On March 27, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to provide emergency assistance for those affected by the coronavirus pandemic. As part of the CARES Act, the U.S. Small Business Administration (SBA) received funding and authority to assist small businesses nationwide that have been adversely impacted by the COVID-19 emergency. In its Interim Final Rule (the Rule),  the SBA sets out the requirements for lenders and borrowers who elect to participate in the  Paycheck Protection Program (PPP), effective now.  This Rule allows lenders to make guaranteed loans to small businesses to cover payroll and other operating costs, if the businesses continue to pay their employees and meet other minimal requirements.

The goal of the PPP is to get money to small businesses quickly and avoid laying off employees. Usual SBA requirements, including those related to personal borrower guarantees and collateral, have been loosened to help expedite the lending effort.   Bank regulators have also issued guidance designed to ease the burden on bank lenders.  The Federal Deposit Insurance Corporation, Board of Governors of the Federal Reserve System (Federal Reserve), and Office of the Comptroller of the Currency (together, the agencies) issued an interim final rule on April 7, 2020, that allows banking organizations to neutralize the regulatory capital effects of participating in the Federal Reserve’s Paycheck Protection Program Lending Facility (PPPL Facility). Through the PPPL Facility, each of the Federal Reserve Banks will extend non-recourse loans to eligible lenders, including depository institutions, to fund loans under the PPP.

Lenders, however, have expressed the need for further guidance and stronger safe harbor language on their potential liability for fraudulent actions by borrowers or non-payment under the PPP.

In addition, concern about compliance with usual Bank Secrecy Act (BSA) requirements such as Customer Due Diligence processes are time-consuming and conflict with the CARES Act’s objective of quickly disbursing funds.   For these and reasons related to handling demand for PPP loans, some financial institutions are uncertain about participating in the PPP and are limited applications to small businesses that are existing customers.

From a compliance perspective, the Rule expressly requires participating lenders to be a provider that has “a formalized compliance program (and) applies the requirements (of) the BSA.” The Rule further states that PPP lending participants must adhere to the following applicable BSA requirements:

  • Existing BSA protocols to new or existing customers
  • Customer identification program (CIP)
  • Know your customer (KYC)
  • Beneficial ownership
  • Customer due diligence (CDD)
  • Enhanced due diligence (EDD)
  • Suspicious activity monitoring and reporting

Existing customers will not need reverification unless there is an increase in customer risk profile if allowed by institution policy.

The Rule notes that lenders not presently subject to BSA requirements should establish an anti-money laundering compliance program “equivalent to that of a comparable federally regulated institution” before engaging in PPP lending activities. “Alternatively, if available, entities may rely on the [customer identification program] of a federally insured depository institution or federally insured credit union with an established CIP as part of its AML program. In either instance, entities should also understand the nature and purpose of their PPP customer relationships to develop customer risk profiles.”

The Financial Action Task Force (FATF) also issued a statement on April 1 addressing COVID-19 related financial crime.  The FATF advises that criminals are taking advantage of the COVID-19 pandemic and that institutions must remain alert to illicit financial risks.   Further, FinCEN issued a release on April 3, reminding financial institutions that compliance with the BSA remains crucial to protecting our national security.  FinCEN also recognized the need to facilitate the disbursement of funds under the CARES Act and stated that eligible federally insured depository institutions and federally insured credit unions would not be required to re-verify existing customers under applicable BSA requirements for PPP loans, “unless otherwise indicated by the institution’s risk-based approach to BSA compliance.”

When considering entering the PPP as an approved lender, community banks and lenders, and smaller credit unions, should ensure that they have at least a basic BSA compliance framework in place. Onboarding processes should cover all BSA requirements.  If a strong BSA program is in place and includes transaction monitoring, the new loans should incur little additional BSA risk. PPP lenders should also move to swiftly administer basic BSA training, whether new or as a refresher to lending staff, that covers BSA requirements and red flags.

With these compliance requirements in place, most community banks and non-bank financial institutions are well-positioned to assist small businesses through this challenging time. Ensuring that their  PPP lending efforts are also guarded against potential money laundering and fraud risk can also help make this good business opportunity for participating lenders.