Federal Reports

In accordance with the Reports Consolidation Act of 2000, the OIG reports annually on the most serious management and performance challenges the U.S. Department of Education (Department) faces. For FY 2025, we identified four management challenges the Department faces as it continues its efforts to promote student achievement and preparation for global competitiveness by fostering educational excellence and ensuring equal access. These challenges are (1) oversight and monitoring of student financial assistance programs, (2) oversight and monitoring of grantees, (3) data quality and reporting, and (4) information technology security. The report includes a summary of each challenge, a brief assessment of the Department’s progress in addressing each challenge, and shares information on further actions that, if properly implemented, could enhance the effectiveness of the Department’s programs and operations.

Over 5,300 lenders, including bank and non-bank lenders, participated in the Paycheck Protection Program (PPP), an $813.7 billion program that provided forgivable loans to eligible borrowers. The primary distinction between the two is that non-bank lenders are not federally regulated. Both were allowed to partner with third-party service providers to assist in the PPP loan process. We assessed the U.S. Small Business Administration’s (SBA) oversight of non-bank lenders, including financial technology (fintech), and third-party service providers in the PPP.

Opportunities exist for SBA to enhance its oversight of non-bank lenders, including fintechs, and service providers to promote program integrity and reduce financial loss. SBA had processes in place to approve non-bank lenders to become PPP lenders; however, it performed limited oversight of these lenders and was unaware of the extent of service providers’ participation in the PPP.

Executive and legislative actions led SBA to reduce or eliminate barriers for PPP borrowers, resulting in a significant increase in loans being made by non-bank lenders, including fintechs. Additionally, hold harmless provisions protected lenders from consequences if the lender complied with applicable legal requirements. Reduced controls and limited oversight increased the risk of fraud.

We found non-bank PPP lenders made $14.2 billion in suspected fraudulent loans at a rate more than five times higher than loans made by traditional bank lenders. Over $6.1 billion of the $14.2 billion in suspected fraudulent non-bank PPP loans, or nearly 43 percent, were made by lenders categorized as fintechs and other State Regulated Finance Companies.

Additionally, loans involving service providers had a suspected fraud rate more than three times higher than loans made without a service provider. Given SBA’s expanding loan portfolio and increasing reliance on non-bank lenders, including fintechs, in other loan programs and increasing lender reliance on fintech service providers, effective oversight is vital to ensuring program integrity and mitigating fraud risk and financial loss.

We made six recommendations for SBA to strengthen oversight of non-bank lenders and service providers. SBA management agreed with recommendations 1, 3, 4, 5, 6, and partially agreed with recommendation 2.

The VA Office of Inspector General’s information security inspection program assesses whether VA facilities are meeting federal security requirements related to four control areas the OIG determined to be at highest risk. For this inspection, the OIG selected the Health Eligibility Center (HEC) in Atlanta, Georgia. The OIG found deficiencies in three of the four areas inspected.
Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation, system life-cycle management, and remediation of unauthorized software.
There were no deficiencies in contingency planning controls, which include physical and environmental controls.
In the area of security management, about 3.3 million veterans’ records containing sensitive personal information were not encrypted. VA security policy requires the encryption of sensitive information hosted on computer systems.
Access controls provide reasonable assurance that computer resources are restricted to authorized individuals. At the HEC, the OIG found deficiencies with access controls in the inventory of facility keys as well as in logging administrative actions, log retention, and log reviews.
The OIG made five recommendations aimed at correcting the identified deficiencies.