The size and scope of the federal and state response to the economic crisis triggered by COVID-19 made some amount of criminal activity inevitable. Long lamented gaps in the infrastructure that links federal and state governments to individuals and businesses, particularly those related to the absence of reliable tools to ensure that electronic payments reach their intended recipients, made many of these programs an easy target for criminals.
With six months having passed since the pandemic took hold, the magnitude of this fraud is now coming into view. It appears that criminals stole billions of dollars of money intended to benefit firms and families affected by the economic dislocation. Washington State alone appears to have paid out more than $550 million in fraudulent unemployment benefits, and the cumulative toll of fraudulent unemployment payments in other states as well as fraud related to the Paycheck Protection Program (“PPP”) could exceed that number by several orders of magnitude. As FinCEN, the federal watchdog for financial crime, warned while money was being distributed, criminals appear to have exploited known gaps in the processes used to open accounts and to prevent the transfer of account credentials.
Public scrutiny of how criminals exploited U.S. financial institutions in the form of government investigations, congressional oversight, and potentially litigation is inevitable. The False Claims Act (“FCA”)prohibits false statements or misrepresentations to the government in connection with billing, contracting, or procurement. It provides for civil penalties and treble damages when the party submitting the claim knew, or should have known, that the statement was false or misleading. Importantly, it also applies to “any person” who “causes” a false claim,including companies, funds, or individuals who exercise control over the funds or are involved with submitting the false statement.
As a result, banks or other lenders distributing funds under the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act will face scrutiny of their efforts to distribute and monitor the relief. Although the CARES Act provides certain protections, including allowing lenders to rely on certifications by borrowers, lenders will face questions about whether their reliance on those certifications was reasonable, the reasonableness of their procedures and controls over the process, and whether they knew or should have known that certain borrowers did not meet the qualifications for relief. Lenders also may face questions about whether they favored existing clients with outstanding loans over other clients or new applicants, raising questions about conflicts of interest. Other statutory claims also may apply, including potential criminal violations. We recommend that financial institutions review accounts through which COVID-19-related relief payments were paid for indicia of fraud to examine whether their employees or systems were exploited in connection with the scams.
I. The Scams
COVID-19-related fraud has taken a number of forms. To date, most of the concern at the national level has arisen with respect to the PPP, but fraud rings in the United States and elsewhere appear to have systematically exploited other COVID-19-related relief programs, including state unemployment programs, as well. As noted above, it appears that Washington State paid out $550 to $650 million in fraudulent unemployment benefits. Estimates of losses in other states, including Nevada, Rhode Island, and Hawaii, appear to be in the hundreds of millions of dollars.
Although the precise scams vary from program to program, the theme is the same: fraudsters filed fraudulent applications for relief to various government programs. In the case of the PPP, these applications took the form of fraudulent loan applications, and more recently fraudulent documentation of requests for loan forgiveness. In the case of state unemployment programs, the scams began with fraudulent applications for unemployment benefits.
As several states, including Washington and Nevada, do not have state income taxes, they do not routinely collect and verify information about wages paid by employers to specific employees. Fraudsters were able to apply for benefits en masse by using social security numbers and other biographic information that had been exposed in the many security breaches that have taken place over the last several years.
II. The Gaps That Were Exploited
Once an application was processed, the proceeds then were distributed through the banking system. In some instances, these distributions took place via check, but it most instances, funds were distributed electronically either through wires or the ACH system. Where the account owner was a participant in the fraud, as would be the case with fraudulent PPP loan applications (or the creation of fraudulent documentation to support a loan forgiveness application), the proceeds were distributed to an account associated with the one of the people associated with the fraud. Where a third party initiated the fraudulent application, the funds passed through apparent dummy accounts.
Those dummy accounts likely were opened using one of several known weaknesses in the systems used to control access to the banking system: (1) accounts opened by employees, contractors, or vendors to banks that had access to key systems; (2) accounts opened by third parties using identities obtained through data breaches; (3) accounts opened by individuals hired by fraudsters to open accounts and then transfer control of the accounts to the fraudsters (often described as “mule” accounts); and (4) accounts opened using synthetic identities (i.e., identities that are fake but that correspond to reports on file with one or more credit bureaus).
III. Getting Ahead of the Coming Scrutiny
Some financial institutions appear to be aware that they may have been exploited in this manner. Employees of a major financial institution received a memo when they returned to the office after Labor Day Weekend letting them know that the bank was investigating customers and employees responsible for “misusing Paycheck Protection Program loans, unemployment benefits and other government programs.” But many do not appear to be aware of these risks, and regulators may question failure to check or monitor the distribution of funds.
In order to get ahead of the problem and manage these risks, firms that offer a product through which unemployment benefits have been distributed or that support such a program should consider conducting a risk assessment related to those accounts. Such an assessment would begin with a review of the identity information associated with the accounts and a review of the historical activity associated with the account.
Many aspects of this assessment can be automated. Many companies, for example, have assembled databases of stolen identity information, which can be checked against the identity information used to create accounts that received distributions of COVID-19-related proceeds. Likewise, automated tools exist to check account populations for information associated with synthetic identities. Issues identified can be investigated further, depending on their scope and substance. In this way, companies can take a risk-based approach to assessing and managing the risks associated with program abuse. Such assessments also can serve as a useful check on the efficacy of internal control procedures and compliance.
Public scrutiny is inevitable. We believe that firms should take immediate action to determine whether they were exploited by criminals seeking to divert benefits meant for individuals and businesses affected by the pandemic, and to protect themselves from the public relations and legal scrutiny that inevitably will follow.
4 31 U.S.C. §§ 3729-3733.
See Tim Henderson, Fight Against Fraud Slows Payments to Unemployed, Stateline (Aug. 27, 2020), https://www.governing.com/security/Fight-Against-Fraud-Slows-Payments-to-Unemployed.html; Katie Mulvaney, R.I. has paid out $8.6 million in fraudulent unemployment claims since start of pandemic, Providence Journal (July 30, 2020), https://www.providencejournal.com/news/20200730/ri-has-paid-out-86-million-in-fraudulent-unemployment-claims-since-start-of-pandemic; Mike Shoro, Up to 200K potentially fraudulent jobless claims filed in Nevada, report says, Las Vegas Review-Journal (July 25, 2020), https://www.reviewjournal.com/business/up-to-200k-potentially-fraudulent-jobless-claims-filed-in-nevada-report-says-2081327/; Lynn Kawano, Identity thieves have stolen at least $15.8M in Hawaii jobless benefits . . . and probably much more, Hawaii News Now (June 26, 2020), https://www.hawaiinewsnow.com/2020/06/25/state-finds-it-paid-least-m-fraudulent-jobless-claims-millions-more-under-investigation/..