Codify — Article

STEP Act (S.80) tightens agency controls and reporting on improper payments

Requires CFO-led identification, OMB-approved estimation methods, CFO certification, and multi-year fraud-control reporting — without new funding.

The Brief

The STEP Act amends title 31 to tighten how federal agencies identify, estimate, and report improper payments and to raise accountability for fraud-risk controls. It inserts a uniform definition of agency chief financial officer, requires agencies to flag certain new high‑spend programs as potentially susceptible to improper payments, and mandates CFO certification of the agency’s identification and corrective-action monitoring.

The bill also strengthens requirements for annual reporting tied to agencies’ financial statements: agencies must use OMB- and CFO-approved estimation methods, report on progress implementing fraud-risk leading practices (including GAO’s framework and OMB Circular A–123 guidance), and deliver these reports for a defined multi-year period — all without authorizing additional appropriations. The result: clearer lines of financial accountability and earlier scrutiny of new, large programs, but a new compliance load for agencies operating under existing budgets.

At a Glance

What It Does

Clarifies who qualifies as an agency chief financial officer, requires annual identification of new programs likely to generate significant improper payments (subject to a $100 million/first-years threshold), and mandates OMB- and CFO-approved estimation methods plus CFO certification in agency financial reports. It also requires multi-year agency reporting on fraud-risk controls and leading practices.

Who It Affects

Executive-branch CFOs and agency financial teams, program offices starting large new programs, OMB and GAO as oversight partners, and congressional appropriations and oversight staff who rely on agency financial statements.

Why It Matters

This bill shifts more preventive scrutiny onto program design and CFO oversight before payments begin, standardizes estimation sign-off, and brings fraud-risk practice reporting into the annual financial statement lifecycle — potentially catching improper payments earlier but increasing compliance demands without new funding.

What This Bill Actually Does

The STEP Act makes three practical changes to federal improper‑payments law. First, it inserts a clear statutory definition of an agency’s chief financial officer so there is no ambiguity about who signs off on improper‑payment estimates and related certifications.

Second, it expands the universe of programs agencies must consider for improper‑payment susceptibility by forcing agencies to identify new programs that will spend large amounts early in their life: any program expected to spend over $100 million in one of its first three fiscal years and that is within its first four years of operation must be flagged for review unless an agency’s review shows it is not susceptible. Third, it tightens reporting and internal control expectations by requiring estimation methodologies to have joint approval from OMB and the agency CFO and by adding explicit CFO certifications and fraud‑risk progress reporting to annual financial statements.

Operationally, the bill moves improper‑payment work upstream. Agencies must evaluate program susceptibility during the early design and start‑up phase, produce statistically valid or otherwise approved estimates, and include a CFO statement in the annual financial package certifying the reliability of those program identifications and describing oversight of corrective actions.

The bill also cross‑references existing standards — GAO’s fraud‑risk framework and OMB Circular A–123 leading practices — and requires agencies to report on implementing those practices.

On oversight cadence, the STEP Act requires agencies to submit targeted reports on fraud controls for a defined period: beginning the first fiscal year after enactment and continuing for nine additional years, agencies must include a report with their annual financial statement describing progress on fraud‑risk controls, vulnerabilities (payroll, beneficiary payments, grants, large contracts, purchase and travel cards) and steps taken to curb fraud. The bill permits agencies to avoid duplicative standalone reports if the financial statement already contains the required information; a brief cross‑reference suffices.

Finally, the Act expressly bars any new appropriations to implement its provisions.

That means agencies must absorb any compliance, review, and reporting costs within existing budgets and staffing, or reallocate resources away from other activities. Practically speaking, CFOs become the compliance fulcrum: they jointly approve methodologies with OMB, certify program‑susceptibility identifications, and must describe how corrective actions are being monitored — a concentration of responsibility aimed at earlier detection of improper payments.

The Five Things You Need to Know

1. The bill requires agencies to identify as potentially susceptible any new program that expects outlays over $100 million in any one of its first three fiscal years and is in its first four years of operation, unless an agency review finds no susceptibility.

2. Estimates of improper payments must be statistically valid or use a methodology jointly approved by the OMB Director and the agency’s chief financial officer.

3. Agency annual reporting must include a CFO statement certifying the reliability of the agency’s identification of susceptible programs and describing how the CFO monitors corrective-action plans.

4. For ten consecutive fiscal years (the first fiscal year after enactment and the following nine), agencies must include with their annual financial statements a report on progress implementing fraud-risk controls and GAO/OMB leading practices.

5. The Act contains an explicit “no additional funds” clause: it does not authorize new appropriations to implement its requirements.

Section-by-Section Breakdown

Section 1

Short title — STEP Act

Provides the Act’s public name: the Safeguarding the Transparency and Efficiency of Payments Act (STEP Act). This is administrative but matters for statutory citations and for practitioners searching by title.

Section 2(a) — Amendments to 31 U.S.C. §3351 (Definitions)

Defines 'chief financial officer' for all executive agencies

Adds a two‑part statutory definition: for agencies covered by 31 U.S.C. 901(b) it references the CFO appointed under that section; for other executive agencies it covers whoever serves as the senior executive responsible for financial management. That change centralizes who must sign off on estimates and certifications and removes ambiguity in cross‑references elsewhere in chapter 33.

Section 2(b) — Amendments to 31 U.S.C. §3352 (Estimates & Reports)

Requires early identification of large new programs and tightens estimate/reporting rules

Directs agencies to annually identify new programs or activities that are likely to have significant improper payments based on a numeric threshold ($100 million expected outlays in any one of the first three fiscal years) and the program being within its first four years. It allows an exception if an agency’s review shows the program is not susceptible. It also revises estimation duties so agencies must produce statistically valid estimates or use OMB- and CFO‑approved methodologies and mandates that these estimates be reported in accordance with a new reporting subsection tied to annual financial statements.

Section 2(c) — Amendments to 31 U.S.C. §3357(d) (Controls & Reports)

Mandates multi-year fraud-control reporting tied to financial statements

Replaces the previous reporting subsection with a schedule requiring agencies, for ten fiscal years, to report with their annual financial statements on progress implementing internal controls, the GAO fraud‑risk principles, and OMB Circular A–123 leading practices. The report must name vulnerabilities (payroll, beneficiary payments, grants, large contracts, purchase and travel cards) and describe strategies to curb fraud. Agencies may avoid duplicative filings if the financial statement already includes the required information.

Section 3

No additional funds authorized

Specifies that the Act and its amendments must be carried out using existing resources; no new appropriations are authorized. That language creates an unfunded mandate: agencies must reallocate funds internally rather than rely on newly appropriated budgets.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Taxpayers and congressional appropriations committees — by getting earlier, CFO‑certified identification of riskier new programs and standardized, OMB‑approved estimation methods that can improve the accuracy and comparability of improper‑payment figures.
  • OMB and GAO — because the bill channels program‑start and fraud‑risk information into the annual financial statement process, giving these oversight bodies earlier visibility into control gaps and mitigation progress.
  • Program integrity teams and internal auditors — the bill elevates fraud‑risk practices and creates a predictable reporting posture (including explicit attention to payroll, benefits, grants, major contracts, and cards), which helps prioritize audits and remediation.

Who Bears the Cost

  • Agency CFOs and financial management offices — they must jointly approve methodologies, prepare the CFO certification, and provide ongoing monitoring and reporting with no additional appropriations, increasing workload and performance risk.
  • Program offices launching new, large programs — they must conduct susceptibility reviews during early operations and support data collection for statistically valid estimates or approved alternative methodologies.
  • Operational units (grants, payroll, procurement, travel card offices) — will face added scrutiny, data requests, and the need to implement GAO/OMB leading practices, which may require process changes and investment absorbed within existing budgets.

Key Issues

The Core Tension

The central dilemma: tighten prevention and accountability for improper payments by centralizing CFO authority and standardized reporting, or avoid imposing unfunded administrative burdens that could divert agency resources from program delivery — the bill strengthens oversight but leaves agencies to pay for it from existing budgets, producing a trade‑off between rigor and capacity.

Two implementation tensions dominate. First, the Act concentrates accountability in agency CFOs: they jointly approve estimation methodologies with OMB, certify the reliability of program susceptibility identifications, and must describe monitoring of corrective plans.

That creates clearer ownership but also concentrates reputational and practical risk in CFO offices, which may lack the programmatic knowledge or bandwidth to assess technical program vulnerabilities without additional staff or reallocated resources.

Second, the Act imposes substantive new review and reporting expectations while explicitly forbidding new appropriations. Agencies will need to absorb the cost of susceptibility analyses, statistically valid sampling (or approved alternatives), and expanded fraud‑risk remediation within existing budgets.

That may force tradeoffs between prevention work and program delivery, or lead agencies to prioritize compliance paperwork over substantive control improvements. Additionally, the $100 million/first‑years threshold targets large start‑up spending but could miss smaller programs with high fraud exposure; conversely, the focus on the first 4 years may incentivize program designs that shift spending timelines to avoid the threshold.

Finally, giving OMB and agency CFOs the joint gatekeeping role on methodologies risks delays or inconsistent methodological standards across agencies unless OMB issues clear, prescriptive guidance.
