On January 24, 2023, the Federal Reserve Board (“FRB”) assessed a second-tier civil penalty of $2.3 million against New York-based Popular Bank (or the “Bank”) for unsafe and unsound practices related to six Paycheck Protection Program (“PPP”) loans. According to the FRB, the Bank processed and funded these loans despite detecting significant indicia of fraud in the loan applications. In doing so, the Bank did not adhere to internal anti-money laundering (“AML”) policies and procedures, in violation of the Bank Secrecy Act (“BSA”). Although the Bank ultimately self-reported, it failed to do so in a timely manner. As a result of these failures, the Bank incurred a cumulative loss of approximately $1.1 million related to the six fraudulent PPP loans. The FRB opted not to impose corrective measures, acknowledging in the consent order that substantial remediation efforts by the Bank were already underway.
Congress introduced the PPP in March 2020, with the enactment of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, intending to provide economic relief payments to small businesses financially impacted by the COVID-19 pandemic and granting the Small Business Administration (“SBA”) principal administrative authority. At the time, the emergency situation placed pressure on SBA-approved lenders to process PPP loan applications and disbursements as quickly as possible. This, combined with the PPP’s accelerated rollout and the minimal documentation, processing, and other requirements promulgated by the SBA, led to vulnerabilities and oversights that enticed and enabled fraudulent access to PPP funds. Consequently, federal authorities commenced a crackdown on PPP-related fraud, launching investigations and filing charges primarily against loan borrowers within a year of the PPP’s inception.
The FRB’s recent enforcement action against Popular Bank emphasizes an evolving expansion of government scrutiny from PPP borrowers to lenders. It further stresses the paramount importance of lenders adhering to internal AML policies and procedures and complying with federal BSA rules and regulations when processing and funding PPP loans. On August 8, 2022, President Biden extended the statute of limitations for PPP-related fraud from five to ten years, empowering criminal investigations and prosecutions to continue for a long time yet. Although civil investigations and enforcement actions will cease sooner, as most federal banking agencies and other relevant regulators are subject to a statute of limitations of five to six years, those actions still are not time-barred for at least another two years. Thus, we can expect to see more enforcement actions and penalties like Popular Bank’s.
Since the advent of the PPP, government agencies, specifically the SBA and U.S. Department of the Treasury’s Financial Crimes Enforcement Network, have collaborated to issue a series of “Frequently Asked Questions” and other advisories for purposes of guiding BSA compliance efforts by lenders, particularly with regards to conducting customer due diligence and reporting suspicious activity. Additionally, government and industry resources contain a wealth of information for best practices in identifying and curbing fraudulent activities associated with the PPP. Lenders’ compliance teams should make sure they are utilizing these resources to shore up compliance with all statutory and regulatory requirements.
Although acceptance of new applications for PPP funding ended on May 31, 2021, banks and other depository institutions continue to play a critical role in overseeing the use of disbursed PPP funds and are therefore optimally positioned to detect, prevent, and report fraud. Financial institutions should continue to take their BSA compliance obligations seriously and maintain strong and effective controls to monitor for indicia of fraud related to PPP loan disbursements, including, for example, customers who engage in transactional activity that is abnormal for their purported business, use funds for ineligible expenses, open and close numerous accounts erratically, and/or claim unverifiable employee or other business information.
 Section 8(i)(2)(B) of the Federal Deposit Insurance Act.