The Payroll Protection Program (PPP), created under the CARES Act to provide small businesses with an incentive to keep their staff on payroll through the COVID-19 pandemic, has been the source of many discussions of late as the U.S. economy seeks to reopen and return to a semblance of normalcy. From the onset of the program, there were anti-money laundering (AML) compliance and fraud concerns raised, given the speed with which the program was rolled out and the fact that banks often had to adapt existing processes and platforms to facilitate these loans. As we approach the deadline for PPP applications, financial institutions have a chance to revisit their processes and procedures to ensure they continue to meet their ongoing obligations under the Bank Secrecy Act (BSA) and the USA PATRIOT Act.
Reinforcing Financial Crimes Compliance Programs
Given the vast amount of loans that were processed as a result of this program, as well as the need to ensure adherence to the BSA/AML regulatory requirements, banks may not have had sufficient time or resources to properly document the compliance measures that they implemented to support this effort. In some cases, banks that had not previously offered Small Business Administration (SBA) loans participated in PPP lending, which meant establishing a new product offering—an offering that would have to be assessed appropriately for risk and have sufficient internal control measures in place. In other cases, banks may have extended loans to new customers, which meant they needed to meet all of their existing customer onboarding standards—including components of Know Your Customer (KYC) such as customer identification programs, customer due diligence (CDD), enhanced due diligence (EDD), and beneficial ownership—as well as ensuring their processes continued to care for their customer risk rating, transaction monitoring, and sanctions screening obligations.
Banks should also re-examine the information captured pertaining to beneficial ownership, particularly for PPP loans. They should ensure they have appropriately captured information that aligns with the SBA requirements for a 20 percent threshold for beneficial owners, as opposed to 25 percent for the CDD beneficial ownership obligation standard. This means that there could be up to five beneficial owners identified per legal entity, not the maximum four beneficial owners and a controlling individual as established under the CDD rule. Further, the amount of required information per beneficial owner differs under the PPP obligations, which require the mandatory capture of the individual’s title and percentage of ownership.
Addressing Fraud and Money-Laundering Risks
When it comes to identifying issues related to fraud and money laundering directly related to PPP loans, it’s important to keep in mind the permissible uses of a PPP loan. According to the CARES Act, PPP loans should be used for one or more of the following three purposes:
- Coverage for payroll costs, including some benefits such as healthcare and retirement
- Payment of mortgage interest, rent, or utility expenses
- Payment of interest on certain other debt obligations
Many banks may rely on third-party systems for transaction monitoring—programs that have yet to develop rules and algorithms sufficient to detect PPP-related fraud or money-laundering scenarios. This leaves institutions with the need to develop reports and monitoring programs to ensure the use of the funds is aligned to the purpose of the loans.
Banks have an opportunity now to further enhance their existing monitoring program to address these types of issues as well as to look back through their existing PPP lending portfolios to see if any red flags exist that need to be investigated further. There may be instances, for example, where a corporate entity is identified as having used the proceeds of its PPP loan for personal use, such as the purchase of luxury items, and not direct payroll or other business-related activity. Other examples of PPP funds fraud or misappropriation learned about through recent criminal charges include obtaining a fraudulent loan to pay employees of businesses that were not operating prior to the start of COVID-19 or had no salaried employees, or using the proceeds of a PPP loan to pay employees at a business the loan applicant did not own.
Additionally, as with any crisis event, there are new opportunities for fraud that arise as a result of COVID-19. Although these instances are not directly related to PPP loans, banks should be aware that there has been a rise in the area of personal protection equipment (PPE) and cleaning supply fraud as well as an increase in business email compromise. Given that many businesses are closed or have employees that are working remotely, coupled with the closure of many bank branches, the use of cash has decreased while the use of electronic payments has increased. Hence banks should remain vigilant for increases in chargebacks, increases in disputes related to unauthorized activity, and changes in wire activity, all of which may be indicative of illicit activity.
Lastly, banks should ensure that any changes to their routine monitoring program that were made as a result of the introduction of the PPP lending program are well documented, including any modifications to the transaction monitoring parameters.
Time to Take a Step Back
As the volume and pace of PPP lending slows, banks have an opportunity to take a step back and revisit their processes and documentation to ensure these align with regulatory expectations and that the speed of response to the heightened need for lending did not negatively impact the controls in place. There are reviews that a bank can put in place to identify and remediate gaps in an effort to demonstrate continued compliance with its obligations.
In summary, there are four key areas that banks should focus on to ensure their BSA/AML program remains strong as they prepare for independent audits or examinations:
- Review policies and procedures. Banks that have not incorporated PPP loans as a new product offering within their compliance program, particularly those institutions that did not previously have SBA lending in their portfolio, must do so. This includes properly assessing the product risk and having documented internal controls in place.
- Incorporate transaction monitoring. Banks should incorporate into transaction monitoring programs measures to monitor permissible use of funds by loan recipients as well as changes in expected activity. Given the widespread shutdown of various businesses, there may be decreases in the use of cash and increases in use of electronic payments. These changes should be monitored to ensure they align with the expectations of the type of business and its geographic location.
- Maintain a strong day-to-day compliance program. Many banks diverted resources, including human capital, to support the lending processes, and BSA/AML teams may have been impacted. It is vital that BSA organizations continue to assess their resource needs and ensure that appropriate staffing and technological capabilities are in place.
- Train. Lastly, but very important, is providing timely training to analysts and investigators to be sure that they understand the PPP product offering, what red flags may be associated with the product, what information is available from the customer’s application that can be used in the course of the investigation, and what some of the emerging typologies are particularly related to fraud. Staying informed on emerging trends, including announcements of criminal activity identified, helps banks gain more insight into the types of fraud and money-laundering schemes that may be associated with this product, which in turn can be used to further train front-line and operational staff.
It is inevitable that at some point in the future a bank’s independent audit or examination will review the PPP loans that are being originated. As such, it’s imperative for institutions to make sure that the documentation of the processes that were implemented to support this product offering is appropriate and can thoroughly explain the risk-based approach to the execution of BSA/AML requirements. If banks had not previously taken the time to develop the regulatory framework necessary—from onboarding and loan initiation through to transaction monitoring, investigation, and reporting—they should conduct a full review, identify any gaps that may exist in the program, and document remedial activity accordingly. This exercise will likely set in place a process for program enhancements that can be leveraged not only for future rounds of PPP lending should they arise, but also sets the framework for introduction of new product offerings more broadly.