Written by: Jordan Lehtonen, CRCM
The three rounds of the Paycheck Protection Program (PPP) demonstrated the massive commitment financial institutions devoted to the application process to help both new and existing customers. The goal was to help businesses obtain funds as fast as possible to keep them afloat. Financial institutions surpassed the challenges of unclear directions and guidelines, last-minute announcements, and the strain on resources to provide much-needed financing to their local businesses and communities.
The CARES Act had the best intentions in mind for the end users, the business entities. Unfortunately, struggling businesses were not the only entities applying for PPP loans. As you probably have read in the news, the Department of Justice (DOJ) has reported an increase in the criminal charges being levied on consumers and businesses, where the purpose of the PPP funds was provided to ineligible entities, or the funds were used for ineligible purposes. Unfortunately, the lack of guardrails to the program unintentionally invited fraudsters to take advantage of the best intentions of the program. The interim final rules issued by the Small Business Administration (SBA) allow financial institutions to rely on the documentation provided by the applicants so long as the institution performs a “good faith review.” Essentially, the standard limits a financial institution’s fraud risk if the applicant attests to the submitted documentation. However, although the interim final rules limit risk to PPP lenders, it did not eliminate the requirement for financial institutions to maintain their Bank Secrecy Act (BSA) Program or Identity Theft Red Flag compliance program.
The questions that executives now need to consider as PPP funding is completed are as follows:
- Were employees that received and processed applications provided adequate training?
- Was your Compliance Department provided adequate resources to keep up with the application demand?
- Are you confident that your financial institution maintained its compliance program throughout each round of funding and that your Examination is going to reflect that assessment?
- Are you confident that your financial institution was aware of the potential identity theft red flags and that your Examination is going to reflect that assessment?
- Was adequate due diligence completed after the distribution of the PPP funds and is your Examination going to reflect that assessment?
Even if the PPP funds have already been distributed to the business borrower, your financial institution is not absolved from adhering to its risk. Consider the following examples:
- Instances where the business applied to your financial institution for the PPP loan; however, wanted to have the funding sent to another financial institution.
- A business with a dormant account or flagged for return mail applies for a PPP loan.
- Applicants received funding and transfer the funds to a personal account.
- The same business account receives multiple PPP loans within the same round of funding.
Possible fraud or identity theft? Perhaps. Fortunately, most financial institutions have software enabled to detect such red flags. Remember, your risk based BSA programs require a suspicious activity reporting (SAR) process when identifying unusual activity.
Call to Action
Although the PPP application process seems to be in the rear-view mirror, the regulatory agencies are still actively evaluating financial institutions’ performance and internal controls for the entire process. While the DOJ currently appears to be enforcing liability against the fraudulent applicants, testing of processes and controls in relation to PPP will be part of your regulatory examination scope. The potential risk may be if the regulators consider “what else could/should have been identified?”
As a starting point, executives could speak with their Compliance/Risk Departments to gauge their perspective regarding the PPP application processes and internal controls. Was management aware of the potential red flags at application that could include unqualified applicants, falsifying or inflating application information, or lacking supporting documents to support the application information? Was management aware of the potential red flags after the PPP funds were distributed that could include fast movement of funds out of the deposit account, abnormal account activity after the receipt of the PPP funds based on prior history, or transaction activity using cash applications?
If there are concerns based on their responses, it may be time to consider a post-closing review.
