Stock Exchange
The PPP Grift
How to Find It & Fight It
By Kathryn O'Donnell

A combination of good intentions, flawed implementations, and quick-acting criminals have resulted in the theft of potentially over one billion dollars of U.S. taxpayer money just this summer1, weakening the national pandemic response at an already difficult time as well as damaging the people’s faith in American financial and governmental institutions.  However, there are strategies financial institutions can employ to protect themselves, their customers, and the American people from these types of fraudulent activities in the future.


The Set-Up


In March 2020, soon after the outbreak of the COVID-19 pandemic in the United States, the U.S. federal government acted quickly to provide emergency financial assistance to small businesses across the country:  passing the Coronavirus Aid, Relief, and Economic Security (CARES) Act, to provision nearly $750 billion as of August 2020 to help small businesses continue to fund payroll and other expenses, keeping people employed and businesses ready to bounce back once recovery was underway.


The small business provision, known as the Payroll Protection Program (PPP), instantiated a novel public-private partnership between the government and financial institutions: private lenders would use their existing infrastructure and capabilities to approve and initially fund the loans, while the government – specifically the Small Business Administration (SBA) -- would guarantee the full amount of the loan. The participating small businesses, if they met the SBA’s criteria including size and previous income requirements, were eligible to have the full amount of the loan and any accrued interest forgiven if the proceeds were used to maintain payroll and other permitted expenses.


The Con


Financial institutions are no strangers to providing loans and other banking services to small businesses. Most have procedures in place to perform Know Your Customer checks in addition to determining the credit-worthiness of a business. However, with PPP, credit-worthiness was not a factor, meaning that the usual list of checks often did not take place. Moreover, because of the speed demanded by the program, it was nearly impossible to run comprehensive tests to determine if any of the existing guardrails were in danger of failing.


For PPP, lenders needed to check the paperwork submitted by the small business itself, such as IRS Forms 940 (unemployment taxes paid) and 941 (federal tax returns), previous banking account statements, and spreadsheets listing payroll expenses signed off by a company officer. These pieces of paperwork are incredibly simple to forge. And without the secondary checks provided by third-party credit services to raise the red flags, these forged applications were quickly approved and funded.


Once word got around the fraudster networks of the ease of submitting forged applications, fake small businesses with huge payrolls began cropping up across the country, receiving loans of hundreds of thousands to millions of dollars from PPP. A few have been caught by SBA audits and eagle-eyed lenders, but it is unknown how many more are out there.


The Fix


A key failing in stopping these fraudulent applications was the inability to meet the speed demanded by the government to get the money to the people who needed it. While the intention is laudable, this speed requirement short-circuited the normally slow and methodical pace financial institutions take when introducing new products. It is well-known that new products can and will introduce a variety of exploitable loopholes, so it often takes months, sometimes years, to test out various scenarios and do gradual roll-outs in different markets to ensure risk minimization.


What few financial institutions have invested in are automated test harnesses for risk scenarios. A concept well known in the engineering world, software test harnesses, for example, run products through a set of known, rigorous, and complete scenarios every time a change is made to the underlying code. This allows developers to be reasonably sure that their changes don’t negatively impact the system while allowing them to make fast and continuous improvements to the software product.


Financial institutions do a version of this with risk: a predetermined set of scenarios – including frauds – are thrown against a new product. If the tests are successful, the product is considered resistant to known risk. However, only the most technologically advanced institutions do this with automation; most others rely on a manual system, with product owners and business analysts responsible for thinking up the different scenarios and developing the tests for each product, with varying levels of rigor and completeness. But the only way to operate within the tight timelines required by the PPP product was to have the testing system already automated, hardened, and ready to go.


In the case of PPP, automated risk testing could have immediately identified forged documentation as a major exploitable weakness. At that point, lenders could create rules and models to detect forgery indicators and flag applications for manual follow-up, or use the results of their testing to request resources from the SBA and IRS for improving documentation checking capabilities.


The Takeaway


With PPP, the business-as-usual risk management procedures didn’t work, costing American taxpayers millions of dollars and denying genuine small businesses necessary aid during the COVID-19 pandemic. And as scenarios that demand rapid responses become more common – whether due to technological change, or governmental change, or societal change – financial institutions need to rethink the way they approach risk estimation and minimization.  Building strategic plans around and investing in modern approaches to technology is the only way that financial institutions are going to be able to keep up and survive in our rapidly changing world.

Kathryn O'Donnell is the CEO and Co-Founder of Clovis Technologies. Visit her LinkedIn page here.


1. Popken, B. (2020, September 1). Congressional Investigation Finds Over $1 Billion in PPP Fraud. NBC News.