightens the spotlight on fraud prevention in the government.
At first glance, the update looks like a meaningful shift. The circular explicitly emphasizes fraud, waste, and abuse as risks agencies must identify and manage. It directs agencies to consider fraud scenarios in their risk assessments, integrate fraud risks into enterprise risk management, and strengthen preventive internal controls.
In a government where fraud has long been treated primarily as a law-enforcement problem, that framing matters. The Government Accountability Office estimates the federal government loses up to $521 billion annually to fraud—losses that occur because public systems were never designed to defend themselves against organized, technology-enabled crime.
Recognizing fraud as a management risk is a necessary step.
It is not a sufficient one.
Still Siloed and Compliance-Focused
The mechanism Washington is using to implement this reform—Circular A-123—has historically functioned as a compliance exercise administered by Chief Financial Officer offices. That matters because the systems that determine whether fraud is actually prevented rarely sit in the CFO shop.
Eligibility rules, payment processing systems, identity verification tools, grant management platforms, and transaction analytics are typically owned by program offices or IT organizations. The financial management staff responsible for A-123 assurance statements often have limited authority over those operational systems. And without dedicated resources to build real fraud prevention capability, the CFO’s budget authority translates to limited operational influence over the systems where fraud actually happens.
The result is that many agencies experience A-123 not as a catalyst for program redesign but as an annual documentation cycle: risk assessments are conducted, control matrices are updated, assurance statements are prepared for OMB. The exercise can improve financial reporting discipline. It rarely changes the way federal programs defend themselves against sophisticated fraud.
This is the governance gap.
A structural reform that could materially strengthen fraud prevention would be the establishment of clear government-wide fraud leadership. Countries including the United Kingdom, Australia, and New Zealand have created centralized authorities responsible for coordinating fraud detection, analytics, and prevention across public programs. The United States still manages fraud largely program-by-program, with no single entity responsible for cross-government fraud strategy.
A more coherent approach would place that coordination at the center of federal fraud management—not to centralize program administration, but to ensure fraud prevention is treated as a government-wide operational mission rather than a fragmented compliance activity addressed separately within hundreds of individual programs.
Three additional realities the circular leaves unaddressed compound the problem.
The first reality is technology.
Modern fraud schemes operate at digital scale. Criminal networks exploit automated enrollment systems, stolen identities, botnets, and coordinated claims infrastructure. Defending against those threats requires agencies to deploy real-time analytics capable of identifying suspicious patterns before payments are released.
Most federal programs still rely on documentation-based, manual review processes or retrospective audits to identify fraud after money has already left. By the time investigators identify a scheme, the funds have typically been laundered and wired offshore.
Real-time detection systems—similar to those financial institutions use to screen transactions—can identify anomalies such as identity reuse across programs, coordinated application networks, or abnormal claims patterns before payments are made. Deploying those tools requires operational investment, data integration, and clear leadership accountability.
The revised circular states that management should prioritize preventive controls where possible and use detective controls where prevention is not feasible. But it stops well short of requiring agencies to deploy real-time transaction screening, network analytics, identity-resolution tools, or pre-payment risk scoring. Aspiration without mandate rarely moves federal agencies to act.
The second reality is the law.
Many of the most effective fraud prevention techniques require data matching across programs and agencies. Organized fraud rings don’t limit themselves to a single federal program—they often exploit multiple benefit systems simultaneously using shared identity infrastructure. Detecting those patterns requires seeing across programs.
Yet outdated federal privacy statutes often prevent agencies from conducting the kind of privacy-preserving record linkage necessary to identify coordinated fraud. Even when agencies recognize the risk, the legal authorities needed to share or match data across programs may not exist.
Executive branch guidance cannot solve that problem. Congress must modernize the legal framework governing federal data sharing to explicitly authorize secure, privacy-protective analytics across programs. Without that reform, agencies will continue to fight organized fraud with fragmented information—investigating each arm of an octopus without being permitted to see the body.
The third reality is incentives.
In most federal agencies, preventing fraud does not carry the same institutional weight as delivering program benefits quickly or obligating funds on schedule. Program managers are evaluated primarily on how efficiently they move money out the door, not on how effectively they prevent criminal exploitation of the programs they run.
That imbalance shapes behavior in predictable ways. Fraud prevention requires additional verification steps, investment in analytics, and the willingness to pause suspicious transactions—actions that slow program delivery and attract criticism when legitimate recipients experience delays.
Without explicit leadership accountability for fraud outcomes, the rational bureaucratic choice is to prioritize speed over prevention.
Independent oversight is where accountability enters the equation. For decades, the Government Accountability Office has served as the federal government’s most important watchdog for systemic weaknesses in program integrity. GAO’s estimates of annual fraud losses have done more to elevate fraud prevention as a national policy issue than any internal reform effort.
As the new A-123 framework is implemented, GAO will play a critical role in determining whether agencies treat the circular as a meaningful management reform or simply another compliance requirement. Independent scrutiny can reveal whether agencies are conducting genuine fraud risk assessments, implementing preventive controls, and investing in analytic capabilities—or merely updating documentation. That distinction will determine whether this revision matters.
Circular A-123 moves the conversation forward. Recognizing fraud prevention as a core management responsibility, rather than a law-enforcement afterthought, is the right frame. But it’s far from enough given the sophistication and scale of today’s fraud environment.
Stopping fraud at the scale the federal government faces will require real-time analytics, legislative reform enabling responsible data sharing, leadership accountability for fraud outcomes, and sustained oversight to ensure agencies treat prevention as a mission rather than a checkbox. Until those changes arrive, the United States will continue operating some of the largest financial programs in the world with defenses designed for a paper-era bureaucracy—in a digital criminal economy.
And the criminals know it.