Investigation

“A Disaster”: Small Business Administration Scrambling to Stop Pandemic Loan Fraud

In July, SBA’s head said it was “doing all it can.” Internal emails show otherwise.
(Illustration: Leslie Garvey / POGO)

After loaning out more than $160 billion over the course of several months, the Small Business Administration (SBA) scrambled in late July and August to stop fraud from consuming its Economic Injury Disaster Loan program, internal agency emails obtained by the Project On Government Oversight (POGO) show. The agency’s inspector general reported in late July that there is “potentially rampant fraud” in the program.

An SBA source told POGO the program is itself “a disaster.” An SBA spokesperson declined to comment.

The Small Business Administration runs this massive coronavirus relief loan program along with the better known $600 billion Paycheck Protection Program. While the disaster loan program predates the pandemic, Congress and the SBA expanded it significantly to $370 billion to help small businesses address the financial fallout from coronavirus. Eligible applicants from various industries can receive an advance grant of up to $10,000 within three days that does not have to be repaid, and a loan worth up to $2 million. The funds are meant to go toward expenses that businesses can’t meet because of the pandemic.

Each of the pandemic loan programs surpasses the agency’s prior disaster loan efforts. For instance, SBA approved $7.2 billion in loans to address the trio of 2017 hurricanes. And from 1953 through 2018, the agency loaned out a total of $63 billion in disaster loans.

Beyond the inspector general’s report, mounting evidence points to widespread fraud. The Justice Department has already brought over a dozen indictments against individuals for defrauding the Economic Injury Disaster Loan program. In August, a Bloomberg Businessweek analysis of just the maximum $10,000 grants found “a total of $1.3 billion in suspect payments” in 52 congressional districts because the number of entities receiving the grants exceeded the number of eligible companies in those districts.

The agency could have prevented much of the fraud, in part through better training, systematically verifying applicants’ tax information, and requiring photo identification from all loan applicants.

SBA head Jovita Carranza has acknowledged, in a response to the inspector general, that there are “lowered guardrails required by Congress with respect to fraud prevention,” such as allowing loan applicants to certify their own eligibility.

Still, the agency could have prevented much of the fraud, the SBA insider told POGO, in part through better training, systematically verifying applicants’ tax information, and requiring photo identification from all loan applicants. Similarly, the inspector general’s report said the watchdog found “several systemic issues” and “indications of deficiencies with internal controls related to disaster assistance for the COVID-19 pandemic.”

In response to the inspector general, on July 23 SBA chief Carranza wrote that the watchdog is wrong “to portray SBA’s loan review process as one without a filter, approving everything coming through.” Carranza wrote that the agency “is doing all it can to reduce the risk of fraud on the loan side.”

But the agency emails obtained by POGO suggest that the SBA hadn’t done all it could, raising questions about Carranza’s candor in her official response to her agency’s independent watchdog. Anti-fraud policies do not appear to have been fully implemented in the agency’s loan processing operations—at least not until recently.

Anti-fraud policies do not appear to have been fully implemented in the agency’s loan processing operations—at least not until recently.

For instance, in Carranza’s response to the inspector general, she wrote that SBA was spotting duplicate loan applications from potential fraudsters in part by identifying “matching tax ID numbers (EIN or SSN),” referring to employee identification and Social Security numbers. She wrote that SBA’s internal controls have caught and rejected potentially fraudulent applications for loans and grants totaling tens of billions of dollars.

Yet, from the beginning of widespread lockdowns in March through late July, those internal controls do not appear to have been fully in place. On July 31, eight days after Carranza responded to the inspector general, an SBA manager informed the agency’s loan processing staff that the software system for processing loans had recently been updated to require correct tax ID numbers. “The Approve / Obligate buttons will be disabled until the Tax ID type in the application is corrected,” the manager wrote in an email.

POGO’s source said the SBA’s system should have required the correct tax identification months earlier, and that the agency approved vast numbers of loans without the correct ID prior to late July despite an IRS requirement that businesses with employees, and even some others, have an employee identification number. For businesses with an EIN, a 2020 IRS guide explicitly states, “Don’t use an SSN in place of an EIN” on tax documents.

A flurry of emails sent out on August 14 and 16 also demonstrate how far behind SBA was in catching up to the problem of fraud and stopping ineligible applications.

In an August 14 email, an SBA supervisor wrote that “due to the widespread presence of fraudulent applications, effective immediately, all COVID-19 applications that display the following message: Info Message: Gross Economic Loss is 0 or Negative must be declined.” The supervisor further explained, “If those figures result in no eligibility, Loan Officer action is to decline the loan.”


The economic injury disaster loans are meant to help small businesses that have been hurt by a calamity. If a company hasn’t been adversely impacted, it is not supposed to be eligible to receive a disaster loan.

The email marks a stricter turn in SBA’s approach to disaster loan applicants whose materials had incomplete information or discrepancies. Instead of sending a letter to an applicant requesting they refile with updated information, the SBA’s new position was applicants would simply be deemed ineligible based on the revenue and sales information they had already provided.

POGO’s source said the email reflected how a significant portion of SBA’s loan officers were untrained, and for months had been approving loans to applicants who should not have received them. While SBA chief Carranza wrote to the inspector general that “All Loan decisions are ultimately made by people—namely, Loan Officers—who review the rule-driven recommendations of the system,” neither she nor the inspector general remarked on whether they had been adequately trained.

A significant portion of SBA’s loan officers were untrained and for months had been approving loans to applicants who should not have received them.

The challenge of training new employees to deal with a surge in applications for SBA disaster loans is not new. A February 2020 Government Accountability Office report said that the agency’s Office of Disaster Assistance “did not have time to provide” the “significant training” new staff needed during the 2017 hurricane season.

The source also said that some legitimate businesses that made mistakes during the loan process have been wrongly denied loans or held in limbo for long stretches, reflecting what the source deems SBA’s haphazard system for processing applications.

Some of the other recent SBA emails POGO obtained similarly contain guidance on spotting fraudulent loan applications.

Another August 14 email, with the subject line “Updated Fraud Alert Info,” outlined various alerts SBA’s disaster loan staffers might see in their software system while processing applications. This information on fraud alerts in the agency’s loan processing software had been included in SBA guides distributed to loan staff, but SBA managers began emphasizing this guidance more after the inspector general report was made public, POGO’s source said.

The source said that, in part due to poor training and inadequate guidance, loan staff routinely overrode fraud alerts in SBA’s loan processing system, especially before the inspector general report was issued.

More basic guidance on fraud prevention went to SBA’s employees days later. An August 16 email with the subject line “Fraudulent Files” provided “pointers to take into account while processing” loan applications.

“We currently have too much fraud as it is, and we are trying not to give applicants additional time to provide fraudulent documentation,” an SBA employee wrote. The employee also wrote, referencing characters from Game of Thrones, that “Files with bank accounts that are not in the applicant’s name (e.g. Daenerys Targaryen is applying and Name on Bank Account shows Sansa Stark) should be declined.”