Defensibility in the new era of False Claims Act enforcement: PwC

False Claims Act (FCA) enforcement scrutiny is intensifying and expanding into new areas, spurred by the federal government’s increasing use of data analytics, cross-agency coordination, and novel applications of the FCA itself.
This shift introduces new areas of exposure across the enterprise, including many functions beyond legal and compliance, particularly for organizations that receive government funding.
These organizations should take steps to improve their transparency, documentation, and control accuracy. They’ll need to develop and demonstrate an evidence chain behind all material representations, certifications, and claims to the federal government.

The federal government has intensified its oversight of fraud, waste, and abuse (FWA) of public funds in recent months. Central to this effort is the FCA, the primary mechanism for recovering taxpayer money from organizations and individuals that defraud the government. FCA settlements and judgments exceeded $6.8 billion in the most recent fiscal year alone.

What’s changing? For starters, FCA enforcement has become more data-driven and coordinated. Federal agencies increasingly use advanced analytics and cross-agency task forces to identify suspicious patterns and anomalies. They’re also applying the law in new ways. As a result, inquiries move faster and reach further, focusing not only on traditional billing issues but also on representations tied to cybersecurity, procurement integrity, pricing, eligibility, and diversity, equity, and inclusion (DEI) conditions. The trend is clear: Enforcement is becoming more proactive, coordinated, and expansive.

For organizations that receive, administer, or otherwise touch government funds—whether through contracts, grants, loans, or federal and state-administered programs—this shift changes the risk equation. FCA exposure no longer sits solely within legal or compliance. Operational teams in groups such as IT, finance, HR, supply chain, and program management are often responsible for representations and certifications that can trigger liability. When documentation, data lineage, and control evidence are fragmented across functions, even routine agency inquiries can escalate quickly.

In this environment, defensibility requires transparency, documentation discipline, and control accuracy across the enterprise. Organizations should have a clear “evidence chain” behind each material representation, certification, and claim submitted to the federal government.

The scale of government outlays, coupled with the growing severity of FCA outcomes, underscores why this risk profile is now enterprise-wide, and why preparedness should extend across the overall funding life cycle.

$7T+

Annual government outlays*

$6.8B+

FY2025 FCA settlements/judgments**

$233B+

Minimum estimated government losses to fraud (between $233B and $521B) annually***

^{Sources

* https://fiscaldata.treasury.gov/americas-finance-guide/federal-spending/

** https://www.justice.gov/opa/pr/false-claims-act-settlements-and-judgments-exceed-68b-fiscal-year-2025

*** https://www.gao.gov/fraud-improper-payments}

How FCA compliance risk is changing

The risk environment has shifted in four primary ways.

Government agencies and oversight bodies are increasingly using data-driven reviews to identify anomalies at scale. The practical impact is faster inquiries and higher expectations for well-documented explanations, particularly when claims or certifications can’t be supported with consistent records.

Beyond traditional billing and procurement fraud, FCA risk can be triggered by representations in areas like cybersecurity, domestic preference/sourcing, pricing integrity, and DEI-related conditions tied to funding. Proper execution of compliance functions now requires strategic cross-organization coordination rather than formerly siloed efforts.

Task forces and coordinated initiatives are a leading indicator of where scrutiny will concentrate. They also increase the likelihood that an issue will escalate from a routine audit or inquiry into broader investigative or look-back activity, potentially involving multiple agencies (and multiple states) at once.

Organizations often frame FCA exposure as “federal only.” Many states, however, have their own false claims acts, and state attorneys general can pursue claims involving state funds—including state-administered federal programs such as Medicaid and pass-through funds. States are increasingly expected to play a more active role in monitoring and escalating potential issues in programs they administer. This can create parallel enforcement pathways, multi-jurisdictional and multi-agency investigations, and additional whistleblower risk where state laws include qui tam provisions.

“The importance of enterprise-wide defensibility is matched only by the importance of enterprise-wide risk avoidance. To prevail in an FCA case, the government must demonstrate that a material, false claim was submitted to it knowingly. Knowledge, in this context, includes actual knowledge, deliberate indifference, and, most importantly, recklessness. To show recklessness, government investigators routinely focus on the robustness of the defendant’s compliance program. Accordingly, as with evidence chain defensibility, contractors should make FCA compliance an enterprise-wide endeavor, and not the sole province of their compliance and legal departments.”

Jonathan Aronie,Partner, Sheppard Mullin LLP

Your evidence chain: A key vulnerability

In many FCA matters, the most expensive failure mode is not the absence of a policy. Rather, it’s the inability to demonstrate a credible, repeatable, documented evidence trail showing that each material representation, certification, and claim was supported and defensible when made.

This means showing what was promised, who approved it, what data supported it, and how it was assessed at the time. That’s why FCA compliance has become an enterprise-execution and data-integrity problem, not solely a legal one.

Getting ahead of the curve requires having an organization-wide capability to answer the following questions.

Assertion: What did we certify or represent (proposal/application, contract/grant terms, invoice, reporting)?
Owner: Who approved it, and what was their review standard?
Source data: Which systems and records contain the underlying facts?
Controls: What controls/tests can confirm the assertion and create defensible artifacts?
Artifacts: What can we produce quickly (policies, approvals, logs, analyses, sampling results, individuals involved) that we’ve reviewed and are comfortable sharing?
Monitoring signals: What data patterns or exceptions would have signaled to us that something is drifting? What do we have to reference to see if we have any early indications of an issue?

“The most practical step organizations can take in the near term is to map their highest-risk, government-facing representations to actual evidence and ownership. For each major certification, whether in billing, cybersecurity, sourcing, or pricing, someone should be able to answer three questions quickly: What exactly did we say? What facts support it? And where will we go first if we’re asked to prove it tomorrow?”

Abigail Hazlett,Partner, Troutman Pepper Locke

Task forces and initiatives to watch

Task force or initiative	What it targets	Why it matters for organizations
Task Force to Eliminate Fraud (White House/interagency)	FWA in federal benefit programs, including improper payments, ineligible beneficiaries, provider or retailer fraud, and organized or cross-program fraud schemes.	Reinforces that scrutiny is moving upstream. Organizations may face greater expectations to substantiate eligibility, controls, and supporting documentation before and after funds flow.
Health Care Fraud Strike Force/Medicare Fraud Strike Force (DOJ and HHS-OIG and partners)	Complex healthcare fraud schemes involving Medicare, Medicaid, and other federal health programs including large-scale network fraud. Uses data analytics and multi-agency investigations.	High-velocity investigations; focuses on substantiation of medical necessity, coding, arrangements, and documentation. Also signals avenues established to share data across organizations enabling for earlier and easier identification of potential FWA.
Procurement Collusion Strike Force (DOJ Antitrust and interagency partners)	Bid rigging, price fixing, market allocation, and related fraud in procurement, grants, and program funding.	Collusion and integrity issues can become fraud allegations when pricing, competition, or certifications are impacted.
COVID-19 Fraud Enforcement Task Force (DOJ) and pandemic-relief oversight (e.g., PRAC)	Fraud tied to pandemic-era relief programs and misuse of emergency funds; coordinated sweeps and data sharing.	Legacy relief portfolios still drive investigations, recoveries, and derivative controls expectations.
Civil Cyber-Fraud Initiative (DOJ)	Cybersecurity representations and required reporting tied to federal contracts and grants.	Misalignment between security practices and contractual representations can create FCA exposure; evidence of controls matters.
Civil Rights Fraud Initiative (DOJ)	Civil rights compliance tied to receipt of federal funds; focuses on false certifications or statements about compliance.	Compliance commitments may sit across HR, student affairs, operations, and program teams; documentation is critical.
Student aid anti-fraud efforts (Department of Education/Federal Student Aid and law enforcement partners)	Identity theft, “ghost student” schemes, and improper disbursements in federal student aid programs.	Institutions face heightened expectations for verification, reporting, and control execution; operational capacity is tested.
Financial crimes lens on program fraud (Treasury/FinCEN alerts; IRS task-force actions in Minnesota as an example)	Suspicious financial flows related to benefits and program fraud; laundering indicators and reporting expectations for financial institutions.	Program fraud can trigger anti-money laundering and financial reporting scrutiny in parallel; increases the cost of response and remediation.
Trade Fraud Task Force (DOJ and Homeland Security task force surrounding tariffs, country of origin, national security)	Targets knowingly false statements, certifications, or omissions made to evade tariffs, antidumping and countervailing duties, customs duties, or other trade restrictions—including misclassification, undervaluation, country-of-origin misrepresentation, and other schemes that result in the underpayment of amounts owed to the US government.	Increases whistleblower exposure, amplifying cross-agency investigative coordination and raising the stakes for importers through significant civil penalties and potential criminal scrutiny.

Where enforcement pressure is concentrating

Nearly every sector is affected by these enforcement trends, as demonstrated in the DOJ’s FY2025 False Claims Act Settlements and Judgments Fact Sheet.

In healthcare, enforcement continues to concentrate on high-volume reimbursement pathways, particularly Medicare Advantage risk adjustment and other areas where diagnosis support, clinical documentation, and third-party or vendor activity can materially affect payment. DOJ’s representative matters also reinforce ongoing focus on kickback-related allegations and reimbursement mechanics across life sciences and pharmacy channels, including dispensing and prescription integrity where documentation and controls should keep pace with scale. Increasing federal and state program integrity activity, particularly in Medicaid and managed care, raises the likelihood that billing anomalies, documentation gaps, or unsupported reimbursement practices will be identified and escalated into audit findings, payment recoveries, or FCA exposure.

“DOJ has been notably active in two areas within the pharmaceutical and life sciences sectors.”

“With respect to pharma companies, the DOJ appears to have a renewed focus on government price reporting and whether drug prices are inflated, manipulated, or otherwise misreported to government agencies. Drug makers, particularly those with costly drugs or therapies, should be mindful of the methodologies and materials used to support their price reporting obligations and also avoid any aggravating optics that they're ‘marketing the spread’ between the drug acquisition cost and the amount reimbursed by federal healthcare programs.”

“As for medical device companies, the DOJ has recently pursued a string of cases where the false claim was premised on manufacturing or other quality issues that rendered the devices substandard or defective in some way. Medtech firms should be mindful of how quality system regulation compliance now materially intersects with the FCA and the need for cross-functional collaboration when evaluating FCA compliance and the company's overall control environment.”

Jonathan Stevens,Partner, Paul Hastings, LLP

Outside healthcare, DOJ matters show an expanding set of contract- and grant-related FCA allegations tied to procurement integrity, nonconforming goods or services, and false certifications. A clear theme is the growing overlap between FCA enforcement and cybersecurity requirements embedded in awards, where exposure often turns on alleged false certifications of compliance rather than an actual breach.

The DOJ also continues to pursue pandemic-relief matters where eligibility and attestation controls were weak, and it highlights trade and customs cases, such as tariff classification, valuation, and country-of-origin representations, where routine business processes can translate into FCA exposure when statements to the government are unsupported.

Looking forward, scrutiny is likely to remain elevated, particularly in high-volume healthcare reimbursement pathways where documentation, coding, and vendor activity can materially affect payment. At the same time, organizations should watch for FCA scrutiny expanding into representation-driven compliance areas, including cybersecurity requirements in contracts and grants, drug pricing and rebate reporting, DEI-related funding conditions, and trade or customs representations such as country of origin and valuation.

Getting to enterprise-wide defensibility

In this new era of FCA enforcement, traditional compliance approaches won’t suffice. Organizations should assess their exposure, prioritize the highest-risk public-funding touchpoints, and strengthen readiness, monitoring, and rapid-response capabilities. Data, analytics, and AI can support that work, but the goal is straightforward: know what you promised, monitor where risk is building, and be ready to respond with defensible evidence.

Map your government-funding footprint, representations, and obligations-to-evidence requirements. These obligations live across contracts, grant terms, and award conditions that are rarely consolidated.
Document intelligence tools can extract and catalog them at scale and surface where evidence gaps exist.
Define governance for certifications and representations. Establish clear sign-off standards, required support, and escalation paths when evidence is incomplete or risks are unresolved.
Test key controls on a risk-based cadence and retain defensible, audit-ready artifacts. Automated control testing can generate evidence continuously as part of the workflow. Sampling, reconciliation, and artifact retention happen on a cadence tied to risk, not reconstructed after an inquiry.
Engage cross-functional stakeholders who own the relevant risk areas. When the evidence chain runs through IT, finance, HR, and supply chain, these teams should have a shared view of data, analytics, and AI-enabled tools needed to identify obligations, assess support, and strengthen the evidence chain before issues arise.

Pilot analytics on FCA-sensitive assertions. Pattern detection can run against the same assertion types the government is targeting, such as payment anomalies, timekeeping irregularities, procurement red flags and cybersecurity attestation gaps. The goal is to identify what an investigator would find before they find it.
Create a triage queue for exceptions and allegations, route to accountable owners. Analytics and AI can prioritize exceptions by risk severity and route them with relevant context already attached: the obligation, the underlying data, the control history. Owners get something actionable, not just an alert.
Tune monitoring to help reduce false positives and expand coverage. As exceptions are reviewed and resolved, rules and models can be refined to improve signal quality and extend monitoring into areas that would be difficult to cover manually.

Stand up an inquiry or investigation playbook. Define roles, escalation paths, privilege considerations, evidence-preservation steps, and fact-development procedures before scrutiny hits. AI can support document collection and issue triage so your team can focus on coordination and defensible decision-making.
Prepare audit-ready narratives and a remediation tracker. AI-assisted drafting can generate initial response narratives from underlying evidence, giving the team a working draft to sharpen rather than a blank page. With response timelines compressing, that acceleration matters.
Run tabletop exercises to practice speed and coordination. Test how quickly the organization can assemble the evidence chain, align cross-functional stakeholders, and respond to issues such as a cyber incident, pricing defect, subrecipient problem, or eligibility challenge. Use data and scenario-based tools where helpful to identify gaps before a regulator or whistleblower does.

Defensibility in the new era of False Claims Act enforcement

How FCA compliance risk is changing

Your evidence chain: A key vulnerability

Task forces and initiatives to watch

Where enforcement pressure is concentrating

Getting to enterprise-wide defensibility