On April 2, the Small Business Administration (“SBA”) issued the long-anticipated Interim Final Rule that sets out the current agency guidance regarding requirements that borrowers and lenders must follow in order to apply for and process loans, respectively, under the CARES Act Paycheck Protection Program (“PPP”).1 While borrowers bear the heavier burden for certifying compliance with the program rules, the PPP also imposes diligence and compliance obligations on lenders. As the expected onslaught of applications comes in – one bank alone received 58,000 applications on April 3, the first day the program opened – keeping up with the new and existing requirements will put an increased strain on the internal controls banks rely upon to verify account information in compliance with federal guidelines, such as the Bank Secrecy Act (“BSA”).
Creating a defined process to identify and appropriately respond to these issues will not only facilitate a borrower’s application, but also it will establish an audit trail that can be used to demonstrate that the lender employed best practices, acted in good faith and took reasonable steps to comply with the regulations.
Although lenders will be able to rely upon borrower certifications, lenders will still face regulatory scrutiny for their compliance obligations, especially if it is later determined that any loan was obtained fraudulently or deemed invalid for other reasons. For example, not only must a lender certify it has received the proper certifications from the borrower, the lender must “confirm receipt of information demonstrating” a borrower paid employees for the prior calendar year and “confirm the dollar amount of average monthly payroll.”2 The bank’s compliance with these provisions will be scrutinized if it turns out that the submitted information was false.
In addition, lenders must continue to comply with the BSA’s anti-money laundering and “KYC” requirements. While some reporting requirements have been relaxed to process PPP loans, the Financial Crimes Enforcement Network (“FinCEN”) issued a reminder to all financial institutions that they must continue to adhere to all BSA and anti-money laundering requirements and emphasized that this remains especially true for new customer accounts seeking access to the stimulus funds.3
As noted in a previous alert, lenders faced significant civil and criminal enforcement action associated with the stimulus relief package from the 2008 financial crisis. The PPP should be viewed no differently and implementing a standardized compliance process to account for the challenges posed by the PPP will be critical to mitigate future enforcement or litigation risk. Actions lenders take today will determine how regulators and courts view lenders potential liability in the future.
Streamlining policies and procedures – and identifying employees who will be responsible for carrying out specific PPP compliance – will establish a framework that lenders can rely upon to help insure against future enforcement actions or subsequent civil litigation.
1 Interim Final Rule on the CARES Act Paycheck Protection Program, https://home.treasury.gov/system/files/136/PPP--IFRN%20FINAL.pdf.
2 Id. at 21.
3 Financial Crimes Enforcement Network, The Financial Crimes Enforcement Network Provides Further Information to Financial Institutions in Response to the Coronavirus Disease 2019 (COVID-19) Pandemic, FINCEN.gov (Apr. 3, 2020), https://www.fincen.gov/news/news-releases/financial-crimes-enforcement-network-provides-further-information-financial.