By: Daniel Silva and Manisha Malhotra
The Paycheck Protection Program (“PPP”) emerged as a lifeline for small businesses grappling with the unprecedented challenges of the COVID-19 pandemic. Lenders navigated a landscape of regulations that Congress quickly drafted in response to the pandemic. These regulations and obligations evolved, subtly yet materially, from the first and second round of PPP “draws.” Most significantly, the government required lenders to conduct a “good-faith review” of the borrower’s application during the second PPP draw.
This shift could have significant implications for financial institutions and financial technology (“fintech”) companies. Although the government has not prosecuted any financial institution for falling short of this “good-faith” standard, lenders should be prepared to defend their review of PPP loans in a similar way to their anti-money laundering programs, which require reasonably designed, risk-based procedures to identify and flag suspicious transactions.
Background: Lender Requirements
The Coronavirus Preparedness and Response Supplemental Appropriations Act and the Coronavirus Aid, Relief, and Economic Security (CARES) Act came into effect in March 2020 in the midst of the expanding coronavirus pandemic, providing more than $2 trillion in emergency funds to individuals and small businesses.[1] As part of the CARES Act, PPP loans were forgivable, uncollateralized, and low-interest, reaching up to $10 million for sole proprietors and businesses with fewer than 500 employees.[2]
Financial institutions could participate in the distribution of PPP funds to eligible small businesses, provided that the lending institutions were already qualified by the Small Business Administration (“SBA”) or otherwise a federally insured depository institution.[3] Participating financial institutions would engage in an “unprecedented public-private partnership,” with a goal to “position lenders as the single point-of-contact for small businesses—the application, loan processing, and disbursement of funds will all be administered at the community level.”[4] Nearly 5,500 lenders participated.[5]
As a result, the SBA admitted approximately 600 new lenders, including non-depository financial institutions.[6] These lenders handled processing and underwriting of PPP loans, with a focus, not necessarily on the borrower’s creditworthiness, but instead on “receipt of information” from the borrower that qualified them for PPP funds.[7] There was no obligation to check for the borrower’s creditworthiness.[8]
Lenders “Held Harmless” for First Draw PPP Loan Fraud
Immediately—the very day that the SBA began issuing PPP loans—the SBA’s Inspector General noted that the limited scrutiny by lenders presented “significant issues and relevant risk” of “inappropriate or unsupported loan approvals” for borrowers.[9] By July 2021, the SBA had guaranteed nearly 12 million loans, for more than $806 billion.[10] Two years later, the SBA’s concerns about fraudulent PPP loans proved accurate. There had been insufficient “organizational structure with clearly defined roles, responsibilities, and processes to manage and handle potentially fraudulent PPP loans,” nor was there a “centralized entity to design, lead, and manage fraud risk.”[11]
In short, the very structure of the application, approval, and distribution of PPP loans made it “more susceptible to fraudulent applications” by borrowers.[12] The SBA identified and continues to identify, millions of ineligible borrowers, fraudulent loan applications, and loans that merit further examination—covering hundreds of billions of dollars related to previously nonexistent, ineligible, or fabricated businesses.[13]
The SBA originally declared that lenders would be “held harmless for borrowers’ failure to comply with program criteria and will not be subject to any enforcement action or penalty relating to loan origination or forgiveness of the PPP loan if the lender acts in good faith relating to the origination or forgiveness of the PPP loan.”[14] That is, lenders had no duty to verify information in a PPP loan application, and could instead rely on the borrower’s representation and documentation in support.
Lenders Had to Perform “Good-Faith Review” for Second Draw PPP Loans
Lenders were also held harmless for second draw PPP loans.[15] Yet the eligibility criteria for the second draw changed slightly. In order to obtain a second PPP loan, businesses were required to demonstrate a revenue reduction of at least 25% in a comparable quarter between 2019 and 2020.[16] The SBA accordingly required lenders in the second PPP loan draw to perform a “good faith review, in a reasonable time, of the borrower’s calculations and supporting documents” for most loan and forgiveness applications.[17]
While the SBA did not define what a “good-faith review” would consist of, at the very least it obligated lenders: (i) to review the loan application and (ii) to conduct an affirmative, diligent, and timely assessment of the calculations and supporting documents provided by the borrower. This approach aimed to strike a balance between expediting the loan application process and ensuring the accuracy and legitimacy of the information presented by businesses seeking financial relief.
Recent inquiries by Congress have shown that fintechs were “disproportionately linked to PPP fraud.”[18] Certain fintech entities have already faced Congressional scrutiny for falling short of the “good-faith review” standard. Consequently, Congress has suggested that they disbursed funds without the necessary due diligence, potentially reaching businesses that did not meet eligibility criteria or misrepresented their financial circumstances. To be sure, lapses in due diligence were not limited to fintechs. Traditional banks and lending partners who collaborated with fintechs were also criticized by Congress for their minimal scrutiny of PPP loan applications.[19]
PPP and Bank Secrecy Act Similarities
In addition to following existing SBA requirements, PPP lenders were required to establish and maintain an anti-money laundering (“AML”) program if they were not already subject to the requirements of the Bank Secrecy Act (“BSA”).[20] For decades, AML programs have been central compliance functions at all manner of financial institutions. Financial institutions must maintain programs that are “reasonably designed to assure and monitor compliance” with AML best practices, regulations, and laws.[21]
There is no “one-size-fits-all” AML program. Each regulated financial institution needs to design a unique AML program,[22] employing “[a]ppropriate risk-based procedures for conducting ongoing customer due diligence,” including “[u]nderstanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile;” and “[c]onducting ongoing monitoring to identify and report suspicious transactions”.[23]
These AML obligations for maintaining a “reasonably designed” program with “appropriate risk-based procedures” offer some insight into how law enforcement and regulators may interpret a lender’s “good-faith review” of a borrower’s second PPP loan draw. The use of the term “reasonably designed” emphasizes the need for a thoughtful and effective approach in constructing and maintaining an AML program. It implies a degree of flexibility, acknowledging that any given program will vary based on factors such as the size and nature of the financial institution, the types of customers it serves, and the risks it faces.
Representative Enforcement Actions
Enforcement actions related to PPP lenders have garnered significant attention. As part of these enforcement actions, government agencies such as the SBA and Department of Justice have been actively scrutinizing lending institutions’ compliance with PPP regulations, focusing on borrower eligibility verification, and investigating adherence to PPP loan guidelines. Moving forward, there is reason to believe that the government will focus its next wave of enforcement actions on lenders’ “good-faith review” of loan applications, similar to the “reasonably designed” obligation for AML programs, as seen in the cases below.
A federal court recently questioned whether regulatory guidance published within the “context of [the Covid-19] pandemic” were “imperfect tools” for businesses attempting to understand their legal obligations.[24] Although that federal court was addressing healthcare regulations, it does suggest that PPP regulations will themselves be scrutinized. Until then, here are a few recent enforcement actions to help define the PPP and AML risks for financial institutions:
SEC v. DIMA – The SEC charged DWS Investment Management Americas Inc., a subsidiary of Deutsche Bank AG for failing to develop a reasonably designed AML program for mutual funds it advised, in violation of the BSA. The SEC found that DWS neglected to establish individualized AML programs tailored to the specific risks of the funds, resulting in a failure to detect and prevent money laundering and terrorism financing activities.[25]
FINRA v. Merrill Lynch, Pierce, Fenner & Smith Inc. – FINRA imposed a $6 million fine on Merrill Lynch, Pierce, Fenner & Smith Inc. for its failure to establish and implement effective policies, procedures, and internal controls designed to prompt the reporting of suspicious transactions, as mandated by the BSA. The lapse, persisting for over a decade, resulted in Merrill Lynch neglecting to file nearly 1,500 Suspicious Activity Reports (SARs). Merrill Lynch mistakenly applied a $25,000 threshold, intended for national banks, instead of the $5,000 threshold for broker-dealers following its merger with Bank of America, N.A. This misapplication led to the non-reporting of various suspicious activities, including unauthorized debit card withdrawals, forged checks, account intrusions, identity theft, and internet scams.[26]
FINRA v. UBS Financial Services Inc. – FINRA imposed fines on UBS Financial Services Inc. totaling $5 million and UBS Securities LLC $500,000 for their failure to establish and implement AML programs reasonably designed to monitor high-risk transactions in customer accounts. UBS had inadequate oversight of foreign currency wire transfers, and separately failed to monitor penny stock transactions routed through an omnibus account. The deficiencies in UBS’s AML monitoring systems allowed billions of dollars in foreign currency wires without sufficient oversight for more than eight years, resulting in the failure to capture crucial details such as customer identities, transfer values, involvement of third parties, and connections to high-risk countries.[27]
Conclusion
The PPP was a lifeline for small businesses facing unprecedented challenges during the COVID-19 pandemic, with lenders playing a pivotal role in the program’s success. The “hold harmless” protection incentivized lenders to participate in the program. With the program’s evolution between the first and second PPP draws, combined with increased scrutiny, financial institutions should be prepared to defend their pandemic-era operations.
[1] See, e.g., U.S. Dep’t of the Treas., Covid-19 Economic Relief (available at https://home.treasury.gov/policy-issues/coronavirus).
[2] SBA, First Draw PPP Loan (available at https://www.sba.gov/funding-programs/loans/covid-19-relief-options/paycheck-protection-program/first-draw-ppp-loan).
[3] Business Loan Program Temporary Changes, Paycheck Protection Program, 85 FR 20811 (June 1, 2020) (available at https://www.federalregister.gov/documents/2020/04/15/2020-07672/business-loan-program-temporary-changes-paycheck-protection-program) (satisfying either established the lending institution as one that was already subject to strict regulatory oversight).
[4] U.S. Dep’t of the Treas., Press Release: With $349 Billion in Emergency Small Business Capital Cleared, Treasury and SBA Begin Unprecedented Public-Private Mobilization Effort to Distribute Funds (Mar. 31, 2020) (available at https://home.treasury.gov/news/press-releases/sm961).
[5] GAO, Testimony: Paycheck Protection Program: Program Changes Increased Lending to Smaller and Underserved Businesses (Mar. 16, 2022) (available https://www.gao.gov/assets/gao-22-105788.pdf).
[6] Id.
[7] U.S. Dep’t of the Treas., PPP Lender Information Fact Sheet (available at home.treasury.gov/system/files/136/PPP%20Lender%20Information%20Fact%20Sheet.pdf).
[8] Select Subcommittee on the Coronavirus Crisis, Staff Report: “We are not the Fraud Police”: How Fintechs Facilitated Fraud in the Paycheck Protection Program (Dec. 2022) (available at https://coronavirus-democrats-oversight.house.gov/sites/democrats.coronavirus.house.gov/files/2022.12.01%20How%20Fintechs%20Facilitated%20Fraud%20in%20the%20Paycheck%20Protection%20Program.pdf).
[9] SBA, Office of Inspector Gen., White Paper: Risk Awareness and Lessons Learned from Prior Audits of Economic Stimulus Loans (Apr. 3, 2021, Rep. No. 20-11) (available at
[10] Business Loan Program Temporary Changes, Paycheck Protection Program, 86 FR 40921 (July 28, 2021) (available at https://www.federalregister.gov/documents/2021/07/30/2021-16358/business-loan-program-temporary-changes-paycheck-protection-program-covid-revenue-reduction-score).
[11] SBA, Office of Inspector Gen., White Paper: SBA’s Handling of Potentially Fraudulent Paycheck Protection Program Loans (May 26, 2022, Rep. No. 22-13) (available at https://www.sba.gov/document/report-22-13-sbas-handling-potentially-fraudulent-paycheck-protection-program-loans).
[12] GAO, Report to the Congress: COVID-19 – Opportunities to Improve Federal Response and Recovery Efforts (June 2020, GAO-20-625) (available at https://www.gao.gov/products/gao-20-625).
[13] Project on Government Oversight, The Great Pandemic Swindle: Feds Botched Review of Billions in Suspect PPP Loans (Oct. 6, 2022) (available at https://pogo.org/investigation/2022/10/the-great-pandemic-swindlefeds-botched-review-of-billions-in-suspect-ppp-loans).
[14] Business Loan Program Temporary Changes, Paycheck Protection Program as Amended by Economic Aid Act, 86 FR 3692 (Jan. 12, 2021) (available at https://www.federalregister.gov/documents/2021/01/14/2021-00451/business-loan-program-temporary-changes-paycheck-protection-program-as-amended-by-economic-aid-act) (emphasis added).
[15] SBA, Paycheck Protection Program (PPP) Second Draw Overview (available at https://rimanufacturers.com/wp-content/uploads/2021/01/PPP-Second-Draw-Overview.pdf).
[16] SBA, Second Draw PPP Loan (available at https://www.sba.gov/funding-programs/loans/covid-19-relief-options/paycheck-protection-program/second-draw-ppp-loan#id-loan-details).
[17] Business Loan Program Temporary Changes, Paycheck Protection Program, 86 FR 40921 (July 28, 2021) (available at https://www.federalregister.gov/documents/2021/07/30/2021-16358/business-loan-program-temporary-changes-paycheck-protection-program-covid-revenue-reduction-score) (emphasis added).
[18] Select Subcommittee on the Coronavirus Crisis, Staff Report: “We are not the Fraud Police”: How Fintechs Facilitated Fraud in the Paycheck Protection Program (Dec. 2022) (available at https://coronavirus-democrats-oversight.house.gov/sites/democrats.coronavirus.house.gov/files/2022.12.01%20How%20Fintechs%20Facilitated%20Fraud%20in%20the%20Paycheck%20Protection%20Program.pdf) citing PPP Scammers Made Fintech Companies Their Lenders of Choice, Bloomberg (Oct. 7, 2020) (available at https://bloomberg.com/news/articles/2020-10-07/ppp-loans-scammers-used-fintech-companies-to-carry-outfraud?leadSource=uverify%20wall#xj4y7vzkg) and Project on Government Oversight, Lamborghinis, Strip Clubs, Bogus Companies, and Lies (Oct. 8, 2020) (available at https://pogo.org/investigation/2020/10/lamborghinis-strip-clubs-bogus-companies-and-lies).
[19] See id.
[20] Id.
[21] Title 31, U.S.C., Section 5318(h)(2)(B).
[22] See, e.g., Title 31, C.F.R., Ch. X.
[23] Title 31, C.F.R., Section 1020.210(a)(2)(v).
[24] United States v. Elfenbein, 22-CR-146-JKB *82 (D. Md., Doc. No. 99), Court’s Memorandum in support of Order Granting Motion for Judgment of Acquittal.
[25] https://www.sec.gov/news/press-release/2023-194.
[26] https://www.finra.org/media-center/newsreleases/2023/finra-fines-merrill-lynch-6-million-longstanding-aml-program.
[27]https://www.finra.org/media-center/news-releases/2018/finra-fines-ubs-5-million-significant-deficiencies-aml-programs.
Please feel free to contact the attorneys listed below:
Daniel C. Silva is a Shareholder in the Firm’s San Diego’s office and a member of the White Collar & Investigations group.
Manisha Malhotra is a member of the White Collar & Investigations practice group in Buchalter’s Orange County Office.
This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.