USPS OIG Audited Cryptocurrency Use by Postal Inspectors
OIG summary of the Inspection Service’s Cryptocurrency Program Management Guide.
The audit seemingly focused on internal policies that helped prevent employees of the Postal Inspection Service (USPIS) from compromising undercover investigations. It additionally highlighted the potential for fraud or theft due to the fluctuating prices of cryptocurrencies and the lack of oversight in some investigations.
In 2017, USPIS established the Cryptocurrency Fund Program (CFP) to account for cryptocurrency transactions, reduce risk to individual Postal Inspectors, and manage a national wallet. The CFP manages a centralized exchange account. When postal inspectors need cryptocurrency for buying drugs online, their wallet receives funds from the CFP’s national wallet. To simplify the process, the CFP established a program through which inspectors could request cryptocurrency and view information about their wallets and transactions.
OIG summary of the Inspection Service’s Cryptocurrency Program Management Guide.
To facilitate and account for cryptocurrency transactions, including transfers between wallets and purchases made with cryptocurrency, the Program established the Application within the Case Management System (CMS). The Application stores inspectors’ cryptocurrency wallet information, monitors transactions and enables reporting. Within the Application, postal inspectors submit requests for cryptocurrency intended for investigative use, which includes information about the inspector’s cryptocurrency exchange account and wallet that will be used for the case. The Application tracks all cryptocurrency activity associated with an inspector’s exchange account by cross-referencing the public blockchain daily. Tracked activity includes disbursements of funds to postal inspectors from the Program’s national wallet and purchases made in online marketplaces.
Another graphic summary of the Inspection Service’s Cryptocurrency Program Management Guide.
The report listed only four issues which will be listed in this article. All four findings included a recommendation. The recommendations are as follows:
And, the lengthy findings are listed below with minor edits for brevity or formatting. The full report is available in pdf or html form at the bottom of this article.'
Finding 1: Use of the Cryptocurrency Fund Program
We found that while the Postal Inspection Service created the Program in 2017 to account for cryptocurrency transactions and reduce operational risk associated with the investigative use of cryptocurrency, postal inspectors are not required to use the program when requesting cryptocurrency to support investigations. The Program’s cryptocurrency exchange account supports the distribution and use of [redacted] cryptocurrency: [redacted]. These types of cryptocurrency are sufficient for most investigative needs and, according to the Program manager, if an inspector wants to use these types of cryptocurrency, they will generally go through the Program because it simplifies the process.
However, according to the Program manager, there are legitimate circumstances in which cryptocurrency can be obtained for investigative use outside of the Program. Specifically, postal inspectors may occasionally require the use of different types of cryptocurrency in their investigations. For example, some vendors may only accept payment in the form of [redacted], a type of private cryptocurrency not supported by the Program. In such cases, postal inspectors would request standard investigative funds in the form of U.S. dollars. The approval and distribution of these funds occur at the division level and the inspector is personally responsible for exchanging the dollars for cryptocurrency. Because any unused funds must be returned as U.S. dollars, the inspector must also be able to account for fluctuations in the value of the cryptocurrency to ensure the proper amount is returned.
According to the manager, if a different type of cryptocurrency is obtained outside of the Program for operations, the postal inspector’s team lead should notify the Program manager. However, notifying the Program manager is not required by existing guidance and is not always done. As a result, the Program manager does not have oversight of these cases, and management could not readily identify how many cases used cryptocurrency outside of the Program. Therefore, the Program cannot account for the total amount of cryptocurrency used for investigative purposes across the Postal Inspection Service. To better understand how many cases could potentially involve cryptocurrency use outside of the Program, we conducted a keyword search of the CMS for various cryptocurrency related terms. This search resulted in 1,064 unique case numbers, each of which would have to be reviewed manually to determine whether cryptocurrency had been used for investigative purposes.
The Standards for Internal Control in the Federal Government state that management should receive quality information that flows up reporting lines from personnel to help achieve the entity’s objectives.8 Thus, the Program manager requires quality information about cryptocurrency use to ensure the Program accomplishes its objectives. Without this information, the Program’s ability to effectively reduce the operational risk associated with cryptocurrency use is limited. In particular, the Program is unable to carry out one of its primary purposes—to help postal inspectors manage the challenges associated with cryptocurrency’s inherent volatility—which ultimately leaves the Postal Inspection Service susceptible to theft, abuse, and mismanagement of federal funds.
Finding 2: Cryptocurrency Transaction Data
We found that the Application’s Transaction Review Reports contain inaccurate data associated with cryptocurrency transactions. Specifically, we found evidence of missing, duplicate, and unrelated transactions when querying transactions for the cases in our scope.
Based on the review of the nine cases within our scope, we found:
The Application User Guide encourages postal inspectors, team leaders, division leaders and the manager to use the Transaction Review Report to track and manage transactions within their cases. The Standards of Internal Control in the Federal Government state that management must use quality information to achieve the entity’s objectives. Specifically, management must obtain relevant data from reliable internal and external sources. This data should be reasonably free from error and bias to help management perform monitoring activities.
According to the National Inspection Service Analytics team, if an inspector incorrectly enters their account information, transactions associated with that account would not appear in the Transaction Review Report even though funds would still be available for use. The Postal Inspection Service addressed this issue in May 2020 by creating a system-generated error message when an inspector enters invalid account information into the application. This error message will not allow an inspector to proceed with entering transaction information until the invalid account information is corrected.
In September 2019, an inspector informed the National Inspection Service Analytics team of the appearance of duplicate transactions in the Transaction Review Report. These potential duplicates included identical dates, wallet addresses, transaction amounts, and descriptions. According to the Program manager and analytics team, these transactions appear identical because of the limited information the Application includes in the Transaction Review Report. According to management, they have additional information which allows them to manually remove duplicate transactions before reconciling accounts. However, the duplicates still affect the balance presented in the Transaction Review Report.
Additionally, according to the Program manager and the analytics team, the Transaction Review Report may contain transactions from other cases because it pulls information from the inspector’s exchange account, rather than an individual wallet within that account. In February 2020, the Application’s developers implemented a new drop-down field in the Application that allows the inspector to indicate that a transaction is not related to the case. However, the Program manager stated that inspectors do not always use the drop-down option. Further, when the drop-down field is used, the unrelated transactions are still included in the Transaction Review Report final balance.
Because of the data integrity issues in the Transaction Review Report, it cannot be used to accurately track and manage cryptocurrency transactions or to assist in validating the final balance of funds for each case. Postal Inspection Service management provided the team with a list of nine cases within our scope showing that postal inspectors requested [redacted]. Based on the average value of [redacted] during the scope of the audit, this equals $20,212 worth of transactions. By modifying the Application to ensure the integrity of the data in the Transaction Review Report, the Postal Inspection Service will be better positioned to minimize the risk of theft, abuse, and mismanagement of cryptocurrency.
Finding 3: Cryptocurrency Training Program
We found that the Postal Inspection Service does not have a comprehensive cryptocurrency training program for inspectors. The User Guide and the Program Guide state that undercover training must be completed by any postal inspector requesting cryptocurrency funds before the funds will be disbursed. However, the guidance does not specify what training courses should be taken or how frequently refresher training is required. According to Postal Inspection Service officials, the Career Development Unit offers a basic and advanced Online Undercover Operations Training course; however, these courses are not required nor are they offered regularly. Additionally, the specific course is not referenced in documented guidance and cryptocurrency management is only a portion of the material covered in the course.
Because of the limited cryptocurrency-related training provided by the Postal Inspection Service, we found that two of the nine cases that management identified as using cryptocurrency were only opened to facilitate cryptocurrency training. Specifically, two divisions opened area cases to conduct on-the-job training courses in which trainees utilized cryptocurrency to make purchases of narcotics. Postal Inspection Service management was unable to provide documentation that 21 of 23 inspectors who made undercover purchases as part of these two cases were authorized to do so.
Additionally, when reviewing the case files associated with the two training cases, we found evidence that several of the guidelines and procedures for managing cryptocurrency during investigative use were not followed.13 Specifically, we noted that:
These requirements were developed to protect the Postal Inspection Service from the risk of fraud, mismanagement, and compromised investigations. Without establishing a comprehensive training program that incorporates cryptocurrency requirements, the Postal Inspection Service exposes itself to increased risk during the investigative use of cryptocurrency. If inspectors are untrained or trained in methods that do not reflect documented guidance, the likelihood of theft, abuse, and compromised undercover investigations remains high.
Finding 4: National Cryptocurrency Fund Management
The Postal Inspection Service’s cryptocurrency guidance does not include documented procedures in place related to certain aspects of managing the national wallet or how to conduct an annual review of the national wallet. The Program Guide and the User Guide define the procedures that postal inspectors must follow when requesting and using cryptocurrency to support investigations, such as documenting the information that must be incorporated into the cryptocurrency ledger and identifying the documentation that must be stored to support each cryptocurrency transaction. However, the guidance does not contain procedures that the Program manager must follow when managing the national wallet and its associated exchange account. Specifically, existing guidance does not identify requirements associated with (1) purchasing cryptocurrency for the national wallet, (2) the amount of cryptocurrency that should be maintained in the wallet, (3) verifying national wallet transactions, or (4) conducting an annual review.
The Standards for Internal Control in the Federal Government state that documentation of internal controls provides a means to retain organizational knowledge and ensure operational needs are met. The Standards also highlight the importance of documenting internal controls to assist management with identifying deficiencies on a timely basis and designing appropriate corrective actions.
According to the Program manager, the national wallet is legally considered to be an investigative fund subject to the existing investigative fund policies and procedures in the Inspection Service Manual. While these policies and procedures outline the process for establishing an investigative fund, they do not include specific information related to purchasing cryptocurrency with investigative funds, managing the national wallet to maintain a certain level of funds, or verifying national wallet transactions. These policies and procedures are unique to the roles and responsibilities of the Cryptocurrency Fund Program manager and are not documented in the Inspection Service Manual or the Program’s documented guidance.
Similarly, while the Program Guide and the User Guide state that the Program manager, an appointed cryptocurrency auditor, and an independent postal inspector should conduct the annual national wallet review, the guidance does not provide additional procedural guidance for how to conduct this review. For instance, the guidance does not include documented procedures for choosing the independent postal inspector or what evidentiary documentation should be analyzed during the review. The FYs 2019 and 2020 reviews include a description of documentation and review procedures followed by the auditor, but they are inconsistent. According to the Inspection Service, the procedures in the FY 2020 report are now considered the standard procedures to be used for the annual review. However, these procedures are not documented in or referenced by Program guidance.
The Program manager is responsible for drafting all procedures associated with the Program. Because the Program manager is also solely responsible for the management of the national wallet and its exchange account, the Postal Inspection Service did not find it necessary to document procedures pertaining to the manager’s role. Further, because review procedures are not documented in the Program guidance, there may be a lack of consistency in the quality of the review, potentially exposing the Postal Inspection Service to theft, abuse, and mismanagement of funds.
Well-documented procedures will help ensure that the Program’s objectives can be met and will provide reasonable assurance that national wallet cryptocurrency controls are operating effectively and minimizing risk. The Program manager agreed that documenting such procedures would be beneficial and stated that he would begin drafting them.
U.S. Postal Inspection Service Oversight of Its Use of Cryptocurrency (pdf), (html)