Semiannual Report to Congress

Message from the Inspector General

It is my pleasure to submit this semiannual report to Congress on the operations of the Office of Inspector General for the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau. This report covers the period from October 1, 2025, to March 31, 2026.

During this reporting period, our completed audit and evaluation work included an assessment of the Board and Federal Reserve Banks' approach to processing banking applications. In 2022, the Board implemented FedEZFile, a new document repository and tracking system designed to help reduce delays in the applications process. Despite this and other efficiency measures taken by the Board, processing times across all application types increased between 2021 and 2024. In addition, the Board does not capture sufficient information to pinpoint the root causes of the delays and identify opportunities for improvement. We believe that tracking and documenting key internal milestones in FedEZFile and enhancing monitoring capabilities can help the Board develop solutions that result in a more efficient and timely applications process.

We also completed our annual information security audits for both the Board and the CFPB and found that each agency's program is no longer effective. The Board's information security program declined to a level-3 maturity (consistently implemented)—down from level-4 (managed and measurable) in 2024—due in part to issues regarding mobile device security and the protection of confidential supervisory information. The CFPB's program declined two levels to a level-2 maturity (defined), as we found problems regarding authorizations, continuous monitoring, and outdated software. We issued multiple recommendations to each agency to strengthen these areas in their respective programs.

The work of our Office of Investigations continues to send a strong message that those who commit crimes that affect the integrity of our financial system will be brought to justice. In this reporting period, a former chief financial officer of a Nebraska bank was convicted for submitting fraudulent and inflated invoices from contractors to obtain $4.3 million in loans. In another case, two cofounders of a lender service provider were each sentenced to 10 years in prison and upward of $60 million in restitution for conspiring to submit fraudulent Paycheck Protection Program loan applications and charge borrowers illegal kickbacks. And in a third case, a real estate developer and investor in New York was indicted for allegedly defrauding pandemic relief programs in a scheme that cost taxpayers $8 million.

Overall, the work of our Office of Investigations during this reporting period resulted in 6 arrests, 13 indictments, 7 criminal informations, 20 convictions, 11 referrals for criminal prosecution, and about $171.6 million in civil judgments, forfeiture, criminal fines, restitution, and special assessments.

The work summarized in this report reflects our commitment to effective and independent oversight, and it is my honor to have been entrusted to lead this outstanding organization. I am grateful to the OIG staff for their exceptional work, and I look forward to our continued release of impactful reports.

Michael E. Horowitz
Inspector General
April 30, 2026

Highlights

We continued to promote integrity, economy, efficiency, and effectiveness of the programs and operations of the Board and the CFPB. The following are highlights, in chronological order, of our work during this semiannual reporting period.

2025 Audit of the Board's Information Security Program
The Board's information security program decreased from a level-4 maturity (managed and measurable) to a level-3 maturity (consistently implemented), leading us to conclude that it is no longer effective.

2025 Audit of the CFPB's Information Security Program
The CFPB's information security program decreased from a level-4 maturity (managed and measurable) to a level-2 maturity (defined), leading us to conclude that it is no longer effective.

The CFPB Can Enhance Its Processes for Storing and Disposing of Its IT Asset Inventory
The CFPB maintains a large inventory of aging, unassigned IT assets and does not identify and dispose of these assets timely or store them in a defined manner.

The Board Should Enhance Its Ability to Monitor the Efficiency and Timeliness of Its Processing of Certain Banking Applications
Despite taking measures to increase efficiency and timeliness, the Board's processing times for certain banking applications increased from 2021 to 2024.

The Board Should More Effectively Manage and Secure Its Inventory of Unassigned Laptops and Hard Drives Ready for Disposal
The Board's inconsistent tracking and management of IT assets—including 677 uninventoried laptops worth over $1.4 million and 5 laptops remaining with former employees—creates an inefficient use of resources and a significant risk of data exfiltration, respectively.

Former Bank Executive Convicted of Bank Fraud in Nebraska
Aaron T. Luneke was convicted by a jury of bank fraud and attempted bank fraud. Abusing his position as chief financial officer of a Nebraska bank, Luneke submitted fraudulent and inflated invoices from contractors to obtain $4.3 million in loans from his bank. He also attempted to defraud another bank for a $3.5 million refinancing loan.

Cofounders of Lender Service Provider Sentenced to Prison for $65 Million Pandemic Relief Fraud
Stephanie Hockridge and Nathan Reis were each sentenced to 10 years in prison and ordered to pay restitution of $63 million and $66 million, respectively, for a scheme to defraud the Paycheck Protection Program (PPP). As cofounders of Blueacorn, a lender service provider based in Arizona, Hockridge and Reis conspired to submit fraudulent PPP loan applications and charge borrowers illegal kickbacks.

New York Developer Charged for $8 Million Pandemic Relief Fraud
David Ebrahimzadeh, a New York real estate developer and investor, was indicted by a federal grand jury for a scheme to defraud the PPP and other pandemic relief programs. Ebrahimzadeh allegedly applied for and received $8.5 million in loans using false and fraudulent information, and then used the proceeds to buy luxury items and real estate.