The Promise and Peril of Fintech Companies in Small Business Lending Programs

By Nick Schwellenbach | Filed under testimony | December 14, 2022

(Illustration: Renzo Velez / POGO; Photos: Getty Images)

Testimony before:

United States Senate Committee on Small Business and Entrepreneurship,

on "Improving Access to Capital in Underserved Communities: The Community Advantage Program, Microloans, and other SBA Initiatives"

Chairman Cardin, Ranking Member Paul, and members of the Committee, thank you for inviting me today to discuss the role of financial technology (“fintech”) companies and fraud in the Paycheck Protection Program (PPP) within the context of today’s hearing on underserved communities and their access to capital. I work as a senior investigator at the nonprofit Project On Government Oversight, or POGO. I have investigated fraud and potential fraud in the Paycheck Protection Program for over two years and have written several reports detailing my findings.¹

Founded in 1981, POGO is a nonpartisan independent watchdog that investigates and exposes waste, corruption, abuse of power, and when the government fails to serve the public or silences those who report wrongdoing. We champion reforms to achieve a more effective, ethical, and accountable federal government that safeguards constitutional principles.

Sign up to stay informed!

Find out how you can get involved and stay up to date with our work.

Before I say more, I should be clear that research has shown fintech lenders and associated companies did much to help underserved communities access PPP loans.² “Fintech lenders made a larger share of their loans to Black-owned businesses compared to traditional lenders,” according to a paper published by the National Bureau of Economic Research.³ Another paper studying the PPP published by the National Bureau of Economic Research found that “FinTech is disproportionately used in ZIP codes with fewer bank branches, lower incomes, and a larger minority share of the population.”⁴

POGO does not currently have a position on proposed rules from the Small Business Administration (SBA), one of which would give fintech lenders opportunities to participate in the agency’s lending programs beyond the PPP.⁵ But as a general proposition, it may benefit historically disadvantaged and underbanked communities if nontraditional lenders, including fintech companies, can participate in SBA lending programs.

At the same time, fintech companies did not always facilitate lending to those the Paycheck Protection Program was intended to serve.⁶ Many set on defrauding the program successfully utilized fintechs to divert money.

The SBA must have sufficient safeguards to ensure fintech companies — and other lenders — do not enable high rates of fraud.⁷ In discretionary programs like the PPP, where funds are fixed by appropriation, fraud reduces the amount of federal funding available for legitimate businesses seeking access to capital. There is up to an estimated $100 billion in PPP fraud.⁸ If that federal estimate is correct, that would mean $1 out of every $8 in the PPP, or 12.5%, was lost — more than high-end estimates of Medicare fraud.⁹

But fraud concerns should not stop the government from trying to address the very real equity issues that impede underserved communities’ access to capital.

The SBA’s Office of Inspector General wrote earlier this year that the fraud levels in the PPP are “unprecedented.”¹⁰ Indeed, just last week, the SBA suspended major fintech companies from further work with the agency as part of its efforts “to address the fraud and weak controls that were so prevalent at the onset of the PPP.”¹¹

But fraud concerns should not stop the government from trying to address the very real equity issues that impede underserved communities’ access to capital.

Fintech and PPP Fraud

In October 2020, POGO and Bloomberg News — independently and within hours of each other — highlighted that a disproportionate number of PPP loans that the Justice Department alleged were obtained through fraud had been processed by fintech lenders.¹²

Using court records and Small Business Administration data, POGO was able to identify the lenders for 97 PPP loans that were allegedly fraudulently obtained. Of those 97 loans, we found that 48 — nearly half of the approved loans involved in these alleged schemes — were obtained via one of seven fintech companies, and banks working closely with those fintech companies. Those seven fintech companies and associated banks processed 13% of the 5.2 million PPP loans that were issued up to that point in time.¹³

POGO’s work was also informed by a whistleblower at a fintech lending company who told us that their company did not have “much incentive to do oversight” because the funds were coming from the government, the rules governing the PPP were lax, and each PPP loan processed benefited lenders, who collected a fee.¹⁴

Additional reporting, studies, and investigations have added to the picture over the last two years.¹⁵

Researchers at the University of Texas at Austin found that PPP loans processed by fintech lenders were generally more likely to be accompanied by suspicious indicators than loans processed by traditional banks and credit unions.

Researchers at the University of Texas at Austin found that PPP loans processed by fintech lenders were generally more likely to be accompanied by suspicious indicators than loans processed by traditional banks and credit unions. However, there are some exceptions. The University of Texas researchers found that PPP loans processed by three well-established fintech lenders – Capital One, Square, and Intuit – had particularly low rates of indicators of potential fraud.¹⁶

The variance in fraud rates points to varying underwriting practices by fintech and other lenders participating in the PPP.¹⁷ Some fintech lenders appear to have engaged in more rigorous underwriting practices, including conducting due diligence on prospective clients and complying with Know Your Customer rules, which resulted in lower potential fraud rates.¹⁸ The wide variance in practices was enabled by lax rules governing the PPP program, which relied on loan applicants’ self-certification rather than verifying the accuracy of documentation and tax information applicants provided in support of their loan requests.¹⁹ As the Government Accountability Office wrote in June 2020, “to streamline the process, SBA required minimal loan underwriting from lenders — limited to actions such as confirming receipt of borrower certifications and supporting payroll documentation — leaving the program more susceptible to fraudulent applications.”²⁰

Earlier this month, the House Select Subcommittee on the Coronavirus Crisis issued a report on the role of fintechs in PPP fraud. The report stated that “Congress and the SBA should consider carefully whether unregulated businesses such as fintechs, many of which are not subject to the same regulations as financial institutions, should be permitted to play a leading role in future federal lending programs.”²¹ I urge this Committee and the SBA to review that report, as it contains troubling details about the practices of some of the major fintech players that participated in the PPP.

The SBA’s Role in Evaluating Fintech Lenders

Given that some fintechs are not associated with high rates of potential PPP fraud, it seems unlikely that there is some inherent flaw within the fintech model that makes these lenders more susceptible to abuse. Rather, evidence suggests that the government did not do enough to ensure that nontraditional lenders participating in the PPP had sufficient anti-fraud controls in place.

If the SBA goes forward with its proposal to broaden participation in its lending programs beyond traditional lenders, it has an opportunity to learn lessons from 2020. Unlike the chaotic days in March and April 2020, now is a time when Congress and the SBA can take deliberate steps to get this right before the next big disaster strikes.

In the spring of 2020, fintech industry groups successfully lobbied the government to allow their participation in the Paycheck Protection Program.²² The SBA issued interim rules governing the PPP on April 2, 2020 — the day before the program began accepting loan applications.

There were good reasons for expanding participation: In the spring of 2020, when rates of unemployment were skyrocketing, speed was of the essence. Expanding participation to more lenders meant more loans could be processed more quickly, and funds could potentially be disbursed more equitably.

Evidence suggests that the government did not do enough to ensure that nontraditional lenders participating in the PPP had sufficient anti-fraud controls in place.

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) gave the federal government, specifically the Treasury secretary in consultation with SBA, the authority to open participation in the PPP to “Additional Lenders,” and gave them the authority to issue “regulations and guidance.”²³

The criteria established by the Treasury Department and SBA required that participating lenders comply with the Bank Secrecy Act, an anti-money laundering law that mandates lenders conduct due diligence and comply with Know Your Customer (KYC) rules.

As the then-SBA administrator made clear in a press release issued on April 2, 2020, lenders would be “using their own systems and processes to make these loans.”²⁴

Those systems and processes varied. The SBA told the Pandemic Response Accountability Committee that “the more rigorously that PPP lenders applied KYC requirements, the more likely that individual loan fraud issues, like identity theft, would be identified.”²⁵

But some lenders and their lending partners did not apply those requirements rigorously — and thus enabled fraud.²⁶

Some Key Questions and Considerations

The case studies provided by the House report also highlight some of the limitations of the SBA’s approach to PPP loan distribution. For example, the agency did not collect and share information when lenders rejected PPP loan applications. According to the Pandemic Response Accountability Committee, the collection and distribution of such data could have reduced “instances of applicants’ ‘shopping’ for weaker internal controls among lenders. This approach may have allowed lenders with less sophisticated fraud detection controls to leverage the more effective controls of other SBA lenders.”²⁷

As the SBA considers the role of fintech companies in future initiatives, there is much to be learned by reviewing the role of fintechs in PPP program fraud. Revisiting the guidelines provided to these lenders and determining how they might be strengthened to prevent future fraud is the first step to ensuring that the agency is best prepared to increase access to capital in underserved communities in a way that is both effective and sustainable.

We recommend the following questions as part of such a review:

Did the Treasury Department and the SBA craft sufficient anti-fraud criteria for fintech lenders that wanted to participate in the Paycheck Protection Program?
How did Treasury and SBA evaluate these fintech lenders against the established criteria?
How would the SBA’s requirements for Small Business Lending Companies authorized under the SBA’s proposed rule differ from the criteria for participating lenders in the PPP?
How would the SBA’s requirements for Small Business Lending Companies authorized under the SBA’s proposed rule compare to the regulatory requirements that apply to traditional depository institutions?
Is compliance with the SBA’s requirements sufficient to prevent high rates of fraud?
Do the SBA’s requirements apply to third-party service providers working for lenders?
Does the SBA have sufficient resources and authorities to assess whether entities comply with its requirements both initially and through continual monitoring?
How can the SBA ensure that its participating lenders can equitably and in a timely way provide access to capital to customers they have never before done business with while rigorously complying with Know Your Customer requirements?
Are there investments in loan application and verification systems that the government should pursue before the next disaster strikes that would lower fraud risks while enabling widespread and speedy lending to historically underserved and underbanked communities?

The SBA should be commended for seeking ways to expand access to capital through its lending programs, but the committee should exercise its oversight authority to ensure the agency is taking prudent steps to reduce high fraud rates and ensure funds are not diverted from the communities they are meant to serve.

1 Nick Schwellenbach, Neil Gordon, Sean Moulton, and Leslie Garvey, “The Great Pandemic Swindle: Feds Botched Review of Billions in Suspect Loans,” Project On Government Oversight, October 6, 2022, https://www.pogo.org/investigation/2022/10/the-great-pandemic-swindle-feds-botched-review-of-billions-in-suspect-ppp-loans; Nick Schwellenbach and Ryan Summers, “Red Flags: The First Year of COVID-19 Loan Fraud Cases,” Project On Government Oversight, April 15, 2021, https://www.pogo.org/investigation/2021/04/red-flags-the-first-year-of-covid-19-loan-fraud-cases; Nick Schwellenbach, “Spike in Suspected Business Loan Fraud Reports Coincided with Paycheck Protection Program,” Project On Government Oversight, September 10, 2020, https://www.pogo.org/investigation/2020/09/spike-in-suspected-business-loan-fraud-reports-coincided-with-paycheck-protection-program. 2 “Fintech” is short for financial technology, but even traditional banks have long had a robust online presence, and financial technology is widely utilized. In the context of this discussion, fintech includes lenders that the Small Business Administration officially designated as Paycheck Protection Program “fintech” lenders; banks originating PPP loans that were closely associated with fintech service providers to process PPP loan applications; and those fintech service providers. Others have similarly used broader formulations. For instance, “Fintech lenders: All lenders officially designated as such by the [Small Business Administration]. We further include online lenders who originate primarily for or via fintech partners or platforms, online lenders founded since 2005, and online lenders that received venture capital (VC) investment.” Sabrina T. Howell et al., National Bureau of Economic Research, Lender Automation and Racial Disparities in Credit Access, Working Paper 29364 (October 2021; Revised November 2022), 10 of the PDF, https://www.nber.org/system/files/working_papers/w29364/w29364.pdf; A recent House select subcommittee on the coronavirus crisis examines fintechs as both lenders themselves and as lender service providers (LSPs). “Fintechs, acting as both lenders and LSPs, became prominent in the PPP. By the end of 2021, the vast majority of the largest PPP lenders, by both value and volume (nine out of ten), were fintechs or fintech-partnered lenders.” Staff of House Committee on Oversight and Reform, Select Subcommittee on the Coronavirus Crisis, 117th Cong., “We Are Not the Fraud Police”: How Fintechs Facilitated Fraud in the Paycheck Protection Program (Committee Print 2022), 17, https://coronavirus.house.gov/sites/democrats.coronavirus.house.gov/files/2022.12.01%20How%20Fintechs%20Facilitated%20Fraud%20in%20the%20Paycheck%20Protection%20Program_0.pdf. 3 Howell et al., “Lender Automation and Racial Disparities in Credit Access,” 51 of the PDF [see note 2]. 4 Isil Erel and Jack Liebersohn, National Bureau of Economic Research, Does Fintech Substitute for Banks? Evidence from the Paycheck Protection Program, Working Paper 27659 (August 2020, Revised December 2020), 2 of PDF, https://www.nber.org/system/files/working_papers/w27659/w27659.pdf. 5 Small Business Lending Company (SBLC) Moratorium Rescission and Removal of the Requirement for a Loan Authorization, 87 Fed. Reg. (proposed November 7, 2022), https://www.federalregister.gov/documents/2022/11/07/2022-23597/small-business-lending-company-sblc-moratorium-rescission-and-removal-of-the-requirement-for-a-loan. 6 The PPP was meant for most legitimate small businesses active before February 15, 2020, but certain markets were supposed to be priorities. “It is the sense of the Senate that the Administrator should issue guidance to lenders and agents to ensure that the processing and disbursement of covered loans prioritizes small business concerns and entities in underserved and rural markets, including veterans and members of the military community, small business concerns owned and controlled by socially and economically disadvantaged individuals (as defined in section 8(d)(3)(C)), women, and businesses in operation for less than 2 years.” Coronavirus Aid, Relief, and Economic Security Act of 2020, Pub. Law 116-136, 134, Stat. 293 (2020), https://www.congress.gov/bill/116th-congress/house-bill/748/text. 7 The SBA’s Office of Inspector General has found broader shortcomings when it comes to the agency’s oversight of lenders and supporting entities. According to its October 2022 report on the SBA’s top challenges, “Our previous audits have found SBA has not adequately recognized or managed significant lender weaknesses.” In additon, “Previous OIG audits have also shown that SBA did not effectively identify and track third-party agent involvement in its 7(a) and 504 loan portfolios. Tracking such agents is crucial in managing the portfolios because many lenders rely on the services of fee-based and other third-party agents to help originate, close, service, and liquidate SBA loans.” Small Business Administration Office of Inspector General, Top Management and Performance Challenges Facing the Small Business Administration in Fiscal Year 2023, Report 23-01 (2022), 28 of PDF, https://www.sba.gov/sites/default/files/2022-10/SBA%20OIG%20Report%2023-01_0.pdf. 8 Andrew Keiper, Perry Chiaramonte and David Spunt, “COVID-19 relief fraud led to billions in taxpayer-funded Paycheck Protection Program loans lost,” Fox Business, May 9, 2022, https://www.foxbusiness.com/politics/covid-relief-fraud-ppp-billions-taxpayer-funded-paycheck-protection-program-loans. 9 Jon Greenberg, “Medicare fraud rate is 8 to 10 percent, says Roskam of Illinois,” PolitiFact, June 17, 2013, https://www.politifact.com/factchecks/2013/jun/17/peter-roskam/rep-roskam-says-medicare-fraud-rate-8-10-percent/. 10 Small Business Administration Office of Inspector General, SBA’s Handling of Potentially Fraudulent Paycheck Protection Program Loans, Report 22-13 (2022), 5 of the PDF, https://www.oversight.gov/sites/default/files/oig-reports/SBA/SBA-OIG-Report-22-13.pdf. 11 Small Business Administration, “U.S. Small Business Administration Statement on the House Select Subcommittee on the Coronavirus Crisis Report Concerning Fraud in the Paycheck Protection Program,” December 8, 2022, https://www.sba.gov/article/2022/dec/08/us-small-business-administration-statement-house-select-subcommittee-coronavirus-crisis-report. 12 Ryan Summers and Nick Schwellenbach, “Lamborghinis, Strip Clubs, Bogus Companies, and Lies: The First 56 Paycheck Protection Fraud Cases,” Project On Government Oversight, October 8, 2020, https://www.pogo.org/investigation/2020/10/lamborghinis-strip-clubs-bogus-companies-and-lies; Michelle F. Davis, “PPP Scammers Made Fintech Companies Their Lenders of Choice,” Bloomberg, October 7, 2020, https://www.bloomberg.com/news/articles/2020-10-07/ppp-loans-scammers-used-fintech-companies-to-carry-out-fraud. 13 Summers and Schwellenbach, “Lamborghinis, Strip Clubs, Bogus Companies, and Lies” [see note 11]. 14 Summers and Schwellenbach, “Lamborghinis, Strip Clubs, Bogus Companies, and Lies” [see note 11]. 15 Meghan Bobrowsky and Ben Wieder, “Quickie lender Kabbage doled out billions in PPP loans. A number of borrowers raised red flags,” Miami Herald, September 10, 2020, http://web.archive.org/web/20201030160905/https://www.miamiherald.com/news/state/florida/article245599035.html; Derek Willis and Lydia DePillis, “Hundreds of PPP Loans Went to Fake Farms in Absurd Places,” ProPublica, May 18, 2021, https://www.propublica.org/article/ppp-farms. 16 John M. Griffin, Samuel Kruger, and Prateek Mahajan, “Did FinTech Lenders Facilitate PPP Fraud?” Journal of Finance, (Forthcoming; Revised August 15, 2022), 12, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3906395. 17 Underwriting involves assessing and verifying identities and income and finances using official documentation. “The SBA’s Interim Final Rule lists four actions a lender must take when underwriting PPP loans: (1) confirm receipt of borrower certifications contained in the PPP borrower application form; (2) confirm receipt of information demonstrating that a borrower had employees for whom the borrower paid salaries and payroll taxes on or around February 15, 2020; (3) confirm the dollar amount of average monthly payroll costs for the preceding calendar year by reviewing the payroll documentation submitted with the borrower’s application; and (4) follow applicable BSA requirements.” Robert L. Carothers and Graham H. Ryan, “Litigation and Regulatory Risks to Banks from Paycheck Protection Program,” National Law Review, May 21, 2020, https://www.natlawreview.com/article/litigation-and-regulatory-risks-to-banks-paycheck-protection-program. 18 This may be due to varying interpretations by lenders of what the Bank Secrecy Act requirements entailed. As the GAO stated in a footnote: “Because of the limited loan underwriting, lenders and SBA have less information from applicants to detect errors or fraud. For standard loans under SBA’s 7(a) program, borrowers have to provide documentation that includes a completed application, personal and business financial statements, and income tax returns. However, the initial interim final rule’s requirement that lenders follow applicable Bank Secrecy Act requirements may require lenders to collect additional identifying information from borrowers before approving a PPP loan. (The Bank Secrecy Act and its implementing regulations generally require financial institutions, including banks, to collect and retain various records of customer transactions, verify customers’ identities, maintain anti-money laundering compliance programs, and report suspicious transactions.).” [Emphasis added] Government Accountability Office, COVID-19: Opportunities to Improve Federal Response and Recovery Efforts, GAO-20-625 (2020), 47 of the PDF, https://www.gao.gov/assets/gao-20-625.pdf. 19 “In 91% of the reviewed cases applicants created, forged, or altered supporting documentation (e.g., IRS forms, payroll information, and bank statements). In 100% of cases, applicants misrepresented self-certifications on their PPP application.” Pandemic Response Accountability Committee, Small Business Administration Paycheck Protection Program Phase III Controls, January 21, 2022, 11 of the PDF, https://www.oversight.gov/sites/default/files/oig-reports/PRAC/SBAFraudControlsFinal02Jan21.pdf. 20 Government Accountability Office, COVID-19: Opportunities to Improve Federal Response and Recovery Efforts, 47 of the PDF [see note 17]. 21 Staff of House Committee on Oversight and Reform, Select Subcommittee on the Coronavirus Crisis, 117th Cong., “We Are Not the Fraud Police,” 9 [see note 2]. 22 Staff of House Committee on Oversight and Reform, Select Subcommittee on the Coronavirus Crisis, 117th Cong., “‘We Are Not the Fraud Police,” 14-15 [see note 2]. 23 As directed by the CARES Act, the Treasury secretary in consultation with the SBA administrator and the head of the Farm Credit Administration were responsible for setting criteria to approve lenders that were not federally insured depository institutions or credit unions, or farm credit system institutions. 15 U.S.C. § 9008 (2020), https://uscode.house.gov/view.xhtml?path=/prelim@title15/chapter116&edition=prelim. 24 Small Business Administration, “With $349 Billion in Emergency Small Business Capital Cleared, SBA and Treasury Begin Unprecedented Public-Private Mobilization Effort to Distribute Funds,” April 2, 2020, https://www.sba.gov/article/2020/apr/02/349-billion-emergency-small-business-capital-cleared-sba-treasury-begin-unprecedented-public-private-0. 25 Pandemic Response Accountability Committee, Small Business Administration Paycheck Protection Program Phase III Controls, 9 of the PDF [see note 18]. 26 The fintech Womply has even asserted these requirements did not apply to it. Staff of House Committee on Oversight and Reform, Select Subcommittee on the Coronavirus Crisis, “We Are Not the Fraud Police,” 62 [see note 2]. 27 Pandemic Response Accountability Committee, Small Business Administration Paycheck Protection Program Phase III Controls, 14 of the PDF [see note 18].