SBA’s disaster loan programs suffer increased vulnerability to fraud and unnecessary losses when loan transactions are expedited to provide quick relief and sufficient controls are not in place. The expected increase in loan volume and amounts, and expedited processing timeframes will place additional stress on existing controls. – SBA Inspector General White Paper, “Risk Awareness and Lessons Learned from Audits and Inspections of Economic Injury Disaster Loans and Other Disaster Lending”. April 3, 2020
This article has been updated from its original publication date of April 6, 2020.
The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law by the President on March 27, 2020. It is a stunning piece of legislation meant to support our first responders and medical personnel treating those that are stricken, and to provide emergency economic relief to individuals, small businesses, and even large corporations that have been so adversely impacted by the pandemic.
The ink was barely dry on the CARES Act (enacted March 27th), which created the $349 billion Small Business Administration’s Paycheck Protection Program loan program, when the Interim Final Rules were published on various government websites (April 3rd, with publication in the Federal Register scheduled for April 15th). Those PPP loans will be doled out by qualified lenders to qualified Applicants, in increments of up to $10 million per Applicant based on the Applicant’s monthly payroll (essentially 2.5 times the monthly payroll, with some exceptions and limitations), with a limit of one PPP loan per Applicant. Those loans will bear interest at 1% per year, with interest and principle payments deferred for six months and – here’s the best part – the Government will forgive “qualifying” loans.
As soon as the program launched, two things happened. First, thousands of new lenders applied to be PPP lenders – from a pre-PPP of about 1,800 qualified lenders to over 4,000 qualified lenders in a matter of days. Second, many of the qualified lenders were inundated with applications. One of the lenders, Wells Fargo, publicly stated that it had max’ed out its funding capacity ($10 billion) to lend under this new PPP loan program: Wells Fargo was only able to extend its participation after the Federal Reserve relaxed some terms of an asset cap order it had imposed back in February 2020. Bank of America reported that it received 177,000 applications in the first two days seeking $32.6 billion in PPP loans. One week into the program, the SBA apparently had “approved” (more on that later) over 660,000 applications from 4,300 qualified lenders for loans of more than $168 billion. And yet the rules are not yet fully understood, and new guidance is coming out daily.
In 2006 I wrote about the dilemma facing BSA/AML programs:
We’ll be judged tomorrow on what we’re doing today, under standards and expectations that haven’t yet been set, based on best practices that haven’t been shared.
This lament has never been more applicable than it is today with these SBA PPP loans and the BSA obligations that follow.
As I read the Interim Final Rules – the 13 CFR Part 120 IFRs around eligibility generally as well as the 13 CFR Part 121 IFRs around affiliates and the common management standard – it LOOKS like lenders can rely on the documents submitted and certifications given by the borrower and its authorized representative in order to determine eligibility of the borrower, use of the loan proceeds, loan amount, and eligibility for forgiveness … but lenders “must comply with the applicable lender obligations set forth in this interim final rule”.
Here is some of the guidance set out in the Interim Final Rule:
At page 5: “SBA will allow lenders to rely on certifications of the borrower in order to determine eligibility of the borrower and use of loan proceeds and to rely on specified documents provided by the borrower to determine qualifying loan amount and eligibility for loan forgiveness. Lenders must comply with the applicable lender obligations set forth in this interim final rule, but will be held harmless for borrowers’ failure to comply with program criteria; remedies for borrower violations or fraud are separately addressed in this interim final rule.”
That is positive. The Interim Final Rule then poses a question, “What do lenders need to know and do?” then answers it in three sections, each posing a question:
a. Who is eligible to make PPP loans?
b. What do lenders have to do in terms of loan underwriting?
c. Can lenders rely on borrower’s documentation for loan forgiveness?
In response to the second question – what do lender have to do in terms of loan underwriting – the SBA provides the following answer (at pages 21-23 of the Interim Final Rule):
“Each lender shall:
i. Confirm receipt of borrower certifications contained in Paycheck Protection Program Application form issued by the Administration;
ii. Confirm receipt of information demonstrating that a borrower had employees for whom the borrower paid salaries and payroll taxes on or around February 15, 2020;
iii. Confirm the dollar amount of average monthly payroll costs for the preceding calendar year by reviewing the payroll documentation submitted with the borrower’s application; and
iv. Follow applicable BSA requirements:
I. Federally insured depository institutions and federally insured credit unions should continue to follow their existing BSA protocols when making PPP loans to either new or existing customers who are eligible borrowers under the PPP. PPP loans for existing customers will not require reverification under applicable BSA requirements, unless otherwise indicated by the institution’s risk-based approach to BSA compliance.
II. Entities that are not presently subject to the requirements of the BSA, should, prior to engaging in PPP lending activities, including making PPP loans to either new or existing customers who are eligible borrowers under the PPP, establish an anti-money laundering (AML) compliance program equivalent to that of a comparable federally regulated institution. Depending upon the comparable federally regulated institution, such a program may include a customer identification program (CIP), which includes identifying and verifying their PPP borrowers’ identities (including e.g., date of birth, address, and taxpayer identification number), and, if that PPP borrower is a company, following any applicable beneficial ownership information collection requirements. Alternatively, if available, entities may rely on the CIP of a federally insured depository institution or federally insured credit union with an established CIP as part of its AML program. In either instance, entities should also understand the nature and purpose of their PPP customer relationships to develop customer risk profiles. Such entities will also generally have to identify and report certain suspicious activity to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). If such entities have questions with regard to meeting these requirements, they should contact the FinCEN Regulatory Support Section at FRC@fincen.gov. In addition, FinCEN has created a COVID-19-specific contact channel, via a specific drop-down category, for entities to communicate to FinCEN COVID-19-related concerns while adhering to their BSA obligations. Entities that wish to communicate such COVID-19-related concerns to FinCEN should go to www.FinCEN.gov, click on “Need Assistance,” and select “COVID19” in the subject drop-down list.
Each lender’s underwriting obligation under the PPP is limited to the items above and reviewing the “Paycheck Protection Application Form.” Borrowers must submit such documentation as is necessary to establish eligibility such as payroll processor records, payroll tax filings, or Form 1099-MISC, or income and expenses from a sole proprietorship. For borrowers that do not have any such documentation, the borrower must provide other supporting documentation, such as bank records, sufficient to demonstrate the qualifying payroll amount.
So it looks like the obligations include some detailed BSA-related customer due diligence requirements, citing an April 3rd FinCEN press release on risk-based approaches to BSA.
The new (as of April 2nd) Form 2483 PPP Borrower Application has a lot of detail on 20% or more owners as well as whether entities are “Affiliates” based on the Common Management Standard … so can lenders rely on the borrowers’ certifications contained in these forms absolutely, no matter how patently false or incomplete? Probably not. There must be an implied level of due diligence, as there is with beneficial ownership information.
So it looks like risk-based BSA/AML customer due diligence will trump otherwise willfully blind reliance on patently false certifications, and when the PPP lending storm is over and the tide is out two years from now, the SBA will be holding lenders to account for fraudulent applications, dubious certifications, and sloppy underwriting.
The opportunities for PPP-related fraud are off-the-charts.
Every fraudster on the planet knows that the US Government just created a $350 billion pot of money that needs to be lent out in the next 90 days based on eligibility determined by the “certifications” the borrowers will submit. Even if deliberate fraud (fraudulent or fake borrowers created by professional fraudsters) and opportunity fraud (legitimate small businesses that deliberately “fudge” a few facts in order to qualify for a loan or even inadvertently misstate a few facts) amounts to only 1% of this pot of money, that is $3.5 billion, or enough to pay the promised $1,200 to 3 million Americans.[1]
Even if banks can process hundreds of thousands of PPP loans, can the SBA approve them?
This is a trick question, written to make a point. And that point is that it doesn’t look like the SBA will be “approving” these PPP loans like they did (and continue to do) for “regular” 7(a) loans. In 2019 the Small Business Administration approved a total of just under 59,000 loans totaling about $30 billion. In 2020, through March 20th, the SBA approved 24,745 loans for ~$12.5 billion. According to the SBA’s last congressional report (Fiscal 2021 Congressional Justification & Fiscal 2019 Performance Report), it noted that “The time to process a 7(a) non-delegated loan greater than $350,000 decreased from 15 days to 9 days (40 percent efficiency gain) [from FY 2017] and for loans under $350,000, from 6 to 2 days (67 percent efficiency gain).” So in fiscal 2019, the SBA approved about 46,100 7(a) loans totaling $23.2 billion. Each of those took between 2 and 9 days.
There will be hundreds of thousands of SBA PPP loans written in the next 90 days for as much as $349 billion – over 660,000 loans in the first week for almost $170 billion. But the SBA isn’t approving these; it is simply acknowledging that it received the necessary borrower and lender forms and sending the lender back a Loan Number. With that, the lender then processes, underwrites, and disburses the loan proceeds.
SBA’s E-Tran System Has Been Glitchy … and according to the SBA’s most recent report to Congress, it had 4,191 employees in 2019 but only 3,274 in 2020.
The SBA’s E-Tran system is its electronic loan processing system that allows approved lenders to submit loan information and documentation. Lenders upload the information and documentation and provide a certification (more on that later) and the SBA returns a loan number. With that, the lender has the delegated authority to fund the loan.
And my guess is that the first PPP loans to go to the SBA will be from existing (experienced) lenders lending to their current (experienced) borrowers … to be followed by experienced lenders lending to new (inexperienced) borrowers … to be followed by those new (inexperienced) lenders the SBA is currently approving who will likely lend to new (inexperienced) borrowers. Inexperience + Inexperience = Opportunities for Fraud. So expect the fraudsters to migrate to the inexperienced borrowers.
What will the bank lenders need to do to meet their BSA obligations?
It’s too early to know. The SBA requirements for beneficial owners seem to require 20% or more legal ownership (so up to five persons with legal ownership) and a stunningly complex “control” disclosure requirement set out in 13 CFR Part 121. But, it looks like the SBA is going to allow lenders to rely on the certifications of their borrowers. For SBA purposes. Those lenders still must comply with their BSA requirements.
So the SBA lenders will have information on up to five owners and, perhaps, on some affiliated persons under the SBA’s “common management standard”. The BSA requirements for beneficial owners seem simple in comparison: 25% or more legal ownership (so up to four persons with legal ownership) and a simple “control prong” of one person set out in 31 CFR Part X.
And where SBA expectations or guidance is still to be provided, BSA regulatory expectations have been set with FinCEN’s Ruling (in FIN-2018-R004). That Ruling carves out an exemption from the beneficial ownership rule so that banks – in this case lenders – do not need to re-verify beneficial ownership information for extensions of loans that do not require underwriting review and approval. Based on that Ruling, the exemption does not appear to apply to these PPP loans, as they are, by definition, underwritten. So even though FinCEN’s unofficial press release from April 2nd – it wasn’t formal Guidance or a Ruling – says that PPP loans for existing customers will not require re-verification under applicable BSA requirements, that is qualified by “unless otherwise indicated by the institution’s risk-based approach to BSA compliance.” That risk-based approach should have followed the FIN-2008-R004 Ruling that exempted renewals of loans that didn’t require underwriting.
So where does that leave us? Nobody knows. As Yogi Berra once said,
It’s tough to make predictions, especially about the future.
Three things I will predict with certainty, though. First, we will get new guidance, advisories, press releases, and rulings to come from the SBA and from multiple agencies that oversee the BSA, probably on a daily basis (as I was writing this, the Federal Reserve issued a press release that it will establish a facility to facilitate lending to small businesses via the Small Business Administration’s Paycheck Protection Program (PPP) by providing term financing backed by PPP loans). Second, fraudsters are going to exploit the Paycheck Protection Program. And third, we’ll manage through this and come out stronger and better for it.
Back in January and early February, we failed to recognize that the then-nascent COVID-19 epidemic raging through Asia would, by mid-February, become a full-blown pandemic that would ravage the planet. Comparing the inevitable fraud that will emerge from the Paycheck Protection Program to the coronavirus pandemic is ridiculous, but we can learn from our pandemic planning and take the steps now to prevent, detect, and mitigate the fraud that will accompany the PPP.
Late Tuesday evening, April 6, the Treasury Department published FAQs on the PPP program. Treasury PPP FAQs April 6, 2020. The 18th and last Q/A was the following:
18. Question: Are PPP loans for existing customers considered new accounts for FinCEN Rule CDD purposes? Are lenders required to collect, certify, or verify beneficial ownership information in accordance with the rule requirements for existing customers?
Answer: If the PPP loan is being made to an existing customer and the necessary information was previously verified, you do not need to re-verify the information. Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.
Parsing this answer out, Treasury is giving guidance only on PPP loans for existing customers: existing customers with verified beneficial ownership information, and existing customers without verified beneficial ownership information … unless otherwise indicated by the lender’s BSA policies and procedures. There is nothing about PPP loans for new customers.
What has FinCEN said about the PPP loans? In an April 3rd press release FinCEN wrote:
Compliance with BSA Obligations – Compliance with the Bank Secrecy Act (BSA) remains crucial to protecting our national security by combating money laundering and related crimes, including terrorism and its financing. FinCEN expects financial institutions to continue following a risk-based approach, and to diligently adhere to their BSA obligations. FinCEN also appreciates that financial institutions are taking actions to protect employees, their families, and others in response to the COVID-19 pandemic, which has created challenges in meeting certain BSA obligations, including the timing requirements for certain BSA report filings. FinCEN will continue outreach to regulatory partners and financial institutions to ensure risk-based compliance with the BSA, and FinCEN will issue additional new information as appropriate.
Beneficial Ownership Information Collection Requirements for Existing Customers – One of the primary components of the CARES Act is the Paycheck Protection Program (PPP). For eligible federally insured depository institutions and federally insured credit unions, PPP loans for existing customers will not require re-verification under applicable BSA requirements, unless otherwise indicated by the institution’s risk-based approach to BSA compliance.
For non-PPP loans, FinCEN reminds financial institutions of FinCEN’s September 7, 2018 ruling (FIN-2018-R004) offering certain exceptive relief to beneficial ownership requirements. To the extent that renewal, modification, restructuring, or extension for existing legal entity customers falls outside of the scope of that ruling, FinCEN recognizes that a risk-based approach taken by financial institutions may result in reasonable delays in compliance.
FinCEN will continue to assess reasonable risk-based approaches to BSA obligations and will issue further information, as appropriate, particularly as the CARES Act is implemented.
April 13 FAQs Provide More Guidance
The 25th and last question in the April 13 FAQs provides some clearer guidance on the beneficial ownership issue:
25. Question: Does the information lenders are required to collect from PPP applicants regarding every owner who has a 20% or greater ownership stake in the applicant business (i.e., owner name, title, ownership %, TIN, and address) satisfy a lender’s obligation to collect beneficial ownership information (which has a 25% ownership threshold) under the Bank Secrecy Act?
Answer: For lenders with existing customers: With respect to collecting beneficial ownership information for owners holding a 20% or greater ownership interest, if the PPP loan is being made to an existing customer and the lender previously verified the necessary information, the lender does not need to re-verify the information. Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected such beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to Bank Secrecy Act (BSA) compliance.
For lenders with new customers: For new customers, the lender’s collection of the following information from all natural persons with a 20% or greater ownership stake in the applicant business will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information: owner name, title, ownership %, TIN, address, and date of birth. If any ownership interest of 20% or greater in the applicant business belongs to a business or other legal entity, lenders will need to collect appropriate beneficial ownership information for that entity. If you have questions about requirements related to beneficial ownership, go to FinCEN Resources Link . Decisions regarding further verification of beneficial ownership information collected from new customers should be made pursuant to the lender’s risk-based approach to BSA compliance.
So where does that leave us?
According to the SBA’s March 20th weekly update, roughly 13% of the 21,106 7(a) loans it has approved in 2020 are categorized as “change of ownership”. So beneficial ownership is a dynamic attribute that needs to be managed. Below are my thoughts on where we are at 8:20 a.m. PST on April 7, 2020:
- Compliance with the Bank Secrecy Act (BSA) remains crucial. FinCEN expects financial institutions to diligently adhere to their BSA obligations. Not to adhere to BSA obligations, to diligently adhere.
- PPP loans for existing customers will not require re-verification (if you’ve already verified them) or verification (if you haven’t previously verified beneficial ownership), unless otherwise indicated by your risk-based approach to BSA compliance. So for your higher- and high-risk customers applying for PPP loans, whether previously verified or not, re-verify beneficial ownership. Be diligent about those “cash intensive” businesses that you likely have characterized as higher- or high-risk.
- As to new customers, there appears to be a trade-off of sorts. For Title 31 BSA purposes, non-PPP lenders need to collect and verify the name, TIN, address, and DOB of up to four legal owners and one control person. For Title 13 SBA purposes, PPP lenders need to collect but perhaps not verify the name, TIN, address, DOB, title, and ownership percentage of up to four legal owners. The April 13th guidance doesn’t say anything about the BSA control person and whether the SBA Authorized Representative would or could be that control person.
- In answering the question “can lenders rely on borrower’s documentation for loan forgiveness?” the Interim Final Rule – again, published by the SBA and Treasury – provides, “Yes. The lender does not need to conduct any verification … the Administrator [of the SBA] will hold harmless any lender that relies on such borrower’s documents and attestation … section 1106(h) [of the CARES Act] prohibits the Administrator from taking any enforcement action …”. So in two places the rule provides that the SBA Administrator will not and cannot take any action against a lender. That is pretty specific. It doesn’t provide that the Federal Government will not and cannot take any action against a lender … does that mean that the lender’s functional regulator (e.g., the OCC) can bring a “safety and soundness” action against a sloppy PPP lender under Title 12? Can FinCEN bring a Title 31 action? Can the Department of Justice bring a Title 18 action? The answer to those three questions is “probably, maybe, perhaps.”
My advice? As FinCEN reminded us, compliance with the BSA remains crucial. Be diligent and confirm – in writing – whatever you decide to do in your policies and procedures and with your regulators. Remember, you will be judged tomorrow on what you’re doing today, under standards and expectations that haven’t yet been set, based on best practices that haven’t been shared.
[1] This paper deals only with the PPP. There are other COVID-19 related disaster loan programs, such as the emergency Economic Injury Disaster Loan (EIDL) program. The SBA Inspector General issued a White Paper on April 3, 2020 titled “Risk Awareness and Lessons Learned from Audits and Inspections of Economic Injury Disaster Loans and Other Disaster Lending”. In that paper, the IG noted that “SBA’s disaster loan programs suffer increased vulnerability to fraud and unnecessary losses when loan transactions are expedited to provide quick relief and sufficient controls are not in place. The expected increase in loan volume and amounts, and expedited processing timeframes will place additional stress on existing controls.” See https://www.sba.gov/sites/default/files/2020-04/SBA_OIG_WhitePaper_20-12_508_0.pdf
