COVID-19 CARES Act: Beware the Risk of Fraud in Small Business Loans


The federal relief program for small businesses is beneficial but, as in other times of crisis, also attracts an unsavory element. Here’s how financial services can prevent, detect and respond to fraud when preparing to distribute funds. NOTE: This article and the accompanying comparison chart reflect updates following the signing of the Paycheck Protection Flexibility Act of 2020 ("PPPFA") into law on June 5.

When the federal government turns on the funding spigot, all kinds of players show up for a drink, especially during the chaos that follows an emergency situation. That includes, unfortunately, nefarious actors’ intent on stealing money during times of crisis. From opportunistic individuals to organized crime enterprises both online and off — and even nation-state organizations — a criminal element often appears.

The COVID-19 pandemic is no exception, and with attention understandably focused on urgent life-or-death issues, seemingly less-pressing ones like fraud can be overlooked. Now is the time for greater vigilance, especially within the overwhelmed financial services firms charged with distributing the funding to borrowers. In early April, Congress passed the first round of funding relief for small businesses affected by the fallout from the COVID-19 pandemic. More of a firehose than a spigot, that appropriation dried up within days. Congress approved a second round later in the month, a $310 billion deal to replenish the small-business loan program called the Paycheck Protection Program (PPP). On June 5, significant changes were made to the program with the signing of the Paycheck Protection Program Flexibility Act of 2020 ("PPPFA").

There may well be future rounds of funding, considering the unprecedented economic situation we are in. (A staggering 22 million people filed claims for unemployment in only the first few weeks after shut-downs began; weekly claims have totaled more than 1 million for 13 straight weeks as of June 18.)

For the service agencies, the question is how to detect and stop the inevitable fraud that relief programs will confront and ensure the funding makes its way to suffering Americans, where it belongs. This article briefly outlines the different programs associated with the Coronavirus Aid, Relief and Economic Security Act (CARES Act); discusses fraud in past crises; identifies crucial early warning signs of fraud; and recommends practical steps to take now to prevent it.

Small-Business Loan Resources in the CARES Act

The CARES Act provides for various temporary funding options through the Small Business Administration (SBA). See also the chart that follows of program eligibility, rates and other details, including:

  • Paycheck Protection Program (PPP) – Expands the existing SBA 7(a) program to provide loan forgiveness to businesses for retaining employees and paying rent, mortgage interest and utility bills
  • Economic Injury Disaster Loan (EIDL) Program – SBA's disaster loan program which provides up to $2 million in loans and up to $10,000 in advances to eligible borrowers
  • 7(a) Loan Program – SBA's primary program for providing loans to small businesses

Fraud in Previous Periods of Acute Economic Distress

Responses to fraud in funding programs have evolved as we have learned about early warning signs and prevention strategies over time. The brief recent history begins with Hurricane Katrina in 2005, when the U.S. Justice Department established the first-of-its-kind Hurricane Katrina Fraud Task Force to tackle a variety of fraudulent activity. Several federal law enforcement agencies came together to conduct investigations and coordinate with federal, state and local agencies. This group morphed into the more general Disaster Fraud Task Force to tackle fraud during ensuing disasters such as major floods, the Deepwater Horizon oil spill and other pipeline and oil tanker leaks.

Policy makers adopted the same concept following the 2008 financial crisis. President Bush and Congress approved the Troubled Asset Relief Program (TARP) to help financial institutions. To protect this massive infusion of government funding, a special inspector general for TARP was created to investigate fraud, waste and abuse in the program. The CARES Act also provides for inspector generals.

Recent COVID-19 funding is on a scale and at a speed unrivaled in modern (or indeed all of) American history, addressing systemic economic damage not limited to one region of the country or sector of the economy. With the second and potentially additional rounds of funding upon us, banks may be turning to loan applications from new clients without existing due diligence in place. These factors may suggest a greater potential for fraud than in previous crises. At the same time, digital connections between financial institutions and their banking clients have become faster and more secure, while analytics and authentication have also improved.

Key Early Warning Signs

Fortunately, past crises have also taught us the early warning signs of potential fraud to look for. These can include:

  • Multiple applications for funding assistance from common identifiers can that help spot criminal activity.
  • Account takeover signs, such as changes to client identifying data (CID) and digital channel authentication risks.
  • Incomplete statements or information provided on applications that contradict other records.
  • Payroll data inconsistent with the known or anticipated size, scope or type of business.
  • Self-dealing or undisclosed conflicts of interest between the prospective borrower and lender.

While not an exhaustive list, these signs are good indicators that something may be amiss.

Prevent, Detect and Respond to Fraud

So you’ve identified potential fraud. How do you stop it? And how do you prevent it in the first place? Here are guidelines for preventing, detecting and responding to fraud:

Know program requirements: To the extent possible, be knowledgeable about COVID-19 relief programs. Rules, requirements and guidance are all works in progress due to the fast-moving nature of the situation and may require ongoing interpretation. Institutions should document their specific interpretations and ensure they apply them consistently across borrowers.

Anticipate new schemes: Understand not only typical loan fraud schemes, but new schemes and variations on old schemes that undoubtedly will be used to attack CARES Act programs. For example, the U.S. Attorney’s Office for the Eastern District of Virginia has offered additional tips for COVID-19 fraud.

Update analytics: Update fraud and anti-money laundering (AML) monitoring protocols as new schemes are uncovered.

Due diligence: Re-evaluate typical loan due diligence strategies. Lenders should review quality assurance (QA) and quality control (QC) functions related to relief programs that distribute CARES Act funds. They should also develop and implement enhanced due diligence procedures seeking to identify applicant misrepresentations and prior bad acts. The General Services Administration’s System of Award Management is a useful tool for seeing whether applicants have previously defrauded or defaulted on SBA loans and also a useful source to check to prevent repeat offenses.

Intelligence gathering: Work collaboratively and cooperatively with federal regulatory and law enforcement agencies to exchange data and to share knowledge about the potential risks associated with organized criminal networks. The convergence of internal intelligence and analytical capabilities across fraud, cyber/IT and AML are also highly valuable to preventing both fraud and money laundering.

Application process: Re-evaluate and map typical loan recipient due diligence to program requirements and known fraud schemes. Look for unexpected common links across the entire applicant pool, such as addresses, phone numbers, emails, addresses and borrower names.

Fraud investigations: Prepare for new and increased investigative and regulatory requirements.

Bank Secrecy Act (BSA)/AML: Be aware of new and increased investigations and reporting. Ensure know your customer (KYC) policies and procedures cover the relief programs. (For more information about BSA/AML requirements for PPP lenders, see “Fraud in the Wake of COVID-19.”)

These are just some of the approaches to take to combat the inevitable fraud that follows large government distributions of funding during crises. Of course, we are still in the midst of the COVID-19 crisis and can expect new developments and actions by the federal government as the situation unfolds.

Small Business Association Loan Programs

© Copyright 2020. The views expressed herein are those of the authors and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.

More Info

Share this page