Bad Watchdog Season 2 is out.

Testimony

The Promise and Peril of Fintech Companies in Small Business Lending Programs

(Illustration: Renzo Velez / POGO; Photos: Getty Images)

Chairman Cardin, Ranking Member Paul, and members of the Committee, thank you for inviting me today to discuss the role of financial technology (“fintech”) companies and fraud in the Paycheck Protection Program (PPP) within the context of today’s hearing on underserved communities and their access to capital. I work as a senior investigator at the nonprofit Project On Government Oversight, or POGO. I have investigated fraud and potential fraud in the Paycheck Protection Program for over two years and have written several reports detailing my findings.1

Founded in 1981, POGO is a nonpartisan independent watchdog that investigates and exposes waste, corruption, abuse of power, and when the government fails to serve the public or silences those who report wrongdoing. We champion reforms to achieve a more effective, ethical, and accountable federal government that safeguards constitutional principles.

Before I say more, I should be clear that research has shown fintech lenders and associated companies did much to help underserved communities access PPP loans.2 “Fintech lenders made a larger share of their loans to Black-owned businesses compared to traditional lenders,” according to a paper published by the National Bureau of Economic Research.3 Another paper studying the PPP published by the National Bureau of Economic Research found that “FinTech is disproportionately used in ZIP codes with fewer bank branches, lower incomes, and a larger minority share of the population.”4

POGO does not currently have a position on proposed rules from the Small Business Administration (SBA), one of which would give fintech lenders opportunities to participate in the agency’s lending programs beyond the PPP.5 But as a general proposition, it may benefit historically disadvantaged and underbanked communities if nontraditional lenders, including fintech companies, can participate in SBA lending programs.

At the same time, fintech companies did not always facilitate lending to those the Paycheck Protection Program was intended to serve.6 Many set on defrauding the program successfully utilized fintechs to divert money.

The SBA must have sufficient safeguards to ensure fintech companies — and other lenders — do not enable high rates of fraud.7 In discretionary programs like the PPP, where funds are fixed by appropriation, fraud reduces the amount of federal funding available for legitimate businesses seeking access to capital. There is up to an estimated $100 billion in PPP fraud.8 If that federal estimate is correct, that would mean $1 out of every $8 in the PPP, or 12.5%, was lost — more than high-end estimates of Medicare fraud.9

But fraud concerns should not stop the government from trying to address the very real equity issues that impede underserved communities’ access to capital.

The SBA’s Office of Inspector General wrote earlier this year that the fraud levels in the PPP are “unprecedented.”10 Indeed, just last week, the SBA suspended major fintech companies from further work with the agency as part of its efforts “to address the fraud and weak controls that were so prevalent at the onset of the PPP.”11

But fraud concerns should not stop the government from trying to address the very real equity issues that impede underserved communities’ access to capital.

Fintech and PPP Fraud

In October 2020, POGO and Bloomberg News — independently and within hours of each other — highlighted that a disproportionate number of PPP loans that the Justice Department alleged were obtained through fraud had been processed by fintech lenders.12

Using court records and Small Business Administration data, POGO was able to identify the lenders for 97 PPP loans that were allegedly fraudulently obtained. Of those 97 loans, we found that 48 — nearly half of the approved loans involved in these alleged schemes — were obtained via one of seven fintech companies, and banks working closely with those fintech companies. Those seven fintech companies and associated banks processed 13% of the 5.2 million PPP loans that were issued up to that point in time.13

POGO’s work was also informed by a whistleblower at a fintech lending company who told us that their company did not have “much incentive to do oversight” because the funds were coming from the government, the rules governing the PPP were lax, and each PPP loan processed benefited lenders, who collected a fee.14

Additional reporting, studies, and investigations have added to the picture over the last two years.15

Researchers at the University of Texas at Austin found that PPP loans processed by fintech lenders were generally more likely to be accompanied by suspicious indicators than loans processed by traditional banks and credit unions.

Researchers at the University of Texas at Austin found that PPP loans processed by fintech lenders were generally more likely to be accompanied by suspicious indicators than loans processed by traditional banks and credit unions. However, there are some exceptions. The University of Texas researchers found that PPP loans processed by three well-established fintech lenders – Capital One, Square, and Intuit – had particularly low rates of indicators of potential fraud.16

The variance in fraud rates points to varying underwriting practices by fintech and other lenders participating in the PPP.17 Some fintech lenders appear to have engaged in more rigorous underwriting practices, including conducting due diligence on prospective clients and complying with Know Your Customer rules, which resulted in lower potential fraud rates.18 The wide variance in practices was enabled by lax rules governing the PPP program, which relied on loan applicants’ self-certification rather than verifying the accuracy of documentation and tax information applicants provided in support of their loan requests.19 As the Government Accountability Office wrote in June 2020, “to streamline the process, SBA required minimal loan underwriting from lenders — limited to actions such as confirming receipt of borrower certifications and supporting payroll documentation — leaving the program more susceptible to fraudulent applications.”20

Earlier this month, the House Select Subcommittee on the Coronavirus Crisis issued a report on the role of fintechs in PPP fraud. The report stated that “Congress and the SBA should consider carefully whether unregulated businesses such as fintechs, many of which are not subject to the same regulations as financial institutions, should be permitted to play a leading role in future federal lending programs.”21 I urge this Committee and the SBA to review that report, as it contains troubling details about the practices of some of the major fintech players that participated in the PPP.

The SBA’s Role in Evaluating Fintech Lenders

Given that some fintechs are not associated with high rates of potential PPP fraud, it seems unlikely that there is some inherent flaw within the fintech model that makes these lenders more susceptible to abuse. Rather, evidence suggests that the government did not do enough to ensure that nontraditional lenders participating in the PPP had sufficient anti-fraud controls in place.

If the SBA goes forward with its proposal to broaden participation in its lending programs beyond traditional lenders, it has an opportunity to learn lessons from 2020. Unlike the chaotic days in March and April 2020, now is a time when Congress and the SBA can take deliberate steps to get this right before the next big disaster strikes.

In the spring of 2020, fintech industry groups successfully lobbied the government to allow their participation in the Paycheck Protection Program.22 The SBA issued interim rules governing the PPP on April 2, 2020 — the day before the program began accepting loan applications.

There were good reasons for expanding participation: In the spring of 2020, when rates of unemployment were skyrocketing, speed was of the essence. Expanding participation to more lenders meant more loans could be processed more quickly, and funds could potentially be disbursed more equitably.

Evidence suggests that the government did not do enough to ensure that nontraditional lenders participating in the PPP had sufficient anti-fraud controls in place.

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) gave the federal government, specifically the Treasury secretary in consultation with SBA, the authority to open participation in the PPP to “Additional Lenders,” and gave them the authority to issue “regulations and guidance.”23

The criteria established by the Treasury Department and SBA required that participating lenders comply with the Bank Secrecy Act, an anti-money laundering law that mandates lenders conduct due diligence and comply with Know Your Customer (KYC) rules.

As the then-SBA administrator made clear in a press release issued on April 2, 2020, lenders would be “using their own systems and processes to make these loans.”24

Those systems and processes varied. The SBA told the Pandemic Response Accountability Committee that “the more rigorously that PPP lenders applied KYC requirements, the more likely that individual loan fraud issues, like identity theft, would be identified.”25

But some lenders and their lending partners did not apply those requirements rigorously — and thus enabled fraud.26

Some Key Questions and Considerations

The case studies provided by the House report also highlight some of the limitations of the SBA’s approach to PPP loan distribution. For example, the agency did not collect and share information when lenders rejected PPP loan applications. According to the Pandemic Response Accountability Committee, the collection and distribution of such data could have reduced “instances of applicants’ ‘shopping’ for weaker internal controls among lenders. This approach may have allowed lenders with less sophisticated fraud detection controls to leverage the more effective controls of other SBA lenders.”27

As the SBA considers the role of fintech companies in future initiatives, there is much to be learned by reviewing the role of fintechs in PPP program fraud. Revisiting the guidelines provided to these lenders and determining how they might be strengthened to prevent future fraud is the first step to ensuring that the agency is best prepared to increase access to capital in underserved communities in a way that is both effective and sustainable.

We recommend the following questions as part of such a review:

  • Did the Treasury Department and the SBA craft sufficient anti-fraud criteria for fintech lenders that wanted to participate in the Paycheck Protection Program?
  • How did Treasury and SBA evaluate these fintech lenders against the established criteria?
  • How would the SBA’s requirements for Small Business Lending Companies authorized under the SBA’s proposed rule differ from the criteria for participating lenders in the PPP?
  • How would the SBA’s requirements for Small Business Lending Companies authorized under the SBA’s proposed rule compare to the regulatory requirements that apply to traditional depository institutions?
  • Is compliance with the SBA’s requirements sufficient to prevent high rates of fraud?
  • Do the SBA’s requirements apply to third-party service providers working for lenders?
  • Does the SBA have sufficient resources and authorities to assess whether entities comply with its requirements both initially and through continual monitoring?
  • How can the SBA ensure that its participating lenders can equitably and in a timely way provide access to capital to customers they have never before done business with while rigorously complying with Know Your Customer requirements?
  • Are there investments in loan application and verification systems that the government should pursue before the next disaster strikes that would lower fraud risks while enabling widespread and speedy lending to historically underserved and underbanked communities?

The SBA should be commended for seeking ways to expand access to capital through its lending programs, but the committee should exercise its oversight authority to ensure the agency is taking prudent steps to reduce high fraud rates and ensure funds are not diverted from the communities they are meant to serve.