PPP loans and fraud – the red flags that could have been spotted

Amanda DuPont

Approximately $800 billion went out in the CARES Act’s Paycheck Protection Program (PPP), providing nearly 12 million loans between April 2020 and May 2021 to U.S. businesses. These loans are all potentially fully “forgivable,” so calling them loans is not exactly accurate. Approximately 5,500 lenders — made up of financial institutions, fintechs, and commercial lenders of all sizes — shared in submitting PPP loan applications and were paid guaranteed loan processing fees for doing so. 

All told the average loan size was just under $68,000, and the guaranteed payments to lenders for processing these loans were already at $19 billion as of June 2020. Now that the forgiveness process on these loans is just starting, it seems like a perfect time to ask, “What key learnings are there so far?”

Political math

In October 2020, after the first roughly $525 billion of the program had been exhausted, I wrote about how $4 billion of the PPP loan program had been already flagged as having early fraud indicators. 

My takeaway was the PPP loan program agreed to take the bad with the good to get fast funding out the door and help U.S. businesses in an unprecedented economic shutdown caused by a global pandemic. But I thought it worthwhile to ask whether technology tools were being leveraged anywhere — from the government to the lenders — to help stop the fraud and to spot red flags on the applications. 

Looking to public records could help confirm applicants were not on the government debarred lists, were not currently in bankruptcy, and were actually in business, to name a few obvious ways the technology could be used. I essentially asked, “Weren’t there easy ways to spot fraud in this live experiment of fast business funding? If government money was being leveraged, what were the safeguards to thwart the fraud?

It is worth noting that catching fraud on the back end, after funding was distributed, was always part of the government’s calculation. The political math used in the first rounds of PPP funding in the late spring/summer of 2020 went like this:

  • Put as little friction and as few steps for verifying PPP loan applications on the front end to process these loans as fast as possible and get money into the hands of the businesses needing immediate help. 
  • Require business owners to self-certify that their applications are truthful. 
  • Attempt to make the applications fair to everyone applying. 
  • Invite financially innovative types of business (fintech's) into the process in addition to traditional banks and credit unions to help provide technology options for processing these applications quickly and supporting the unbanked. 
  • Perform spot checks and audits. 

It quickly became apparent, however, that some more serious fraud checking was needed. By the third and final PPP round of funding in early 2021, a list of red flag checks was added to the process. The Small Business Administration’s Procedural Notice dated Febuary 10, 2021, laid out the changes.

Round three changes 

Under the CARES Act, PPP lenders were delegated authority to make and approve PPP loans without prior Small Business Administration (SBA) review. All First Draw PPP Loans made in 2020 were later individually screened by an automated tool. The automated tool compared First Draw PPP Loan data against publicly available information and applied eligibility and fraud detection rules to identify anomalies and attributes that may indicate noncompliance with eligibility requirements, fraud, or abuse. 

Additionally, after issuance of the SBA loan number, SBA performed data analytics on the 2020 First Draw PPP Loan portfolio, including reviewing information from the Department of Treasury Do Not Pay lists and other analyses. The automated tool screening, data analysis, and other analyses resulted in the issuance of Hold Codes on certain 2020 First Draw PPP Loans. 

In 2021, before issuing SBA loan numbers to applicants, SBA began conducting front-end compliance checks on lender loan guaranty applications for new First Draw PPP Loans and Second Draw PPP Loans, using a modified version of the automated screening tool and information from the Department of Treasury Do Not Pay lists.

So, what was finally getting flagged? Below is a list of the reason codes tied to flagged 2021 PPP loan submissions, covering everything from checks for fraud-based recent criminal records to no verification the business exists. If flagged, the applicant had to submit evidence the flag was not correct. 

  • Criminal Record – fraud based in last 5 years
  • Current Bankruptcy – Bankruptcy identified in public records 
  • Potential Decedent Applicant 
  • Inactive Business 
  • Mismatch of TIN (Tax Identification Number) (EIN/SSN) 
  • Mismatch of Entity Name (Individual or Company) 
  • Business Shows in Operation After February 15, 2020 
  • Potential Ineligible Business Size 
  • Many Employees at Residential Business Address 
  • Employee Count Threshold Exceeded
  • Business Address is Currently Vacant 
  • Business tied to Marijuana/Cannabis Sales 
  • Business/Subject matches to Debarred Business 
  • Business/Subject Defaulted on an SBA loan in the last 7 years 
  • Business/Subject matches to Department of Labor (DOL) Office of Federal Compliance Program (OFCCP) Violations 
  • Unauthorized business NAICS (North American Industry Classification System) codes NAICS 522 – Credit Intermediation 
  • Unauthorized business NAICS codes Payday Lender 
  • Potential Affiliation Issue to another applicant business
  • Data Anomaly Issue 
  • Research Duplicate 9 Digit Tax ID Issue 
  • SBA – Potential Affiliation Issue 
  • Unauthorized Business – Foreign Country-related entities 
  • Unauthorized Business – State or Local Government 
  • Unauthorized Business – Eligibility / Lobbying 

Anecdotally, lenders appeared much busier doing submission work in this round than in previous rounds, having to actually collect additional information to submit loans that were not immediately going through.

But the ability to see these types of flags existed in technology solutions and public record providers at the start of the PPP loan program. The solutions existed for the lenders too. Automation options easily process large volumes of data. So, what do we do next time – should we ever be faced with a comparable situation? What if we make sure we have the architecture in place for both lenders and the government to do fraud checks at the application stage – much like the processes added to the last round of PPP loans in 2021. Technology like Thomson Reuters CLEAR exists today to flag this information in public records tied to a company or business owner. Lesson learned.

About the author

Amanda DuPont has more than 22 years of professional experience in the legal industry and is a highly experienced investigative researcher and speaker. She is a CAM-certified licensed attorney and practiced law in Minneapolis for more than 8 years where she represented businesses in all types of legal advising roles — from class action litigation work to contracts and negotiations.

Amanda joined Thomson Reuters in 2006 and has held roles throughout the business. Since 2010, Amanda has worked exclusively in the Thomson Reuters public records solutions. In her current role as Public Records Product Specialist, Amanda works closely with both corporate commercial customers as well as the Thomson Reuters New Product Development team to help develop innovative solutions in the public records arena, including Thomson Reuters flagship product CLEAR.

She also consults on automation solutions with our customers including working with partner software vendors interested in building API connections into CLEAR. Amanda holds a B.A. from the University of Wisconsin-Madison and a J.D. from Mitchell Hamline School of Law.

Banking on better intelligence

Discover how to protect your organization from risk and increase the accuracy of your AML/KYC investigations while saving time and money