Can BSA/AML Requirements Lead to Deemed Knowledge of Borrower Fraud?
The first two weeks of August brought a milestone of sorts in the ongoing recovery from the economic downturn brought on by the COVID-19 pandemic. The Paycheck Protection Program (“PPP”) ended its enrollment period on August 8, 2020 and the window for borrowers to apply to have their PPP loans forgiven opened on August 10, 2020.
The PPP was a centerpiece of the over $2 trillion Coronavirus Aid, Relief and Economic Security Act (“CARES Act”) that, according to a study by the Massachusetts Institute of Technology published on July 22, 2020, had to that point saved between 1.4 and 3.2 million jobs. Less formally observed but possibly more widely agreed, the PPP caused at least as many headaches with its rocky initial rollout and the ongoing uncertainty over applicable loan forgiveness standards. But, whereas implementing the PPP poses challenges to lenders now, due to the rampant fraud in the program (which, along with all COVID-19-related enforcement actions and policy statements, we track here) and its funding mechanics, it creates substantial downstream enforcement risk through the False Claims Act (“FCA”) for participating financial institutions.
Numerous districts already have charged borrowers with PPP-related fraud. To date, cases generally involve one of these scenarios:
- Borrowers submitted fraudulent loan applications and supporting documents to seek PPP funds for businesses that either already had failed pre-pandemic or that they did not actually own.
- Borrowers lied about the amount, or even the existence, of employees and payroll. These schemes involve inflated numbers of employees for companies, or even completely fake companies.
- Borrowers certified that they would use loan funds to support payroll expenses or other allowable expenses, but in fact used all or most loan funds to pay personal and non-business expenses.
The prosecutions to date have all centered on relatively obvious fraud by borrowers, not lenders. But wider-reaching investigations are occurring and, though we are very much at the beginning of the enforcement phase, the magnitude of fraud in these programs is coming into focus. On September 1, 2020, the House Select Committee on the Coronavirus Crisis released a preliminary analysis finding, among other things, that over $1 billion in fraudulent PPP loans were issued and identifying red flags with respect to an additional $2.98 billion in loans made to 11,000 borrowers.
And, as we discuss, the anti-money laundering (“AML”) requirements of lenders imposed under the Bank Secrecy Act (“BSA”) may expose lenders to greater risk under the FCA, which can impose civil liability for the reduced mental state of reckless disregard. Many lenders have extended PPP loans to previously-existing customers. This is a rational business decision, given typically lower business risks presented by existing customers and lower compliance costs, because existing customers do not need to provide beneficial ownership information under the Customer Due Diligence (“CDD”) rule of the BSA. However, because lenders also are required under the BSA to understand to a degree the historical and current activities of their customers, lenders may be deemed in future FCA actions to have “known” about red flags generated by fraudulent borrowers because of information obtained by the lenders properly executing their AML programs. That is, compliance with the BSA ironically may generate evidence for downstream FCA enforcement actions based on deemed “knowledge” by the lender of borrower malfeasance. This irony may be exacerbated by any disconnect in real time between the AML compliance staff at financial institutions and the front-line business people extending loans, particularly given the incredible speed with which institutions have extended PPP loans, at the government’s urging.
The point here is not that PPP lenders will face direct regulatory liability for alleged BSA/AML failures – although they may. Rather, the point is that PPP lenders may face enhanced FCA liability due to borrower information obtained through an entirely functional BSA/AML program. This phenomenon highlights the need for the “front” and “back” offices at lenders to communicate.
The PPP was introduced on March 27, 2020 through the CARES Act with an initial $349 billion in funding meant to provide small businesses the means to continue paying their employees when COVID-19 caused near universal societal shutdowns. After a run on the program depleted the funding pool within weeks of its opening, an additional $320 billion in funding was authorized in May 2020.
While the PPP is a program of the Small Business Administration (“SBA”), responsibility for administering it has fallen to participating financial institutions, which are charged with processing and evaluating loan applications, approving and making loans, disbursing or collecting loans and repayments and evaluating and approving forgiveness applications all subject to various certifications by both the borrower and lender.
Understanding the flow of funds through the PPP is vital to understanding the enforcement risk. Lenders are not directly distributing government funds. Rather, lenders make approved loans, which are 100% guaranteed by the SBA. The Final SBA Rule on implementation of the PPP provides: “[l]oans guaranteed under the Paycheck Protection Program (PPP) will be 100 percent guaranteed by SBA, and the full principal amount of the loans may qualify for loan forgiveness.” Therefore, participating banks do not stand to lose on making PPP loans. That is, if a borrower repays the loan, lenders recoup their money; if a borrower defaults, the SBA covers the debt; if a borrower qualifies for forgiveness, the SBA reimburses the lender the forgiven amount. It is no surprise then that, notwithstanding the murky (at best) standards and guidance, lenders of all stripes rushed to participate in the program. This also means that lenders of all stripes rushed to take on the risk of potential fraud-related enforcement.
Who Can Participate?
Under the CARES Act, SBA-certified lenders are delegated authority to originate loans through the PPP. Any federally-insured depository institution or credit union is also eligible to participate upon submission of a PPP Lender Agreement, SBA-Form 3506, as long as it is not designated in Troubled Condition by its primary federal regulator and is not subject to a formal enforcement action by its primary federal regulator. Finally, non-bank lenders are also eligible to act as PPP lenders upon submission of a PPP Lender Agreement (Non-Bank), SBA-Form 3507, if they meet certain size and operational requirements and, critically, agree to “[a]ppl[y] the requirements under the BSA as a federally regulated financial institution, or the BSA requirements of an equivalent federally regulated financial institution”; that is, agree to act as if they were subject to the BSA, including establishing AML compliance policies and filing Suspicious Activity Reports (“SARs”).
Of course, lenders are incentivized to participate in the PPP. In addition to guaranteeing all PPP loans, the SBA provides participating lenders with significant origination fees. According to Treasury-issued lender guidance, PPP lenders earn 5.0% on all loans of up to $350,000, 3.0% on loans between $350,000 and $2 million, and 1% on loans above $2 million. Though the analysis isn’t complete, as of July 2020, participating banks have earned over $25 billion in PPP origination fees, though many of the largest banks have pledged to reinvest those profits through charitable programs.
Who Did Participate?
With the lending period closing, the final statistics on the PPP are in from the Treasury Department and the numbers are enormous. 5,212,128 loans totaling $525,012,201,124 were made by 5,460 lenders. And the lenders were of all sizes. The largest class of lender participant in terms of number of lender-participants, loan quantity and total loan value is small lenders, those with less than $10 billion in assets. 5,338 small lenders originated 2,745,204 loans totaling $233,776,205,586. Eighty-eight medium lenders – those with between $10 and 50 billion in assets – originated 769,963 loans totaling $100,975,416,018. Thirty-four large lenders originated 1,696,961 loans totaling $190,260,579,519.
Treasury’s statistical summary gets far more granular, digging further into the lender type, loan sizes, recipient industries and loan totals by state and territory. However, the overarching point is a simple one – the PPP is a massive private lender-administered federal lending program.
FHA Analogue, and FCA Basics
In terms of both lending procedure and program size, the Federal Housing Administration (“FHA”) loan program provides a fair comparison to the PPP and a useful case-study for examining how the FCA may be utilized against PPP lenders.
Through its loan program, the FHA insures mortgages approved by qualified lenders for borrowers who might not otherwise qualify for a mortgage because of their risk profile. According to its FY 2020 Q1 report, in 2019, the FHA backed 1,114,232 total loans (776,347 purchase loans and 337,885 refinances) totaling approximately $245 billion. Through the FHA loan program, participating lenders apply to FHA for mortgage insurance. In the event a borrower defaults, the lender can submit a claim to the Department of Housing and Urban Development (“HUD”), FHA’s parent agency, for the losses resulting from the defaulted loan.
Prior to January 1, 2020 – when the FHA revised its lender certification due, in part, to the Department of Justice (“DOJ”) prioritizing FCA enforcement against FHA lenders – participating lenders were required to make numerous annual certifications to FHA regarding their implementation of the FHA loan program. Importantly, those certifications then (but no longer) included that “to the best of my knowledge and after conducting a reasonable investigation, during the Certification Period the Mortgagee does now, and did at all times throughout the Certification Period, comply with all HUD regulations and requirements necessary to maintain the Mortgagee’s FHA approval.” Additionally, in submitting insurance claims, lenders were required to certify that they complied with all originating, processing and underwriting requirements.
Finding that “lenders were originating loans insured by the FHA that the lenders knew were not eligible for such insurance,” the DOJ in 2012 began utilizing the FCA – among other enforcement tools – to investigate and sue lenders that submitted insurance claims for defaulted loans that didn’t meet FHA underwriting criteria. The FCA establishes liability when a person “knowingly presents or causes to be presented a false claim for payment or approval” or “knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim.” In turn, “knowingly” means the person “has actual knowledge of the information; acts in deliberate ignorance of the truth or falsity of the information; or acts in reckless disregard of the truth or falsity of the information.”
In its own statement of its former FHA/FCA enforcement policy, the DOJ explained that (i) the FCA “requires more than mere negligence or a simple mistake to hold a person liable”; and (ii) “insignificant violations that have no effect on a person’s entitlement to the payment of a claim also do not give rise to liability.” Therefore, “a lender that tries to adhere to FHA requirements and makes an immaterial error, or otherwise acts in good faith, will not be subject to liability under the False Claims Act.”
What did lead to liability, then? Knowingly submitting claims while “[f]ailing to verify a borrower’s employment, assets, or credit in accordance with FHA’s requirements; materially overstating a borrower’s income, assets, or willingness to repay the mortgage loan; materially understating a borrower’s liabilities or ability to repay the mortgage loans; and failing to ensure the property provides adequate collateral for the mortgage loan.” In other words, where lenders certified loans knowing, deliberately ignoring or recklessly disregarding that the borrower did not qualify, the DOJ considered them to have submitted a false claim under the FCA and pursued enforcement actions. Doing so, DOJ has recovered almost $10 billion from lenders since 2009.
The key here – particularly as we turn to the BSA – is that the government and private plaintiffs can establish FCA liability not just on the basis of actual knowledge, but also reckless disregard of facts. Of course, the BSA requires financial institutions to learn facts about their customers.
The PPP and BSA/AML Risks
Lenders could face similar FCA enforcement participating in the PPP. Like in the FHA context, to participate in the PPP lenders must make numerous certifications. Lenders are explicitly required to follow their existing BSA/AML protocols and, if a non-bank lender, to establish BSA/AML protocols. While lenders are not required to verify beneficial ownership for existing customers, they must do so for new customers – a significant pool of PPP loan recipients. Additionally, PPP lenders must certify that “[t]he lender has complied with the applicable lender obligations set forth in paragraphs 3.b(i)-(iii) of the Paycheck Protection Program Rule”; and “has obtained and reviewed the required application (including documents demonstrating qualifying payroll amounts) of the Applicant and will retain copies of such documents.” The Rule requires lenders to “[c]onfirm receipt of borrower certifications contained in Paycheck Protection Program Application form issued by the Administration; [c]onfirm receipt of information demonstrating that a borrower had employees for whom the borrower paid salaries and payroll taxes on or around February 15, 2020; [and c]onfirm the dollar amount of average monthly payroll costs for the preceding calendar year by reviewing the payroll documentation submitted with the borrower’s application.”
In summary, the Rule requires lenders to appropriately screen PPP borrowers employing sufficient BSA/AML protocols and to verify the fundamental payroll criteria for each borrower.
However, the Rule creates some uncertainty about the scope of compliance requirements and potential enforcement. It provides that “[t]he lender does not need to conduct any verification if the borrower submits documentation supporting its request for loan forgiveness and attests that it has accurately verified the payment for eligible costs.” Further, “[t]he Administrator will hold harmless any lender that relies on such borrower documents and attestation from a borrower.” In other words, lenders are entitled to rely on borrower certifications in approving loans and forgiveness applications. But, critically, this safe-harbor applies only to the SBA. There is nothing in the Rule, the CARES Act or any applicable regulations protecting lenders from enforcement by agencies other than the SBA – including, notably, the DOJ, the Office of the Comptroller of the Currency, or private plaintiffs. For this reason, the SBA lender safe-harbor may have created a significant sense of false security. From a BSA/AML perspective, the key question remains: even in light of the stated ability of lenders to rely on borrower certifications, how much due diligence is required when reviewing borrowers’ certifications for loans and loan forgiveness?
As DOJ made clear in the FHA loan context, a lender can be subject to FCA liability for knowing, being deliberately indifferent to or recklessly disregarding that a borrower failed to meet loan eligibility requirements. The SBA Rule does nothing to change these standards, which are the statutory standards for FCA liability not subject to limitation or revision by a federal agency. Accordingly, notwithstanding the SBA Rule, lenders still can face FCA liability in the PPP context if they approve PPP loans or forgiveness applications knowing, being deliberately indifferent to or recklessly disregarding that a borrower failed to meet the PPP underwriting criteria, including the payroll figures, number of employees, use of funds and the necessity requirement. And here is where lenders’ BSA/AML compliance duties intersect with the PPP and FCA.
The Financial Crimes Enforcement Network (“FINCEN”) issued FAQs in April 2020 on PPP lending, noting that covered financial institutions do not need to re-verify beneficial ownership information for existing legal entity customers under the CDD rule when extending PPP loans. This generally has encouraged lenders to stick with existing customers, which is logical. But focusing on existing customers may have consequences under the FCA, given lenders’ ongoing BSA/AML obligations regarding those customers and information previously gathered.
Every PPP lender is charged with maintaining and implementing adequate BSA/AML policies, including performing customer due diligence, KYC for new customers, sufficient, risk-based transaction monitoring, and suspicious activity reporting. With respect to existing customers, lenders are necessarily in actual possession of historical (and future) customer information that might contradict information submitted in conjunction with a PPP application for a loan or for loan forgiveness. For example, if a borrower has maintained its payroll account over time at its PPP lender, what is the degree of review that the lender has to perform regarding that account before it approves the borrower’s assertions – both regarding past payroll, and going forward? What if there are discrepancies? What will constitute acceptable administrative error, and what will be deemed by the government or private FCA plaintiffs downstream to represent reckless indifference to “red flags” regarding the representations of borrowers and their actual known business activity?
Accordingly, the PPP creates a potential compliance minefield for lenders: they were encouraged to process loans with unprecedented speed while still obligated to comply with fraud detection requirements under the BSA that might result in a lender possessing information, gathered collectively as an institution, that arguably calls into question the lender’s decision to approve fraudulent loans or forgiveness applications, particularly as to previously existing customers.