Opportunities Exist for the CFPB to Strengthen Compliance with Its Purchase Card Policies and Procedures

Introduction

Objective

Our overall objective for this audit was to assess whether the controls for the Consumer Financial Protection Bureau's (CFPB's) purchase card program were adequate to (1) ensure that purchase card use is appropriate and in compliance with applicable laws, regulations, and the CFPB's policies and procedures and (2) prevent and detect improper or fraudulent use of purchase cards.

The Government Charge Card Abuse Prevention Act of 2012 (Charge Card Act)¹ requires Offices of Inspector General to conduct periodic audits or reviews of charge card programs. In the past, the Government Accountability Office and other Offices of Inspector General have identified weaknesses and vulnerabilities in the federal purchase card program and reported that federal agencies have failed to ensure proper use of purchase cards. As the CFPB's program is fairly new and also experiencing rapid growth, a review of the internal controls related to the purchase card program is warranted.

Background

To streamline the acquisition of micropurchases and simplified acquisitions,² the CFPB participates in the General Services Administration's (GSA's) SmartPay2 program through a task order with the Department of the Treasury's master contract with Citibank.³ The Department of the Treasury's Bureau of Public Debt's Administrative Resource Center (BPD ARC), provides the CFPB with purchase card administrative services through an interagency agreement. This agreement states that BPD ARC will provide a full range of financial management accounting services for the period October 1, 2012, through September 30, 2013.⁴ Specifically, BPD ARC submits CFPB employees' purchase card applications to Citibank, processes purchase card payments, closes accounts of separated employees, and acts as the liaison between the CFPB and Citibank.

The CFPB's Office of Procurement is responsible for managing the operation of the purchase card program and ensuring that the program complies with applicable laws, regulations, policies, and procedures. The CFPB's Office of Procurement also monitors the purchase card program's effectiveness as a payment vehicle while working to ensure that the proper controls are in place.

As of March 31, 2013, the CFPB had 311 active cardholders classified as either flagship cardholders or examiner cardholders. Flagship cardholders are office-based employees located in the CFPB's District of Columbia and regional offices⁵ who make purchases to support the overall operations of the CFPB as well as its offices and divisions. Examiner cardholders are mobile employees who work all over the country and in some cases are based out of home offices. They purchase office supplies for their use in the field and at their home offices. From April 1, 2012, through March 31, 2013, CFPB purchase cardholders made approximately 3,000 transactions totaling about $1.4 million.

To minimize risk within its purchase card program, the CFPB has instituted a number of controls, including setting a low dollar credit limit for each of its examiner cardholders and restricting the allowable merchant category codes (MCCs)⁶ for both flagship and examiner cardholders. In addition, ongoing monitoring activities include management and oversight of the purchase card program by the Agency Program Coordinator (APC) and approving officials (AOs). Flagship cardholders report to an AO in their office, and examiner cardholders report to an AO in their respective region.

Since its inception in May 2011, the CFPB's purchase card program has grown substantially. Due to the purchase card program's significant growth, the CFPB has implemented a number of changes to bolster internal controls and enhance oversight. For example, CFPB has refined its purchase card application and closure processes and increased the number of AOs.

Laws, Regulations, and Guidance 

The CFPB's purchase card program is subject to the following laws, regulation, and guidance:

• The Charge Card Act requires that agencies with employees who use purchase cards and convenience checks establish and maintain safeguards and internal controls to ensure the proper, efficient, and effective use of purchase cards and convenience checks.⁷
  
• The CFPB's purchase card program operates under the BPD's 2011 Government Purchase Card Procedures until the CFPB finalizes its own purchase card policies and procedures.⁸ The BPD's Government Purchase Card Procedures provide guidance on the proper use of the purchase card and outline specific responsibilities for cardholders, AOs, and the APC.
  
• CFPB purchase cardholders are also required to follow the CFPB's Purchase Card Guides for the Mobile Workforce and Flagship Cardholders. These documents provide guidance on the proper use of purchase cards for all purchase cardholders and the record retention requirements for related documentation.

In addition, the CFPB has decided to follow the Federal Acquisition Regulation (FAR) in its entirety on all procurements. Specifically, FAR, Part 13 -- Simplified Acquisition Procedures, designates the purchase card as the preferred method for making micropurchases. In addition, this FAR part establishes criteria for using purchase cards to place orders and make payments.

Office of Management and Budget (OMB) Circular A-123, Appendix B, prescribes policies and procedures to agencies on maintaining internal controls that reduce the risk of fraud, waste, and error in government charge card programs and establishes minimum standard requirements and suggests best practices for government charge card programs. CFPB legal guidance issued in June 2012 states that the CFPB is not obligated to follow this OMB guidance. However, this legal guidance states that if OMB guidance identifies procedures that agencies are encouraged to follow, the CFPB should assess whether it would benefit from following these procedures. It also suggests that as a matter of good administrative practice and in order to create a record for purposes of audit and oversight accountability, the CFPB consider, articulate, and document its reasons for departing from OMB guidance when it chooses to do so.

• 1. The Government Charge Card Abuse Prevention Act, Public Law 112-194, October 5, 2012.   Return to text
• 2. Micropurchases are defined as any purchase under $3,000, and simplified acquisitions are defined as purchases not exceeding $150,000.   Return to text
• 3. In June 2007, the GSA awarded a set of master contracts, known as the SmartPay2 program, to Citibank, JPMorgan Chase, and U.S. Bank to provide credit card services to government agencies. The contract covers a four-year base period (December 21, 2007, through November 29, 2011) and two option periods (November 11, 2011, through November 29, 2015, and November 30, 2015, through November 29, 2018).   Return to text
• 4. CFPB management officials indicated that they intend to renew the interagency agreement for the following fiscal year.   Return to text
• 5. The CFPB has four regional offices: West (San Francisco, CA); Midwest (Chicago, IL); Northeast (New York, NY); and Southeast (Washington, DC).   Return to text
• 6. According to the GSA SmartPay2 glossary, an MCC is a four-digit code used to identify the type of business a merchant conducts (e.g., gas stations, restaurants, airlines). The merchant selects its MCC with their bank based on its primary business. Agencies can block or flag MCCs to guard against unallowable charges.   Return to text
• 7. Convenience checks are issued by Citibank to purchase cardholders who are also warranted contracting officers within the CFPB. The use of convenience checks is limited to cases in which the vendor or merchant is not able to accept a purchase card or an electronic funds transfer.   Return to text
• 8. CFPB management officials indicated that they plan to finalize the internal policies and procedures in September 2013.   Return to text