Shoring Up BSA Operations to Mitigate Post-Funding PPP Risks

COVID-19 has created a global “playground” for fraudsters and has the potential to result in mass-scale fraud. The general population is anxious and vulnerable, businesses are closed, governments are moving trillions of dollars through the financial system to combat the pandemic, and financial institutions are tightening their lending standards, making it increasingly difficult to procure necessary business materials. 

The Coronavirus Aid, Relief, and Economic Security (CARES) Act is one of the ways in which the U.S. government is trying to mitigate the economic fallout from the pandemic. The CARES Act includes the Paycheck Protection Program (PPP), which provides a fast way for the U.S. government to provide small businesses with the cash flow they desperately need in the form of forgivable loans from financial institutions (FIs). Criminals have already begun to target this program to exploit its well-intentioned yet vulnerable design. For example, in Rhode Island, two men were charged on allegations that they tried to fraudulently obtain over half a million dollars in PPP loans, and in Texas, an engineer has been charged with allegedly filing fraudulent bank loan applications seeking more than $10 million in forgivable loans. Unfortunately, we expect to see many more cases like these in the near future.

Recognizing the need for immediate relief in the current financial environment, FIs are disbursing loans without the benefit of their standard predistribution fraud prevention and detection controls. An FI’s ability to detect fraud is as critical as ever, particularly in light of the enhanced regulatory and government oversight scrutiny afforded to the distribution of these funds. Here, we will discuss ways that FIs can protect themselves and meet these obligations following their distribution of the PPP funds.

Brief Overview of the Paycheck Protection Program and the Role of Financial Institutions

As part of the $2 trillion aid package unveiled in the CARES Act, an initial $349 billion was dedicated to the PPP, which offers federal guaranteed loans to small businesses to cover payroll and other essential costs.

Scope of the PPP

The PPP was created to address small-business concerns (as defined in Section 3 of the Small Business Act, 15 U.S.C. 632) and employers with 500 employees or fewer — this includes sole proprietorships, independent contractors, the self-employed, private nonprofits, and 501(c)(19) veterans’ organizations.

Eligible companies must have been in business as of Feb. 15, 2020, and demonstrate their need to “support ongoing operations” because of the current economic uncertainty. Furthermore, per Small Business Administration (SBA) guidance issued on April 2, 2020, to qualify for forgiveness, at least 75% of loans received must be spent on payroll (as defined below). Applicants are limited to one PPP loan, and each loan will be registered under a Taxpayer Identification Number (TIN) at the SBA to prevent multiple loans to the same entity.

Modified BSA Requirements for PPP Loans

Under regular circumstances, BSA requirements would include a refresh of Know Your Customer (KYC) information and customer due diligence (CDD) on potential borrowers opening a new lending account. According to the Financial Crimes Enforcement Network (FinCEN) Guidance’s PPP Frequently Asked Questions, however, if the PPP loan is made to an existing customer and the necessary information was previously verified, lending FIs do not need to reverify this information. Furthermore, if federally insured depository institutions and credit unions eligible to participate in the PPP have not yet collected beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those borrower customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.

For new customers, the lender’s collection of beneficial ownership information from all natural persons with a 20% or greater ownership stake in the applicant business will be deemed to satisfy applicable BSA requirements and FinCEN regulations. This includes the collection of the owner’s name, title, ownership percentage, TIN, address, and date of birth. If any ownership interest of 20% or greater in the applicant business belongs to a business or other legal entity, lenders will need to collect appropriate beneficial ownership information for that entity. 

Government Oversight

In addition to funding the PPP, the CARES Act also created and funded oversight authorities to prevent fraudulent activity. Specifically, the CARES Act created the Pandemic Response Accountability Committee and a Special Inspector General for Pandemic Recovery. This is in addition to the Government Accountability Office and the inspectors general of each department within the federal government. Demonstrating the seriousness with which the government will approach oversight of the CARES Act programs, Treasury Secretary Steven Mnuchin told the media that the government will perform a full audit on any company that borrowed more than $2 million, and that sampling would be performed on companies borrowing smaller amounts.

Detecting Fraud Post-Loan Distribution

Despite modified BSA requirements, FIs still have an ongoing obligation to monitor post-loan distribution activity for potential fraud and suspicious activity. A high-level, risk-based assessment of the FI’s existing internal controls is recommended to ensure that potential fraud schemes and other potential suspicious activity with a nexus to PPP loans is covered. The most effective options for detection include risk-based internal controls such as (1) transaction monitoring (TM) rules tailored to identify fraudulent and suspicious behavior related to PPP; (2) identification of KYC trigger events related to distribution of PPP loans; (3) documented procedures for loan origination and forgiveness; and (4) back-end testing to ensure proper implementation of procedures through targeted internal audits. 

Ongoing Transaction Monitoring

TM can provide important insight into changes in the borrower’s behavior. Detection of potential fraud and suspicious behavior depends on the FI’s TM rule typologies and whether the rules are appropriately designed to detect fraud specifically related to PPP loans. Clients’ behavior during the pandemic may vary drastically from their behavior before the pandemic. For example, activity reflecting clients’ receipt of PPP funds and subsequent distribution of those funds to employees for payroll may trigger an alert based on rapid movement of funds, even though, because of the current environment, the activity is unlikely to be suspicious. Similarly, FIs could miss red flags on what would otherwise be considered normal activity, e.g., a cash-intensive business such as a restaurant that has continued to make cash deposits at the same rate as before the pandemic. FIs can enhance their ability to identify and prevent fraud by refreshing their TM models to account for such changes.

1. Risk-Based Fraud Typologies related to PPP Loans

The primary way for an FI to detect potential fraud and suspicious activity is to know its customer, including expected transaction activity and behavior. In this COVID-19 environment, FIs will most likely observe a change in the baseline behavior of their customers, especially their small-business customers. In the pandemic economy, small-business customers’ transactions — especially depository activity — are expected to drop off significantly and payroll may be suspended for many or most of their employees. After the FI disburses PPP loan funds to its small-business customers, the customers’ baseline activity related to payroll should revert to prepandemic activity. If this reversion is not observed, the use of the PPP loan funds could be considered fraudulent or suspicious activity.

Other red flags include: increase in depository activity without a corresponding increase in payments for vendors, such as inventory suppliers; high volume of transactions with new third parties (as opposed to previously used third-party vendors); PPP funds deposited into an account and then shortly thereafter wired offshore; PPP funds transferred or journaled to unrelated accounts or personal accounts; and increased withdrawal activity from ATMs.  

Certain TM rule typologies are more effective than others in detecting changes in a customer’s behavior and other red flags of potential fraud and potential suspicious activity. At a minimum, FIs should ensure that their TM rules cover the following: 

  • Velocity/rapid movement of funds/flow-through-funds rules (detect funds transferred in and then out in a short period of time and flow-through of funds to third parties)
  • Change-in-behavior rules (detect customer transaction activity and behavior changes based on a baseline established by the FI) 
  • Fund transfers to high-risk jurisdictions/offshore rules (detect wires or other fund transfers to jurisdictions of money laundering concern, tax havens, and other high-risk offshore locations) 
  • Excessive ATM withdrawal rules (detect ATM withdrawals over a baseline threshold established by the FI)
  • Targeted TM rules (detect flagged customers or specifically flagged activity)

One option to target potentially fraudulent activity within PPP loan customer accounts could include flagging all accounts of customers with PPP loans to more closely monitor the transactions in and out of those accounts. Analysts should be instructed to look for the red flags discussed above and any other indicia that the customer is using PPP loan funds for prohibited purposes, such as paying employees who earn over $100,000 annually and/or for the payment of taxes, during their review of these flagged accounts.

Another option would be to flag small-business customers with PPP loans in a COVID-19-related industry, such as medical suppliers. In reviewing these flagged accounts, analysts should be instructed to scrutinize payments to the customer’s vendors, or lack thereof, to ensure that PPP loans are used properly.
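As an added illustration of how the red flags and TM rule typologies above translate into detection logic, the following Python is example code written for this discussion; it is not the article’s or any vendor’s monitoring engine. It runs four of the listed rule types (rapid movement of a PPP disbursement to non-payroll counterparties, wires to high-risk jurisdictions, ATM withdrawals above a baseline, and payroll failing to revert toward its pre-pandemic baseline after disbursement) over a constructed set of transactions for two flagged PPP accounts. The jurisdiction list, baselines, thresholds and windows are assumptions an FI would set under its own risk-based approach, not values from the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Placeholder set of high-risk jurisdictions (assumption; an FI would use its own list).
HIGH_RISK_COUNTRIES = {"XX", "YY"}


@dataclass
class Txn:
    account: str
    day: date
    amount: float        # positive = credit to the account, negative = debit
    kind: str            # "ppp_disbursement", "payroll", "wire_out", "transfer_out", "atm", "deposit"
    counterparty: str = ""
    country: str = "US"  # destination country for outbound wires


@dataclass
class Baseline:
    monthly_payroll: float  # pre-pandemic payroll outflow per month (from the FI's KYC profile)
    daily_atm: float        # typical ATM withdrawal total per day


def by_account(txns):
    groups = defaultdict(list)
    for t in txns:
        groups[t.account].append(t)
    return groups


def rule_rapid_movement(txns, window_days=3, ratio=0.5):
    """Flag a PPP disbursement when at least `ratio` of it leaves to non-payroll
    counterparties within `window_days` (velocity / flow-through typology)."""
    alerts = []
    for acct, ts in by_account(txns).items():
        for d in (t for t in ts if t.kind == "ppp_disbursement"):
            end = d.day + timedelta(days=window_days)
            out = sum(-t.amount for t in ts
                      if t.amount < 0 and t.kind != "payroll" and d.day <= t.day <= end)
            if out >= ratio * d.amount:
                alerts.append(("rapid_movement", acct, round(out, 2)))
    return alerts


def rule_offshore(txns, high_risk=HIGH_RISK_COUNTRIES):
    """Flag outbound wires to jurisdictions on the FI's high-risk list."""
    return [("offshore_transfer", t.account, t.country)
            for t in txns if t.kind == "wire_out" and t.country in high_risk]


def rule_excessive_atm(txns, baselines, multiplier=3.0):
    """Flag any day whose ATM withdrawals exceed `multiplier` times the account's daily baseline."""
    alerts = []
    for acct, ts in by_account(txns).items():
        daily = defaultdict(float)
        for t in ts:
            if t.kind == "atm":
                daily[t.day] += -t.amount
        for day, total in sorted(daily.items()):
            if total > multiplier * baselines[acct].daily_atm:
                alerts.append(("excessive_atm", acct, round(total, 2)))
    return alerts


def rule_payroll_not_resumed(txns, baselines, days=30, tolerance=0.5):
    """Change-in-behavior typology: after a PPP disbursement, payroll should move back
    toward the pre-pandemic baseline. Flag accounts whose payroll in the following
    `days` stays below `tolerance` times the monthly baseline."""
    alerts = []
    for acct, ts in by_account(txns).items():
        for d in (t for t in ts if t.kind == "ppp_disbursement"):
            end = d.day + timedelta(days=days)
            paid = sum(-t.amount for t in ts
                       if t.kind == "payroll" and d.day <= t.day <= end)
            if paid < tolerance * baselines[acct].monthly_payroll:
                alerts.append(("payroll_not_resumed", acct, round(paid, 2)))
    return alerts


def run_rules(txns, baselines):
    """Run every rule over the flagged PPP accounts and return (rule, account, detail) tuples."""
    return (rule_rapid_movement(txns) + rule_offshore(txns)
            + rule_excessive_atm(txns, baselines) + rule_payroll_not_resumed(txns, baselines))


# Constructed sample data: ACCT-A uses the funds for payroll; ACCT-B shows several red flags.
BASELINES = {
    "ACCT-A": Baseline(monthly_payroll=40000.0, daily_atm=300.0),
    "ACCT-B": Baseline(monthly_payroll=40000.0, daily_atm=300.0),
}
SAMPLE = [
    Txn("ACCT-A", date(2020, 4, 10), 100000.0, "ppp_disbursement", "PPP lender"),
    Txn("ACCT-A", date(2020, 4, 15), -20000.0, "payroll", "payroll processor"),
    Txn("ACCT-A", date(2020, 4, 20), -5000.0, "transfer_out", "inventory supplier"),
    Txn("ACCT-A", date(2020, 4, 30), -20000.0, "payroll", "payroll processor"),
    Txn("ACCT-B", date(2020, 4, 10), 100000.0, "ppp_disbursement", "PPP lender"),
    Txn("ACCT-B", date(2020, 4, 11), -60000.0, "wire_out", "unknown beneficiary", country="XX"),
    Txn("ACCT-B", date(2020, 4, 12), -900.0, "atm"),
    Txn("ACCT-B", date(2020, 4, 12), -900.0, "atm"),
    Txn("ACCT-B", date(2020, 4, 20), -5000.0, "payroll", "payroll processor"),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE, BASELINES):
        print(alert)
```

Run as written, ACCT-A produces no alerts (its outflows are payroll at roughly the pre-pandemic rate), while ACCT-B trips all four rules. The payroll rule is the one most specific to PPP: it encodes the expectation from the text that payroll activity should revert toward baseline after disbursement, so an analyst reviewing the flagged account sees the absence of expected activity, not just unusual activity.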

2. Training for FI Analysts and Investigations

In addition to ensuring that compliance staff and internal audit staff have the requisite skills and experience to detect fraudulent behavior, FIs are encouraged to strengthen their internal education on current fraud trends and schemes. Additionally, training should be conducted on refreshed and/or new TM rules implemented to detect fraud as part of the PPP loan distribution, and on any steps the FI takes to refresh its other controls. 

KYC Trigger Events 

The U.S. Treasury Department and FinCEN’s CDD Rule require FIs to maintain and update customer and beneficial owner information on a risk basis. Specifically, FinCEN Guidance instructs that, absent a risk-related trigger or event, collecting or updating of beneficial ownership information is at the discretion of the covered FI. In the context of PPP loan disbursement, FinCEN instructed FIs that the issuance of a PPP loan to an existing customer is not considered an opening of a new account, as it might normally be in a situation where a customer was opening a loan account. The Guidance, however, did not remove the FI’s obligation to update customer and beneficial ownership information based on a trigger event.

Examples of triggering events in connection with issuing a loan, such as a PPP loan, include a change in ownership structure, account type, customer risk rating (to a higher risk), transaction activity, or responsibility (i.e., a change in control person). In particular, a change in transaction activity, such as a change in behavior detected by one of the TM typologies noted above, is a trigger event that FIs should treat as the first step toward a CDD refresh on the customer and its beneficial owners.

Documented Policies and Procedures

The importance of documented policies and procedures cannot be overstated. These policies and procedures should reflect all the FI’s processes related to loan origination and forgiveness. Documented loan procedures assist with fraud detection and prevention by providing FIs a clear road map of eligible borrowers, prohibited uses of funds, and triggers for when a loan is no longer forgivable.

Back-End Testing Through Targeted Internal Audits

Internal controls are critical to the detection and prevention of fraud, and the function of internal audit is to monitor and evaluate internal controls to ensure their effectiveness. FIs depend on this third line of defense, internal audit, to identify and evaluate the highest risks to the institution.

In the context of disbursements of PPP loan funds by FIs, the internal audit function could prove to be especially important in ferreting out associated potential fraud and money laundering and terrorist financing risks by back-end testing the FI’s internal controls related to the distribution of PPP loans, such as the FI’s loan origination and forgiveness procedures. In particular, a targeted internal audit of just the institution’s role in the disbursement of PPP loan funds, and on PPP borrowers, is recommended.


With the U.S. Department of Justice already reaching out to 15 to 20 of the biggest loan processors for PPP funds based on its discovery of potential fraud among companies seeking relief through the PPP, it is imperative that FIs protect themselves against malevolent customers, rogue employees, and fraudulent transaction activity. FIs may also face enhanced scrutiny by various governmental and regulatory oversight functions over the distribution of funds associated with the PPP. Robust internal controls tailored to the fraud risk that PPP loans present are a financial institution’s best protection against both fraudsters and regulators in this politically charged pandemic environment.  
