The Federal government doesn't know who its paying, and that makes it easier to defraud
On May 29, the Office of Management and Budget (OMB) published the most significant rewrite of federal grants regulation since 2013. The proposed rule replaces the Uniform Guidance with something called the Uniform Grants Regulation. To date, most of the commentary has focused on DEI restrictions, expanded termination authority, the politics of converting guidance into binding regulation.
But buried in the rulemaking is the fact that federal agencies do not know who they are paying, and the proposed changes don’t fix that.
Once a federal grant moves past the prime recipient, the trail goes cold. There is no limit on how many subrecipient tiers a federal award can pass through. A federal dollar can move through four or five organizations before it reaches whoever is actually doing the work, and the agency that wrote the check has virtually no way to see past the first handoff.
The nation watched the exploitation of this gap up close in Minnesota.
The sponsor problem
USDA's Federal Child Nutrition Program funds flowed from USDA to the Minnesota Department of Education (the state agency and prime recipient), to Feeding Our Future (a sponsoring organization functioning as a subrecipient), to more than 250 individual meal sites.
The state agency's direct oversight obligation reached only the sponsor tier: state agencies are required to review at least one-third of participating institutions annually. Oversight of the sites themselves, where the fraudulent claims actually originated, was delegated entirely to the sponsor. Feeding Our Future was, by design, both the only entity with a direct line of sight to the sites and the entity orchestrating the fraud at those sites. Federal and state oversight had no independent visibility into the tier where the fraud occurred, because the regulatory structure assigned that visibility exclusively to the subrecipient with the greatest incentive to misrepresent it.
Feeding Our Future’s payments went from $1.4 million in 2019 to $140 million in 2021, a hundredfold increase in two years, and the structure designed to catch that kind of growth was looking at the sponsor’s paperwork, not the sites. Minnesota’s legislative auditor later found that the state’s oversight of the sponsor itself was inadequate. But in reality, even a state agency doing everything right at the sponsor level would not have seen the fraud, because the fraud was happening at a tier the state was never positioned to see directly.
What the new rule does
The proposed rule treats subrecipient risk as a real problem rather than ignoring it, and it contemplates two important changes.
First, it integrates grants payments with Treasury’s Do Not Pay system, the same screening infrastructure used to catch deceased payees, excluded parties, and other categorically disqualified recipients before money goes out the door. Grants have operated outside that infrastructure for years and bringing them in is overdue.
Second, it tightens subrecipient oversight, adding new SAM.gov reporting requirements and making noncompliance grounds for termination. Pass-through entities — the states, counties, and large nonprofits redistributing federal money — now face a sharper incentive to actually monitor who they’re funding rather than file a risk assessment once and move on.
Treasury screening and stronger SAM.gov reporting would have improved the federal government’s visibility into Feeding Our Future as a subrecipient. But importantly, neither change reaches the sites, where the fraud actually happened.
The architecture is the problem
The subrecipient monitoring requirement has existed in some form since 2013 but it has been woefully inadequate ever since. The requirement obligates a pass-through entity to assess the risk of the subrecipients it funds directly. It doesn’t require that entity, or anyone above it, to see the tier below that. A state monitors the sponsor, but nobody in the federal government, and often nobody at the state, is positioned to independently verify the sites the sponsor funds. The regulation assumes that risk assessed at one tier is risk accounted for at every tier beneath it. It isn't. Each layer of a subaward chain can only see as far down as the layer directly below it, and the federal government, several tiers removed, sees none of it directly at all.
Compare this to how the rest of the financial system works. A bank doesn’t extend credit to an organization without verifying the borrower exists, confirming who owns it, and checking that ownership against a sanctions list. That is baseline due diligence that any commercial lender performs as a condition of moving money. The federal government, moving over a trillion dollars a year through layers of subrecipients, has no equivalent requirement that travels down the chain. Each pass-through entity does its own version of due diligence, to its own standard, on its own timeline, and nothing forces that standard to improve, or to reach past the tier it’s already looking at.
This isn’t a new idea. The federal government already built it once and let it lapse. Under the 2009 Recovery Act, Section 1512 required subrecipients to report directly into a federal system, rather than have the prime recipient report on their behalf. A state passing money to a nonprofit wasn’t the only party answering for that money, the nonprofit was. That design choice is a part of the Recovery Act oversight apparatus that is worth bringing back, because it gave the federal government a line of sight past the prime recipient. The mechanism slotted into the same kind of reporting system the government already runs today, SAM.gov, which currently collects subaward data largely as the prime recipient chooses to enter it. There is no reason that system couldn’t take direct submissions from subrecipients themselves, the way Section 1512 once did, and no reason it should still stop at the first tier down.
What the new rulemaking misses
While Treasury integration and stronger SAM.gov reporting are vital, they’re insufficient because they still treat subrecipient risk as something to document at the first tier rather than something to see all the way down. Closing the gap requires three things this rule doesn’t do.
One, it requires visibility into the full subrecipient chain, not just the layer immediately below the prime. OMB should require that subrecipients at every tier of an award report their own identifying information — legal name, taxpayer identification number, beneficial ownership, and banking relationships — directly into SAM.gov, rather than have that information collected and passed upward by the prime recipient or an intermediate pass-through entity. OMB should restore the ARRA design, without restoring its administrative burden, and extend it to every tier of a subaward, rather than the one or two tiers SAM.gov currently captures.
Two, this visibility needs to be continuous rather than a point-in-time check, since the organizations at the bottom of these chains change hands and change behavior far faster than a once-a-year review can catch. OMB should require periodic re-screening of subrecipients against Treasury's Do Not Pay data and other disqualifying-event data sources for the duration of an award, not solely at initial subaward.
And three, it requires a common standard for subrecipient verification across the federal government. Subrecipient risk assessment quality currently depends on the sophistication and resources of whichever pass-through entity happens to be administering a given award. A state grants office, a county, and a small nonprofit serving as pass-through entities for the same federal program may apply entirely different standards of diligence to the same category of risk. OMB should establish a minimum, government-wide due diligence standard for subrecipient verification, comparable in rigor to the beneficial-ownership and identity-verification standards financial institutions are required to apply to commercial borrowers.
OMB’s rule moves the system from almost no visibility to partial visibility. But partial visibility into a complex, trillion-dollar grant system is still a system where the federal government doesn't know who its paying. Every fraud case that surfaces three years after the money is gone looks like the system is working exactly as designed, until the first case file gets opened. There’s still time to improve on the grants rewrite, and OMB should do so.
Photo by Ryoji Iwata on Unsplash. Article first posted on GovIntegrity.