
PPP Lending: Special Considerations for Your Organization

Signed into law March 27, 2020, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) includes a $349 billion Paycheck Protection Program (PPP) stimulus package to help small businesses make their payroll and rent payments over the next few months. Starting April 3, small businesses and sole proprietorships can apply for and receive loans to cover their payroll and other expenses through existing SBA lenders. Independent contractors and self-employed individuals can apply for and receive these loans starting April 10.

When developing a new product or service, it’s prudent to contact your regulator. Giving advance notice lets the regulator provide instructions, guidance, and advice before the institution is evaluated in an actual examination. Given the dynamic nature of this new program, and the lack of specific guidance on its processes and controls, agency websites and your direct regulators will be a valuable resource as new standards and interpretations arise.

In the interim, here are certain internal control, consumer protection, BSA/AML, cybersecurity, and IT issues that you should consider when evaluating the impact of the Program on your organization.

Internal Control Considerations

As with any other new product, the institution will need to develop new policies and procedures regarding the customized criteria of the SBA 7(a) Paycheck Protection Program. Loan staff should be trained on the specific qualification and underwriting criteria established in the Department of the Treasury’s application form and its accompanying instructions. Because a large volume of loan requests is expected, management should identify the various channels through which applications can be received and develop processes to record the receipt of each submission.

The institution should utilize a tracking form to document the receipt, analysis, and acceptance of records relating to payroll, mortgage and rent payments, and other necessary transactional information. Internal records must be maintained to ensure compliance with the processing, notification, and distribution components of this loan program. The institution should establish controls to monitor loan request submissions for potential fraud, including validating TINs and tax documents and checking for other identity theft red flags.

Consumer Protection & BSA/AML Considerations

Processing loan applications under the new SBA 7(a) Paycheck Protection Program is straightforward, but not without regulatory compliance considerations. Two risk areas requiring attention are fair lending and BSA. While the underwriting portion of the loan program is quite concise, there may be fair lending concerns related to both the application intake process and eventual loan servicing. The institution should plan and analyze the practical controls concerning the acceptance and processing of these applications. The process(es) should be transparent, treating all credit requests fairly.

Specific application risks exist for institutions that would prioritize customer requests over requests from non-customers. While the business rationale for such a decision may be sound, the actual practice may conflict with the Equal Credit Opportunity Act if a non-credit-quality factor is used to influence the process. Additionally, some institutions ask whether caps or limits could be used to manage the total number of applications received, given finite capacity and remote processing. Although limiting applications would let the institution focus on adequately serving the applications it does accept, risks may arise depending on:

  • How an organization determines what to receive and what to turn away
  • How to decide the cut-off threshold
  • How to enforce the cut-off
  • What happens if the institution subsequently determines it has capacity to process additional applications

The U.S. Treasury Department guide states that BSA compliance is required in accordance with the Program’s truncated underwriting standards. Institutions should review their processes and controls to ensure they maintain appropriate controls and documentation concerning CIP, due diligence, and beneficial ownership requirements on these loan transactions. Exceptions to existing BSA/AML practices should be recorded and substantiated. 

Unfortunately, malicious actors may attempt to take advantage of this situation. Identity theft and overall fraud detection and reporting controls should be reviewed to ensure that they are appropriate for the nature and volume of loan applications expected to arrive. Lastly, it’s important to remember that even attempted loan fraud can generally be considered suspicious activity regardless of whether the institution makes the loan and/or loses money as a result. 

Cybersecurity Considerations

In the current operating environment, it’s highly likely that you’ll be receiving many of these loan applications via email. As we’ve already seen, bad actors will always look to exploit any vulnerability by sending malicious attachments under the guise of a loan application. With that in mind, consider making sure your IT and cyber defense is solid and ready.

To help protect against spear-phishing attempts, the institution should be using controls such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), ideally with the verdicts enforced through a DMARC policy, together with header analysis to detect spoofed emails. Be aware of what these checks do and do not cover: SPF and DKIM authenticate the sending domain, so a message from a lookalike domain the attacker registered will pass both, and a mismatch between the visible From address and the envelope sender, or a display name that imitates the institution, still has to be caught by header analysis. Another important control is analyzing every attachment at the gateway (and, where possible, detonating it in a sandbox) before passing it to the end user, so that a malicious file is stopped before it reaches a loan officer’s inbox. Network Intrusion Detection Systems (NIDS), firewalls, proxy monitoring, blocking of uncategorized sites, and site reputation filtering are useful in detecting and preventing phishing attacks. If all else fails, the institution should rely on strong malware detection and response tools such as Endpoint Detection and Response (EDR) solutions, which defend against today’s advanced persistent threats (APTs) by leveraging behavioral analysis and threat intelligence.
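The header analysis and gateway attachment gating described above, as an added example written for this page (it is not the institution’s or any vendor’s code). It assumes the mail gateway has already stamped an Authentication-Results header with its SPF/DKIM verdicts, that the institution’s domain is example-bank.com, and it uses two constructed sample messages rather than captured email; the function names and the extension lists are illustrative choices.

```python
"""Added example: header and attachment triage for inbound loan-application mail.
Not the institution's or any vendor's code. Assumptions: the mail gateway has
already stamped an Authentication-Results header (RFC 8601) with SPF/DKIM
verdicts, the institution's domain is example-bank.com, and the two sample
messages at the bottom are constructed test data, not captured email."""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example-bank.com"   # assumed institution domain
OUR_BRAND = "example bank"        # display-name text a spoofer would imitate

# Executables, scripts and macro-enabled Office files never belong in an application.
BLOCKED = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
REVIEW = {".zip", ".rar", ".7z", ".doc", ".xls"}   # archives/legacy formats, may carry macros
ALLOWED = {".pdf", ".docx", ".xlsx", ".png", ".jpg"}


def parse_auth_results(value):
    """'mx; spf=fail smtp.mailfrom=evil.example; dkim=none' -> {'spf': 'fail', 'dkim': 'none'}"""
    verdicts = {}
    for clause in value.split(";"):
        clause = clause.strip()
        for method in ("spf", "dkim", "dmarc"):
            if clause.startswith(method + "="):
                verdicts[method] = clause[len(method) + 1:].split()[0].lower()
    return verdicts


def domain_of(header_value):
    """Lowercase domain of the address in a From/Return-Path header."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def triage_message(raw):
    """Return {'action': 'deliver'|'quarantine'|'block', 'reasons': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons, severity = [], 0          # 0 deliver, 1 quarantine, 2 block

    # 1. SPF/DKIM verdicts the gateway recorded.
    auth = msg.get("Authentication-Results")
    verdicts = parse_auth_results(str(auth)) if auth else {}
    if not verdicts:
        reasons.append("no SPF/DKIM verdict recorded")
        severity = max(severity, 1)
    if verdicts.get("spf") in ("fail", "softfail"):
        reasons.append("SPF " + verdicts["spf"])
        severity = max(severity, 1)
    if "fail" in (verdicts.get("dkim"), verdicts.get("dmarc")):
        reasons.append("DKIM/DMARC failure")
        severity = max(severity, 1)

    # 2. Header analysis: envelope sender vs. visible From, and display-name
    #    impersonation from a lookalike domain, which SPF/DKIM alone do not catch.
    from_hdr = str(msg.get("From", ""))
    from_domain = domain_of(from_hdr)
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if envelope_domain and envelope_domain != from_domain:
        reasons.append(f"From domain {from_domain} differs from envelope domain {envelope_domain}")
        severity = max(severity, 1)
    if OUR_BRAND in parseaddr(from_hdr)[0].lower() and from_domain != OUR_DOMAIN:
        reasons.append("display name impersonates the institution")
        severity = 2

    # 3. Attachment gating before anything reaches a loan officer's inbox.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]      # final suffix, so 'form.pdf.exe' is caught
        if ext in BLOCKED:
            reasons.append(f"blocked attachment type: {name}")
            severity = 2
        elif ext in REVIEW:
            reasons.append(f"attachment needs sandbox detonation: {name}")
            severity = max(severity, 1)
        elif ext not in ALLOWED:
            reasons.append(f"unexpected attachment type: {name}")
            severity = max(severity, 1)

    return {"action": ("deliver", "quarantine", "block")[severity], "reasons": reasons}


def build_sample(from_hdr, return_path, auth_results, filename, payload):
    """Construct a sample message (test data, not a captured email)."""
    m = EmailMessage()
    m["From"], m["To"] = from_hdr, "ppp-applications@example-bank.com"
    m["Subject"], m["Return-Path"] = "PPP loan application", return_path
    m["Authentication-Results"] = auth_results
    m.set_content("Please find our completed application attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Lookalike domain, mismatched envelope sender, SPF failure, double-extension executable.
PHISH = build_sample('"Example Bank Loans" <loans@examp1e-bank.com>', "<bounce@attacker.example>",
                     "mx.example-bank.com; spf=fail smtp.mailfrom=attacker.example; dkim=none",
                     "PPP_Application.pdf.exe", b"MZ\x90\x00 constructed, not a real binary")

# An applicant's mail that passes every check.
LEGIT = build_sample('"Acme Bakery" <owner@acmebakery.example>', "<owner@acmebakery.example>",
                     "mx.example-bank.com; spf=pass smtp.mailfrom=acmebakery.example; dkim=pass",
                     "PPP_Application.pdf", b"%PDF-1.4 constructed sample")
```

Calling triage_message(PHISH) returns a block verdict with four reasons (SPF failure, From/envelope mismatch, display-name impersonation, blocked executable), while triage_message(LEGIT) returns deliver with no reasons. The point of the three layers is that each catches something the others miss: a lookalike domain with correct SPF and DKIM records passes step 1 and is only flagged by the display-name and envelope checks in step 2, and a legitimate-looking sender can still carry a malicious attachment that only step 3 stops.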

Lastly, consider more frequent and robust internal and external network penetration tests. Put the institution’s layered security controls to the test. Ensure your penetration testers are not only testing the institution’s ability to prevent attacks, but also its ability to detect and respond to them effectively.

IT Considerations

In addition to those cybersecurity concerns, institutions should consider IT operational issues. Are there any email size restrictions or mailbox restrictions that could impact the delivery of emails with loan applications attached? Are customer service representatives checking their spam folder for legitimate