Fraud Prevention and the Payroll Protection Program (PPP)

Submitted by AICPA FLS Fraud Task Force

April 21, 2020

The COVID-19 pandemic is an unprecedented global catastrophe. Governments are faced with the simultaneous challenges of minimizing the number of people who contract the virus, mandating the shutdown of cities, states and nations, and maintaining stability among the most vulnerable businesses in the economy. In the United States, many small businesses are struggling to stay afloat. The Paycheck Protection Program (PPP) is the main driver of the small business stimulus in the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Through this program, which is managed through the Small Business Association (SBA), the federal government has set aside $349 billion to date to provide forgivable loans to small businesses. As often happens during times of disaster, the government focuses on making funds available as quickly as possible to small businesses, which are desperate to remain open and retain their staff. In the face of these efforts to protect society, there are bad actors trying to fraudulently take advantage of this program, and the complexity of the legislation can lead to borrowers inadvertently failing to comply with the rules. If entities that are not legitimately entitled to these funds, which are earmarked for struggling businesses, take out loans, the amounts available to small businesses are reduced and the overall economic recovery may be affected.

What Are the Risks?

There are many risks involved in any new program that has been implemented as a quick response to an emergency situation. A few to consider with respect to the PPP are:

  • Some lenders do not require borrowers to be an existing customer. These lenders are now being pressured to close loans under tight deadlines and are still required to meet all regulatory Know Your Customer (KYC) criteria.
  • Lenders should consider how supporting documentation is being verified to ensure that the information does not reflect inflated payroll or employee counts.
  • Legitimate borrowers must be made aware that submitting false information in a loan application is a violation of the False Claims Act and the CARES Act, and could lead to criminal charges. To avoid these issues, the requirements for accurate record keeping of the PPP must be understood. Likewise, borrowers must recognize that these loans will be audited to assure compliance with the intended purpose of maintaining employment.
  • Lenders should seek out adequate guidance so they do not inadvertently turn away legitimate borrowers.
  • Phishing attacks to obtain personally identifiable information (PII) are increasing. With an increased risk of identity theft, lenders should take specific steps to verify that they are not dealing with an identity thief.
  • Third-party loan processors should ensure that they are sufficiently protected against cyber threats intended to steal PII or plant malware.
  • Banks and other lenders should provide training for support staff so they understand the risks involved with granting fraudulent loans.

Who are the bad actors?

To date, the PPP is limited to $349 billion, and once that amount is exhausted, there is no guarantee that more funds will be available. Unfortunately, businesses that are not eligible under the terms of the CARES Act to participate in the PPP are taking funds away from businesses with legitimate needs. These bad actors include:

  • Identity thieves may pose as valid business owners in order to submit bogus applications to lenders. Depending on when this fraud is discovered, the victim businesses may be required to certify how funds were utilized, and may be subject to criminal penalties.
  • Foreign-based criminals may submit fraudulent applications. Any funds received will quickly be transferred abroad, making it impossible for the US government to recover that stolen money.
  • Money launderers may commingle funds from criminal enterprises to exploit weaknesses in the PPP.

How to Mitigate Risk

Given the types of risks noted above, lenders can take steps to mitigate the risk of fraud in the PPP:

  • Maintain KYC and other regulatory loan processing standards.
  • Provide guidance to borrowers on the requirements of the PPP, so that legitimate businesses will submit accurate and properly completed applications.
  • Consider the increased risk of using third-party loan processors. Third-party loan processors can be targeted for cyber hacking attacks to steal information and plant malware, in order to facilitate identity theft and ransomware attacks.

The intended goals of the CARES Act and the Paycheck Protection Program are to enable small businesses to remain open during this crisis, keep employees on the payroll so they can have continued cashflow for living expenses, reduce the rate of unemployment, and ease the economic freefall. As lenders struggle under the strain of processing and administering $349 billion in emergency funding, they must be vigilant about preventing, deterring and detecting fraud, waste and abuse.