Red Flags: The First Year of COVID-19 Loan Fraud Cases

More than a year after the pandemic brought much of the economy to a standstill, mounting fraud cases underscore how the Small Business Administration’s (SBA) oversight of its massive taxpayer-backed lending programs proved to be inadequate as they became magnets for fraudsters.

The Justice Department has brought criminal charges against at least 209 individuals in 119 cases related to Paycheck Protection Program (PPP) fraud since banks and other lenders began processing loan applications on behalf of the Small Business Administration on April 3, 2020. And these cases are just the beginning.

A Project On Government Oversight (POGO) review of court filings up to April 2, 2021, found that the charged individuals allegedly sought a total of nearly $445 million in Paycheck Protection Program loans. (In late March, the Justice Department told Congress that it had “charged $446.8 million in losses related to PPP.” Some of these cases may still be under seal and charges are routinely being unsealed.) More than half of that amount—$246 million—actually went to accused fraudsters. In other words, lenders and the Small Business Administration did not prevent the alleged fraud in these instances before taxpayer dollars went out the door.

Created under the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the Paycheck Protection Program has lent out $755 billion to businesses as of April 11. Congress also authorized the Small Business Administration’s existing Economic Injury Disaster Loan (EIDL) program to lend in response to the pandemic, and nearly $202 billion in loans through that program have been approved as of April 1.

At least one Small Business Administration employee allegedly took bribes last year to process fraudulent Economic Injury Disaster loans, according to criminal charges recently unveiled by the Justice Department related to the developing scandal involving Representative Matt Gaetz (R-FL).

Both programs lacked basic anti-fraud safeguards and the Small Business Administration exercised insufficient oversight, according to the agency’s watchdog, the Government Accountability Office, and congressional committees that have investigated the programs.

The number of potentially questionable loans approved through these programs is vast, as will be the task of determining how many of those loans were fraudulent or otherwise improper. An internal analysis last fall by the Small Business Administration identified “over 2 million approved PPP loan guarantees” worth some $189 billion that were “potentially” not in compliance with the law, though it may turn out that many of those loans were not fraudulent.

The Justice Department has accused numerous defendants of using Paycheck Protection Program loans for unlawful purposes, such as purchasing private planes, sports cars, and taking pricey trips to Las Vegas casinos.

POGO’s analysis of the first full year’s worth of Paycheck Protection Program fraud cases found that in at least:

• 107 of the cases, accused individuals allegedly falsified payroll documentation to justify either getting a loan or getting a bigger loan than they were eligible for;
• 93 of the cases, accused individuals allegedly created fake tax documents used for verifying details in loan applications;
• 41 of the cases, accused individuals allegedly created bogus companies to get loans;
• 28 of the cases, accused individuals allegedly used defunct companies to get loans;
• 20 of the cases, accused individuals used stolen identities or aliases while applying for loans;
• 12 of the cases, accused individuals allegedly falsified ownership of existing legitimate businesses;
• 28 of the cases, accused individuals also obtained Economic Injury Disaster loans (some of these individuals have been accused of fraudulently obtaining these loans as well).

Some of these cases involve multiple defendants. For instance, in one larger case, the Justice Department has charged 19 individuals to date. As of late March, the department has obtained 48 convictions.

Law enforcement insiders say many more pandemic loan fraud cases will be brought in the months and years ahead.

Meant to help small businesses keep workers on the payroll, the Paycheck Protection Program offers loans of up to $10 million that can be forgiven in full if recipients meet certain employee retention requirements. During the program’s first round, the Small Business Administration issued 5.2 million loans between April and August 2020. The program began issuing loans again in January 2021, and some businesses are eligible for a second loan.

The Economic Injury Disaster Loan program is longstanding, and until recently the Small Business Administration limited these loans to $150,000 (last month it raised the cap to $500,000). The loans have to be repaid with low interest. For much of 2020, the agency also issued grants of up to $10,000 under the program that do not have to be repaid by eligible recipients. The program has traditionally been used to help small businesses facing revenue loss in the wake of natural disasters. (Eligible companies and nonprofit organizations can apply for and receive both Paycheck Protection Program and Economic Injury Disaster loans.)

Brian Grossman, the Small Business Administration’s assistant inspector general for investigations, told POGO that as of March 10, 2021, the watchdog office had 91 active Paycheck Protection Program investigations and 121 active Economic Injury Disaster loan investigations.

Some investigations begin with complaints received through the watchdog’s hotline, and others come from referrals by federal agencies or state and local law enforcement.

Normally, the office of inspector general receives between 700 and 800 hotline complaints or tips a year. But in the year since the CARES Act became law, it has received nearly 150,000 hotline complaints, representing “a 19,500% increase over prior years,” according to a staff memo from the House Select Subcommittee on the Coronavirus Crisis.

Other government agencies also submit referrals of potential fraud to the office of inspector general, and suspicious activity reports come in through the financial industry by way of the Treasury Department. The Small Business Administration has sent 1.34 million referrals related to Economic Injury Disaster loans to its office of inspector general, which is tackling these and Paycheck Protection Program fraud cases in coordination with a host of other law enforcement agencies. As the lending programs ramped up last summer, there was a spike in suspicious activity reports from banks and other lenders flagging potential fraud.

The oversight failures of the last year have become increasingly clear, eventually leading to changes.

On January 11, in the final days of the Trump administration, the Small Business Administration began processing a new round of Paycheck Protection Program loans. Both the outgoing Trump administration and the Biden administration appear to have learned lessons from the fraud that occurred in 2020.

The Biden administration published a fact sheet on February 2 detailing new measures to prevent fraud in the program. “Unlike the previous round of the PPP, loan guaranty approval is now contingent on passing SBA fraud checks, Treasury’s Do Not Pay database, and public records,” the fact sheet states. “The SBA now also conducts manual loan reviews for the largest loans in the PPP portfolio and a random sampling of other loans.” Underscoring the tension between fraud prevention and disbursing assistance quickly, the added checks to verify information submitted by applicants have somewhat slowed the processing of loan applications.

But the government could have implemented these safeguards from the beginning, which may have prevented significant levels of apparent fraud in the program.

“There were additional steps that could have been undertaken … that would not have significantly slowed down—in our view in the oversight community—the delivery of funds to the public,” said Michael Horowitz, the Justice Department’s inspector general and chair of the Pandemic Response Accountability Committee, in testimony before Congress on March 25.

Indeed, on the day lenders began processing applications for Paycheck Protection Program loans last year, Small Business Administration Inspector General Hannibal “Mike” Ware issued a white paper outlining lessons learned from previous stimulus loan programs. He warned that “increased loan volume, loan amounts, and expedited loan processing timeframes may make it more difficult for SBA to identity red flags in loan applications.” The inspector general called for the agency to put in place “sufficient controls,” but the agency did not heed the watchdog’s warnings at that time.

It soon became apparent that the Economic Injury Disaster Loan program’s setup also made it particularly susceptible to fraud. Loans through that program were directly processed by the Small Business Administration, while in the Paycheck Protection Program, loans were primarily processed by banks and other lenders.

In July, the agency’s inspector general warned of “potentially rampant fraud” in the Economic Injury Disaster Loan program.

This March, the Government Accountability Office revealed that “4 months after SBA started using” a system to approve Economic Injury Disaster loans in batches, agency officials realized this system “contained alerts that should have been reviewed by loan officers,” but had not been.

Representative James Clyburn (D-SC), chair of the House Select Subcommittee on the Coronavirus Crisis, said in the March 25 hearing that the Trump administration “ignored flags of potential fraud” in the Economic Injury Disaster Loan program, and “approved loans in batches with little to no vetting and abandoned a rule that required two SBA employees to approve each loan application.”

While a year has passed since the CARES Act became law and there are more checks now, government watchdogs say the Small Business Administration’s oversight of the lending programs is still inadequate. This March, the Government Accountability Office added the Small Business Administration’s emergency loan programs for small businesses to its biennial high-risk list of executive branch programs vulnerable to “fraud, waste, abuse, and mismanagement, or that need transformation.”

In a nod to changes that have improved oversight, William Shear, the Government Accountability Office’s director of financial markets and community investment, testified on March 25 that, “Although SBA has taken some steps to mitigate fraud risks to PPP and EIDL, such as conducting PPP loan reviews and implementing new EIDL controls, the agency has not yet conducted a formal fraud risk assessment for either program.” The Small Business Administration last month agreed to conduct such a risk assessment.

Not all the blame can be placed at the Small Business Administration’s feet. The CARES Act precluded the agency from exercising one important check on fraud in the Economic Injury Disaster Loan program. Normally, the agency can require loan applicants to fill out a form allowing the agency to verify their tax information with the Internal Revenue Service. “The disaster loan program’s strongest internal control is the ability to receive directly from the IRS recent tax transcripts,” wrote James Rivera, head of the SBA’s Office of Disaster Assistance, last fall. But, he added, “the CARES Act removed that control,” calling it a “pivotal change.”

Congress reversed course when it passed a new law on December 27, which authorized more coronavirus loans. That new law “permitted SBA to require additional information from applicants, such as tax returns, for loans and advances as part of its verification,” according to Shear of the Government Accountability Office.

Since last October, when POGO published a report examining trends in Paycheck Protection Program loan fraud at the program’s six-month mark, several eye-popping cases of alleged fraud have emerged. These cases further highlight the ways individuals appear to have taken advantage of lax oversight in the program.

More due diligence on the part of lenders or the Small Business Administration could have prevented at least some instances of fraud, especially when applicants appear to have inflated or fabricated payroll expenses or used defunct or bogus companies to illicitly obtain loans. In addition to automated checks against existing government databases, lenders could have conducted online searches or called businesses neighboring a loan applicant to help establish whether the company seeking the loan is real or is the size it claims to be.

One case involves Dinesh Sah, a Dallas-area man, who obtained $17.3 million after having sought a $24.8 million loan. According to an indictment, Sah submitted at least 15 fraudulent applications on behalf of at least 10 companies. Two of the companies, Symbiont Retailers and Horizon Enterprises, were not in good standing before the Paycheck Protection Program began.

Sah submitted falsified tax and payroll documentation in which he claimed to have “numerous employees and hundreds of thousands of dollars in payroll expenses,” according to a Justice Department press release, but none of the businesses he sought loans for had any employees. POGO found that 11 of the 15 loans were funded. Seven of the approved loans were processed by Cross River Bank, a top Paycheck Protection Program lender that closely allied itself with financial technology firms. Sah, who pleaded guilty on March 24, used the funds to buy a Bentley convertible and multiple homes, among other things.

In one of the most complex cases to emerge since POGO’s original analysis, at least seven individuals were indicted in a scheme that allegedly involved over 80 applications seeking a total of $30 million in Paycheck Protection Program loans. Applicants fraudulently obtained at least $16 million, per the Justice Department. According to court records, Amir Aqeel and several others in the Houston area allegedly created fake tax and payroll documentation in exchange for large kickbacks for referring others into the scheme that involved 12 corporate entities. An indictment includes text and email messages involving creating tax records for some of the companies.

Aqeel and others in the scheme allegedly used loan funds to pay individuals they claimed were employees but were actually “fake employees,” according to a court filing. In email and text exchanges, defendants acknowledged that a number of the companies did no legitimate business, disqualifying them from receiving the loans. Aqeel used some of the proceeds to purchase a Lamborghini sports car, according to the Justice Department.

An attorney for Aqeel, Tommy T. Mingledorff, told POGO by email that “these allegations are denied. Mr. Aqeel asserts his presumption of innocence and demands the United States prove their allegations beyond a reasonable doubt.” Mingledorff also said, “The case is in the pretrial phase of litigation. We expect to go to trial because of the serious nature of this matter.”

In another case, a Virginia resident obtained over $2.5 million from the Paycheck Protection Program and used the funds to buy not only a luxury car but a private plane. According to the Justice Department, Didier Kindambu obtained two loans “by creating fraudulent payroll documentation for each business.”

Kindambu applied for two Paycheck Protection Program loans representing Papillon Holdings, Inc. and Papillon Air, Inc., according to court documents. To support his loan applications, Kindambu claimed that Papillon Holdings had $150,000 in monthly payroll expenses and that Papillon Air had over $850,000 in monthly payroll expenses. But according to the Justice Department, neither company paid anywhere near the purported amounts and “had few if any employees.” Kindambu pleaded guilty in January.

In a case that garnered national attention, the U.S. Secret Service seized over $8.4 million in Paycheck Protection Program funds from a seemingly bogus ministry in Orlando, Florida that had no apparent operations at its physical location and a website filled with generic language taken from other religious organizations. According to a court filing signed by a Secret Service agent, a family of four was behind a scheme to fraudulently obtain the loan money.

Joshua Edwards, the supposed vice president of ASLAN International Ministry, is accused of submitting fake payroll, tax, and financial documentation in support of the loan application. In certified submissions to the federal government, the family’s ministry claimed a substantial operation with 486 employees, a monthly payroll of over $2.76 million, and revenue exceeding $51 million in 2019.

First Home Bank approved the $8.4 million loan, among the less than 0.1% of Paycheck Protection Program loans this large or larger (the maximum is $10 million). To disguise the fraud, family members moved the proceeds through several bank accounts held in different names, according to the Justice Department. Allegedly, the family sought, ultimately unsuccessfully, to use the funds to purchase a $3.7 million mansion in Disney World’s Golden Oak gated community.

POGO was unable to reach Edwards before publication.

On March 30, the Justice Department unveiled new charges against Joel Greenberg, a former Florida tax collector. Buried within the court filing are allegations that Greenberg bribed an unnamed Small Business Administration insider to fraudulently obtain nearly $433,000 in Economic Injury Disaster loans. It’s the first public case of fraud in these pandemic loan programs attributed to corruption within the agency’s own ranks.

Greenberg’s insider was a loan officer who began working for the agency in May 2020. “The SBA Employee would and did use her access to the SBA’s computer systems and her access to EIDLs to manipulate the status of EIDLs to trigger the system to extend funding for EIDLs submitted for the benefit for Joel Micah Greenberg,” the indictment alleges.

That story of corruption inside SBA has been overshadowed by other criminal allegations against Greenberg, notably child sex trafficking charges, and a scandal that might bring down a member of Congress. Greenberg is a friend of Florida Republican Matt Gaetz, and both were identified in a recentNew York Times report as having allegedly paid women for sex, as well as potentially a 17-year-old girl. Gaetz has denied the allegations and Greenberg has pleaded not guilty, although Greenberg’s attorney and a prosecutor have said in court that he may be striking a plea deal soon.

The involvement of a Small Business Administration employee in a pandemic loan fraud case raises questions about the agency’s vetting of employees. And this is not the only case. An October inspector general report states that “SBA has fired employees and contractors who were involved in approving loans to themselves or who inappropriately influenced loan approval.” The Small Business Administration did not respond to questions, but a spokesperson for the agency’s inspector general told POGO that “we are aware of one employee and two contractors” who have been fired for these reasons. But even with an allegedly corrupt insider, a loan system with adequate checks should have prevented Greenberg’s loans from being approved.

The three Economic Injury Disaster loans Greenberg obtained should have triggered red flags galore. On applications for loans for two companies, Greenberg Media Group and DG3 Network, Greenberg allegedly lied about not being under indictment despite having been arrested by federal agents and charged just days earlier—with the indictment a matter of public record. (He also applied for a separate loan just days before being indicted.) On June 28, 2020, the day loan applications were filed for the two companies, Greenberg reinstated the companies with Florida’s state government since they had been “administratively dissolved” years prior to the February 2020 eligibility cutoff. A check of Florida’s Division of Corporations database would have revealed the companies had just been reinstated. The addresses listed for the two companies, according to SBA loan data, also do not match the addresses in the state’s corporation records—yet another sign of potential fraud.

Banks and other lenders have been filing a huge number of suspicious activity reports to the Treasury Department’s Financial Crimes Enforcement Network (better known as FinCEN) related to the Paycheck Protection Program and the Economic Injury Disaster Loan program.

“Between May and October 2020, financial institutions filed more than 21,000 and 20,000 suspicious activity reports (SAR) related to PPP and EIDL, respectively,” according to the Government Accountability Office. “More than 1,400 institutions had filed SARs related to PPP, and more than 900 institutions had filed SARs related to EIDL.”

Suspicious activity reports for small business loan fraud continued at levels far higher than normal through the end of 2020, according to POGO’s review of federal data.

According to Grossman, the Small Business Administration watchdog official, “all of our ongoing investigations involve individual borrowers” rather than lenders. He said that lenders have been “extremely” cooperative during investigations and their suspicious activity reports have been “very useful.”

The inspector general office’s workload has increased significantly, Grossman said. The office’s 44 investigators have been “working at least three times the caseload that they’re usually used to working.” The FBI, Secret Service, Homeland Security Investigations, and other offices of inspectors general are also part of the federal law enforcement effort.

“We don’t have the capacity to work everything that comes in,” Grossman told POGO. “When we receive complaints on PPP and EIDL fraud, we immediately coordinate with the Department of Justice, to see what their interest is in the case. And if they’re not interested in prosecuting, for whatever reason, we don’t further pursue it at that time.”

Many of the cases are moving quickly, despite their complexity. “Normally, our agents work a contract or procurement fraud case … those can take several years to investigate,” Grossman said. But because the Department of Justice “has made PPP and EIDL a priority … we are seeing results from DOJ rather quickly in a lot of our investigations.”

Others in government have also remarked on how fast many of these cases are moving. “These are not simple or easy cases to investigate and charge,” then-acting Assistant Attorney General Brian Rabbitt said at a press conference last September. “They often involve obtaining and then piecing together often-complex financial, payroll, and tax records for individuals and companies, and sifting through other evidence.” Rabbitt noted the “unparalleled speed with which these cases have been investigated and prosecuted.”

There are many potential cases the Justice Department may not prosecute. For instance, the department may decline cases involving smaller-dollar amounts, especially in busier U.S. attorneys’ offices around the country, Grossman said.

That situation may arise in cases of apparent fraud involving Economic Injury Disaster loan advance grants of $10,000 or less. The Small Business Administration distributed 5.8 million advance grants worth $20 billion last year (despite the name, these are not loans that have to be repaid). Many believe a high percentage of these grants were stolen, but some federal prosecutors with heavy caseloads may find it hard to justify criminally charging someone for stealing $10,000 or less. Yet if there is sufficient evidence, the government can still seize stolen money even in the absence of criminal charges.

“We’ve got a process in place that once we’ve identified, for instance, a bank account that has money sitting in it, that was deposited through a fraudulent EIDL loan, we contact the Secret Service, and they have a method to go in and seize those funds,” Grossman said. “As of this month, we’ve seized over $580 million from over 23,000 fraudulent EIDL loans.”

Horowitz, the Justice Department’s inspector general, recently testified to a House panel examining COVID-19 loan fraud that a legislative reform could help address the problem of fraud in smaller dollar amounts.

If Congress amends the underutilized Program Fraud Civil Remedies Act, efforts by inspectors general “to fight fraud in pandemic related spending would be enhanced,” according to Horowitz’s testimony. “Too often those who fraudulently divert tax dollars in amounts below what is typically accepted by prosecutors are not fully held accountable, impacting agency programs and leaving the taxpayer footing the bill,” he wrote.

Civil enforcement—where the evidentiary burden is lower than in criminal cases—is another way of holding individuals and companies accountable. Under the False Claims Act (FCA) as well as the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), either the government or whistleblowers with non-public information can initiate civil enforcement actions.

Both laws have provisions allowing whistleblowers to receive a reward for successful recoveries obtained for the U.S. government. But, in contrast to the False Claims Act where the reward is a minimum 10% of the recovery, FIRREA’s whistleblower reward is capped at $1.6 million. In the three decades since the law’s passage, there have been only six whistleblower settlements involving FIRREA, yielding $19.9 billion in recoveries, but only $9.3 million in rewards to whistleblowers, according to Whistleblower Network News.

“The False Claims Act will play a central role in the Department’s pursuit of COVID-19 related fraud,” Michael Granston, a Justice Department deputy assistant attorney general, said in December.

In January, the U.S. Attorney’s Office for the Eastern District of California obtained the first settlement in a Paycheck Protection Program civil enforcement case, against an online retailer called SlideBelts Inc. The Justice Department brought civil claims against the company under both the False Claims Act and Financial Institutions Reform, Recovery and Enforcement Act.

Grossman told POGO, “we expect a lot more civil enforcement.”

In fraud cases where there is no apparent misuse of a loan, civil enforcement may be more likely than criminal prosecution.

Generally, cases where there is any substantial gray area—such as a lack of unambiguous evidence of fraud or when it wasn’t clear what a government rule required—are far more likely to lead to civil enforcement, or to no enforcement. And there is a lot of gray area in the Paycheck Protection Program, partly because the Small Business Administration’s rules for the program changed repeatedly and were unclear, and because Congress created loose criteria for loan eligibility and allowed applicants to self-certify their information.

As former federal prosecutor Tarek Helou told the Wall Street Journal, “The scandal is what’s legal, not what’s illegal.”

Lenders may also be more likely to face civil enforcement than criminal enforcement. “Lenders can be liable under the FCA for knowingly certifying ineligible borrowers for PPP loans, including by failing to employ sufficient anti-money laundering protocols,” according to a memo from the Cleary Gottlieb law firm. The law firm K&L Gates, however, wrote in December that since Congress allowed lenders to rely on borrowers’ self-certified information, that should “decrease the likelihood that otherwise law abiding financial service providers would face government scrutiny for the fraudulent acts of their borrowers.”

The role of employees who become whistleblowers may emerge as a significant factor in civil Paycheck Protection Program cases. “Given the focus of the PPP to support employees during the COVID-19 pandemic,” the Robinson Bradshaw firm wrote last May, “it is easy to imagine how a dissatisfied employee observing imperfect business conduct in securing a PPP loan or applying loan proceeds could use that insider information to bring a qui tam action under the FCA.”

“We have a lot of qui tam cases that have been brought forward,” Grossman told POGO, generally referring to False Claims Act complaints filed by private individuals. Qui tam complaints are filed under seal to give the federal government time to investigate and evaluate the complaint before it becomes public. Even if the Justice Department declines to join a case, the whistleblower and their private counsel can continue to pursue it.

Some of these qui tam lawsuits are traditional whistleblower cases, but others involve individuals who “are slicing and dicing the data” that has been made available about loans, according to Grossman. When they believe they have unearthed sufficient evidence to allege the government has been defrauded, these individuals file qui tam lawsuits, Grossman said.

However, the Trump administration’s Justice Department also sought to assuage companies’ concerns, especially in regard to qui tam False Claims Act lawsuits. In remarks before the U.S. Chamber of Commerce, an influential business lobbying group, last June before the SBA released partial data identifying Paycheck Protection Program recipients of loans above $150,000, then-Principal Deputy Assistant Attorney General Ethan P. Davis said that with the administration’s decision to release that information, “some have predicted more qui tams as a result.”

Davis then said, “Let me be clear. If a company is eligible for a loan and submits certifications in good faith, that company will have nothing to fear from the Civil Division. We are concerned only with actionable fraud.” He added that, “in selecting enforcement targets, we will follow the law, and we will not pursue companies that access CARES Act programs in good faith and in compliance with the rules.”

With over 18 million Paycheck Protection Program loans and pandemic-related Economic Injury Disaster loans and advance grants approved over the last year, there is a sea of data on these programs. Analyzing that data for red flags is a way to identity subsets of loans and grants that warrant closer scrutiny and to help direct scarce investigative resources.

But, in the Economic Injury Disaster Loan program, the Small Business Administration has not conducted robust data analysis to find instances of loans and grants that may have been fraudulently obtained, according to the Government Accountability Office. That watchdog office has recommended that the agency use data analysis “as a means to detect potentially ineligible and fraudulent applications.”

Inaccuracies in the data or missing data can undermine oversight. For instance, in a review for the Pandemic Response Accountability Committee, the nonprofit MITRE Corporation examined a sample of 500 records for Paycheck Protection Program loans above $150,000. In 111 instances, the zip code in the Small Business Administration’s data did not match the state provided. According to the MITRE Corporation, “a mismatched zip code or insufficient award description doesn’t seem particularly egregious. But such gaps can create ambiguities that muddy the waters in overseeing spending.”

Still, much can be done with the data that does exist. While the Small Business Administration could be doing more with data on the Economic Injury Disaster Loan program, the agency’s independent watchdog has embraced this work. Data analysts at the inspector general’s office have been combing through Paycheck Protection Program and Economic Injury Disaster loan data to look for markers of potential fraud, such as repeat loan applicants from the same physical addresses, Grossman told POGO. “There’s a lot of red flags that they look at in the data to help us determine if it’s something we need to look at deeper.”

Grossman said his office has shared data with the Department of Health and Human Services’ Office of Inspector General, which identified some repeat offenders. “They determined that a lot of the folks that they have as subjects of their investigations in HHS OIG [for Medicare and Medicaid fraud], were also committing PPP and EIDL fraud,” Grossman said.

Many Paycheck Protection Program loans appear to have been issued to recipients who were not eligible under the program’s rules. Whether bad faith was involved is another matter.

In December 2020, an independent auditor informed the SBA that, out of 5.2 million Paycheck Protection Program loans in 2020, the agency made “over 2 million approved PPP loan guarantees” worth some $189 billion “potentially” not in compliance with the law.

Not all those loans were necessarily fraudulently obtained. Small Business Administration management flagged loans for at least one of 35 reasons, such as the recipient was created after the cutoff date of February 15, 2020, or the recipient’s owner had a criminal record, potentially rendering the recipient ineligible. The auditor found that “the deficiencies were caused by an inadequate entity wide control environment.”

There is abundant evidence that there was too little upfront vetting of loan applications in both the Paycheck Protection Program and Economic Injury Disaster Loan program.

In 2020, applicants could not lawfully receive more than one Paycheck Protection Program loan. But in March 2021, the Small Business Administration Office of Inspector General issued a report that found that lenders last year issued more than one Paycheck Protection Program loan “to 4,260 borrowers with the same tax identification number and borrowers with the same business name and address.” Those loans were worth a total of $692 million. (The latest round, which began in January, allowed some applicants to receive a second Paycheck Protection Program loan.)

The scale of lending means the potential amount of Economic Injury Disaster loan fraud is staggering. At $367 billion, “the amount of disaster funds provided through the EIDL COVID program is more than three times the amount of disaster loan funds approved for all disasters combined since the SBA was created in 1953,” wrote Jovita Carranza, then-head of the Small Business Administration, in December 2020.

Firm estimates of fraud related to CARES Act spending, including the Paycheck Protection Program and the Economic Injury Disaster Loan program, may not be available until many more cases are brought and more analysis has been conducted—potentially years away. But it may be far greater than the fraud rate seen in the 2009 American Recovery and Reinvestment Act. An estimated 1% of that 2009 stimulus was lost to fraud (some claim the rate is even lower than that). One percent of the recovery act’s $501 billion in spending would be about $5 billion.

About one year after the passage of the CARES Act, $626 million in funds have already been seized or forfeited related to criminal and civil investigations of pandemic loan fraud. That’s more than 10 times the fraud recoveries five years after the 2009 stimulus became law.

Linda Miller, the deputy executive director of the Pandemic Response Accountability Committee, told Federal News Radio in September, “My guess is when we’re all said and done, [the fraud rate is] going to be significantly higher than 5% in the case of the CARES Act.” If it is just 5% of the combined $957 billion in Paycheck Protection Program loans and Economic Injury Disaster loans and advance grants, that would still be about $48 billion in fraud.

According to the National Priorities Project, that’s enough money to pay for both coronavirus vaccine doses for every American and 1.1 million full-time jobs at $15 an hour for an entire year.

Neil Gordon contributed to this report.