The Paycheck Protection Program (PPP) has been plagued with issues since its inception.1 Yet the issues themselves proved to be far deeper than headlines of fraud and misused funds have suggested.2 Although PPP fraud should be condemned, the fraud was a symptom of a much more fundamental problem: namely, a failure of federal oversight for the government program.

A Brief Paycheck Protection Program Primer

The PPP was established in April 2020 by the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).3 In an effort to protect businesses and thereby “protect paychecks,” the PPP offered low-interest loans to small businesses with the promise of forgiveness so long as the funds were used for qualifying business expenses and certain conditions were maintained. For example, qualifying business expenses included payroll, benefits, mortgage interest, rent, and utilities.4 In addition to spending the funds on specific resources, businesses were also required to maintain both staff and salary levels. To the extent these requirements could not be met, loans would need to be paid off with a 1 percent interest rate. However, loan payments could also be deferred, and, in all cases, there were no fees charged for the application process.

Lenders also stood to benefit from the PPP. The Small Business Administration (SBA) was the agency supervising the PPP, but the loans themselves were provided by private-sector lenders.5 To encourage lending, however, the SBA backed 100 percent of the loans so that lenders would not have to worry about the borrower defaulting—a bid to quell uncertainty regarding the surrounding pandemic and to get funds into the hands of those most at risk. The SBA also tried to reduce costs for lenders by requiring minimal underwriting on all loans. This issue will be discussed at length below, but the SBA routinely instructed lenders to conduct minimal oversight, and the program was specifically designed to remove incentives for lenders to lend carefully.

In short, the PPP was an attractive opportunity for borrowers and lenders alike. It offered a quick source of both loans and grants at a price few could deny. And in doing so, it had the potential to offer a helping hand for businesses that were struggling after the government mandated a lockdown in response to the COVID-19 pandemic. But in practice, the PPP quickly became embroiled in controversy.

A Failure of Federal Oversight

Cases of PPP fraud quickly stole the headlines as stories of misused funds emerged.6 Although the funds were meant to support struggling businesses, loans were also given to nonexistent businesses, celebrities, large publicly traded companies, and individuals looking to purchase sports cars.7 Public backlash quickly ensued and led to what became an 18-month-long investigation by the House Select Subcommittee on the Coronavirus Crisis.8 The subcommittee’s report was published in December 2022 and characterized the issue as one of financial technology (fintech) companies facilitating fraud. Yet the subcommittee’s report missed an important piece of the story: the fraud identified was a symptom of a more fundamental failure of the government to oversee its own program. While cases of fraud should indeed be condemned, those cases should not be used to divert attention from the fact that Congress and the SBA deliberately removed controls and safeguards to rush the $800 billion program out the door.9 Lenders were told time and time again by the SBA that only minimal underwriting was necessary. More so, the decision to guarantee 100 percent of the loans removed profit incentives on the part of lenders to ensure their loans were in good hands. And were these factors not troubling enough on their own, the SBA itself appears to have conducted minimal oversight.

From the beginning, the SBA was explicitly clear in its guidance that lenders did not have to worry about the quality of borrowers. For example, in April 2020, the SBA told lenders:

The lender does not need to conduct any verification if the borrower submits documentation supporting its request for loan forgiveness and attests that it has accurately verified the payments for eligible costs. The Administrator will hold harmless any lender that relies on such borrower documents and attestation from a borrower. (Emphasis added.)10

This messaging was reiterated in frequently asked question notices from June 2020 through July 2022, where the SBA told lenders that providing accurate calculations was the duty of borrowers alone and that lenders were merely expected to conduct a “good faith review.”11 In fact, the notices went so far as to say that a “minimal review of calculations … would be reasonable” and “lenders may rely on borrower representations.”12

The risks of this repeated messaging did not go unnoticed for long. In a June 2020 report, the Government Accountability Office (GAO) warned that, “To streamline the process, [the] SBA required minimal loan underwriting from lenders … leaving the program more susceptible to fraudulent applications.”13 The GAO also stressed that “reliance [on] applicant self-certifications can leave a program vulnerable to exploitation.”14 Unfortunately, the SBA did not take kindly to the GAO’s recommendations. When the SBA read the report, it accused the GAO of singling out the SBA and misrepresenting evidence.15 And in doing so, the SBA seems to have dismissed the GAO’s recommendation that the SBA should “address potential fraud,”16 because in October 2020, the Office of Inspector General wrote, “[The] SBA’s management continues to insist that its controls are robust despite overwhelming evidence to the contrary.”17

The SBA’s decision to back 100 percent of the loans worsened the issue. Normally, lenders must account for the risk that the money they lend out may never be repaid, or at least not in full. Lenders usually respond to that risk by adjusting the interest rate of the loan as well as the total amount that can be borrowed. For example, in 2022 individuals with a credit score of 300–629 could have expected to pay as much as three times more in interest for a personal loan than individuals with a credit score of 720–850.18 However, these types of adjustments were not allowed because the interest rate on all PPP loans was restricted to 1 percent. Normally, an interest rate ceiling would have cut out the riskiest borrowers, but the SBA’s 100 percent loan guarantee mitigated that issue by removing the consideration that a loan may not be paid off in full—or at all.19 That decision, however, was a double-edged sword. It ensured that struggling businesses would receive loans even if they posed increased risk, but it also removed any incentive for the lender to carefully review the risks. In other words, lenders were not under the same pressure to perform underwriting because they would get their money no matter what—once again compounding the message that the sole concern was getting the money out quickly.

The SBA appears to have applied the spirit of these explicit and implicit messages in its own work, as it, too, conducted minimal oversight. For instance, Blueacorn—one of the fintech companies considered at fault—did not exist before April 2020. As the subcommittee’s report notes, Blueacorn was founded “specifically to facilitate PPP loans.”20 Yet even though companies founded after February 15, 2020, were not allowed to receive loans, the SBA allowed Blueacorn to approve over 900,000 loans in 2021.21 To put that number in perspective, Blueacorn disbursed more PPP loans in 2021 than JP Morgan Chase—the largest bank in the country—yet they seem to have went unnoticed by the SBA.22

As the subcommittee report points out, the SBA didn’t just miss Blueacorn. Womply was the second-biggest offender in the report. The subcommittee was able to identify that Womply’s CEO—Toby Scammell—had been previously convicted of criminal fraud and barred from the securities industry.23 The SBA participated in livestreams on social media with the CEO, but it’s unclear if it ever vetted the company.24 To its credit, the SBA did formally warn Womply in June 2021.25 However, this warning only came because the company had not updated its website to reflect the end of the PPP a few weeks earlier in May.

While there are more examples from the report that may be discussed, the lack of oversight at the SBA was made clear when an independent auditor contracted by the SBA in November 2021 concluded: “Management did not adequately design and implement controls to ensure PPP loans guarantees approved [were in existence and accurate.]”26 A few months later, in January 2022, the Pandemic Response Accountability Committee described the SBA as having “effectively adopted a ‘pay and chase’ approach, using fraud detection only after funds had been disbursed.”27 And even when the issues were identified, the SBA’s diligence has been called into question. In an October 2022 report, the Project on Government Oversight reported that “The SBA applied nearly 98% of its flags between August 2020 and December 2020, then swept away the vast majority of them within the first weeks of 2021.”28 These lapses in oversight make it clear that the companies that committed fraud appear to be a symptom of a much larger issue: namely, that the SBA failed to oversee the program.

Who Are the Fraud Police?

The subcommittee’s report is filled with examples of evidence that fraud was taking place at four companies, but one particularly interesting piece of evidence (from a whistleblower) is that the leadership at one of the fintech companies told employees: “We are not the fraud police.”29 The subcommittee appears to have considered this statement a smoking gun because it was ultimately used for the title of its report. Yet this statement leads to an interesting question: Who are the fraud police? It’s a question that was largely left unanswered in the report. But it’s a question that should not go unanswered considering that the federal government has largely come to rely on the private sector to police financial services.

For over 50 years, the government has increasingly deputized banks and other financial institutions as deputy law enforcement investigators under the Bank Secrecy Act.30 In short, financial institutions are forced to file tens of millions of reports each year to the government on conducting transactions that could potentially be considered suspicious.31 Because this task is so complex, an entire industry of certification programs, courses, and consultants has been constructed around serving the government from within the financial sector. In fact, this trend has become so severe that the Financial Crimes Enforcement Network (FinCEN) would likely be unable to operate without the private sector’s help. At a hearing with the U.S. House Committee on Financial Services, Representative Barry Loudermilk (R‑GA) pointed out that although the law requires FinCEN to minimize burdens on businesses, it has only increased those burdens in practice.32 Likewise, at that same hearing, FinCEN acting director Himamauli Das was unable to answer when asked by Representative John Rose (R‑TN) if FinCEN would be able to effectively do its job without the help of the private sector. And this issue becomes abundantly clear when comparing FinCEN’s $210 million operating budget against the $26 billion that financial institutions are forced to spend in compliance with FinCEN and the Bank Secrecy Act.33

This framework needs to be fixed. No American should be forced to report on the activity of fellow citizens. And no company should be forced to be the watchdog for a government program. The SBA should have been supervising the space as the government agency behind the program. And to that end, while the subcommittee did not explicitly address the question of who the fraud police are, its recommendations implicitly answered it—the first five recommendations all instruct the SBA to conduct reviews, examine risks, investigate activities, and enforce guidelines.

A Conflict of Visions: Fraud versus Financial Inclusion

Although the subcommittee’s report recommended that Congress and the SBA carefully consider whether to work with fintech firms at all, it’s important to recognize that other reports have revealed that the fintech industry was a critical resource for Americans that have been historically excluded from the traditional financial system.34

As noted by Stacy Cowley in the New York Times, fintech companies were “frequently the only available option for those without business bank accounts and credit loans.”35 More so, compared to traditional lenders, fintech companies made a larger share of their loans to black-owned businesses.36 Likewise, one study found that fintech companies were disproportionately used “in ZIP codes with fewer bank branches, lower incomes, and a larger minority share of the population.”37 And finally, in testimony before Congress, Nick Schwellenbach argued it could benefit historically disadvantaged and underbanked communities if fintech companies were able to continue to participate in SBA programs, even despite the problems identified in the subcommittee’s report.38

Schwellenbach did well to point out there is a tradeoff that Congress cannot ignore. If financial inclusion can be achieved by relaxing the rules that have locked so many people out of traditional finance, and if those rules were designed to prevent financial fraud, then Congress must decide how it values preventing financial fraud versus achieving financial inclusion.39 Denying bank account access because someone does not have identification may prevent criminals from using banks, but it will also prevent law-abiding people without identification from having access. To that end, the tradeoff between financial inclusion and financial crime is a policy decision that Congress cannot ignore. Put simply, the optimal amount of crime is not zero.40

Recommendations

There are a few lessons from the PPP and the SBA’s performance in overseeing the program that should be considered carefully before the next crisis occurs.

Congress should consider carefully the extended consequences of all legislation. While this recommendation should be applied to all legislation, it is particularly important for responding to a crisis. As the Biden administration recently acknowledged, the PPP needlessly sacrificed security for speed.41 The problems were evident from day one and there were many warnings. In the future, Congress should carefully consider what is at stake when crafting such bills rather than rush billions of dollars in taxpayer money out the door.

Congress should end the practice of deputizing banks as law enforcement investigators. For far too long, the federal government has relied on the private sector to police financial crime. Worse yet, in addition to costing billions of dollars in compliance, this practice has largely eradicated financial privacy in the United States. Congress should review all legislation that requires private firms to act as law enforcement, including the Bank Secrecy Act.42

Congress should keep the federal government out of the retail banking business. While the PPP was a half-step removed from the government directly offering loans to American citizens, it should serve as a cautionary tale for why the government should stay out of retail services. Central bank digital currencies (CBDCs), FedAccounts, and Postal Banking have all been increasingly proposed in recent years.43 However, the SBA’s failure to oversee the PPP is proof that Congress should dismiss all such proposals.

Conclusion

The performance of the PPP should not be a surprise given the rushed nature of its creation.44 Faced with unrivaled uncertainty in the wake of the COVID-19 pandemic, Congress was solely focused on getting money out the door as quickly as possible and by whatever means necessary. As Cato scholar Ryan Bourne described it at the time:

[To Congress, details] were of second‐​order importance—lawmakers simply wanted dollars flowing to businesses through loans and payroll support, to households through checks, and to those laid off because of COVID-19 through more generous unemployment insurance benefits.45

Congress may have succeeded in getting dollars out the door, but the details that Bourne had warned of quickly came back to haunt the PPP. It took 18 months for the subcommittee to put its report together, but the problems were evident from day one.46 Individual companies at fault should be condemned to the extent that fraud took place, but that should not distract from the fact that it was Congress and the SBA that created the environment for fraud to not only occur, but also thrive.