The Justice Department has brought charges against at least 82 individuals in 56 cases for Paycheck Protection Program (PPP) fraud in the six months since the Small Business Administration began disbursing these taxpayer-backed pandemic relief loans through banks and other lending institutions. A Project On Government Oversight (POGO) review of court records filed in that period found the fraud cases to date involve a total of a quarter of a billion dollars meant to help small businesses keep paying employees during the coronavirus-induced economic crisis. And these cases are likely just the beginning.
The alleged fraudsters used the money to buy Lamborghini sports cars, go to strip clubs, take gambling trips to Las Vegas, invest money in a cryptocurrency account, make risky stock market bets, purchase a 40-foot yacht and a $1 million rowhouse in Washington, DC, and other expenses not allowed by law, according to the Justice Department.
POGO’s analysis of the first 56 Paycheck Protection Program fraud cases found that in at least
- 50 of the cases, accused individuals allegedly falsified payroll documents to justify either getting a loan or getting a bigger loan than they were eligible for;
- 44 of the cases, accused individuals allegedly created fake tax documents used for verifying details in loan applications;
- 18 of the cases, accused individuals allegedly created bogus companies to get loans;
- 17 of the cases, accused individuals allegedly used defunct companies to get loans; and
- 5 of the cases, accused individuals allegedly falsified ownership of existing legitimate businesses.
The charged individuals sought a total of around $250 million in loans, though in some cases they either did not obtain loans or did not obtain the full amount they sought. Slightly less than half of that amount—$113 million—was successfully obtained by the individuals accused of fraud. In other words, lenders and the Small Business Administration did not stop the alleged fraud in these instances.
Want more content like this?
Get a roundup of POGO's latest work and announcements. Delivered Saturday mornings.
POGO was able to identify the lenders that approved most of those loans, 97 in total, using court records and Small Business Administration data. Nearly half of those approved loans (48 out of 97) involved in these alleged schemes involved seven financial technology, or “fintech,” companies, and banks working closely with fintech companies. This percentage may change as more cases are brought by federal law enforcement and as more information publicly emerges. Those seven fintech companies and banks processed 13% of the 5.2 million PPP loans.
Fintech is a loose term, encompassing a wide variety of financial services powered by technology. Some fintech companies operate outside of the banking industry, others work closely with financial institutions, and increasingly fintech companies themselves lend to businesses and individuals. The Small Business Administration approved a number of fintech companies—including PayPal and Square, which makes credit card readers that work through smartphones—to help process loans for the relief program. A Small Business Administration spokesperson told POGO that “SBA broadly defines fintech lenders as nonbank institutions. SBA cannot comment on individual lender operations or if fintechs partnered with certain banks” and “we can’t comment on individual lenders.”
The top two lenders who approved most of the allegedly fraudulent PPP loans are both banks that worked closely with fintechs, according to their own websites. Cross River Bank processed 15 allegedly fraudulently obtained PPP loans and Celtic Bank Corporation processed 15. Neither Cross River nor Celtic Bank responded to a request for comment.
That so many allegedly fraudulent loans were processed by fintech companies is an indication “that these fintechs weren’t doing what they needed to do,” said Gary Kalman, director of Transparency International’s U.S. office. Yesterday, Bloomberg published a story that similarly found that alleged "PPP scammers made fintech companies their lenders of choice."
According to a recent lobbying disclosure from Cross River, the bank supports legislation that would give lenders legal immunity from any accountability for fraud as long as they relied on the information loan applicants submitted. The Paycheck Protection Small Business Forgiveness Act has amassed support from at least 31 senators and 114 representatives from both parties.
A fintech insider told POGO their company processed Paycheck Protection Program loans at a blistering rate and with less due diligence than it would normally exercise if its own funds, rather than taxpayer dollars, were on the line.
Some fintech lenders have touted the speed of their PPP loan processing and approval.
The Paycheck Protection Program’s design and lack of sufficient safeguards made it vulnerable to fraud. “A high school student could do this,” the insider told POGO. “It’s too easy.”
Indeed, while the alleged fraud schemes POGO reviewed run the gamut, together they show that the government and lenders did too little upfront to prevent fraudsters from siphoning off this critical financial lifeline for struggling small businesses. POGO spoke with government and banking insiders and reviewed watchdog reports that paint a disturbing picture of how flimsy and often minimal oversight enabled what amounts to a litany of financial heists.
The House of Representatives’ select subcommittee on the coronavirus recently found that “a lack of oversight and accountability from the Treasury Department and Small Business Administration (SBA) may have led to billions of dollars being diverted to fraud, waste, and abuse, rather than reaching small businesses truly in need.”
As Congress considers new legislation that may offer further economic relief and may expand access to the untapped $130 billion left in the $660 billion Paycheck Protection Program, POGO’s findings may inform some ways to address oversight weaknesses in the system.
A Fraud Free-for-All
POGO identified several eye-popping alleged fraud schemes that highlight a number of trends in how people appear to have taken advantage of lax oversight and internal controls in the Paycheck Protection Program.
Early in the pandemic, New York City business owner Muge Ma sought over $20 million in pandemic relief for his two companies, according to the Justice Department. Ma ultimately received an $800,000 Paycheck Protection Program loan and over $650,000 through the Small Business Administration’s Economic Injury Disaster Loan program. According to the criminal complaint, Ma submitted five Paycheck Protection Program applications over the course of three weeks, in which he claimed to employ hundreds of people at New York International Capital, or NYIC, and Hurley Human Resources, the company that received the PPP loan.
Federal prosecutors accused Ma of submitting fraudulent tax documents, bank records, and payroll records.
According to investigators, a website for NYIC described the company as a “patriotic American cloud-based Management Consulting Firm,” adding that, “NYIC has the unique ability to deploy hundreds of brilliant, hard-working & passionate young professionals.” A website for Hurley HR described the company as “a global human resources consulting firm,” according to the Justice Department.
The Justice Department alleges that Ma—who also goes by “Hummer Mars”—was in fact NYIC’s sole employee, and that Hurley has no employees. Lenders flagged four of his five applications for potential fraud, according to the Justice Department.
The Justice Department alleges that at the same time Ma was submitting fraudulent loan applications, he was also falsely representing NYIC to companies abroad as working on behalf of the New York state government to procure COVID-19 test kits and personal protective equipment. In an email to a Canadian manufacturer of test kits, someone identifying themselves as an NYIC employee claimed NYIC was an investment bank “representing New York state Government and the Governor of New York,” adding, “your prompt response will be greatly appreciated because we are literally saving lives.” According to the Justice Department, Ma’s companies had no involvement in procuring test kits or protective equipment.
COVID-19 Relief Spending Tracker
Find out where $1.6 trillion of the $2.9 trillion in total government spending has gone so far.Explore our tracker
An attorney for Ma did not respond to a request for comment.
In one of the most complex cases to date, a Florida talent-management company owner named Phillip J. Augustin is accused of conspiring with at least 10 other people, including NFL player Joshua Bellamy, to defraud the Paycheck Protection Program. According to the Justice Department, those involved in the scheme sought over $24 million in loans and ultimately obtained at least $17.4 million. Indictments in the scheme have rolled in over recent months.
According to criminal complaints and affidavits in the case, a confidential source confessed to federal law enforcement to having forged payroll numbers and tax documents for loan applicants in the scheme. According to the criminal complaint filed against Augustin and his co-conspirators, approximately 42 of at least 90 fraudulent loan applications were ultimately approved and funded. Numerous applications allegedly used “near-replicas of the same falsified bank statements.”
In addition to recruiting several applicants “using his network of business contacts from his work as a manager for professional football players,” the Justice Department alleges Augustin created a formula for his co-conspirators to receive “kickbacks” for referring additional people to the scheme.
According to a criminal complaint filed by the IRS, Bellamy—who until recently played for the New York Jets—received a $1.2 million Paycheck Protection Program loan for his company, Drip Entertainment, in May 2020. According to the complaint, Drip Entertainment is inactive, having been dissolved in September 2019. Per the IRS complaint, Bellamy’s application matched the pattern of forgery created by the confidential source, and included falsified payroll numbers and tax documentation.
In the course of the investigation, an undercover agent posing as someone associated with the scheme called Bellamy, who was apparently seeking to have his loan forgiven. When asked what he was using the loan money for, he responded that he was “buying stuff,” as well as wiring and withdrawing funds.
According to the Justice Department, Bellamy spent over $62,000 of the loan money at the Seminole Hard Rock Hotel and Casino in Florida, and over $104,000 on high-end jewelry and at retailers Gucci and Dior.
Attorneys for Bellamy and Augustin did not respond to a request for comment.
In a separate scheme, Darrell Thomas, owner of Georgia-based Bellator Phront Group, is alleged to have conspired with four other business owners, fraudulently obtaining a total of over $4 million in Paycheck Protection Program loans. According to the Justice Department, Thomas and his co-conspirators forged payroll numbers and tax documents for five companies.
The Justice Department alleges that Thomas, who faces 28 of the 30 charges filed in the case, was the main perpetrator of the scheme. Along with a co-conspirator, Thomas forged most of the documents that supplemented the loan applications, according to the Justice Department. Four of the five companies, the Justice Department found, had the same forged payroll numbers for every quarter of 2019, a red flag for fraud.
None of the companies appears to have used the loans for their intended purpose of keeping employees on payroll. After the loans came in, Thomas and three others in the scheme transferred the majority of the funds into a single account, the Justice Department alleges. Thomas used some of his portion of the funds to purchase a Mercedes and a Range Rover, valued at over $125,000 apiece, according to the Justice Department.
Thomas’s attorney did not respond to a request for comment.
Three of the five loans in this scheme were approved by Cross River Bank, a small lender headquartered in Fort Lee, New Jersey.
Cross River and some other banks have formed close alliances with fintech companies. As a 2019 Forbes exposé on Cross River noted, “Once you get beyond the slick iPhone apps and inflated tales of big-data mining and AI-generated lending decisions, you realize that many fintechs are nothing more than aggressive lending outfits for little-known FDIC-insured banks.” (FDIC is the Federal Deposit Insurance Corporation.)
Cross River, which is the 12th largest Paycheck Protection Program lender by total dollars loaned, “partnered with over 30 leading technology companies, including BlueVine, Divvy, Gusto, Intuit, Veem, Kabbage and others,” according to a press release. The bank has been hailed as particularly successful in reaching smaller PPP borrowers, with an average loan size far smaller than any of the other top 15 lenders for the program.
Speed has been a selling point. At the outset of the program, fintech company GlossGenius, which partnered with Cross River Bank, advertised the bank as “processing and funding these [PPP] loans within days (as opposed to weeks, like many other banks).” Divvy, another fintech partner of Cross River, announced that “in the first five hours of accepting applications, Divvy processed over $800 million of loan requests.”
“Since the PPP program is first come, first serve, we knew we’d need a banking partner who could process lots of loans quickly, without applications getting stuck. And CRB [Cross River Bank] has done just that,” Divvy’s senior vice president said in a press release.
However, clients of the bank appear to be disproportionately charged with Paycheck Protection Program fraud. Cross River Bank processed 15 of the 97 approved loans where POGO was able to identify the lenders. POGO found that Cross River also approved at least six of the allegedly fraudulent loans in the scheme involving Augustin and Bellamy.
See additional noteworthy cases in the aside, “A Litany of Alleged Fraud,” below.
“Vulnerable to Exploitation”
Given the scale of the Paycheck Protection Program, it was likely to be a magnet for fraudsters. In late March, as lockdowns swept the country and job losses mounted, Congress quickly passed the largest economic relief bill in the nation’s history. The $2.2 trillion Coronavirus Aid, Relief, and Economic Security (CARES) Act created a number of relief programs, one of the largest of which was the Paycheck Protection Program.
Just six days after the CARES Act became law, the Small Business Administration began approving Paycheck Protection Program loans, a breakneck pace for a government program of such vast scope. Until the program expired in early August, the Small Business Administration, supported by the Treasury Department, administered the program, through which small business owners could apply for loans up to $10 million. The government tapped banks and other financial institutions, such as fintech companies, to handle approving and issuing these taxpayer-backed loans to eligible applicants. The loans can be forgiven in full if recipients meet certain conditions in how they use the funds.
In an illustration of the massive program’s hasty implementation, the Small Business Administration issued and then repeatedly revised guidance over the program’s first months, confusing and frustrating many business owners. The agency had not issued key congressionally mandated guidance even months into the program, including federal directives to lenders on prioritizing small businesses, especially those owned by women, minorities, and veterans—such businesses often find it harder to access capital and navigate the banking system than bigger companies.
The agency’s watchdog remarked that the value of Paycheck Protection Program loans issued between April 3 and May 6 was “an amount representing more than 20 times the largest year in SBA’s history in just 33 days.” In another report, the inspector general wrote that “increased loan volume, loan amounts, and expedited loan processing timeframes may make it more difficult for SBA to identify red flags in loan applications.”
To streamline the loan approval process, the program allowed loan applicants to self-certify that their needs were real. But, as the Government Accountability Office wrote in June, “reliance on applicant self-certifications can leave a program vulnerable to exploitation by those who wish to circumvent eligibility requirements or pursue criminal activities.”
As has become clear, many took advantage.
POGO’s review of the ways alleged fraudsters gamed the system could inform the ongoing debates in Congress and the Trump administration regarding pandemic relief oversight; whether to expand or narrow eligibility if the Paycheck Protection Program is extended; whether to automatically forgive loans of $150,000 or less; whether to release the identities of recipients of loans in that size category; and other issues that could affect current and future coronavirus relief programs.
There will likely be many more prosecutions of Paycheck Protection Program fraud. In July, banks filed nearly seven times the average monthly number of suspicious activity reports involving business loans to the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), according to data analyzed by POGO. In August, those reports further spiked to nearly 14 times the monthly average, according to a Bloomberg analysis.
While the prosecutions are an important check on abuse of the program, law enforcement efforts to track down, prosecute, and recover fraudulently obtained funds can themselves cost a significant sum to taxpayers and can be a far less cost-effective means of oversight than preventative measures. And many instances of fraud may go undetected, may not be worth prosecuting, or may pose other challenges precluding criminal prosecution, although the federal government can also pursue civil or administrative remedies.
Federal audits of loan recipients will also likely identify more recipients who were ineligible or who did not use the funds as intended. Treasury Secretary Steven Mnuchin pledged to audit all loans over $2 million. These audits likely will uncover additional evidence of fraud, which should be referred to the Office of Inspector General. Hannibal “Mike” Ware, the Small Business Administration’s inspector general, said his office’s oversight efforts of SBA’s pandemic response will take years. The first several dozen cases filed by the Justice Department are “the smallest, tiniest piece of the tip of the iceberg,” he told the New York Times.
While a White House report states that the Paycheck Protection Program helped “stabilize labor markets and facilitate recovery” and “surely contributed to the estimate that 80.6 percent of layoffs are likely to be temporary rather than permanent,” the report notes that, as of mid-August, “there has not yet been any direct reporting by recipients of response funds on job retention and creation.” Fraud will make it more challenging to figure out how many jobs were truly created or retained as some recipients may continue to lie to the government. And money diverted by fraud can erode the program’s effectiveness.
However, excessive fraud prevention before money went out the door could have impeded the goals of the program too. As Bharat Ramamurti, a member of the COVID-19 Congressional Oversight Commission, said on a recent podcast on the PPP, “there is a trade-off between efficiency, inclusiveness, and potential fraud. Now, you can solve the fraud on the back end by identifying cases of it and bringing enforcement actions to cut down on that or to hold people accountable. And I’m all for that.”
“But I find that what happens more often than not in government is that this idea that ‘the most important thing is making sure that people who don’t deserve the money don’t get it’ leads to all sorts of terrible policy designs and outcomes that have much greater harm than, you know, some small group of people getting money that we think aren’t deserving,” he said.
“Huge Moral Hazard”
An insider at one of America’s top fintech institutions, who requested anonymity out of fear of retaliation, revealed to POGO that detecting fraud by many applicants for Paycheck Protection Program loans took a backseat to moving the taxpayer-funded loans out the door as quickly as possible.
“There’s huge moral hazard,” the insider told POGO. “All the lenders are getting a percentage of the processing fee for each loan approved, and the government is backing the loans.”
Lenders might have to forfeit fees if the Small Business Administration later determines a borrower should not have received a loan, but some experts say lenders that stick to the rules have a good chance of keeping their cut.
“I think the banks are pretty much operating on the basis of as long as they acted in good faith, they’ll be okay,” Jeffrey Scheer, an attorney for small and mid-sized businesses, told the Miami Herald.
But there are signs that federal law enforcement is scrutinizing financial institutions, and lenders that cut more corners than most of their peers have a greater chance of facing legal repercussions. In mid-May, big Wall Street banks processing Paycheck Protection Program loans got hit with grand jury subpoenas, with an unnamed source telling Reuters, “There are concerns that there will be a boomerang effect six months down the road on banks that they didn’t do enough.”
Public and press scrutiny—which can ultimately help law enforcement detect fraud—of loan recipients under $150,000 has been stymied because the administration has not released their identities. The treasury secretary has proposed blanket forgiveness for smaller PPP loans, albeit potentially with measures to combat fraud and other protections. That proposal dovetails with lobbying by some lenders for forgiving PPP loans of $150,000 or less, which have been the specialty of fintech lenders. According to recent lobbying disclosures, Cross River Bank and PayPal have been among those lobbying Congress to implement the proposal. Cross River’s lobbying disclosures note that the bill “prohibits any enforcement or other action against a lender relating to loan origination, forgiveness, or guarantee based on the lender’s reliance on certifications or documentation submitted by a loan applicant or recipient.”
The financial institution where POGO’s source works, which had not processed Small Business Administration loans prior to the coronavirus relief program, approved over $1 billion in Paycheck Protection Program loans. The Small Business Administration pays banks up to a 5% processing fee for Paycheck Protection Program loans under $350,000; up to 3% for loans between $350,000 and $2 million; and up to 1% for loans between $2 million and $10 million. Researchers at the University of Massachusetts-Amherst recently wrote that “a reasonable estimate of the total bank haul on the $565 billion disbursed in PPP awards as of June 30 is $19 billion.” (The program continued until August 8.)
They wrote that the $19 billion is a “tidy profit for zero-risk lending.”
“There’s not much incentive to do oversight,” the insider similarly told POGO. “The incentives are to just get the money out and that’s what we did.”
Because the information the source shared with POGO is known only by a handful of people at their financial institution, the source asked POGO to withhold the company’s name. POGO confirmed that the source works at the financial institution.
According to the Government Accountability Office, one factor enabling the fraud is that the “SBA required minimal loan underwriting from lenders—limited to actions such as confirming receipt of borrower certifications and supporting payroll documentation—leaving the program more susceptible to fraudulent applications.” The agency did so to ease small businesses’ access to loans, yet that empowered bad actors seeking easy money.
One of the few requirements to obtain a PPP loan is a copy of a business’s 2019 tax return. But because the IRS pushed back this year’s tax filing deadline by three months to mid-July—just weeks before the Paycheck Protection Program expired—POGO’s fintech source says his company could not verify many tax returns. In those instances, lenders could not even check with the IRS to verify that the tax information was accurate.
Further, the fintech insider told POGO, the Small Business Administration did not require lenders to verify tax information even if the applicant said they had filed their 2019 tax returns.
Because it was not required and lenders were under pressure to move the loans quickly, the insider told POGO, “I would be surprised if any lender had required” applicants to fill out a form authorizing the lender to verify tax return information. A Treasury Department frequently asked questions document on the Paycheck Protection Program says a loan applicant only had to “affirm that the tax documents are identical to those you submitted to the IRS”—that is, the program relied on applicants to certify the accuracy of their own information.
In contrast, the Small Business Administration’s Economic Injury Disaster Loan program requires applicants fill out the form giving the agency authorization to check tax information with the IRS.
The fintech insider said it would have made sense for the Small Business Administration to have required 2018 tax documents for entities claiming to exist prior to 2019 that had not submitted their 2019 tax returns to the IRS. Similarly, the Small Business Administration could have required more documentation for newer entities that also had not filed their 2019 tax returns. The agency’s standard loan program for small businesses, known as 7(a), requires two years of tax return information, according to a comparison of Small Business Administration programs produced by Kapitus, a small business financing company.
POGO’s review shows that in over two-thirds of the 56 fraud cases, the alleged scheme involved falsified tax records.
The fintech insider’s company encountered hundreds of loan applications that contained duplicate tax returns where just the names and a few other things were changed, which are indicators of fraud.
“Management must know,” the source said of their company.
Some lenders appear to be conducting less due diligence than others. A recent McClatchy investigation with the Anti-Corruption Data Collective found more than 75 suspect loans and that about 20% of those suspect loans had been approved by fintech company Kabbage. Kabbage stated in a press release that “over 75% of all applications were processed without human intervention or manual review” and that it took a median time of four hours to approve loans. Out of the 96 approved loans where the Justice Department alleges fraud and where POGO was able to identify the lenders, Kabbage, Inc. loaned out six, the fourth highest of any lender to date.
A Kabbage spokesperson told POGO that it can’t discuss pending litigation. “Kabbage strictly adheres to industry-standard AML [anti-money laundering] and KYC [know your customer] protocols and the Bank Secrecy Act, including rigorous verification checks using data and technology which go beyond SBA’s validation requirements. Further authentication analyses are made after approval, before fund disbursement and even post disbursement,” the spokesperson emailed.
“These strict measures and use of automation allowed Kabbage to process applications for nearly 300,000 of America’s smallest and marginalized businesses who had difficulty applying through other institutions, helping preserve an estimated 945,000 U.S. jobs,” the spokesperson wrote.
Similarly, there are numerous anecdotal accounts online of applicants having their Paycheck Protection Program loans processed and funded in less than 48 hours, sometimes less than 24 hours, by Paypal and its lending partner, WebBank. PayPal and WebBank did not respond to a request for comment.
In contrast, Transparency International’s Kalman told POGO that banks have said performing enough due diligence to meet anti-money-laundering legal requirements, which are meant to reduce fraud and detect other crimes, typically take about three to five days of work. It’s more harmful “if money is stolen than if money is delayed by a few days,” Kalman told POGO.
Low-risk loans can be processed quickly, “although 24 hours seems a bit tight,” Kalman said. “Zero human interaction is more troubling,” he added, “for a new company or one you don’t know, I would think you’d at least want to do a quick Google search.”
A major criticism of the Paycheck Protection Program is the challenge many small businesses, often those minority-owned, had in obtaining these loans. House Republicans have said anti-money laundering requirements (AML) are largely to blame. Since lenders had to conduct additional due diligence with new customers that often are minority-owned, but not with existing customers, this created a disparity in how fast PPP applicants were processed, Republican lawmakers have written. “The banks confirmed that the requirement to collect and verify Bank Secrecy Act information from new customers allowed applications from existing clients to move through the process faster,” wrote Representative Steve Scalise (R-LA), ranking member of the House Select Subcommittee on the Coronavirus Crisis, in July. Similarly, Republicans on the subcommittee wrote in September that “Banks are particularly concerned with the BSA/AML risks of new small business clients because small businesses are more likely than medium and large businesses to be used as shell companies for money laundering.”
But that doesn’t explain the findings of the National Community Reinvestment Coalition that found disparate treatment by banks for PPP loans when “Black and White applicants with similar credit characteristics applied to a lender in the same time period.” Their study found “in 27 out of 63 (43%) tests that there was a difference in treatment with the White tester receiving more favorable treatment as compared to the Black tester in the small business pre-application arena.”
“There is a structural flaw in this program. It uses banks as middlemen. Any time you create a big program and give banks the ability to choose which customers it prioritizes, you’re going to have disparities,” Mehrsa Baradaran, a law professor at the University of California, Irvine, told NBC News.
Some fintechs seem to have zeroed in on businesses left behind by traditional banks, but then processed their loan applications at speeds that seem to suggest they conducted less due diligence than needed.
At least in terms of fraud, the root of the problems, according to POGO’s fintech source, lies not with the source’s company or other private sector-lenders.
“My biggest issue is the program design was very rushed, poorly done,” the source said. The source was troubled by the administration’s refusal to release the identities of those who received Paycheck Protection Program loans under $150,000 and the proposal to forgive all of those loans. The source said it appeared that financial institutions and the government want to conceal the massive misdirection of taxpayer-backed loans.
“There’s no incentive to reveal that this federal program has led to billions of dollars in fraud,” the fintech insider said. “A lot of people have made a lot of money.”
POGO has clarified that SBA and the Treasury Department will be conducting audits of PPP loans, not the SBA inspector general's office.