Beware of COVID Relief Fraud
The size and scope of the federal and state response to the economic crisis triggered by COVID-19 made some amount of criminal activity inevitable. Long lamented gaps in the infrastructure that links federal and state governments to individuals and businesses, particularly those related to the absence of reliable tools to ensure that electronic payments reach their intended recipients, made many of these programs an easy target for criminals.
With six months having passed since the pandemic took hold, the magnitude of this fraud is now coming into view. It appears that criminals stole billions of dollars of money intended to benefit firms and families affected by the economic dislocation. Washington State alone appears to have paid out more than $550 million in fraudulent unemployment benefits,
Public scrutiny of how criminals exploited U.S. financial institutions in the form of government investigations, congressional oversight, and potentially litigation is inevitable. The False Claims Act (“FCA”)
As a result, banks or other lenders distributing funds under the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act will face scrutiny of their efforts to distribute and monitor the relief. Although the CARES Act provides certain protections, including allowing lenders to rely on certifications by borrowers, lenders will face questions about whether their reliance on those certifications was reasonable, the reasonableness of their procedures and controls over the process, and whether they knew or should have known that certain borrowers did not meet the qualifications for relief. Lenders also may face questions about whether they favored existing clients with outstanding loans over other clients or new applicants, raising questions about conflicts of interest. Other statutory claims also may apply, including potential criminal violations.
I. The Scams
COVID-19-related fraud has taken a number of forms. To date, most of the concern at the national level has arisen with respect to the PPP, but fraud rings in the United States and elsewhere appear to have systematically exploited other COVID-19-related relief programs, including state unemployment programs, as well. As noted above, it appears that Washington State paid out $550 to $650 million in fraudulent unemployment benefits. Estimates of losses in other states, including Nevada, Rhode Island, and Hawaii, appear to be in the hundreds of millions of dollars.
Although the precise scams vary from program to program, the theme is the same: fraudsters filed fraudulent applications for relief to various government programs. In the case of the PPP, these applications took the form of fraudulent loan applications, and more recently fraudulent documentation of requests for loan forgiveness. In the case of state unemployment programs, the scams began with fraudulent applications for unemployment benefits.
As several states, including Washington and Nevada, do not have state income taxes, they do not routinely collect and verify information about wages paid by employers to specific employees. Fraudsters were able to apply for benefits en masse by using social security numbers and other biographic information that had been exposed in the many security breaches that have taken place over the last several years.
II. The Gaps That Were Exploited
Once an application was processed, the proceeds then were distributed through the banking system. In some instances, these distributions took place via check, but it most instances, funds were distributed electronically either through wires or the ACH system. Where the account owner was a participant in the fraud, as would be the case with fraudulent PPP loan applications (or the creation of fraudulent documentation to support a loan forgiveness application), the proceeds were distributed to an account associated with the one of the people associated with the fraud. Where a third party initiated the fraudulent application, the funds passed through apparent dummy accounts.
Those dummy accounts likely were opened using one of several known weaknesses in the systems used to control access to the banking system: (1) accounts opened by employees, contractors, or vendors to banks that had access to key systems; (2) accounts opened by third parties using identities obtained through data breaches; (3) accounts opened by individuals hired by fraudsters to open accounts and then transfer control of the accounts to the fraudsters (often described as “mule” accounts); and (4) accounts opened using synthetic identities (i.e., identities that are fake but that correspond to reports on file with one or more credit bureaus).
III. Getting Ahead of the Coming Scrutiny
Some financial institutions appear to be aware that they may have been exploited in this manner. Employees of a major financial institution received a memo when they returned to the office after Labor Day Weekend letting them know that the bank was investigating customers and employees responsible for “misusing Paycheck Protection Program loans, unemployment benefits and other government programs.”
In order to get ahead of the problem and manage these risks, firms that offer a product through which unemployment benefits have been distributed or that support such a program should consider conducting a risk assessment related to those accounts. Such an assessment would begin with a review of the identity information associated with the accounts and a review of the historical activity associated with the account.
Many aspects of this assessment can be automated. Many companies, for example, have assembled databases of stolen identity information, which can be checked against the identity information used to create accounts that received distributions of COVID-19-related proceeds. Likewise, automated tools exist to check account populations for information associated with synthetic identities. Issues identified can be investigated further, depending on their scope and substance. In this way, companies can take a risk-based approach to assessing and managing the risks associated with program abuse. Such assessments also can serve as a useful check on the efficacy of internal control procedures and compliance.
Public scrutiny is inevitable. We believe that firms should take immediate action to determine whether they were exploited by criminals seeking to divert benefits meant for individuals and businesses affected by the pandemic, and to protect themselves from the public relations and legal scrutiny that inevitably will follow.