By John Hintze
The federal government’s urgent rush early in the pandemic to provide forgivable loans to struggling small and midsize businesses through bank intermediaries became a tempting target for fraudsters. Egregious cases announced by the Justice Department include a Texas engineer seeking $10 million who claimed to have 250 employees but in fact had none, and at least two instances of individuals using Paycheck Protection Program funds to purchase Lamborghinis.
Nearly $5 billion in loans identified in a Sept. 1 report by staff of the House of Representatives’ Select Subcommittee on the Coronavirus Crisis were clearly fraudulent or raised significant red flags. While that is less than 1 percent of the $525 billion in PPP loans provided to 5.2 million recipients through August 2020, more garden-variety fraud is expected to be uncovered in the PPP loan forgiveness process, when borrowers must verify funds were used for permissible reasons under the program. While that process started several months ago, many borrowers have waited for a long-promised simplified form for PPP loans of $150,000 or less that was issued by the Small Business Administration in January.
“Banks are working in earnest now [to process forgiveness applications]for all-size loans, not just the larger ones,” says Mark Meiklejohn, president of $3.2 billion-asset Bank Rhode Island.
Paul Benda, SVP for risk and cybersecurity policy at the American Bankers Association, notes that SBA’s initially unclear and inconsistent guidance on several issues as well as frequent changes in subsequent FAQs also increased challenges and risks. Banks should consider:
- The basics
- Double dipping
- Unusual account activity
- New provisions for the 2021 round of PPP
- Likely regulatory scrutiny
Scrutinize loan applications carefully
The SBA has started monitoring loan applications in the 2021 round, but banks remain the first line of defense. Lenders must again process an elevated volume of applications in a limited time window, but government authorities expect them to be more vigilant this time around.
“In light of so much focus by the Justice Department on fraud in the first round of PPP , it’s implicit that financial institutions must now be more careful,” says Marissa Koblitz Kingman, an associate at law firm Fox Rothschild.
Banks should ensure the borrower used its first-round PPP loan as intended, comments Scott Moritz, senior managing director at FTI Consulting. Recipients should expect to see a large deposit in face value of the loan amount, and then a corresponding deposit to a professional-employer organization such as ADP, or to a payroll account or other mechanism to pay employees.
Representations on the loan application that are easily verifiable and refuted cannot be overlooked in the current round of loans, Moritz adds. A company claiming to have been incorporated in 2013 but which then filed the incorporation documents just weeks before—information in the public record—should sound alarms. And so should consumer-facing businesses without footprints in the public domain, such as a website, listing in a public directory and Yelp reviews.
Naftali Harris, co-founder and CEO of SentiLink, which works with financial institutions and government entities to identify and track “synthetic identities” used for fraudulent purposes, notes the importance of examining PPP borrowers’ payroll data.
“In addition to making sure people on the payroll are real, banks can ask for paystubs or bank statements with payroll debits to be sure the payroll is actually happening, since the payroll amount is really what justifies the loan PPP loan amount,” he says.
No double dipping for government funds
Aid to smaller businesses has also been made available through several federal programs, including the Federal Reserve’s Main Street Lending Program and the SBA’s Economic Injury Disaster Loan program. Firms receiving PPP loans were also able to borrow under the now-closed MSLP, for example, but they must certify their PPP debt load, according to the Office of the Special Inspector General for Pandemic Recovery in its fourth-quarter report to Congress.
The report also points out that bank customers should not double dip, noting that “if an individual or entity receives funding from the federal government twice for the same purpose, only one of the funding streams can be put to the use for which it was granted, meaning the second funding stream represents waste, at best, or fraud, at worst.”
Jennifer Burke, a partner at Crowe, which ABA endorses for risk, compliance and governance consulting services, observes that some borrowers are applying for PPP funds at more than one bank to see which lender responds first and with the largest loan amount. She adds that the SBA’s checks have made it harder to tap other federal emergency lending programs to cover the same costs, but it’s still happening.
Watch for stolen and fabricated identities
PPP borrowers buying Lamborghinis and other luxury items are obvious red flags, but banks must also monitor for subtler signs.
Karen Boyer, VP for financial crimes and fraud intelligence at People’s United Bank, a $60 billion-asset institution based in Bridgeport, Connecticut, says bank customers receiving large ACH payments during the pandemic may have had their identities stolen. “Mule” accounts are nothing new for banks—and during the pandemic, they have been used to harbor fraudulently obtained unemployment benefits, sometimes filed from multiple states in which the account-holder did not reside, as well as PPP and other pandemic-related loans.
In other cases, customers have been tricked into expecting money in their accounts, not realizing it was a fraudulently obtained SBA loan. A bank’s business customer, for example, may receive cold calls from a fraudster posing as an SBA representative who says the government is providing additional stimulus payments and then requests the sole proprietor’s name, Social Security number, and bank routing and account numbers. Funds arrive soon after.
“In almost every case the customer was instructed to send back a portion of the funds for the ‘loan application fee,’ for whatever reason they were given,” Boyer says.
The scams may change, but large deposits with descriptions of matching stimulus payments/loans stipulated by the CARES Act are often a signal of fraudulent activity in a customer account, Boyer says. And newly opened or dormant accounts that suddenly receive large deposits may belong to fraudsters. Watch out for sizable ACH deposits going into customer accounts, especially if withdrawals begin soon after via card rails or P2P applications such as Apple Cash, Venmo or Zelle, often at set intervals and amounts.
Benda notes the easy application process to apply for EIDL advances of up to $10,000, even if borrowers did not ultimately receive an EIDL, makes them susceptible to fraud. Although banks noticed unauthorized and even unwanted advances appearing in customer accounts, procedures to report them were initially lacking. “After much industry prodding, the SBA created a procedural notice and set up a website with instructions on how to report EIDL fraud,” Benda says.
Don’t overlook 2021 PPP changes
The current round of PPP differs from the first round in several ways. Straightforward differences include a reduction in the maximum number of employees a firm can have to 300 from 500 and a new requirement to demonstrate a 25 percent reduction in gross receipts.
Requiring deeper digging is new language that disqualifies borrowers with significant ties to China. Those ties include the governments of China or Hong Kong owning directly or indirectly at least 20 percent of the company, Kingman said, or a resident of China serving on the corporate board. Even U.S. firms that import significant products or supplies may face complications.
“Legislators have made it very clear they do not want any of U.S. government funds going to China in any way,” Kingman said.
Another change is the wider variety of expenses that PPP funds can cover, including technology updates permitting employees to work from home and personal protective equipment.
“If firms spent money on those expenses, which were not permissible under PPP-1, under PPP-2 they may still be eligible,” says Timothy Dunfey, bank compliance consultant and regulatory attorney at Alhambra Compliance Consultants.
A little known “threading of the needle,” says Sam Sidhu, vice chairman and COO of $18 billion-asset Customers Bank, headquartered in West Reading, Pennsylvania, is that a first-time PPP borrower receiving a first draw in the 2021 round and then spending the money prior to March 31 can apply for a second-draw loan during the same period.
The SBA conducting its own due diligence for PPP loans is another change to consider. Borrowers who normally would be barred from receiving SBA loans, because of past felonies or other reasons, may have received PPP loans in the rush but be snagged by reviews this time around and denied funding.
“My advice is for banks to review their customers’ activity and the information they provided in the first round, and file SARS for those they no longer feel comfortable with,” Dunfey says. He added that communication and coordination between departments is critical, to avoid one part of the bank lending to a problematic customer who the SBA had already warned another part of the bank about.
Prepping for the scrutiny to come
Moritz noted that the SBA’s sometimes “enigmatic language,” such as a recent FAQ stating banks need not “re-verify” clients’ information in 2020 PPP applications to approve their 2021 loans, should not prompt bankers to assume their approach in 2020 is still adequate today.
“The reality is that banks were pressed into service to get money out, but a day of reckoning will come for institutions if regulators conclude they were remiss,” he says. He adds that prior to the pandemic there were no rules or typologies in banks’ transaction monitoring systems that identified PPP-related fraud, but banks should update and refine those systems with what they’ve learned.
Dunfey advises banks to update and revise their risk assessments to include all they now know about PPP. “Now is the time to do your risk assessment to address all the new risks you’ve taken on, and that will be your protection should the environment get more complicated,” he says. “The bank can say, ‘We didn’t catch this risk at the time, but we’ve retroactively put measures in place.’”
Pandemic or not, banks have nevertheless had to comply with KYC and other lending requirements as best they could under the circumstances. Recognizing the ongoing complications, the SBA and regulators may overlook certain problematic loans, especially the increasingly sophisticated scams that are difficult for banks to flesh out even in normal times. For that reason, it is critical for banks to document that they’re following SBA requirements and standard lending requirements such as KYC when booking the loans.
“That’s really all they can do and should be expected to do,” Burke says. “Bankers tend to be seen as the bad guys, and so whether they’re responsible or not for fraud that emerges, they may be blamed by the public.”
John Hintze is a frequent contributor to the ABA Banking Journal.