The U.S. Small Business Administration’s (“SBA”) Paycheck Protection Program (“PPP”) launched on April 3, 2020, and in less than two weeks the allocated $349 billion in PPP funds was exhausted. On April 24, 2020, a supplemental relief package with an additional $310 billion in PPP funds was signed into law.
Given the significant volume of funding being provided in such a quick timeline, difficulties inevitably will arise in complying with statutory and regulatory requirements during the PPP lending process. This volume of expeditious funding carries an inherent risk of fraud, waste, abuse, and mismanagement. As has been the case with other emergency federal funding, we expect prosecutors will take an aggressive approach in investigating and pursuing allegations of fraud in connection with the use of PPP funds, for both borrowers and lenders. Earlier today, April 28, 2020, Treasury Secretary Mnuchin made clear that companies can and will face criminal liability for fraud in connection with the receipt of SBA relief funds.1
CARES Act Oversight Provisions
Congress and the Attorney General have already made clear that fraud in connection with the procurement and use of Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”) loans and grants will be investigated and prosecuted aggressively. In a March 16, 2020 memorandum to the U.S. Department of Justice (“DOJ”), the Attorney General urged federal prosecutors to “prioritize the detection, investigation, and prosecution of all criminal conduct related to the current pandemic.”2
The CARES Act specifically includes several provisions to fund oversight and enforcement of fraud related to the distribution of SBA relief funds, including utilizing existing Offices of the Inspector General (“OIG”) in several federal agencies and creating a new Office of the Special Inspector General for Pandemic Recovery (“SIGPR”).3 These include:
- Authorizing criminal penalties, under existing law, for fraud or other misconduct in seeking or using the SBA’s relief funds (Section 1109(i));
- Creating the SIGPR Office within the U.S. Department of Treasury to coordinate the auditing and investigation of management and spending of funds under any program established under the CARES Act, including the investigation and prosecution of fraud in the procurement and use of CARES Act loans (Section 4018); and
- Establishing a Pandemic Response Accountability Committee, composed of several Inspectors General, responsible for preventing and detecting fraud, waste, abuse, and mismanagement of all funds made available to any non-federal entity under the CARES Act, with the authority to conduct a comprehensive audit of all contracts entered into by the federal government pursuant to the CARES Act (Section 15010).
We previously saw aggressive investigations and enforcement actions by the DOJ, U.S. Securities and Exchange Commission (“SEC”), and other regulators against financial institutions and their senior executives related to the use of TARP funds following the 2008 Financial Crisis. Now, SIGPR has been given a broad mandate to “conduct, supervise, and coordinate audits and investigations” in connection with the CARES Act, which will likely mean the issuance of large numbers of subpoenas and the referral of cases to the DOJ for at least the five years provided by the CARES Act.
Fraud Risks for Borrowers in PPP Applications
As a general matter, any businesses applying for federal funds should take care to ensure that applications, certifications, and any reporting to the government in connection with the funds, are accurate. This diligence is essential given the potential investigative risks and liabilities related to any “fraud on the government,” including:
- Criminal penalties (prison time and/or fines) for false statements in connection with the PPP, as authorized by the Inspector General Act of 1978, or under other laws criminalizing false statements or fraudulent schemes;
- Criminal or significant civil liability under the False Claims Act (“FCA”), which carries large penalties for entities and individuals who defraud the government;
- Criminal or civil liability from audits or investigations connected to the expanded oversight activities by SIGPR; or
- Qui tam actions brought by whistleblowers.
Businesses must take time to consider whether they are the type of business for which PPP funds are intended from a common-sense perspective, particularly with continued media scrutiny of certain large entities that received PPP loans. Large businesses or small entities owned by large businesses are not necessarily precluded from applying for PPP loans, but they must be able to truthfully establish eligibility within the guidance. Secretary Mnuchin made clear on April 28, 2020 that all companies that received more than $2 million in small business loans would be audited by the SBA and subject to potential criminal liability if it is later determined that they were ineligible for the SBA relief funds.4 In fact, some large companies that received tens of millions of dollars of SBA loans have already announced plans to return the PPP funds due to public criticism of their participation, although they have not made any acknowledgments regarding their eligibility to receive the funds in the first place.5
Last week, on April 21, 2020, Secretary Mnuchin announced that the SBA may “give people the benefit of the doubt” if there were any misunderstandings about PPP certifications and a borrower immediately pays back the loan.6 The SBA updated guidance on April 26, 2020 confirms that ineligible borrowers may repay any PPP loan received in full by May 7, 2020 to “be deemed by SBA to have made the required certification [of eligibility] in good faith.”7 As part of the updated guidance, the Treasury and SBA have clarified the certification requirements for borrowers to the extent there was confusion, noting that only entities without access to other forms of capital, such as selling shares or debt, are eligible for the SBA relief funds.8 Businesses that have already received PPP loans should strongly consider whether their certifications regarding loan eligibility will withstand investigative scrutiny and assess whether to take advantage of the opportunity to return the funds by May 7th to avoid potential future criminal or regulatory exposure.
Fraud Risks for Lenders
While it is unlikely that financial institutions will be the principal focus of SIGPR or related DOJ investigations, they will inevitably become involved when such investigations begin. The SBA has declared that lenders’ underwriting obligations under the PPP are limited; the SBA has explicitly stated that lenders may rely on borrowers’ representations and certifications in the loan process. In fact, to ensure the new PPP loans reached recipients quickly, banks were largely absolved of the time-consuming responsibility of checking for fraud or egregious errors in loan applications, so long as borrowers provided necessary documentation.9 However, it remains unclear whether such lender protections extend to all of the many potential ways in which lenders may be held accountable in hindsight for borrower misrepresentations made in those applications.
It is unfortunate but expected that lenders will be involved in FCA and criminal CARES Act fraud inquiries. As financial institutions know well, these inquiries frequently include investigations related to the conduct of lenders, including their internal processes and controls, documentation, diligence, and relationship banker behavior.
While the SBA’s Interim Final Rule requires only limited due diligence on the part of lenders, it nonetheless requires that lenders “follow their existing [Bank Secrecy Act (“BSA”)] protocols when making PPP loans.”10 Prosecutors may therefore also inquire about whether banks followed their own BSA protocols, as well as regulatory or statutory requirements, which could lead to criminal or civil exposure for financial institutions.
In addition, the SIGPR mandate includes a requirement that it investigate fraud in the “sale of loans” in the secondary markets. This is likely to include inquiries into representations made as part of securitizations or the sale of loan participations. Any alleged false statements made in connection with this type of market activity can be the source of a separate investigation of a financial institution related to the CARES Act.
Best Practices for Lenders to Mitigate Risks
Financial institutions have admittedly been thrust in the middle of a rushed loan program with limited guidance and little time to prepare. Nevertheless, banks and bankers must remain vigilant to do what they can in the shortened and urgent application process to identify questionable representations. To avoid potential criminal and regulatory exposure, transparency and accuracy are especially important in the execution of applications for SBA loans under the CARES Act. To the extent possible, financial institutions should:
- Create and implement clear, documented processes for assessing the truthfulness of representations in CARES Act loan applications, including a review by compliance personnel, or at a minimum, a bank employee other than the relationship banker;
- Document any discussion with a borrower regarding a close question about eligibility or necessity for PPP funds under the law, and require a second review of any application where such a close question is involved;
- Confirm that borrowers do not have an alternate source of available funding, such as from a significant shareholder;
- Require relationship bankers to regularly seek and maintain documentation regarding any changes in a borrower’s investments or relationships with other business entities or affiliates that may affect eligibility or the eligibility certification;
- Collect any description of steps taken by a borrower to establish eligibility (e.g., any amendments to governance documents to irrevocably change control rights between affiliates);
- Collect additional documentation from borrowers, beyond the minimum requirements, demonstrating, for example, a decline in available funding through orders, ongoing business operations, or changes in the circumstances of a business’s customers;
- Compare borrowers’ assertions about payroll, rent, and other expenses with the Know Your Customer (“KYC”) information in the bank’s files;
- Compare any information in a borrower’s files about their affiliates with the list of affiliates that borrowers provide in their CARES Act loan applications, particularly for the counting of affiliate employees for eligibility purposes;
- Conduct diligence on the certification that borrowers will be required to submit attesting to the use of loan proceeds in order to obtain loan forgiveness as issues may arise if activity in borrowers’ bank accounts is inconsistent with loan application representations;
- Prepare trainings for relevant personnel on the CARES Act funding requirements and any subsequent guidance issued; and
- Review internal BSA policies and prepare regular BSA trainings and compliance alerts for bankers during this time.
While there is a need for financial institutions to act quickly to process CARES Act loan applications, basic compliance procedures and borrower diligence cannot be ignored. Incomplete or inadequate diligence or controls create investigative risks for both lenders and borrowers.