Articles Logan Wamsley Aug 31, 2023
The pandemic-era Paycheck Protection Program was intended to distribute relief money to companies as quickly as possible to preserve jobs and the economy. But some banks were exposed to fraud or were left with unprofitable loans on their books.
The COVID-19 pandemic brought a nearly incalculable amount of change — and risk — to the business community, the full extent of which is still being analyzed. One such change was in the U.S. financial sector, where in March 2020, as part of the Coronavirus Aid, Relief, and Economic Securities Act, the Small Business Administration (SBA) created the Paycheck Protection Program (PPP).
This program enabled qualifying U.S. small businesses to apply for a low-interest private loan to pay for payroll and other costs. If the business managed to keep its employee counts and wages stable, the loan would be partially or fully forgiven.
In the financial services industry, this system presented an unusual situation where lenders would be required to put on their books a low-yield loan (often with 1% interest rates) that, if not forgiven, could represent some significant risk. Even more pressing, however, was the relative ease in which small businesses could qualify for the loan, which added a new wrinkle to the fraud landscape that warranted internal audit’s attention. Although the program ended in 2021, considering this event and the lessons learned from it can help internal auditors fully understand a financial institution’s risk makeup.
Without the forgiveness element, long-term, low-interest loans are difficult to maintain on the books, but for many banks that participated in the PPP program, this risk was mitigated following loan forgiveness. Where the risk would materialize, however, was in lender operations; institutions were tasked with exercising due diligence, often driven by adhering to Know Your Customer (KYC) requirements.
Because of the high volume of applications and limited capacities of staff, many small lenders would either limit the number of PPP loan applications they approved or prioritize applications from current customers. In effect, this made KYC conformance regarding the PPP program a relatively low risk for smaller lenders.
Robert Holden, senior vice president and chief credit officer for Pacific West Bank in Portland, Ore., says the PPP program was a low-risk endeavor for his bank. “We were one of the more active banks for our size, and so we considered it to be a highly successful program for the clients we were able to service and for ourselves,” he explains. “The vast majority, with the exception of a very small handful, were able to qualify for getting their debt forgiven.”
The wider the customer processing base, however, the wider the risk pool becomes, which would amplify the risk for mid-size or larger lenders. For example, according to Holden, because of the favorable loan rates, many large businesses for whom the PPP program was not intended often found ways to take advantage of the program.
“You could be a pretty big business and still qualify for this, so some people would get their high-powered attorneys involved to help them figure it out,” Holden says. “During the early stages, there was not a lot of information, which created some confusion regarding calculating how much would actually be forgiven. For example, wages over $100,000 were supposed to be excluded.”
Loans that were not forgiven could still be beneficial for customers, but trouble for banks, Holden says. For example, a 30-year loan at 1% interest is a favorable rate for customers, “but that’s not a desirable loan for a bank to keep long-term on the books,” he explains. Although banks could make money from processing fees, big banks that processed tens of thousands of PPP loans, and had a high percentage of them remain on the books, “would be dealing with a fairly low-yielding, long-term asset for a long time,” he says.
Beyond the long-term risk potential of maintaining such low returns, lenders of all sizes also had to contend with increased potential for fraud. According to The New York Times, more than 15% of PPP loans, or $76 billion of the total allocated $800 billion, were potentially fraudulent. Even now, financial institutions are still discovering more fraud, with the U.S. Department of Justice alleging that some individuals obtained hundreds of thousands of dollars in PPP loans to finance lavish personal expenses.
“Nothing like this has ever happened before,” said Matthew Schneider, a former U.S. attorney from Michigan who is now with Honigman LLP, in an interview with NBC Nightly News. “It is the biggest fraud in a generation.”
The fast roll-out of PPP contributed to the problem. “Unfortunately, it was inevitable that people were going to take advantage of it and do things they shouldn’t have done like fake that they have businesses or use fraudulent numbers,” Holden says. “Banks, in their defense, were given very little direction by the SBA. Their charge was, ‘Process the applications. Get the money out. Go and help people!’”
At the time, the fraud potential was considered negligible compared with the bigger picture that saw the U.S. economy on the brink of collapse, according to Jesse Morton, managing director for global investment firm Stout and leader for its Atlanta and Miami offices. “I don’t think they expected to see levels of fraud as high as 35%.”
For its part, the SBA required PPP lenders to have risk-based Bank Secrecy Act (BSA) and anti-money laundering (AML) programs, while it instructed depository institutions and credit unions to “continue to follow their existing BSA/AML protocols when making PPP loans.” Lenders not subject to BSA, meanwhile, were required to “establish an anti-money laundering compliance program equivalent to that of a comparable federally regulated institution.” Little additional direction was given.
“Based on conversations I’ve had with BSA officers and compliance officers at the community, regional, and even national banks, the PPP program was stressful and contained fraud, but it was the exception not the rule,” Morton says.
If such due diligence programs and controls were not already in place, the possibility of fraud attempts going undetected increased dramatically as the institutions tried to adapt quickly. For example, in institutions with high volumes of applications, many applications were taken and processed by employees who were not used to processing SBA loans or lacked knowledge of SBA processes and requirements. Without more explicit guidance, critical controls were not optimal at a time when they were most needed.
“The Small Business Administration, in sending that money out, basically said to people, ‘Apply and sign and tell us that you’re really entitled to the money,’” Justice Department Inspector General Michael Horowitz, the chair of the Pandemic Response Accountability Committee, told NBC. “And, of course, for fraudsters, that’s an invitation. … What didn’t happen was even minimal checks to make sure that the money was getting to the right people at the right time.”
Without the necessary due diligence, the fraud process was shockingly easy, with little more effort required than going on state websites, taking the names of existing businesses, or registering new, fake ones. “There’s absolutely no security on [those websites],” Haywood Talcove, the CEO for government at LexisNexis Risk Solutions, told NBC. “And voila, you have company ABC with 40 employees and a payroll of $10 million. And you go and apply for a PPP loan. It was a piece of cake.”
While it is easy to look at the mistakes of the past, the real challenge is learning from those mistakes. In the case of PPP loans, one of the largest takeaways should be the need for internal auditors in the financial sector to understand applicable SBA requirements, processing operations, staff capabilities, and the fraud landscape. Without such knowledge and access to all necessary parties and resources, the capacity for providing adequate assurance is limited.
To clarify internal audit roles in these organizations, The IIA offers a variety of resources. For example, the Practice Guide, Internal Audit and Fraud: Assessing Fraud Risk Governance and Management at the Organizational Level, contains detailed information on the roles of the three lines and the board regarding fraud prevention and detection. This guidance includes how the three lines should coordinate efforts, as well as how auditors can perform a fraud risk assessment and aid in establishing a fraud risk management program. Moreover, it has advice on how internal audit can maintain its objectivity through the process even when circumstances threaten to impede it.
According to the guide, internal audit roles in fraud risk could include:
Internal audit also can assist in, or even lead, fraud investigations directly, which often occurs in situations where organizational resources are limited, risk management and governance processes are not yet mature, or if new compliance initiatives have been introduced. In these cases, auditors must conform with IIA Standard 1100: Independence and Objectivity and ensure that any threats to independence are managed at the internal auditor, engagement, functional, and organizational levels.
Even in unusual circumstances where time and resources are limited, such as during the rapid implementation of the PPP program, internal audit still should provide assurance within its capabilities. This was particularly true in a situation where the federal government incentivized financial institutions to process PPP loans as fast as possible, Morton notes.
“Washington was sending mixed messages to follow laws and anti-money laundering procedures, but also to get the money out to prevent the collapse of the economy,” he says. “In this situation, an internal auditor can at least help in implementing very high-level basic controls.”