Issue Brief: USAID Must Consider Alternative Vetting Approaches

On Jan. 2, 2009 the United States Agency for International Development (USAID) released a final rule for its "Partner Vetting System" (PVS) for nonprofit and charitable groups. The PVS would require grant applicants to submit detailed personal information on "key individuals" to be shared with the intelligence agencies. Despite criticism from nonprofits that the PVS would create unnecessary and potentially dangerous barriers for humanitarian groups providing relief in global hot spots, the substance of the final rule remains unchanged. The Obama administration has delayed implementation of PVS until April 3, 2009, allowing public comments for 30 days.

This Issue Brief provides background information on PVS, analyzes problems with the final rule and recommends that USAID revisit this approach to vetting its partners. The first question for the Obama administration is not how PVS should operate, but whether it is the right overall strategy for ensuring USAID resources are used for humanitarian purposes, and not to support terrorist violence.

1. Background Information

USAID Fails to Address Concerns Raised in Public Comments

2. Alternative Approaches Can be More Effective and Safer for NGO Workers

Background Information

 

PVS was first proposed in July 2007. USAID's goal is to "conduct screening to ensure USAID funds and USAID-funded activities are not purposefully or inadvertently used to provide support to entities or individuals deemed to be a risk to national security." [p. 9] The rule has no definition of what a "risk to national security" is or what criteria are used to deem an individual or group to be such a risk.

The rule says "Information provided to USAID by applicants will be transmitted to USAID employees who will check that information against one or more databases maintained by the intelligence community." [p. 12] The personal data required on the proposed Partner Information Form includes: 

  • name and government issued photo identification number
  • place of birth and date of birth
  • citizenship
  • gender
  • occupation
  • current employer and job title
  • home address
  • email address
  • rank or title in organization

The form also requires the applicant to certify that it has "taken reasonable steps (in accordance with sound business practices) to verify the information contained in this form." PVS would exempt the information on key individuals from Privacy Act protections so that USAID can share it with intelligence operations. The stated purpose of the Privacy Act is to protect confidential information from disclosure for people who are the subjects of investigation, in order to protect law enforcement and security aims. (See 22 CFR 215.3, 215.14) The net effect is to make the PVS process completely secret, so that a grant applicant may never learn how or why its application was turned down.

USAID says PVS would not rely solely on a computer match with a government watch list and will conduct its own follow up investigation. However, these investigations will be done in secret, reducing the likelihood that the results of the PVS process will be accurate or useful.

USAID says if the Obama administration approves implementation of the rule "it will be rolled out in an orderly fashion, with initial implementation for approximately four programs worldwide." [p. 12] The four areas are not specified, although the West Bank/Gaza program is expected to be one.

USAID Fails to Address Concerns Raised in Public Comments

On July 20, 2007 the proposed rule appeared in the Federal Register, and generated 175 public comments. The final rule leaves many central details to be determined later. USAID says the rule's lack of specifics will be addressed in guidance and protocols that it is currently drafting, saying "Once the guidance and protocol have been developed, the Agency will share it with our NGO partners and also provide appropriate training for affected applicant organizations." The effect of this is to avoid public comment on the specifics in the guidance and protocols.

The final rule's discussion of these comments generally fails to address the serious concerns raised, dismissing them with sweeping statements unsupported by evidence. For example:

Is PVS Needed?

Many submitting comments noted that there is no evidence that USAID funds have been diverted to terrorist organizations through nongovernmental organizations (NGOs). USAID responded that "USAID does not believe it should wait for hard proof that our funds are actually flowing to terrorists before implementing additional safeguards to its anti-terrorist financing program – even the suggestion that our funds or resources are benefiting terrorists is harmful to U.S. foreign policy and U.S. national interests." [p.10] This response misses the point. The question is not whether appropriate preventive measures should be taken, but whether or not PVS is either appropriate or effective prevention.

Before it proposed PVS, USAID had already taken action to prevent diversion of its funds to organizations controlled by terrorists. In March 2002 it began including a clause in grant agreements reminding applicants of the prohibition on transactions with terrorist organizations in Executive Order 13224. This bars transactions with organizations on a list of Specially Designated Global Terrorists (SDGT) published by the Department of the Treasury's Office of Foreign Assets Control (OFAC). In December 2002 USAID began requiring all grantees to certify that funds do not assist terrorist activity, and in November 2005 it issued a bulletin reminding USAID officers of their responsibility to check the SDGT list during the grant award process.

USAID now says these procedures are insufficient, and that "merely checking names against the OFAC master list and requiring self-certification may not constitute adequate due diligence in certain situations." USAID notes allegations in the media and by the government that its funds may have gone to organizations controlled by Hamas, and in Pakistan and Bosnia "about whom derogatory information was reported." [p. 10] Although none of these grants assisted a SDGT, USAID said it believes a "comprehensive, systematic, and automated vetting system is essential."

To address the question of whether PVS is the best way to augment prevention, USAID cites a similar program it has operated in the West Bank and Gaza Strip that has "uncovered derogatory information on some of the applicants of USAID's funds." However, no standards to define "derogatory information" are provided. USAID then cites Treasury's problematic Anti-Terrorist Financing Guidelines, which say checking the OFAC list is only "one part of a charitable organization's broader risk-based approach to protect against the risks of terrorist abuse." [p. 10] These guidelines have been consistently criticized by the nonprofit sector. The Council on Foundations, acting on behalf of a working group of grantmakers, NGOs, and nonprofit legal experts, has called for their withdrawal, saying "the Guidelines continue to impose onerous information collection and reporting requirements that do little to protect charities from terrorist abuse."

PVS focuses exclusively on the "who" involved in USAID programs and ignores the "what." The actual aid activity is ignored. USAID never explains how or why a match does anything to achieve the goal of protecting USAID funds and programs. This problem is exacerbated by the fact that USAID is not limiting itself to the list of SDGT, which is made public and targeted to terrorist organizations. Use of a broader array of "intelligence databases," sweeping in a much larger universe of people, means that grant programs could be halted because innocent people are on the list. The involvement of one of these individuals in a USAID NGO partner's program may be completely irrelevant to whether or not USAID resources are used for humanitarian and development purposes. Nothing in PVS, as described by USAID so far, does anything to address this question or even takes it into consideration. Yet that is where the primary focus needs to be.

Increased Risks to NGO Workers

USAID's response to comments acknowledges concerns about considerable dangers to aid workers in foreign countries that would result from USAID's use of its grantees for data collection that is turned over to U.S. law enforcement and intelligence agencies. Even if that is not USAID's intention, the perception that grantees are acting as agents of the U.S. government could lead to retaliation against aid workers by terrorist organizations, militias and foreign governments. USAID's response to these concerns is limited to one paragraph with a blanket denial of this possibility, saying "In no way should this exercise be viewed as law enforcement or intelligence gathering."

This failure to acknowledge the harsh realities facing NGOs working in conflict zones or failed states demonstrates a disturbing lack of understanding of the independent nature and working environment of NGOs on the part of USAID. It also fails to acknowledge that "United Nations officials and aid workers who choose to work in conflict zones have always exposed themselves to banditry, crime and violence. But the assaults, kidnappings and killings of humanitarians have more than doubled in the past five years — precisely when independent humanitarian, reconstruction and development assistance has been urgently needed in places like Afghanistan and Iraq." (Op-ed in the New York Times by Samantha Power, "For Terrorists, a War on Aid Groups," Aug. 19, 2008.)

This problem also surfaced in a December 2008 plan outlined by USAID and the Department of Defense (DoD) that would force humanitarian groups in certain areas to collaborate with the military. It has been called "potentially lethal" by critics, which include InterAction, CARE and International Relief and Development. A Senior Fellow at the Brookings Institution, Elizabeth Ferris, agrees that a close relationship between the military and humanitarian groups will open the door for attacks on charitable groups by insurgents. Ferris says, "Once insurgent groups perceive that a humanitarian organization is acting to pursue military or political objectives, that organization loses the protection it had by virtue of respect for humanitarian principles." Ferris added, "Rather than aid being seen as a response by the U.S. population to suffering people in need, it [will be] increasingly seen as another tool of U.S. foreign policy." (See "Dangerous Partnership: Humanitarian Aid Groups and the Military," OMB Watch Blog, Dec. 23, 2008.)

Instead of taking these concerns seriously, USAID makes the claim that PVS is meant "to enhance the safety overseas of both USAID personnel and officials and employees of USAID's partners" and ensuring key individuals are not associated with terrorists "can only improve the safety and reduce of risk of kidnapping, assassination or injury." [p. 14] Unfortunately, USAID cannot wish this problem away with such statements.

The seriousness of this issue, both to the safety of aid workers and the integrity and independence of the nonprofit sector, deserves a much more thorough and open-minded assessment by USAID. The Obama administration should make sure this happens.

Is Massive List-checking an Appropriate Use of USAID's Authority?

USAID says the Foreign Assistance Act gives it authority to impose PVS, noting that its requirement to prevent assistance from reaching terrorists is similar to requirements that the agency prevent assistance to narcotics traffickers and human rights violators. It also cites the statutory prohibition against material support to terrorism and Homeland Security Presidential Directive/HSPD-6, which establishes a policy of developing information on people "known or appropriately suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related to terrorism." The directive says agencies should use the information "as appropriate and to the full extent permitted by law to support Federal screening processes." [p.11]

U.S. NGOs do not question USAID's goal of preventing resources from reaching terrorists, narcotics traffickers or human rights violators. But NGOs do question whether the USAID grant application process is an appropriate context for use of screening procedures based on terrorist databases, which are much broader and larger than the SDGT list. The ACLU comments on the rule said these databases "raise serious due process concerns….in light of the fact that the lists are error-filled and unreliable, with many false positives, and there is no effective means for challenging the fact that one is on the list." ACLU research has uncovered numerous instances where people have been put into terrorism-related databases because of activities supporting human rights, the environment, peace and other causes. (See examples in Collateral Damage Chapter 8: Counterterrorism Measures Used to Limit Dissent and Public Debate on Issues.)

If one such activist works for an NGO and his or her name triggers a match in the PVS process, the NGO could lose its opportunity to use USAID funds without ever knowing why, and without having any connection to terrorism.

In its comments OMB Watch expressed concern that PVS will more than likely result in the creation of a secret USAID blacklist of ineligible grant applicants, based on PVS results. Organizations and individuals erroneously listed as having ties with terrorism will have no way of knowing they are deemed as such, or why. USAID responded that "Results of this screening will be recorded to document actions taken concerning the award for which the organization was screened. Results will not be utilized to create lists of organizations which would then be used for subsequent screening." It says that grant decisions will be based not just on whether a name matches one in a national security database, but also on the severity of the information, the reliability of the source, corroboration, if any, etc. [p. 14]

However, the problem is not whether USAID keeps a list of PVS matches to intelligence databases. The problem is with using these databases in the first place. There are many lists and databases, all with different standards for why people are listed and how the information is intended to be used. A match could mean that someone has a relative or neighbor suspected of associating with a terrorist organization, or that they have a name similar to that of someone else on the list.

In its comments on PVS OMB Watch said, "There are numerous reports of cases of mistaken identity or 'false positives' on government watch lists...One of the better known watch list errors includes the listing of the alias of Anthony Romero (Antonio Romero), the executive director of the ACLU, on the OFAC listing in 2004. But there are many more lesser-known cases. According to a March 2007 report released by the Lawyers' Committee for Civil Rights of the San Francisco Bay Area (LCCR), one of the major shortcomings of the OFAC list is its extensive inclusion of common Muslim or Latino names, such as 'Mohammed Ali' or 'Carlos Sanchez.'" The LCCR report describes examples of several ordinary citizens who were flagged as suspected terrorists when attempting to purchase homes, apply for jobs or health insurance.

These problems are exacerbated by expanding the list-checking beyond lists of designated supporters of terrorism to include a wide variety of government intelligence databases. The thresholds for intelligence gathering and entry of information into files are extremely low and are not limited to those under suspicion of terrorist or criminal activity. Problems with information sharing among local, state and federal law enforcement authorities have been documented by the ACLU in the December 2007 report What's Wrong With Fusion Centers. The report explains how the Justice Department's 2006 Guidelines on information collection and database entry standards go well beyond targeting people under suspicion of illegal activity, saying:

"The inevitable result of a data-mining approach to fusion centers will be:

  • Many innocent individuals will be flagged, scrutinized, investigated, placed on watch lists, interrogated or arrested, and possibly suffer irreparable harm to their reputation, all because of a hidden machinery of data brokers, information aggregators and computer algorithms.
  • Law enforcement agencies will waste time and resources investing in high-tech computer boondoggles that leave them chasing false leads—while real threats go unaddressed and limited resources are sucked away from the basic, old-fashioned legwork that is the only way genuine terror plots have ever been foiled." 

OMB Watch's comments noted that "This denies a grant applicant the right to know when anyone associated with it is flagged by the watch lists, and the opportunity to present information that could eliminate a false positive. This secrecy is not necessary to protect national security." Other commentors expressed concern that data on innocent people submitted with grant applications could end up being stored in intelligence databases.

USAID seeks to assure NGOs that grant applications will not be denied "merely because there is an 'encounter' or positive match between information provided by an applicant and information maintained in a terrorist database. Instead, USAID will 'look behind' that match, considering the accuracy and severity of the information, the reliability of the source, corroboration, and other pertinent matters before granting an award. This review will include assessment of the terrorist information available in relevant databases, consideration of information provided by the USAID Missions or U.S. Embassies or any other relevant information available to the Agency." [p. 12] What it will not include is any clarifying or explanatory information provided by the applicant, since the applicants will not be notified a problem exists.

The final rule attempts to address due process concerns by providing that "any denial of funding by USAID as a result of PVS screening will be accompanied by a reason for that denial and an opportunity for the organization to appeal administratively." Since USAID will not confirm or deny whether an individual has passed or failed screening in terrorist databases, it will be difficult for applicants to pursue appeals. This is exacerbated by the fact that "The amount of information provided to a denied applicant will be dependent on the sensitivity of the information…" [p. 14]

USAID's appeal plan requires an applicant to wait until their application is denied before they have an opportunity to provide clarifying or supplemental information. This can result in substantial delays in program implementation, and puts an unfair burden on applicants. USAID will already have conducted its own investigation, and come to its own conclusions, in a process that lacks any element of transparency. The "appeal process" then puts the agency in charge of reviewing its own actions.

A similar process is used by OFAC to make decisions on whether to designate charities as supporters of terrorism, which results in freezing their assets and shutting down programs. Experience with this process has proven that non-transparent procedures that lack opportunities for confronting evidence or any type of independent review are fundamentally unfair, are susceptible to mistakes or abuse, and result in loss of public credibility for the agency involved. (See Collateral Damage Chapter 3: Lack of Appeal and Due Process Rights Leaves Charities and Foundations Open to Mistake and Abuse.)

USAID responded to these concerns first by saying that "information provided by NGO partners will be retained in secure files" and "all information submitted on individuals and maintained in the USAID system will be available for those individuals to request, review and correct. Intelligence community systems will not retain information on individuals where there is no match." (emphasis added) [p. 12] This leaves open the possibility that a match that turns out to be a false positive could end up being retained in intelligence databases. Although USAID says "Intelligence community systems will not retain information on individuals where there is no match", there is no description of a process to guard against mistake or provide a remedy when mistakes are made.

 

Lack of Specifics on PVS Procedures

 

Many commentors expressed concern over the lack of specifics with respect to PVS procedures. USAID acknowledges that it has determined some PVS procedures, but "other procedures remain to be developed as part of the Agency's guidance and protocol development process." [p. 14]

While USAID's publication of the Partner Information Form provides some clarification, too many issues, procedures and definitions have yet to be determined. For example: 

  • How does USAID define a "threat to national security"?
  • What is the definition of a beneficiary of training or services?
  • What is "derogatory information"?
  • Will USAID have deadlines for completion of its vetting process?
  • How will the appeal process work?
  • Has USAID considered alternative vetting strategies? 

Because the appeal procedures do not give applicants a meaningful opportunity to know or respond to the "derogatory information" that led to denial of their grant application, PVS mirrors the problems inherent in Treasury's process for designating SDGTs. The same constitutional problems go along with it. (See Chapter 3 of Collateral Damage, as noted above.)

 

Insufficient Public Input

 

USAID disagreed with numerous comments expressing concern with the lack of consultation with the nonprofit sector about PVS and the apparent effort to rush the rule through by making it effective on the day the public comment period was originally announced. The agency said it had followed all administrative requirements for public comment, but said it continues its "willingness to maintain a dialogue with the NGO community and with interested Congressional committee staff on PVS and associated notices." [p. 14] USAID’s reconsideration of PVS should allow for public input on all major issues involving the program, including consideration of alternative approaches to vetting.

 

Lax Data Security Problems

 

In the pilot PVS conducted on the West Bank and Gaza, serious data security problems were uncovered in a report by the Government Accountability Office and State Department Office of the Inspector General. The personal information submitted by applicants was kept in unlocked file cabinets and was otherwise vulnerable to security breaches that would have violated the privacy rights of the individuals involved. USAID says it has "developed user requirements, system architecture, data dictionaries, and user manuals for its vetting system" and that "USAID's information security program is considered to be exceptional." [p.15] While all this may be true, it only indicates that significant resources are being invested in an ill-advised and ineffective program.

 

Processing Delays and Undue Burden on Applicants

 

Commentors expressed concern that USAID does not have the capacity to conduct the investigations contemplated in the final rule. An InterAction press release notes that the West Bank/Gaza program "resulted in delays of up to five months for local procurement of goods and services for American NGOs. Even purchasing simple goods, such as fax machines, takes weeks or months, as local sellers are vetted. In one instance, when an American NGO asked whether it could use a local ambulance service (which had not yet been vetted) in case of medical emergency, the response it got from its USAID program officer was simply, 'I don’t know.'"

Despite clear feedback from experienced NGOs that PVS would impose heavy administrative burdens on both them and the agency, USAID said the information collection burden should not be significant. It says "NGO partners can be assured that USAID has no intention to vet hundreds or thousands of employees for each acquisition or assistance action." [p. 12] The agency bases this claim on the average submissions from applicants in the West Bank/Gaza program, which was 3.2 individuals. USAID predicts that the rule will result in an average of 4-6 names being submitted per application.

The vague definition of "key individual" opens the possibility that USAID grant applicants will need to collect and submit personal information on larger numbers, especially where an organization operates in multiple countries or locations. The Partner Information Form defines "key individual" as principal officers of the organization's governing body, executive staff, program managers of USAID funded activities and "any other person with significant responsibilities for administration of the USG-financed activities or resources." USAID said it will monitor implementation to determine what the actual burden might be, and in the meantime, the determination of who must submit information "is left to the organization applying for funds."

A more significant problem may be the requirement that the information be provided "on each individual to receive training, equipment, or other direct benefits…" This implies that program beneficiaries are subject to the information collection, and the final rule provides no clarification on this issue.

 

Alternative Approaches Can be More Effective and Safer for NGO Workers

 

Alternative approaches that would focus on the actual use of USAID resources are available. The NGO sector has pooled its expertise on numerous occasions to develop standards and programs that protect the integrity of their operations. These procedures are built on traditional principles of due diligence that emphasize personal contact and oversight. The sector's mantra is "Know your grantee."

Examples of effective sector programs and standards include: 

 

Conclusion

 

The Partner Vetting System, as conceived and designed by USAID, is built on flawed assumptions about how effective vetting is conducted. The agency has pursued a strategy that relies on computers rather than on-the-ground experience and personal relationships. It fails to take advantage of the experience and expertise of the NGO sector. The narrow focus on intelligence databases fails to consider how USAID resources are actually used. Finally, it ignores the universal warnings from the NGO sector that data gathering for PVS will create a perception that NGOs are arms of the U.S. government. This creates safety hazards for aid workers and undermines program effectiveness.

NGOs want the same thing USAID wants: to ensure foreign assistance is used for legitimate aid and development purposes. To make this happen, USAID must engage in good faith collaboration with the NGO sector to develop a vetting system that is effective and workable.
