On July 28, 2020, the Office of the Inspector General (OIG) of the Small Business Administration (SBA) released a Management Alert entitled “Serious Concerns of Potential Fraud in the Economic Injury Disaster Loan Program Pertaining to the Response to COVID-19.”¹  The Inspector General reported that the OIG has identified approximately $250 million in Economic Injury Disaster Loans (EIDL) program funds that were issued to “potentially ineligible recipients” in potentially fraudulent transactions.  While not directly questioning the amount, SBA Administrator Jovita Carranza disputed the conclusion that the alleged fraudulent transactions resulted, in part, from a failure by SBA to implement proper internal controls over the EIDL program.

Background

The EIDL program, under which SBA provides long-term loans for small businesses impacted by natural disasters, is well-established.  EIDL loans may be used to pay fixed debts, payroll, accounts payable and other liabilities if the business is otherwise unable to meet these obligations due to “economic injury.”  “Economic injury” has been interpreted to mean that the business is unable to pay its ordinary and necessary operating expenses.  The program differs in some significant ways from the highly publicized $660 billion Paycheck Protection Program (PPP) authorized under the CARES Act.  An EIDL loan is offered at a higher interest rate than a PPP loan – 3.75 percent – and is processed by the government rather than a private bank.  There are also fewer upfront restrictions on how the EIDL funds may be spent.

In March 2020, Congress expanded the program as part of the legislative response to COVID-19, as previously discussed by AGG.  In particular, the CARES Act appropriated $10 billion for immediate EIDL grants of up to $10,000 to qualifying small businesses and nonprofits.  Grant recipients are not obligated to repay these funds, if, for some reason, the application for the loan is subsequently denied.  On July 11, 2020, SBA announced the end of the advance grant program.

Congress required that these EIDL grant funds be disbursed within three days of the submission of the application.  Because of the short timeframe involved, the CARES Act also required SBA to accept a self-certification — under penalty of perjury — that the applicant is an eligible entity.  When this COVID-related expansion of EIDL went into effect, however, the SBA hit immediate roadblocks in servicing the millions of applications it received in a matter of days.  In order to address the backlog, and in response to criticism from both Congress and affected businesses, the agency outsourced much of the loan processing work to commercial consultants.  According to an SBA update³   published on July 15, 2.5 million EIDL loans, totaling approximately $150 billion, have been approved.

Report Findings

Since June, the OIG has experienced a major uptick in reports of suspicious and potentially fraudulent activity from financial institutions and law enforcement agencies.  Reports from nine banks alone accounted for a combined total of $187.3 million in suspected fraudulent transactions. Overall, the office has received more than 5,000 complaints regarding the EIDL program from 440 financial institutions with the majority – nearly 3,800 –coming from just six entities.

From these complaints, the OIG developed a list of red flags signaling potential fraud, including the use of stolen account identities, the inability to explain the origin of the business name on the application, attempts to transfer program funds to investment accounts or foreign accounts; accounts opened solely for the deposit of program funds, deposits of program funds to third parties, and more.  In one instance, a federal credit union reported to the Criminal Division of the Department of Justice (DOJ) that it had received $15 million in 60 transactions from SBA.  An audit revealed that 59 of those transactions appeared to be fraudulent.

In the course of its ongoing investigations, the OIG determined that over 20,000 EIDL advance grants and 6,000 EIDL loans have been issued to potentially ineligible businesses.  These include businesses that were registered after the January 31 application cutoff specified by SBA regulations.  The OIG also identified hundreds of businesses that received more than one EIDL loan, noting that the duplicate loan receipts were made possible because the agency “does not have effective controls in place to determine if the applicants had previously applied for and received financial help.”

Agency Response and Recommendations

SBA Administrator Jovita Carranza responded that the report findings were “unexpected.”  SBA disputed that it had failed to implement proper internal controls for both the EIDL advances and the EIDL loans.  Specifically, the agency identified a duplicate application check, a business owner identity check, bank account verification checks, and additional checks that had been implemented as part of the advance program.  The Administrator noted further that the loan processing system is an “automated decision engine that works in concert with” the program loan officers “to perform functions relating to Loan eligibility, potential fraud identification, and approval/denial,” and that there are more than 70 rules related to loan qualification and approval.

The agency also noted that it is continuing to enhance EIDL internal controls.  On July 16, SBA advised the Office of Disaster Assistance (ODA) of reports from three large banking institutions concerning suspicious activity related to the EIDL program.  On July 22, the agency issued Information Notice 5000-20037 to depository financial institutions and all SBA employees to alert them “to the potential suspicious activity related to COVID-19 EIDL funds deposited into business or personal accounts.”

In its analysis of the agency’s response, the OIG expressly commended the remedial actions taken on July 16 and July 22, while also calling for future “meaningful and cooperative discussions with SBA management to share information and reports of findings” to continue to combat potential fraud.

In light of its findings, the OIG also recommended that SBA (1) “[a]ssess vulnerabilities for the purpose of strengthening or implementing internal controls to address notices of potential fraud” and (2) “[c]reate an effective process and method for lenders to report suspected fraud to the Office of Disaster Assistance and to recover funds.”

Conclusion

This is not the first alarm to have been sounded with regard to COVID-19 relief programs’ relative susceptibility to fraud.  In June, the Government Accountability Office (GAO) released a report³   warning the PPP program was vulnerable to fraud and waste.  Like the SBA OIG, the GAO noted that “[b]ecause of the number of loans approved, the speed with which they were processed, and the limited safeguards, there is a significant risk that some fraudulent or inflated applications were approved…”

Nor are the OIG’s findings particularly surprising when viewed through the lens of the history of government disaster relief programs.  AGG’s in-depth coverage of previous disaster relief loans – and the ensuing fraud investigations and enforcement actions – can be accessed here.  The scrutiny of EIDL (and other COVID related relief) applicants and recipients has only just begun.  It remains critical for any company in need of such government funds to maintain a strong compliance posture, seek legal guidance where necessary, remain vigilant, and respond appropriately to allegations or suspicions of wrongdoing.

[1] https://www.sba.gov/document/report-20-16-serious-concerns-potential-fraud-eidl-program-pertaining-response-covid-19

[2] https://www.sba.gov/sites/default/files/2020-07/EIDL%20COVID-19%20Loan%207.15.20.pdf

[3] https://www.gao.gov/reports/GAO-20-625/