Current Enforcement Efforts in the Battle Against COVID-19 Loan Program Fraud

[authors: Amy Yurish and Nicole McTernan]

Introduction

The COVID-19 pandemic caused unprecedented impacts around the world including stay-at-home orders, curfews, quarantines, and economic uncertainty. Businesses across the United States were forced to close their doors, limit hours of operations, and manage unpredictable financial losses. In an attempt to mitigate the impact of COVID-19, then-President Donald Trump signed the CARES Act into law in March 2020. The CARES Act intended to provide emergency assistance to individuals and businesses affected by the COVID-19 pandemic and included programs designed to quickly provide funds to individuals and businesses.^[1]

While COVID-19 itself may no longer be headlining the news cycle, the investigation of potentially fraudulent activity related to COVID-19 funds as described herein continues to be a top priority for government enforcement agencies. With billions of dollars in potential fraudulent disbursements, various government agencies have implemented targeted programs and task forces to identify potential fraud and hold those responsible accountable. As of April 2024, the US Department of Justice had already seized over $1.4 billion in funds that were determined to have been fraudulently obtained.

In this article, we examine the establishment of COVID-19 Loan Programs, indicators of fraud related to the loan programs , the continuing investigation and prosecution of loan fraud cases, recent enforcement actions, recommendations for strengthening internal controls, and how to prepare for a potential audit in relation to a COVID-19 loan probe. This information is intended to help those involved in COVID-19 Loan Program fraud investigations.

Background of COVID-19 Loan Programs

As provided for in the CARES Act, the Small Business Administration (“SBA”) quickly implemented the Paycheck Protection Program (“PPP”) in April 2020, which made available fully guaranteed loans to small businesses, individuals, and nonprofit organizations affected by COVID-19. These loans were eligible for forgiveness if at least 60% of funds were spent on payroll costs, with certain limitations, and the remaining spent on eligible expenses such as rent, utilities, and other operating costs. The overarching goal was to help businesses keep their workforce employed during the pandemic and provide quick liquid funds to help mitigate financial losses.^[2] PPP loans were offered in two rounds: between April and August of 2020 and between January and May of 2021.^[3]

The SBA also offered the COVID-19 specific Economic Injury Disaster Loans (“EIDL”) from March 2020 to December 2021 to provide funding – specifically working capital to meet ordinary and necessary operating expenses – to help small businesses and other entities recover from the economic impacts of the COVID-19 pandemic.^[4] The EIDL program was not a new program by the SBA, but instead the program was modified to support businesses impacted financially by COVID-19. Unlike PPP loans, EIDL funds were not eligible for forgiveness. However, these loans were offered with low interest rates and long-loan terms making them economically appealing to businesses. Additionally, the payments were deferred for the first two years, providing businesses with much needed flexibility during the pandemic.^[5]

Given COVID-19’s immediate impact on the US and its economy and the view to quickly provide funds to businesses, the SBA recommended financial institutions prioritize speed over due diligence and provided assurance to lenders that they would be held “harmless” if they relied on the information applicants submitted to them.^[6] This time-sensitivity in approving COVID-19 relief funds led the US government to waive most of its standard verification protocols required of lenders handling applications. Thus, banks and other financial institutions primarily relied upon self-certifications of applicants to make eligibility and approval decisions.

However, the government still required lenders to establish Bank Secrecy Act (“BSA”) anti-money laundering systems to conduct internal audits and flag suspicious customers.^[7] Large, established banks mainly had pre-existing BSA compliance programs in place. Conversely, new entrants trying to handle high volumes of PPP loans in order to cash in on government processing fees had to implement new systems and generally did not have pre-existing BSA compliance programs in place.^[8]

With little time to prepare and a powerful incentive to participate, many banks and other financial institutions were perfect targets for fraudsters looking to take advantage of a rushed and fragmented process.

Government Findings & Fraud Indicators

Since the start of the COVID-19 pandemic, the SBA has disbursed about $1.2 trillion of COVID-19 EIDL and PPP funds. Specifically, the SBA has disbursed over $400 billion in COVID-19 EIDL funds and $800 billion in PPP funds. Of the $800 billion in PPP funds disbursed, approximately $763 billion has been forgiven.^[9] There was rampant speculation almost immediately after these programs were implemented that there would be significant fraud throughout the programs due to the quick nature of approving loans and heavy reliance on self-certifications. As COVID-19 risks and impacts were mitigated and businesses returned to normal operations, the government began to investigate the usage of COVID-19 loan funds.

On June 27, 2023, the Office of Inspector General (“OIG”) published “COVID-19 Pandemic EIDL and PPP Loan Fraud Landscape” to provide an estimate of the potential fraud in the SBA’s pandemic assistance loan programs.^[10] The OIG estimated that more than $200 billion ($136 billion in COVID-19 EIDL loans and $64 billion in PPP loans) of the $1.2 trillion in COVID-19 loan funds was disbursed in potentially fraudulent loans, representing about 17% of all funds.^[11] The OIG concluded that due to the rush to swiftly disburse funds, the SBA weakened or removed the controls necessary to prevent fraudsters from easily gaining access to the SBA’s pandemic assistance loan programs and provide assurance that only eligible entities received funds. ^[12] This occurred even though early OIG reports warned of the importance of a strong internal control environment to mitigate fraud risk.

In order to strengthen internal controls, the OIG offered the following recommendations over the course of the SBA’s pandemic assistance loan programs:

• Implementing processes to ensure that PPP lenders validated that:
  • The loan amount did not exceed the maximum amount per employee,
  • The business was established before the mandated date, and
  • The loan amount did not exceed the maximum number of employees or other applicable standards,
• Working with the Treasury to develop a technical solution to enable the use of the Treasury’s “Do Not Pay” portal to determine PPP loan applicant eligibility and prevent improper payments before the release of federal funds,
• Updating the PPP borrower application to include a field for the North American Industry Classification System code for the business category and the business description to prevent potentially ineligible loan approvals,
• Revising the PPP application to include the demographic information of borrowers,
• Establishing or strengthening controls to ensure loan deposits were made to legitimate bank accounts for eligible borrowers only,
• Strengthening or establishing controls to ensure multiple loans were provided only to eligible COVID-19 EIDL applicants and to prevent the erroneous duplication of loans, and

• Strengthening controls for verifying an entity’s start date to ensure applicants met eligibility requirements.^[13]

The OIG identified the following fraud indicators related to COVID-19 loans:^[14]

Accordingly, the SBA implemented corrective actions, such as requiring tax transcripts for COVID-19 EIDL borrowers, flagging certain EIN prefixes, and requiring loan officer reviews for changed bank accounts prior to disbursements, among other actions.^[15]

The GAO also reviewed the SBA’s disbursement of COVID-19 loan funds and recommended that the SBA ensure it has and utilizes mechanisms to facilitate cross-program data analytics and identify external data sources that could aid in fraud prevention and detection, and to develop a plan to obtain access to those sources.^[16] The GAO identified the following additional fraud indicators for COVID-19 loans which could be identified through data analytics of loan documents:^[17]

Government Investigations of Potential COVID-19 Loan Fraud

Initially, most COVID-19 loans were subject to a five-year statute of limitations for any applicable enforcement efforts, meaning that criminal or civil enforcement actions were required to be filed no later than five years after the offense was committed. Recognizing the potential magnitude of fraud in the COVID-19 loan programs, two bills were enacted and signed into law by President Joseph Biden in August 2022 to extend the statute of limitations to 10 years.^[18]

The longer statute of limitations, which is consistent with the statute of limitations associated with bank fraud cases, gives the Department of Justice (“DOJ”) and other agencies more time to investigate large and complex COVID-19 loan fraud cases.^[19] Additionally, the expanded statute of limitations provides the government additional time to consider investigations into lenders and other insiders in cases where key individuals may have facilitated fraudulent loans.^[20]

According to the Internal Revenue Service’s Criminal Investigation Chief Guy Ficco: “In the last year alone, we have opened nearly 700 new COVID fraud investigations that collectively add up to $5 billion in potential fraud.” He also stated that while COVID-19 may no longer be top of mind to Americans, “the fraud committed through these different programs is very much top of mind…”^[21]

As of April 9, 2024, OIG oversight of PPP and EIDL loan programs resulted in 1,255 indictments, 985 arrests, and 683 convictions. Over $8 billion in EIDL funds has been returned to the SBA by financial institutions and another $20 billion by borrowers.^[22]

Also as of April 9, 2024, the DOJ’s nationwide effort to combat COVID-19 loan fraud has resulted in more than 3,500 defendants being criminally charged, and more than 400 settlements or court judgements totaling more than $100 million for civil charges. Additionally, DOJ prosecutors have seized over $1.4 billion in funding determined to be fraudulently obtained.^[23]

The False Claims Act, which is a civil statute that is leveraged against companies for defrauding government agencies, is being used by the DOJ to try to recoup taxpayer dollars from CARES Act lenders. In 2023 alone, the DOJ resolved approximately 270 False Claims Act matters and recovered over $48.3 million specifically in connection with PPP fraud.^[24]

The DOJ also uses the Bank Secrecy Act, which requires financial institutions to establish and maintain programs to detect and prevent money laundering, identify potential deficiencies in customer due diligence for loan applicants, and report fraud or other suspicious activity.

Federal prosecutors have been targeting businesses and individuals who may have violated the COVID-19 loan programs by:

• Making false statements on the loan applications;
• Applying for loans from multiple lenders;
• Using loan money for improper or unapproved purposes;
• Submitting false certifications for loan forgiveness; or
• Lying to agents during loan audits or investigations.^[25]

These violators fall largely into two categories: individuals or small groups and coordinated criminal rings.^[26] The most common criminal charges related to COVID-19 loan fraud are:

• Wire fraud;
• Bank fraud;
• False statements to a financial institution; and
• Conspiracy to commit fraud.^[27]

Initially, in May 2021, the DOJ created a specialized COVID-19 Fraud Enforcement Task Force to partner with other government agencies to identify and investigate potential instances of pandemic related fraud. In September 2022, the DOJ announced the creation of specialized “Strike Force teams”, with locations in Los Angeles, Sacramento, Miami, and Baltimore, to enhance efforts to combat and prevent COVID-19 related fraud.^[28] In August 2023, the DOJ launched another two Fraud Strike Forces in Colorado and New Jersey.^[29]

Much of the initial investigations and enforcement actions focused on so-called “low hanging fruit,” such as instances where applicants allegedly used funds for exorbitant personal purchases (vacation homes, expensive cars, etc.), created fictitious companies, and applied for loans for companies that did not exist prior to March 2020.

Greater Focus on Financial Institutions and Complex Fraud Schemes

More recently, the task force has shifted its focus to more complex potential fraud schemes as well as the review of certain banks and financial technology companies (“fintechs”) that may have approved allegedly false COVID-19 loans to identify evidence that banks either ignored red flags, bypassed fraud-detection measures, or colluded with customers.^[30] In Principal Deputy Assistant Attorney General Brian M. Boynton’s 2024 Federal Bar Association’s Qui Tam Conference Remarks on February 22, 2024, he identified that in April 2023, the DOJ filed claims against Kabbage, Inc., a fintech that processed PPP loan applications for lenders and underwrote PPP loans, alleging that the company miscalculated tens of thousands of PPP loans and knowingly failed to implement appropriate fraud controls.^[31] In May 2024, Kabbage, Inc. agreed to resolve these allegations with the DOJ stating that it would receive a claim of up to $120 million in Kabbage, Inc.’s bankruptcy proceedings.^[32]

In an example of enforcement related to banks, the DOJ settled with a regional bank in Texas and Oklahoma for allegedly processing an ineligible customer’s loan under the False Claims Act.^[33]

Other recent enforcement actions demonstrate the focus on more complex fraud schemes and where multiple individuals were involved in the alleged fraud. Some examples of these include:

• On September 6, 2024, a federal jury convicted one individual for defrauding three federally insured banks of more than $11.2 million in COVID-19 PPP funds. The individual submitted fraudulent loan applications purportedly for the benefit of companies that the defendant controlled. Evidence showed that the individual falsely represented certain material information, including information about payroll, employees, and use of the loan proceeds. The individual, upon receipt of more than $11.2 million in PPP funds, laundered and / or spent the proceeds by buying 25 residences and two luxury cars, funding a personal investment account, and gambling extensively, among other things. The individual was convicted of three counts of bank fraud, three counts of money laundering, and four counts of engaging in monetary transactions in criminally derived property and faces a maximum penalty of 30 years in prison on each bank fraud count, 20 years on each money laundering count, and 10 years in prison on each count of engaging in monetary transactions in criminally derived property.^[34]
• On June 7, 2024, two individuals were sentenced to seven years and three months in prison for submitting $15 million in fraudulent PPP loan applications. These applications included inflated data on four businesses owned by one of the conspirators, such as a higher number of employees and increased average payroll amounts. Approximately $7 million was disbursed through these applications, which was used by the individuals to purchase various luxury items for personal use. Furthermore, one individual also transferred a portion of the loan proceeds to family members to hide the scheme.^[35]
• On May 22, 2024, a federal grand jury issued a superseding indictment against a California man to include crimes committed through PPP and EIDL loan applications. In his applications, the individual claimed over $4 million in revenue and more than 60 employees for Life Fleet Inc., a fictitious company with no operations. He allegedly received approximately $319,800 in funding from the SBA, which was used for personal purchases. Separately, this individual was indicated on a series of tax evasion and filing false income tax return charges before further investigation discovered this manipulation of the PPP and EIDL loan application process.^[36]
• In March 2024, the Federal Trade Commission (“FTC”) announced that Biz2Credit and Womply, two US-based fintech companies, had agreed to pay $59 million to settle charges associated with PPP loan applications. The FTC alleged that Biz2Credit and Womply “made false promises to small businesses seeking to take part in the PPP, delaying and sometimes preventing them from obtaining funds” needed during the pandemic. The FTC says the $59 million total payment is the “largest damages amount ever secured by the agency under Section 19 of the FTC Act.”^[37]
• In March 2024, the leader of a wide-ranging COVID-19 fraud scheme was sentenced in a Seattle District Court for wire fraud and money laundering. Five other co-defendants also entered guilty pleas for their participation in the scheme. Based on records from the case, the leader personally submitted over 125 fraudulent applications to the US Department of Treasury’s Emergency Rental Assistance Program, PPP Program, COVID-19 EIDL Program, and CARES Act unemployment benefit program. Along with her co-defendants and other enlisted associates, the leader sought to raise more than $3.3 million by posing as fake tenants, landlords, and small business owners. To submit these applications, bank statements were falsified along with tenant ledgers and landlord attestations. The proceeds from the various applications were laundered through cash withdrawal, wire transfers, and luxury purchases. In this case, a plea agreement was reached, requiring the leader to pay restitution of $2,791,241 to the US Department of the Treasury and $512,730 to the SBA. The defendant will also forfeit $2,023,104 in proceeds from the scheme along with two luxury vehicles. The co-defendants are facing various amounts of prison time for their involvement.^[38]
• In February 2024, three individuals were sentenced for fraudulently obtaining and misusing PPP loans. Based on evidence presented during trial and supporting court documentation in federal court, the three conspirators obtained PPP loans in both 2020 and 2021 through fabricated businesses. The defendants falsified information and submitted fake documents to financial institutions to obtain around $3.5 million in funding.^[39] One defendant, who used the stolen funds to purchase jewelry and pay off credit card bills, was convicted by a federal jury of bank fraud. The other two entered guilty pleas to bank fraud.^[40]
• In February 2024, six Houston-area men were sentenced for conspiracy to fraudulently obtain over $20 million in PPP loans. According to court documents, the individuals conspired to obtain the loans by supplying false information related to their businesses on their PPP loan applications. This information included the falsification of the number of employees and average monthly payroll expenses. The applications also included fraudulent bank records and fake federal tax forms. After receiving the proceeds, the conspirators laundered a portion by writing checks to nonexistent employees, which were then cashed at specific check cashing businesses.^[41]

What’s on the Horizon

As the DOJ and other agencies continue to investigate and prosecute alleged fraud stemming from the COVID-19 loan programs, they will likely continue to become more sophisticated in their investigations and rely on data analytics and other potential fraud indicators to identify wrongdoing. While banks and fintechs relied heavily on self-certifications when approving loan applications, if there were blatant red flags or fraud indicators missed, these entities may also be subject to investigations and penalties. For banks and fintechs subject to these investigations, it is important to verify the effectiveness of identity verification programs and fraud prevention controls to support compliance with SBA requirements.

For businesses that received COVID-19 loan funds, it continues to be important to maintain and retain supporting documentation related to the initial loan application, usage of funds, and, specifically in the case of PPP, loan forgiveness. The loan agreements for both PPP and EIDL included certain loan covenants related to the segregation of loan funds, requirements related to the usage of the funds, and documentation to be maintained. They also provided certain stipulations on the business, for example, related to owner draws and usage of the assets of the businesses.

To prepare for a potential audit related to PPP or EIDL loans, it’s important for businesses to compile and maintain documentation related to loan application and the use of the loan itself. Examples of documentation that borrowers should generally retain include:

• Copies of PPP or EIDL applications including backup calculations related to number of employees and employee compensation,
• Copies of PPP forgiveness application, including all backup calculations and documentation that support qualification for forgiveness,
• Internal documentation and communications related to the determination of loan necessity and plans for use of the funds (e.g. emails, memos, transcripts),
• Financial records that display the company’s access or lack of access to other forms of capital,
• Copies of all mortgage statements, leases, utility, or any other non-payroll costs that were submitted for forgiveness (under the PPP program),
• Documentation related to all non-cash payroll compensation costs, such as employer contributions to health insurance, retirement plans, and state / local taxes,
• All documentation related to the communications with the PPP / EIDL lender, and
• Any other documentation that could further explain why the loan was needed and how the loan was used.

Since the statute of limitations was extended, businesses should retain documentation for a long enough period to cover potential government audits or investigations that may arise. Businesses should consider also including communications related to the COVID-19 loans that may support other official business documentation.

Conclusion

Like other types of inquiries or potential investigations from government enforcement agencies, businesses and individuals should consider hiring counsel to guide them through the nuances of a government investigation. While the DOJ has been vocal regarding the advantages of self-reporting potential fraud or improprieties and cooperating with their investigations, individual businesses need to evaluate the risks and rewards of doing so depending on their individual circumstances.

Forensic accountants play a critical role in supporting businesses, individuals, and lenders, along with their counsel, when faced with a government audit, investigation, or potential enforcement action. They have the expertise and training to perform complex financial analysis, large scale document review and data analysis, and fund tracing between multiple accounts and entities. Forensic accountants are also typically experienced in providing expert testimony and delivering presentations to enforcement agencies. For lenders in particular, forensic accountants are uniquely positioned to provide support due to the intersection between anti-money laundering systems and compliance with the nuanced requirements related to approval and distribution of Covid-19 loan funds.

Acknowledgements

We would like to thank our colleagues, Amy Yurish and Nicole McTernan, for providing insights and expertise that greatly assisted this research.