Rishi Sunak, then the chancellor of the exchequer, described the Treasury’s response to the Covid-19 pandemic as “an unprecedented economic package”. It’s hard to disagree. But that package also turns out to have been a golden opportunity for fraudsters, who exploited the pandemic to pocket billions of taxpayers’ pounds.
The final report from Tom Hayhoe, the government’s Covid counter fraud commissioner, is damning. Published in December, it found failures to properly address fraud risk during the pandemic response had cost UK taxpayers £10.9bn. So far, just £1.8bn of that money has been recovered.
Perhaps a spike in fraud was inevitable, given the speed at which public bodies were forced to respond to the pandemic – and the huge scale of that response. The crisis saw the UK government spend £147bn on financial assistance for businesses. Individuals received a further £59bn. And ministers bought £12bn of personal protective equipment in the first year of the pandemic alone.
Nevertheless, the scale of losses has shocked many. Professor Michael Levi, an expert on fraud and corruption at Cardiff University, says: “We just had not done the planning – there was no work equivalent to the kind of work now required on resilience in sectors such as banking.”
That’s easy to say in hindsight, but this failure proved disastrous. With PPE, for example, estimated fraud losses of £324m were equivalent to 8.5% of the value of the equipment actually used. Regarding the Bounce Back Loans Scheme for small businesses, lenders have now flagged £1.9bn of advances as suspected fraud to the British Business Bank, which guaranteed the debt. One in six loans made via the Recovery Loan Scheme, another Covid initiative, are currently in default, with evidence of fraud in many cases.
“Where was the professional scepticism?” asks Rachael Johnson, head of risk management and corporate governance at the Association of Chartered Certified Accountants (ACCA). “If only they had just asked a few more questions or taken more time to think about a contract with a new supplier.”
Indeed, Hayhoe’s report identifies a string of mis-steps that gave rise to Covid-fraud losses. Procurement programmes and support schemes were launched at speed, and the possibility of fraud was very much an afterthought. The high-profile High Priority Lane – widely known as the VIP lane – which fast-tracked potential PPE suppliers with links to MPs and other public figures, but made no checks on quality, was one obvious example.
Data sharing was also poor, enabling fraudsters to claim from several loan schemes simultaneously. Fraud controls were only improved gradually – for example, the fraud prevention service Cifas was only asked to look at the Bounce Back Loan Scheme after two-thirds of funding had been disbursed. Local authorities were not held to account on fraud risk related to the grants they were asked to distribute.
Should problems have been picked up earlier, perhaps at the audit stage? Possibly, but Katharine Bagshaw, manager for auditing standards at the ICAEW, points to issues here too. “ICAEW and every other professional body did issue Covid-specific auditing guidance at the time,” she says. “But if you want a statutory audit to be a fraud audit, you are fundamentally changing the nature of the relationship.”
Ongoing efforts
Against this backdrop, efforts to recoup mis-spent or fraudulently claimed Covid cash are ongoing. “Our outrage at fraud, abuse and error in Covid spending is undiminished,” Tom Hayhoe said following publication of his report. But channelling that outrage into practical actions to recoup the losses is not straightforward.
One challenge is simply the passage of time. Years after fraudsters struck, evidence is harder to find, stolen money has been moved on, and the overstretched justice system has limited capacity to pursue cases given multiple other priorities.
Still, work on recovery is continuing, with the Labour government having recouped almost £400m since coming to power in July 2024. And some departments are performing better than others. For example, of the £1.8bn recovered so far, HMRC is responsible for £1.3bn, having incorporated its recovery efforts into its regular investigations and enforcement work.
The Department of Health and Social Care has also made progress on PPE, reducing the number of disputed contracts from 55 worth £1.26bn in December 2024 to eight disputes today that represent £325m of potential recoveries. On a smaller scale, the Department for Science, Innovation and Technology has recouped £1.5m of the £1.6m lost to fraud and error on Covid-related research grants it oversaw.
By contrast, the Department for Business & Trade, which ran most of the business support schemes, is struggling. It has recovered just £80m of fraud losses thought to total £1.7bn.
Local authorities have also found it tough to identify and recoup losses, though Trevor Scott, chair of Fighting Fraud and Corruption Locally, local government’s counter fraud and corruption strategy, defends the sector. “Recognising the risks that arose, Fighting Fraud and Corruption Locally helped local authorities collaborate and share information to successfully help stop fraudsters abusing business grants schemes and subsequently recover money when necessary,” he insists.
ACCA’s Johnson points to different levels of sophistication and varying practices across the public sector. “Recovery outcomes remain uneven because of a lack of governance, maturity and ownership,” she says. “Also, it’s really clear in the public sector that escalation pathways are lagging behind the analytics capabilities that that some are starting to use.”
In other words, fraud is being identified more rapidly but not necessarily chased down to recoup losses. Still, public sector bodies have pursued a range of tactics to secure recoveries of Covid funds.
For example, HMRC and the Department of Work & Pensions leant heavily on teams and processes established to investigate tax and benefits fraud. Elsewhere, the DBT established the Dissolution Objection Process to prevent Bounce Back Loan Scheme borrowers dissolving their companies to evade recovery efforts; some 70,000 businesses with outstanding Covid loans have been placed in the DOP, including those thought likely to commit fraud worth £900m.
The government has also pursued both civil and criminal cases. The DHSC set up a specialist team to pursue suppliers who failed to fulfil PPE contracts, launching legal claims where it could not reach settlements. The Insolvency Service has pursued business loan fraudsters, securing criminal convictions and director disqualifications.
There has also been an effort to encourage people to do the right thing. The Covid-19 Voluntary Repayment Scheme, which expired at the end of last year, enabled both individuals and businesses to make voluntary repayments of support they should not have received.
New legislation could also help the recovery process. The government’s Public Authorities (Fraud, Error and Recovery) Bill, due to become law in the coming months, creates new powers to tackle fraud. It also extends the period during which actions against Covid fraud can be taken by an additional six years.
However, one question now is whether further spending on recovery work is justified given the cost. Cardiff University’s Professor Levi says: “Cost effectiveness is a consideration, even if you think this is a moral issue and that we need to convince the public we’re going after bad people.”
Joshua Reddaway, director of fraud and propriety at the National Audit Office, echoes the point. “We are in favour of getting as much money back as possible, but we think the government is very unlikely to get the majority of it back,” he says. “We’ve got to be realistic; if the government were able to improve recovery rates by a few percentage points, that would be amazing. But we would not advocate much more spending on recovery because there probably is not the return on that investment to justify it.”
Rather, Reddaway believes the key now is to strengthen defences and detection before the next crisis provides further opportunities for fraudsters. The NAO last year made recommendations for how the government should better prepare for spending in the next emergency. It argued that while public bodies may need to streamline conventional decision-making and governance processes to move quickly, they will need to maintain robust oversight and act within normal public spending rules.
Reddaway also points to gaps in the government’s understanding of its ongoing loss to fraud. “We think the government loses between £55bn and £81bn a year from fraud and error, but that wide range indicates how many public bodies simply don’t know,” he says. “There is definitely a return on investment from spending to combat fraud, but if you’re in that part of government where your accounting doesn’t measure fraud properly, you can’t demonstrate that return – in which case you probably won’t care enough about tackling it.”
European losses
The UK was hardly alone in suffering large fraud losses on pandemic support. The European Union’s Recovery and Resilience Facility, established in February 2021 was financed by both member states and the European Commission to the tune of €650bn (£566bn). “[It] continues to show multiple weaknesses in fraud detection, reporting and correction,” according to a report published in February by the European Court of Auditors.
Katarína Kaszasová, the ECA member who led the audit of the RRF, says systems are so weak that it’s not even possible to be sure how much has been lost to fraud, though thousands of cases have been identified, or what recoveries have taken place. “The Commission simply doesn’t know whether all the money that should be repaid to the EU budget is actually being repaid,” she warns.
What evidence there is does not provide much encouragement. Investigations carried out by the European Anti-Fraud Office into awards made between 2022 and 2024 recommended that recipients should repay €600m; so far, just €20m of that money has turned up.
The ECA’s report makes a series of suggestions for improving fraud protections, from strengthening fraud reporting to tougher action on recovery. But as member states discuss a replacement scheme for the RRF, due to expire this year, Kaszasová warns: “While the Commission has gradually taken steps, ongoing weaknesses leave the EU exposed to fraud.”
Back in the UK, work is continuing to reduce such exposures – not least as ministers consider Hayhoe’s recommendations. The launch in 2022 of the Public Sector Fraud Authority, with a mandate to focus on fraud detection and response throughout national and local government, is also widely seen as a positive step forward.
Auditors – including those in the public sector – also have a critical role to play, says the ICAEW’s Bagshaw. “Auditors now have to have a specific discussion at the planning meeting about the risk of fraud,” she points out.
Will such changes materially reduce losses to taxpayers during the next crisis – whatever it may be? Yes, says Cardiff University’s Levi, but he urges policymakers to make changes while the pandemic is fresh in people’s minds. “The longer we leave it, the harder it’s going to be to keep up the momentum on contingency plans,” he warns.
Recommendations
Learning the lessons from Covid
Tom Hayhoe, the government’s Covid counter fraud commissioner, set out four key recommendations in his final report, published in December. He described these recommendations as critical “to protect against fraud in a future crisis”.
- Embed fraud control in resilience planning and promote a culture of innovation in fraud prevention: Hayhoe’s report warned fraud prevention is insufficiently embedded in government thinking and practice.
- Build challenge into decision-making processes during crises: Hayhoe argued that ambitious responses to crises are intrinsically risky and must therefore be scrutinised. He suggested departments could create a “challenge champion” to play that role during crises, and that approval processes should recognise risk of fraud and error, with an estimated clean-up cost set aside at the outset. He also said ministerial directions with fraud risk implication should be refreshed after four months or lapse automatically.
- Incentivise universal commitment to preventing fraud and securing recoveries: Hayhoe warned decision makers often wrongly assumed all parties were equally focused on fraud risk. He suggested departments could be allowed to retain a proportion of recovered funds. Work with professional bodies and regulators could drive higher standards to protect the public against professionals who assist clients to abuse or defraud emergency schemes, he added.
- Improve data and intelligence sharing: Greater transparency is critical, Hayhoe warned. He urged the Public Sector Fraud Authority to look at how to ensure government departments share data more effectively. Public bodies should be more open about the awards of grants, loans and contracts, and provide more detailed information.
Hayhoe also warns that governments often don’t learn the lessons of crisis. He wants the Treasury to establish a scrutiny plan to review the implementation of his recommendations at six monthly intervals for at least two years.
