Board Report: 2013-AA-B-006 March 29, 2013
We found that controls designed to prevent and detect unauthorized purchases can be strengthened. Specifically, we found that (1) the program coordinator had not blocked or flagged certain MCCs that could potentially allow cardholders to use their purchase cards for unauthorized transactions and (2) the program coordinator did not review available JPMC reports, which could aid in the detection of possible misuse of the purchase cards. The program coordinator has not updated the MCC listing, which includes allowable and blocked codes, since the Board's transition to JPMC as the card issuer and has not blocked or flagged some risky codes. In addition, the program coordinator told us that he does not utilize available JPMC reports because he has not found any past wrongdoing by cardholders. Without these controls, there is a risk that unauthorized or fraudulent purchases will be made and will go undetected.
An MCC is a four-digit code that identifies the type of business a merchant conducts (e.g., office supplies, uniforms, books, subscriptions). Merchants select an MCC with their bank based on their primary business. However, merchants may offer products that are unrelated to their primary business. Federal agencies may block certain codes to prevent unallowable purchases and flag others that may pose a risk of improper use. We found that the program coordinator has neither flagged nor blocked several MCCs that have a higher likelihood of misuse. According to GSA procedures contained in GSA SmartPay, The Basics of Travel, Purchase, Fleet and Integrated Charge Cards, one way that agencies can mitigate fraud, waste, and abuse is to restrict charges by using MCC blocks.
As the administrator of the Board's purchase card program, the program coordinator has the discretion to turn codes on (allow) and off (block) for purchase card usage at the point of sale and to flag other codes for monitoring. The Board utilizes MCCs as both preventive and detective controls to ensure that cardholders do not make unauthorized purchases. To prevent unauthorized transactions, the Board has blocked the use of cards with vendors within specific MCCs. The Board also flagged transactions with vendors within other MCCs in order to detect transactions that could be unauthorized. JPMC makes available periodic reports on blocked and flagged activity that the program coordinator can use to detect possible misuse.
The Purchase Card Procedures groups unauthorized purchases into five broad categories: (1) travel, cash advances, entertainment, meals, food, or beverages; (2) telecommunications services; (3) capital assets; (4) rental or lease of land or building; and (5) personal charges. During our audit, we reviewed the PaymentNet list of the Board's MCCs and found 1,004 MCCs-639 are allowable, and 365 are blocked.
However, we noted that the Board's listing of allowable MCCs includes codes that we believe elevate the potential for cardholder misuse or fraud given their description. Although we did not find any transactions within these codes, we believe that 10 of the 639 allowable MCCs should be blocked to protect against the risk of unauthorized or fraudulent transactions (table 3).
| MCC number | Description |
|---|---|
| 4829 | Wire Transfers |
| 6050 | Electronic Cash Withdrawal |
| 6051 | Non-financial Institutions-Foreign Currency, Cheques |
| 6211 | Security Brokers/Dealers |
| 6513 | Real Estate Agents and Managers-Rentals |
| 6760 | Saving Bonds |
| 7277 | Counseling Services-Debt, Marriage, Personal |
| 7278 | Buying/Shopping Services, Clubs |
| 7992 | Golf Courses-Public |
| 9223 | Bail and Bond Payments |
In addition, we identified allowable MCCs with activity descriptions that are similar or closely related to those of blocked MCCs. For example, MCC 5691-Men's & Women's Clothing Store is blocked, while MCCs 5611-Men's & Boy's Clothing and Accessories Store and 5631-Women's Accessory & Specialty Shops are both allowable. Inconsistencies such as these could result in a cardholder making an improper transaction when doing business with a vendor with the 5611 or 5631 codes. Although we did not find any transactions processed within these blocked MCCs, we believe that the program coordinator should review and update the current list of blocked and allowable codes and group MCCs with similar descriptions as either blocked or allowable.
We evaluated the Board's use of MCCs to detect and prevent unauthorized or fraudulent transactions by testing 221 transactions within 17 MCCs. These transactions were part of our judgmentally selected sample of 362 transactions. Our tests included inspection of the JPMC Transaction Detail Report describing the purchase and the cardholder's invoice, and to the extent possible, we physically inspected the items purchased.
The program coordinator informed us that he has not updated the MCC listing, which includes blocked and allowable codes, since the Board's transition to JPMC as the card issuer-a period of about three years-and that the listing includes certain MCCs that cardholders need to use. We believe that the listing includes some apparently risky codes that are allowable, but should be blocked or flagged as appropriate. According to the program coordinator, if the codes were blocked, the cardholder would have to call him and ask that the block be removed to allow the cardholder to make a purchase. We believe that the program coordinator should consider the level of risk as well as the frequency and need for use of MCCs when deciding whether to allow MCCs.
After we brought this matter to management's attention, the program coordinator informed us that he blocked several MCCs. We have not tested these blocked MCCs.
We found that the program coordinator and his staff are not utilizing all available reports to detect possible misuse of purchase cards. GSA procedures explain that reports generated from the card issuer's Electronic Access System, in this case JPMC's PaymentNet System, could assist the program coordinator in managing the purchase card program. The program coordinator could monitor the program more effectively and efficiently by using reports that track purchase card activity. During our interviews, we learned that the program coordinator does not utilize the JPMC Declines Report and Unusual Activity Analysis Report to monitor purchase card activity.
The program coordinator told us that JPMC notifies him of potential fraud, lost or stolen purchase cards, or suspicious transactions; reviews actions taken by JPMC in PaymentNet; and contacts cardholders if necessary. Because the program coordinator does not retain these notifications, we were unable to verify how the information is used.
The Unusual Activity Analysis Report can be used to monitor unusual transaction activity and to determine whether such activity is Board related. According to JPMC, the Board has flagged four allowable codes to be reported on the Unusual Activity Analysis Report: 7230- Beauty Shops and Barber Shops, 7273-Dating & Escort Services, 7299-Miscellaneous Personal Services (Not Elsewhere Classified), and 7631-Watch, Clock & Jewelry Repair. For calendar year 2011, only one of the four flagged codes, MCC 7299, appeared on the report because it was the only code to generate activity. The report indicated that 11 cardholders made 20 purchases totaling $12,065.68. We did not find evidence that these transactions were for other than appropriate Board purposes.
JPMC shows attempted but declined transactions, including transactions for blocked MCCs, on the Declines Report, which lists the date and time of attempted transactions and explains why a transaction has been declined. The Declines Report also lists transactions that were declined for reasons such as "exceeds single transaction limit for account." During calendar year 2011, the Declines Report listed 344 declined transactions for various reasons, such as closed account, card expired, or invalid expiration date. We believe that the Declines Report could be useful in determining the types of purchases cardholders attempt to make, including those that are fraudulent.
The program coordinator does not monitor the Unusual Activity Analysis Report or the Declines Report because he stated that he has not found any past wrongdoing by cardholders. He explained to us that he essentially reviews declined transactions as they occur because cardholders call and inform him of their declined transactions. We believe that regular inspections of the Declines and the Unusual Activity Analysis Reports would strengthen the controls designed to prevent and detect misuse and fraudulent use of purchase cards.
The Board can make better use of the available tools to prevent unauthorized or fraudulent purchase card transactions and detect suspicious use. Although we did not find evidence of any fraudulent transactions during our audit, opportunities exist for unauthorized or fraudulent purchases to occur because cardholders currently have access to merchants that provide goods and services that may be unrelated to official Board business. In addition, the program coordinator is not monitoring appropriate JPMC-generated reports on a regular basis to detect possible fraudulent, unusual, or suspicious purchase card activity.
We recommend that the Director of the Division of Financial Management
Regarding recommendation 3, the Division Director stated the following:
Concur. We agree that a periodic review of MCCs is prudent to (1) identify codes that should be blocked to prevent unallowable purchases and (2) flag other codes that may pose a risk of improper use. The Purchase Card Coordinator will review the MCC listing report semiannually.
The Purchase Card Coordinator will also begin conducting regular reviews of the Unusual Activity Analysis Report, and the Declines Report. Should there be evidence of questionable transactions, the Purchase Card Coordinator will contact the approving official to determine whether the transactions represent appropriate business-related activities.
In our opinion, the actions described by the Division Director are responsive to our recommendation, and we plan to follow up on the Division's actions to ensure that the recommendation is fully addressed.
