Advertisement

‘Pay and chase’ is a confession. We should stop treating it as a fraud-fighting strategy. 

How the federal government combats fraud in benefits programs is a flawed operating doctrine, a former chief of staff to the U.S. CIO argues.
Listen to this article
0:00
Learn more. This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.
(Getty Images)

The federal government has a name for the way it handles fraud in some of its largest benefit programs: It’s called “pay and chase.” 

The Centers for Medicare and Medicaid Services uses the term in official guidance. In a formal CMS FAQ, state Medicaid agencies are instructed that under this method the agency pays the claim first and then pursues the liable third party for repayment, “unless it is determined that recovery of reimbursement would not be cost-effective.” 

Read that sentence twice. It is not an accusation from a critic; it is the operating doctrine. 

Recovery remains an important function of government, but recovery is not prevention. The federal government has built much of its fraud response around the assumption that, most of the time, it will not get the money back. This tells us something important: The system has already accepted fraud as a recurring outcome. 

Advertisement

The status quo for decades has been to tolerate errors and fraud as the cost of running large government programs, and the public side of the response was loud — with indictments, perp walks, and the occasional record-setting recovery. These spectacles can feel like a deterrent, but they don’t prevent the problem. 

Federal prosecutors in Minnesota recently traced nearly $250 million in stolen meal-program funds to a network operating behind a nonprofit front. That case has been cited by both the current and prior administration as a marquee fraud cause. The convictions matter, but they also do nothing to ensure meals are given to children who were supposed to eat them. 

Meanwhile, we’re losing confidence in who sits on the other side of the transaction. Synthetic identities now combine real Social Security numbers with fabricated biographies that pass outdated eligibility checks designed to confirm a name and a date of birth. 

Deepfake-assisted account takeover has moved from novelty to commodity. Off-the-shelf scripts apply for benefits at machine speed with the same credentials across dozens of states. Treasury and inspectors general offices have catalogued the shift, program by program. The fraudsters have professionalized and matured their tools while our defenses, in many places, still depend on whether someone notices that something looks off after the money has moved. 

We should be honest about what “pay and chase” actually represents. By the time a fraud case is announced publicly, the fraud has already occurred and the funds have already left the system. Accountability matters and recovery efforts should continue, but we are fooling ourselves if we believe those activities are a substitute for prevention. 

Advertisement

Once funds move through criminal networks, much of that money is never recovered. The measure of success should not be how effectively we investigate fraud after it happens — it should be how effectively we prevent it from happening in the first place.

The good news is that the people closest to the problem inside the government know this and are saying so. For example, Ken Dieffenbach, the Pandemic Response Accountability Committee’s executive director, described a fraud-prevention engine they built using more than 5 million pandemic-era applications. It can review 20,000 applications per second and flag anomalies before payment. 

The point of the work, he said plainly, is to move from a reactive model — pay and chase — to a proactive one that gives grant officers and contracting officials something they can act on before the money goes out the door. 

Across administrations, oversight bodies, inspectors general, and agency leaders, a broad consensus has finally emerged around the idea that fraud prevention is more effective than fraud recovery. The recent executive order establishing the Task Force to Eliminate Fraud reflects that reality by directing agencies to identify high-risk transactions and implement controls before funds are obligated or disbursed. 

The PRAC’s work points in the same direction, as do years of findings from the Government Accountability Office and inspectors general. The debate is increasingly moving beyond whether prevention should happen and toward how quickly it can be operationalized.

Advertisement

What the technology now allows — and what the current moment demands — is a different default: 

  • Identity verified at the front door of every program, in real time, against the kinds of signals that synthetic identities cannot easily fake. 
  • Cross-program data-sharing that lets a benefits agency know, before it cuts a check, that the same applicant has already been flagged elsewhere in the federal enterprise. 
  • Risk-scoring at intake rather than at audit. 

None of this requires new technology to be developed; it requires existing technology to be applied with the seriousness the threat now warrants. 
 
The reason this has not happened already is not technical; it is institutional. Many laws, such as the Privacy Act of 1974 and the Computer Matching and Privacy Protection Act of 1988, were written before the modern technology landscape existed, making program data sharing procedurally heavy and slow. 

Program offices guard their data and public servants are reasonably wary of false positives that lock legitimate applicants out. In addition, fraud prevention is mostly funded through annual appropriations, while fraud losses are absorbed quietly into mandatory program spending and rarely show up as a number anyone has to defend. 

Let me say the quiet part out loud: In many cases, it is institutionally easier to absorb billions in fraud losses than to spend millions to build the controls that would prevent them.

Advertisement

The country has spent decades getting comfortable with a fraud doctrine that mostly recovers narratives. The technology is now available to recover the money instead, by not losing it in the first place. The political consensus, unusually, is there. 

The remaining question is whether the agencies charged with this work will treat prevention as a line item in their next strategy refresh, or as the strategy itself. 

Jordan Burris is the head of public sector at Socure and a former chief of staff to the U.S. chief information officer.

Latest Podcasts