ComplianceMay 11, 2020

Paycheck Protection Program and Bank Secrecy Act Compliance: Be True to Your Risk-Based Program

The CARES Act (Pub. L. No. 116-136) was enacted on March 27, 2020 to provide assistance in the U.S. given the challenges of the COVID-19 pandemic. In part, the CARES Act allocated more than $2 trillion to provide various types of targeted financial assistance to the U.S. economy. In particular, Section 1102 of the CARES Act created the Paycheck Protection Program (“PPP”) setting aside $349 billion for small businesses that qualify for assistance under its terms and that would otherwise be eligible for Small Business Administration (“SBA”) 7(a) loans. The goal of the PPP is to support small businesses during and through the pandemic and ultimately to protect millions of American jobs.

The speed with which the CARES Act was enacted, followed directly by the rollout of the PPP, demonstrated that the country was in full-on crisis mode. This dynamic is uncharacteristic for how legislative and business activities are generally conducted under otherwise “normal” circumstances, but essential given the severity of the pandemic’s economic consequences. Facilitating rapid access to funds under the PPP to deserving borrowers who desperately need to stay in business has been a monumental undertaking.

Yet, as lenders scrambled to align their small business lending programs to accommodate the crush of PPP loan applications, the stress on lending processes and controls raised concerns. In lenders’ rush to get this money to the small businesses, there have been obvious concerns that PPP funds could be accessed by bad actors poised to take advantage of vulnerabilities in the program. This article addresses those concerns.

Payroll Protection Program Overview

The PPP provides eligible small businesses with funds to cover payroll, mortgage interest, rent, and utility costs over the eight-week period after the loan is made. A profound aspect of this program is that PPP loans are subject to forgiveness, where 75 percent of the proceeds cover payroll costs. In addition, the program allows for a six-month payment deferral after the loan is made; has no collateral or personal guarantee requirements; and the PPP does not impose any fees on the borrower.

Loan amounts under the program are capped at the lesser of $10 million and the sum of 250 percent of an employer’s average monthly payments for payroll costs incurred during the one-year period prior to the date on which the loan is made, plus any Economic Injury Disaster Loan (“EIDL”) loan refinanced (but excluding the amount of any EIDL advance that does not need to be repaid). There are exceptions for seasonal employers and for the outstanding amount of any loan under the SBA’s Disaster Loan Assistance Program.

The application period opened on a staggered basis on April 3 for small businesses and sole proprietorships, and April 10 for independent contractors and self-employed individuals. The initial application period was set to accept applications until June 30, 2020 through existing SBA 7(a) lenders or through any federally insured depository institution, federally insured credit union, and Farm Credit System institution that is an approved SBA lender. Other lenders will be available to make these loans once approved and enrolled in the program. However, due to high demand, program funding was depleted on April 16. An additional $310 billion was appropriated, setting in motion a second round of lending that kicked-off on April 27.

Application and Underwriting Requirements

Spurred by the urgency of the pandemic, the PPP program was quickly launched based on rapidly released guidance, including some that was published in an Interim Final Rule (“Interim Rule”) on April 7. The Interim Rule requires that lenders shall:

  • Confirm receipt of borrower certifications contained in PPP application form;
  • Confirm receipt of information demonstrating that a borrower had employees for whom the borrower paid salaries and payroll taxes on or around February 15, 2020;
  • Confirm the dollar amount of average monthly payroll costs for the preceding calendar year by reviewing the payroll documentation submitted with the borrower’s application; and
  • Follow applicable Bank Secrecy Act (“BSA”) requirements.

The language of the Interim Rule stresses that insured banks and credit unions should continue to follow their existing BSA protocols in underwriting PPP loans to new or existing eligible borrowers. The Interim Rule states that “PPP loans for existing customers will not require re-verification under applicable BSA requirements, unless otherwise indicated by the institution’s risk-based approach to BSA compliance.” Each lender, in accordance with BSA/AML risk assessment guidelines published by the Federal Financial Institutions Examination Council, should have a well-founded understanding of the BSA-specific risks relative to products, services, customers, entities, and geography unique to the institution.

Under the Interim Rule, lenders are allowed to rely on borrower certifications. However, lenders should consider that once the funds have been disbursed and the crisis has passed, in the years that follow, regulators may likely scrutinize BSA compliance in connection with assessing whether loans were properly approved and whether any loans under the PPP were obtained as a result of fraud. Such scrutiny may come in the form of regulatory examinations or in accordance with risk-based audit schedules.

BSA Compliance and Beneficial Ownership

The legislative response by Congress to appropriate funding and the quick action to roll out the PPP program raised questions with respect to requirements established to ensure compliance with the BSA. Under the BSA, the requirements to which regulated financial institutions are accustomed present timing challenges, considering the urgent demand for PPP loans resulting from the pandemic.

On March 16, the Financial Crimes Enforcement Network (“FinCEN”) issued a press release to encourage financial institutions to keep FinCEN and their functional regulators informed as circumstances change due to COVID-19. In this communication, FinCEN also advised financial institutions to remain alert to malicious or fraudulent transactions and potential scams.

In guidance issued by FinCEN on April 3, the agency stressed that compliance with the BSA “remains crucial to protecting our national security by combating money laundering and related crimes, including terrorism and its financing. FinCEN expects financial institutions to continue following a risk-based approach, and to diligently adhere to their BSA obligations.” On April 13, PPP FAQs #18 and #25 were reiterated in separate guidance issued by FinCEN.

The SBA, in consultation with the Department of Treasury, released Frequently Asked Questions (“FAQs”) on April 8t. FAQ #18 poses the question:

Are PPP loans for existing customers considered new accounts for FinCEN Rule CDD purposes? Are lenders required to collect, certify, or verify beneficial ownership information in accordance with the rule requirements for existing customers?

The answer provided is that “[i]f the PPP loan is being made to an existing customer and the necessary information was previously verified, you do not need to re-verify the information. Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance (emphasis added).”

In the face of the crisis and during the surge of applications, concerns spanned the spectrum from doing too little verification to doing too much and potentially slowing the process of approving these vital loans. Industry trade groups cited beneficial ownership rules as an impediment to PPP and petitioned for temporary suspension through December 31, 2020 for entities seeking PPP loans that are not current bank customers. This request does, however, emphasize that “[b]anks will exercise ongoing due diligence and monitoring to safeguard the PPP from fraud.

As published in updated FAQs released on April 13, FAQ #25 was added, aligning to FinCEN guidance on customer due diligence and information requirements for PPP applicants:

 “Does the information lenders are required to collect from PPP applicants regarding every owner who has a 20% or greater ownership stake in the applicant business (i.e., owner name, title, ownership %, TIN, and address) satisfy a lender’s obligation to collect beneficial ownership information (which has a 25% ownership threshold) under the Bank Secrecy Act?” The answer breaks down into two specific responses:

Lenders with existing customers: “With respect to collecting beneficial ownership information for owners holding a 20% or greater ownership interest, if the PPP loan is being made to an existing customer and the lender previously verified the necessary information, the lender does not need to re-verify the information. Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected such beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance(emphasis added).

Lenders with new customers: “For new customers, the lender’s collection of the following information from all natural persons with a 20% or greater ownership stake in the applicant business will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information: owner name, title, ownership %, TIN, address, and date of birth. If any ownership interest of 20% or greater in the applicant business belongs to a business or other legal entity, lenders will need to collect appropriate beneficial ownership information for that entity. If you have questions about requirements related to beneficial ownership, go to https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule. Decisions regarding further verification of beneficial ownership information collected from new customers should be made pursuant to the lender’s risk-based approach to BSA compliance(emphasis added).”

In the answer to FAQs #18 and #25 above, emphasis was added to the notion that lenders must be sensitive to their risk-based approach to BSA compliance in reviewing loan applications under the PPP—now perhaps more than ever.

Non-Bank Eligibility

The updated FAQs directly address the question of non-bank eligibility to make PPP loans. FAQ #22 asks:

“I am a non-bank lender that meets all applicable criteria of the PPP Interim Final Rule. Will I be automatically enrolled as a PPP lender? What criteria will SBA and the Treasury Department use to assess whether to approve my application to participate as a PPP lender?”

The answer provided: “We encourage lenders that are not currently 7(a) lenders to apply in order to increase the scope of PPP lending options and the speed with which PPP loans can be disbursed to help small businesses across America. We recognize that financial technology solutions can promote efficiency and financial inclusion in implementing the PPP. Applicants should submit SBA Form 3507 and the relevant attachments to [email protected]. Submission of the SBA Form 3507 does not result in automatic enrollment in the PPP. SBA and the Treasury Department will evaluate each application from a non-bank or non-insured depository institution lender and determine whether the applicant has the necessary qualifications to process, close, disburse, and service PPP loans made with SBA’s guarantee. SBA may request additional information from the applicant before making a determination.”

From the standpoint of BSA compliance, the Interim Rule provides that entities not presently subject to the requirements of the BSA should establish an anti-money laundering (“AML”) program equivalent to that of a comparable federally regulated financial institution. This step should be taken prior to engaging in PPP lending activities, whether this involves accepting applications for PPP loans from new or existing customers eligible to borrower under the PPP. In the realm of managing money laundering risk, it is prudent that an AML program include a customer identification program (“CIP”), which governs the identification and verification of PPP applicants based on date of birth, address, and taxpayer identification number. For business applicants, beneficial ownership information collection and verification requirements should be followed, as discussed above.

Alternatively, if available, entities may rely on the CIP of a federally insured depository institution or federally insured credit union with an established CIP as part of its AML program. However, this documentation may vary based on business model, funding source, or partnership arrangement. It is advised that entities “understand the nature and purpose of their PPP customer relationships” and develop customer risk profiles accordingly. Also, in establishing a conforming program, it is expected that identifying and reporting suspicious activity to FinCEN should be developed as part of the program. The Interim Rule encourages entities that have questions with regard to meeting these requirements to contact the FinCEN Regulatory Support Section at [email protected].


Lenders have lined up to process PPP applications and, despite some SBA system hiccups along the way, successfully disbursed loan funds to struggling small businesses in support of the CARES Act. However, a significant amount of money is at stake with these disbursements and, unfortunately, big money can lead to big problems if controls are relaxed or left unchecked.

In extraordinary times like this, managing risk takes on new meaning. It is a must to ensure that PPP loan funds are appropriately disbursed to the small businesses that need the money to survive. Now is not the time to relax standards and controls so that needed funds can be rapidly and properly lent under the PPP. Rather, these are the moments that ultimately test the controls that make the greatest difference.

When the time for reflection comes, it must be asked “what will the reviewer find?” Lenders and the SBA need to work quickly to assist borrowers in rapidly accessing funds, but it needs to be fulfilled in a manner that is compliant with both the explicit requirements of the PPP—as well as with other regulatory requirements that the guidance indicates continue to apply to loans made under the program. Stay the course and be true to the controls and standards established to ensure that loans are being made to honest Americans in their time of greatest need.


DISCLAIMER: The information and views set forth in this Wolters Kluwer Financial Services’ communication are general in nature and are not intended as legal or professional advice. Although based on the law and information available as of the date of publication, general assumptions have been made by Wolters Kluwer Financial Services that may not take into account potentially important considerations to specific businesses. Therefore, the views and information presented in this Wolters Kluwer Financial Services’ communication may not be appropriate for you. Readers must also independently analyze and consider the consequences of subsequent developments and/or other events. Readers must always make their own determinations in light of their specific circumstances.

Thomas Grundy
Senior Director, U. S. Advisory Services
With over 33 years of experience Thomas leverages his experience advising compliance and risk management executives on solutions to effectively manage risk in a complex and rapidly changing regulatory environment.