Paycheck Protection Program (PPP): Lender Risks & Mitigation Strategies

Paycheck Protection Program (PPP): Lender Risks & Mitigation Strategies

September 15, 2021

There is an immediate, urgent, and growing need for Paycheck Protection Program (PPP) lenders to understand, and likely mitigate, their risks related to PPP loans they originated. Specifically, PPP lenders should be proactive by:

  • Consulting with program experts to understand their PPP-related risks and potential downstream liability;
  • Hiring investigators to perform fraud- and misrepresentation-focused loan reviews on their entire PPP portfolio;
  • Performing independent Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) testing, specifically focused on assessing the adequacy of the policies, procedures, and controls that were in place when PPP loans were originated; and
  • Remediating and reporting, consistent with relevant rules and regulations, fraud and BSA/AML issues identified.

Taking this approach can greatly reduce a PPP lender’s potential liability associated with issues that are not self-identified or reported through a whistleblower, and can demonstrate a lender’s good faith attempting to comply with the applicable PPP laws, rules, and regulations.

PPP Lenders Held Harmless Clause is Not a Safe Harbor

Recent articles, studies, the Subcommittee on the Coronavirus Crisis, and other experts have highlighted that many PPP lenders originated a very high number of fraudulent and/or materially misrepresented loans. The reason, it seems, is that many PPP lenders relied on the PPP’s “lenders held harmless” clause to absolve them of all PPP fraud related liability, especially when they were bombarded with loan applications and ‘normal’ underwriting and BSA/AML obligations could not keep up with the volume of PPP loans being originated. Hence, required compliance, fraud prevention, and BSA/AML procedures that were explicitly required by PPP guidance simply may not have been performed—or, at least, not performed adequately.

This is not mere speculation, as evidenced by a recent article highlighting the prevalence of fraud in the PPP. The article quoted one PPP lender whose Chief Operations Officer stated, “We weren’t supposed to go around checking business registrations. The only reason you’d do that is if you believe you’ve been provided something that’s inaccurate.” But, this is a narrow interpretation of the PPP guidance since the program rules required lenders to:

  • Adhere to “BSA protocols when making PPP loans to either new or existing customers who are eligible borrowers under the PPP.”
  • “[P]rior to engaging in PPP lending activities, including making PPP loans to either new or existing customers who are eligible borrowers under the PPP, establish an [AML] compliance program equivalent to that of a comparable federally regulated institution.”
  • “[V]erify[]PPP borrowers’ identities (including e.g., date of birth, address, and taxpayer identification number), and, if that PPP borrower is a company, following any applicable beneficial ownership information collection requirements.”

Moreover, even if problematic PPP loans are not an issue, a PPP lender can nevertheless run afoul of the BSA/AML rules and regulations if they do not have an AML compliance program that is commensurate with their risk profile—especially if the BSA/AML program was put together hastily or inadequately.

This creates serious issues for a PPP lender, especially taking into consideration the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs guidance released in June 2020. It is abundantly clear from the regulations that the “lenders held harmless” clause only relates to SBA liability—and, specifically, indemnification (i.e., credit) liability—and not liability from banking regulators, the DOJ, the Special Inspector General for Pandemic Response (SIGPR), other government enforcement agencies, or an internal whistleblower.

To be sure, the PPP explicitly required PPP lenders to have a sufficient AML program in place, and follow commensurate customer identification procedures (CIP) and customer due diligence (CDD) procedures (among other things) to prevent, detect, and report suspected loan fraud and misrepresentation. Accordingly, while many lenders, especially those that originated a large number of higher-risk and/or fraudulent loans, believe that they may have been ‘off the hook’ from liability because of the “lenders held harmless” clause, it is becoming clear that regulators and legislators are acknowledging and beginning to focus on this issue.

Additionally, publicly available information from the SBA and SBA Office of Inspector General (OIG)’s indicates that these agencies have contracted hundreds of forensic accountants to perform detailed loan reviews of all PPP loans, specifically to identify loans that are fraudulent and/or contain material misrepresentations and/or are non-compliant, who are then referring their findings to the SBA’s OIG, SIGPR, DOJ, and other government enforcement agencies.

Indeed, articles have noted that some PPP lenders have already received subpoenas related to their PPP lending practices, and at least one major PPP lender has hired dozens of investigators to independently review the lender’s entire PPP portfolio to proactively identify potential fraud, misrepresentation, and non-compliance. More PPP lenders are sure to follow as government agencies identify lenders with a high number and/or proportion of “problematic” PPP loans.

Given the totality of the aforementioned dynamics, banking examiners will likely perform procedures specific to PPP lending as banks undergo their next BSA/AML regulatory examinations. Specifically, regulators are likely going to be looking at lenders’ PPP portfolios and examining what BSA/AML procedures were performed prior to origination, and whether appropriate CIP, CDD, and suspicious activity monitoring and reporting was performed. Especially for non-traditional lenders, including those that set up lending operations specifically for PPP, examiners will surely scrutinize their AML compliance programs for potential gaps.

To compound the situation, if systemic issues are identified by these government enforcement agencies, it could result in examination findings indicating a Matter Requiring Attention (MRA), Matter Requiring Immediate Attention (MRIA), Consent Order, civil monetary penalties, criminal liability, an O&D bar, or other consequences. Additionally, PPP lenders risk potential qui tam actions that may result in False Claims Act liability, or if it is ultimately determined that some of these PPP lenders lacked good faith, there could also be FIRREA implications—as we saw with the fallout of the Great Recession and the lending practices that led up to it.

Accordingly, PPP lenders should proactively identify and address potential risks in their PPP portfolios to mitigate their risks of potential civil and criminal liability related to BSA/AML rules and regulations, the False Claims Act (FCA), and the Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA), among others.

Stout’s PPP Advisory Services Team Can Help

Stout’s PPP Advisory Services team can, and is uniquely qualified to, help. Our team includes highly experienced financial professionals including Certified Public Accountants (CPA), Chartered Financial Analysts (CFA), Certified Fraud Examiners (CFE), individuals Certified in Financial Forensics (CFF), Certified Anti-Money Laundering Specialists (CAMS), Certified Anti-Money Laundering & Fraud Professionals (CAFP), former regulators, and financial services auditors, and compliance professionals with collectively scores of experience, including on similar types of government programs, with agencies such as the FDIC, OCC, NCUA, HUD, and Special Inspectors General, relative to lending program compliance and enforcement.

Our help includes, but is not limited to:

  • Performing enhanced loan review procedures to help mitigate the risk of non-compliance, fraud, and misrepresentation on the entire loan portfolio or risk-based basis;
  • Conducting various types of loan portfolio analysis to identify potential portfolio risks;
  • Providing outsourced BSA/AML assistance including performing borrower CIP/KYC/CDD procedures including beneficial ownership, detecting and reporting potentially suspicious loans, performing investigations, performing independent testing, program remediation, and many other BSA/AML needs;
  • Providing government enforcement action and litigation assistance, including expert witness testimony; and,
  • Providing other assistance related to loan origination, servicing, BSA/AML, and other regulatory compliance.

Guest author: Derek Adams of Potomac Law Group


1) Online financial companies' processes facilitated fraud in PPP loans, Texas university study finds