Relief programs for U.S. businesses affected by COVID-19 require lenders to act quickly, but in compliance with best practice on AML and the fight against financial crime. Will their KYC processes be able to deal with the threat of CARES Act fraud?
- The CARES Act includes the Paycheck Protection Program (PPP), which allows small businesses to apply for a loan via existing Small Business Administration (SBA) lenders.
- Compliance teams at PPP lenders must follow their own internal procedures, yet work at an incredible pace to make decisions to support businesses.
- SBA lenders must be vigilant about CARES Act fraud and abuse while upholding a robust KYC compliance program and adherence to AML regulations.
On March 13, President Trump declared a national emergency in the United States. A fortnight later, as part of the country’s response to COVID-19, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed.
It expanded all states’ ability to provide unemployment insurance for many workers impacted by the pandemic, including those who are not ordinarily eligible for unemployment benefits.
One temporary scheme established under the CARES Act Section 7(a) Loan Program, has been the Paycheck Protection Program (PPP). It allows small businesses to apply for a loan via existing Small Business Administration (SBA) lenders, for funds to be used for payroll costs including benefits, interest on mortgages, rent, and utilities.
The loan is capped at either the lesser of US$10 million or 2.5 times the average monthly payroll costs incurred in the one-year period before the date of loan origination.
The loan amount is more of a grant however, as it is forgivable if at least 85 percent is used towards payroll in the eight weeks after loan origination.
Eligible applicants are small businesses/non-profits/veterans’ organizations and tribunal concerns with fewer than 500 employees, who do not need to establish losses suffered during the pandemic, nor provide collateral/guarantees.
Support for small businesses
PPP is implemented by the SBA with support from the U.S. Department of the Treasury.
The first tranche of funding was authorized at $349 billion in late March, though it ran out by 16 April, with many small business applicants missing out.
The states with the most authorized PPP loans at that point included Texas, with $21.7 billion across 88,434 loans, and California with $20.8 billion across 54,922 loans, according to the SBA data.
This was not without controversy, as some publicly-listed larger sized businesses received funds, who have all since said they will give back the relief money.
On April 25, a second tranche of $320 billion was authorized to meet the overwhelming demand. Some new rules applied, this time around, firstly to rectify the controversy; dedicate $60 billion specifically to community banks to cater for small local businesses, which included an eight-hour window where the SBA only accepted these applications; allowing businesses to apply to more than one lender; and giving a second chance to previous applicants in the backlog queue.
Unprecedented demand on lenders
The speed at which the PPP was implemented by SBA lenders was nothing short of a miracle.
SBA lenders, such as large-to-medium sized banks, small community banks, and non-bank lenders, were quick to act as intermediaries, setting up processes and online forms within days to deal with the influx of applications from both existing and new customers.
Some institutions received in excess of 900,000 applications, which their loan processors and compliance professionals needed to review, as well as perform screening and due diligence.
They also had to adhere to guidance from the SBA, as well as the Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC).
With their own internal policies and procedures to consider, it’s no wonder a backlog exists and that many small businesses are left wondering at what stage their application had gotten to.
Institutions have needed to build an online program within days to support this relief program, many while working under a Business Continuity Plan in a virtual office environment, and then having to mesh this with their existing processes and policies almost seamlessly, in record time.
Potential for financial crime
When a large amount of money is being disbursed in a short amount of time, there is huge potential for fraud.
Financial crime risks come in all shapes and sizes, from legitimate businesses misrepresenting information on their applications, resulting in CARES Act fraud, and/or from various ‘bad actors’ looking to make some easy money by exploiting the circumstance.
Examples include:
Misrepresentation: A PPP applicant may overstate payroll details, employee figures on their application, or provide falsified support documents. Whether they are a new or existing customer, the onus is on lenders to perform the necessary ‘Know Your Customer‘ (KYC) checks quickly in line with their CIP program, and to prevent fraud and abuse.
Impersonation: Reliance on the internet, online security/privacy practices and the virtual office environment, has opened the door for increased phishing attacks to obtain personally identifiable information (PII) and identity theft.
Such impersonators may pose as valid business owners and submit fake applications to lenders. This means participating PPP lenders must take specific steps to verify that they are not dealing with an identity thief, that they know their customer and have performed the right level of customer due diligence on applications for loans.
To do this they need to have adequate controls and processes in place to prevent and detect such fraud, in line with federally required BSA/AML regulations. Further, should fraud be discovered, the victim businesses may be required to certify how funds were utilized, and may be subject to criminal penalties as well as the repayment of the loan.
Cross-border theft: Extending upon the above examples, foreign-based criminals may fraudulently submit applications, in which the loan received can be quickly transferred overseas, making it impossible for the U.S. government to recover that stolen money.
Fraudsters and money launderers may also commingle funds with other funds to exploit weaknesses in the PPP program.
Preventing CARES Act fraud
Compliance teams at PPP lenders are in a difficult position. They must follow their own internal procedures, comply with the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) best practice, yet work at an incredible pace to make decisions to support desperate businesses to help prop-up a stalled economy.
Their own actions must also not open the door to regulatory scrutiny later on.
In recognizing that fraud can take place via multiple mechanisms, regulatory obligations under BSA/AML compliance must take top priority. This starts with screening all applicants.
While the SBA guidance states to follow a risk-based approach and collect beneficial ownership information at 20 percent for new customers only, it is prudent to screen/re-screen all new and existing customers upfront in following a risk-based approach.
When warranted, it will also be necessary to conduct expedited enhanced due diligence to form a complete risk profile for the business entity and its owners, that may become your business customers.
This will help meet both FinCEN’s and the OCC’s guidance for PPP, and leave no surprises for future regulatory examinations on BSA/AML compliance.
The PPP and BSA/AML compliance
The intended goals of the CARES Act and the PPP are to enable small businesses to remain open during this crisis, keep individuals employed and receiving paychecks for continued cashflow for living expenses, reduce the unemployment rate, and help restart a stalled economy.
Authorized SBA lenders, and in particular loan processers and compliance functions, have played a key role in processing and administering over $660 billion in emergency funding so far.
However, they must be vigilant about preventing, deterring and detecting fraud and abuse while upholding a robust KYC compliance program and adherence to BSA/AML regulations.
To do this effectively they need to be armed with the right tools, such as trusted quality data and relevant risk information, to ensure the funds get to those that need them most.
