JP Morgan Chase recently shared their discovery that employees and customers have misused government funds that were intended to support the Payment Protection Program (PPP). While this is isn’t the first instance of PPP-related fraud, it has potential to be the largest in terms of dollar volume. Banks of all sizes have participated in the PPP stimulus using various methods to collect and submit initial and forgiveness applications to the Small Business Administration (SBA). This means that banks of all sizes are susceptible to PPP fraud and subsequent reputational risk.
Though financial institutions took varying approaches to support their communities through the SBA’s PPP program, many chose to implement a system to help manage the volume of applications and create an efficient intake and review process. Institutions that fall under this category are in luck:
There are specific actions you can and should take to ensure you have controls in place and reporting set up to catch bad actors who may be looking to commit fraud.
To asses if your institution has the right controls in place for your forgiveness process, go back to the beginning and analyze the original PPP loan approval process. Agnostic of which technology solution was put in place, you must show you performed the necessary diligence on your applicants and requests and ensure that approvals occurred through the proper risk management.
Identify the system and process controls that were used during the initial PPP loan application:
Which employees can change existing information in the system and what was entered by a loan applicant into the system? An example of a system control is locked fields from applicant data that employees cannot override. Additional fields can be added to the system to amend applicant information, but the original information submitted by the applicant should be retained. The process control should be management reviewing who has access to certain information while complying with internal policies regarding structured access.
Are the appropriate fields required or optional when filling out the application? And is the right information in those fields? A system control should require certain fields to be filled out prior to application submission. Additionally, fields such as EIN should have logic that checks for the right number of characters. Given that field control is enabled by a system, there is no real process control.
Were ID verification, ownership and other KYC requirements met? The system control should have been a hard stop by the system if all required entity data wasn’t entered into the application. The process control should have been the reviewer flagging anything missing or entity data that didn’t align to the type of entity applying for the funds.
Were the necessary documents, including those showing use of funds, collected? And did the right representatives of the entity sign off on them? The system control should have been a hard stop by the system if the document place holders weren’t filled. The process control should have been the reviewer flagging documents signed by people other than the authorized signers for the entity as compared to the signature card on filed.
Did the approval process cover the review of KYC information and collected documentation to be sure that entity qualified for the loan? The system control should have been an attestation by the reviewer that he or she looked at the necessary data and documents and that they were appropriate, as well as the system authenticating that the reviewer had the right level of authority to review and approve. The process control should have been a signoff within the system that the reviewer approved the loan application. Additionally, for those banks that were reviewing larger loan amounts, an additional control should have been a dual sign off requirement for loans of a certain size by management level staff or above.
Once you’ve assessed the appropriateness of the controls that were in place during the initial application for PPP funds, you will be able to confirm that you have the right controls in place for the forgiveness process. If it turns out that you were missing one or some of the controls in the initial application process or that they were insufficient, you will need to enhance controls during the forgiveness process to ensure that the misuse of funds is caught.
In some instances, these controls are the same as what was used for the original application, but there will be some key differences. System and process controls for the forgiveness process must include:
Were the right documents collected from the borrower to show/validate how funds were used? The system control should be a hard stop by the system if the document place holders aren’t filled. The process control should be the reviewer flagging documents that don’t align to dollar amounts and fund usage as described in the forgiveness application.
Is the right amount of funds being forgiven? The system control is based on the calculation / math in the system. The amount forgiven should match what the system generates based on the application entries submitted by the borrower. The process control has two parts. The first, at the time of initial set up – legal and/or regulatory should sign off on the calculations used to arrive at the forgiveness amount. The second, if the forgiveness amount ultimately ends up being different than what the system calculated, then the difference and the reason for it needs to be documented in a standalone field in the system.
Did the approval process include a review of all relevant documentation, calculation, and verification? The system control should an attestation by the reviewer that they looked at the necessary data and documents and that they were appropriate. The process control should be a signoff within the system that the reviewer approved the loan forgiveness application. Similar to before, this process should also include dual sign off for loans of a certain size.
Is a decision being made to forgive part or none of the loan amount? The system control should be a flag on any application that isn’t being 100% forgiven. The process control should be that if flagged, these applications should follow a separate flow within the system to be reviewed by a more senior member of the team and dual signoff should be required.
Are standardized communications being generated in the system at key points during the application process? The system control should be that these communications are sent to the correct contact in the system who is a liable party to the loan. Borrowers should receive emails at the time of application completion/ submission, when documents are approved or rejected, decision status, and when the forgiveness application is sent to the SBA. The process control for this is to design a communication flow that covers key points, e.g., password resets, submission confirmations, review, confirmations, etc.
Is information being sent directly to the SBA from your loan application system or are team members manually reentering the information? The system control should be setting up integration with the SBA to drastically reduce human error. The process control should be a review of information and documentation before initiating the sending of application data to the SBA.
Once you have the right effective controls in place, your institution must look at how it leverages the reporting functionality available through the system. This reporting should be run on a regular schedule and used to communicate throughout the appropriate teams and leadership on the volume of applications being submitted and reviewed as well as the dollar amounts that are being forgiven. Reports should also be leveraged to mitigate risks by looking at anomalies in applications and/or owners as well as destinations of funds.
By the time you have reviewed and implanted controls and reporting functionality, you should be able to sit across your desk from an examiner and articulate the methodology that your institution followed to grant loans and forgiveness, the controls that were in place to mitigate fraud, and provide reports to back up your statements.
These reports will also become key artifacts during an audit or exam. They can be used to show consistent treatment of borrowers by the bank, prove audit trails, and show the portfolio in aggregate. While reporting is usually a tool used to react to events, it is also an important detective control to use as an alert when something is happening that shouldn’t be.
Be aware: The impact of ensuring the above goes beyond reputational risk and fraud loss. For the first time, regulatory exams will include information requests regarding PPP programs.
Be prepared. Given the fraud that has occurred in the market, it is likely that regulators will be taking a very close look at how PPP applications were reviewed and decisioned, how dollars were tracked, and how forgiveness amounts were determined and ultimately signed off on.
System reporting will make this easier and provide concise and consistent information for your examiners – use it! Prepare a methodology statement that outlines the approach you took to PPP lending and forgiveness. And make sure that client information is householded appropriately so that when a sample of customer information is requested, it is easily accessed and shows the PPP process beginning to end and how it plays into the overall customer relationship.
When the PPP program is ultimately done, the banks that will have been the most successful at mitigating fraud and passing exams will be those that leverage the system controls, processes, and reporting that are available to them. It is the most effective way to manage accompanying PPP risks and to stay out of the news.