(Published in Dodd Frank Update, June 2020 cover story)
The Paycheck Protection Program (PPP) has put banks and lenders in the spotlight since it launched – for the right reasons and sometimes, the wrong ones.
Banks and lenders rightfully have received credit for the work they have done to stand up teams to work with the Small Business Administration (SBA) and process millions of small business loans for clients. Stories of staff being redirected to work on PPP loans are numerous, with officers working 24/7 shifts to process loans and help keep businesses afloat and workers employed.
But there has been the downside, too.
Technology problems with SBA’s platform left many small business customers on the outside looking in – particularly during the first phase of funding – and that led to public calls that they would leave their bank or lender for a competitor. Even if there wasn’t anything the bank or lender could do about it.
Legislators and the public shamed public companies who applied for PPP loans into giving them back, even though they rightly qualified for them according to the original guidance. The focus then shifted to the banks and lenders who facilitated the loans, the scrutiny cast on why the lenders would do it.
There were charges of favoritism of clients, particularly among big banks, in the first round of funding – even though anti-money laundering (AML) and Bank Secrecy Act (BSA) provisions in the guidance from SBA and Treasury meant lenders could process customers they knew more quickly than customers which they did not.
Finally, there are regulatory inquiries and Justice Department subpoenas to look into lenders’ files for potential fraudulent activity. And although to date, the focus of those investigations has been on the borrower and their certification rather than the lender, the potential for investigation into other politically charged accusations exists.
“That all has been very challenging,” Independent Community Bankers of America Executive Vice President of Congressional Relations Paul Merski told Dodd Frank Update. “I’m amazed to see how many took on the challenge, despite all the uncertainty, the unclear guidance and the changing guidance.”
Could it have been prevented? Is there a way to gauge reputational risk in these situations, to help protect banks and lenders from potential losses on the back end of programs such as PPP?
To find the answers, we began by talking with Merski about some of the risks, including the conversation that lenders are just starting to get to about borrower certifications and loan forgiveness.
“One macro point is that every borrower coming in assumes this is a grant, but the rules are pretty clear on what is constituted a loan to be forgiven and what doesn’t,” Merski said. “The bank has to be the one to break that news to the borrower, too, should they not use at least 75 percent for payroll. You really had to make that certification as a borrower that you needed this money and you use at least 75 percent of it for payroll as a condition for forgiveness. That’s going to come up in a few weeks as banks determine the grants to be forgiven.”
It’s another situation in which banks could be held responsible by the borrower for being told the loan would be forgiven when they applied when, in fact, it might not be, as SBA and Treasury guidance changed the goalposts after the program launched.
“Banks are taking on a lot of risk there, and that’s why the 100 percent guarantee is there,” Merski said. “We’ll see how well that holds up.”
Among the debates that have come up along PPP in May was the eight-week period of time, beginning when the loan was disbursed, that borrowers would have to spend the funds. As the pandemic took hold, the view that two months would be enough to get through began to be questioned.
“Everyone thought this was going to be a short month or so period where people shuttered and shut down and then everything would open up. It turns out to be much longer,” Merski said, “and the economic damage is greater than when Congress first was contemplating the CARES Act.”
As SBA has been slow to issue guidance around certifications and forgiveness, more questions have arisen. The agency finally issued guidance around borrower certifications, providing a safe harbor for loans under $2 million to be considered made in good faith. But loans above that amount are still subject to scrutiny. And when SBA finally released the loan forgiveness application, without guidance around its terms, Treasury Secretary Steve Mnuchin told the Senate Banking Committee that they thought the form itself resolved all the major questions on forgiveness.
“There are a lot of challenges lenders are going to face,” Merski said. “There’s very strong language in the guidance about borrower certification, and that’s what the lender was to rely on. That should give them pretty strong protections. There was a lawsuit early on, with someone suing and saying that they didn’t get a loan because the bank was prioritizing customers, and the judge threw that out, so that would be a good precedent for other complaints. But there will be a lot of legal activity going on.”
To examine the way banks and lenders can and should look at reputational risk in starting new programs such as PPP, we talked with Wolters Kluwer Advisory Services Senior Director Tom Grundy.
“Think of it this way – an institution’s reputation is affected by all matters of risk management. The decisions made with respect to how an institution manages other categories of risk impact the company’s reputation,” he said. “If you pull reputational risk out and attempt to quantitatively and qualitatively analyze it in isolation, it’s almost impossible to do that.
“Reputational risk is, in large part, a byproduct of other types of risk. Operational risk is a great example of a separate area of risk focus. Regulators look at operation risk management as a scoring factor when determining quality of reputation risk management.”
Grundy recently authored a whitepaper on PPP and BSA compliance which said as the program launched during the crisis, and with a surge of applications, BSA concerns spanned the spectrum from doing too little verification to doing too much and potentially slowing the process of approving these vital loans.
He said the idea of the BSA risk within the program should drive lenders to think about the impact on the institution’s overall reputational risk.
“If you think about reputational risk and PPP, and you mess up the anti-money laundering piece, ultimately in time, that’s going to come out in the wash,” he explained. “Now you’ve got potentially bad loans on the books, and you may have actually financed bad actors. You have to think about reputational risk and where you stand overall in terms of your reputation.”
So an examination of reputational risk really begins with an examination of the company’s risk management profile. And Grundy said it starts with the basics.
“And the basics are, risk assessment at the business level and conducted at the second line of defense to gather critical detail. That ultimately helps upper management and the board form the foundation for establishing the enterprise risk appetite,” he said. “If you don’t do that basic work, you won’t know where you stand at any time with respect to relevancy of your risk and control environment tracking.”
The next focus is the control environment, and how the first and second lines of defense work together. The business level is closest to – and knows – the processes, people and controls, and the second line takes that information to the formalized level for use by enterprise risk, compliance risk, AML risk and such.
All of those activities help inform and maintain the status of the institution’s risk profile, Grundy said.
“Ultimately it’s the risk governance framework that supports the tolerances stated in the risk appetite statement that guides the board in setting the tone at the top,” he said. “In 2014, the OCC published its standards for heightened expectations, emphasizing the practice of the board setting expectations based on a defined risk appetite and holding management accountable for decisions made within or outside of tolerance. These standards, while applicable to larger financial institutions subject to OCC oversight, provide a lesson for risk management.
“They put a tremendous emphasis on accountability. If you are a business unit manager in a bank, you have to answer to the board for the decisions you make. You have to be in the zone of risk tolerance. If you make a decision that breaches it, you’ve got to explain yourself. To me, this brings it back to the basics of risk assessment, risk appetite, setting the culture based on that appetite through communicating the tone from the top and ultimately holding people accountable.”
Discussions about reputational risk don’t simply start as such, though. Because reputational risk is looked at through the lens of other risk factors, often that conversation comes up when discussing the risks of new initiatives, ventures or products.
“Every industry is constantly looking at new initiatives. Banks think about fintech and market share, how to gain the attention of millennials. Managing reputation risk is an ongoing effort and reveals itself in the course of day-to-day conversations with the business,” Grundy said. “Often the conversations that wind up focusing on managing reputation risk happen in context of tackling any number of assorted risks. Identifying reputation risk often is an organic process.”
There are lessons from inside and outside the financial services industry of companies which have found reputational risk that they did not expect. Whether that’s Tylenol tainted aspirin in the 1980s or a data breach from a major retailer or online company today, there are events which happen that risk compliance officers could not have seen coming.
Or could they?
“When you think about risk management and the job of risk managers, you’re supposed to imagine the ‘what if?’ or ‘what could happen?’” Grundy said. “If you think about the times in which we’re living, could we have imagined the impact of the pandemic? Sure, the government published guidelines on pandemic response and updated them recently. The industry accepts the guidelines from the regulators, writes policy, puts it in a manual, and may hold training on it.”
Imagining a scenario in which a pandemic can happen is one thing, but being able to gauge the risk to the business, and to its reputation, is harder to proactively comprehend.
“I think the things we should try to take away from reputation destroying headlines, and even what the world is going through with the pandemic, is that you can never fully imagine the impact of the potential risk,” Grundy said. “As risk managers, the goal should be that just when you think you thought it through, keep going.”
The question, and ultimate challenge, he said, is whether you can effectively plan and prepare for something that’s unimaginable.
“Whether it is managing information privacy or planning for the impact of a pandemic what was previously unimaginable surfaces as the lessons we learn,” Grundy said.
And as companies increasing rely on third-party service providers, and their service providers, Grundy said third-party risk, fourth-party risk and even fifth-party risk should be a consideration.
“There are so many possibilities and situations where fraud and control weaknesses factor into the equation, yet the more you contract work out, the greater the risk,” he said. “The job of the risk manager is to try and imagine this.”