The CARES Act pumped over two trillion dollars into the American economy, with much of that money going directly to individuals in the form of stimulus checks or to small businesses in the form of Paycheck Protection Program (“PPP”) loans. Many of those recipients will spend that money lawfully in any number of ways. Yet, as many recently announced prosecutions make clear, the stimulus and PPP injections have increased the opportunities for fraud. In turn, compliance risks are heightened for financial institutions—particularly Bank Secrecy Act and Anti-Money-Laundering (“BSA/AML”) risks.^[1] In this article, we draw upon our experience in the federal government as well as in private practice to offer practical compliance guidance for financial institutions.

Applying Risk-Based Post-COVID (and Traditional) BSA/AML Controls

Regional banks, Small Business Administration (“SBA”) lenders, credit unions, community banks, and other financial institutions serving individuals or small businesses will need to remain vigilant in detecting COVID-related fraud, implementing new (often automated) controls to identify suspicious activity, and conducting prompt and accurate analysis of transactions and accounts. BSA/AML regulations continue to apply to all financial institutions, and safe-harbor provisions in the CARES Act and related regulations allowing lenders to rely upon borrower certifications may offer limited protections if lenders have not implemented risk-based compliance programs capable of detecting and preventing COVID-related fraud.^[2] Particularly as consumers begin to spend their stimulus payments and PPP loan recipients seek forgiveness of their loans under the CARES Act, the risks to financial institutions from inadequate compliance programs will increase. Thus, with the money now disbursed, monitoring how it is spent will increase in importance.

Meanwhile, many traditional red flags have not changed. For instance, large cash deposits from any entity that has not traditionally made such deposits with a clearly identifiable legitimate source (e.g., a licensed bar, a landscaping company, or a hair salon) typically warrant further inquiry from a financial institution because of concerns the funds may be illicit proceeds from what are known as “specified unlawful activities” or “SUAs.” But the infusion of funds in the current climate, which may be legitimately derived stimulus funds or PPP funds, may make it more difficult to identify suspicious deposit activity. After all, these infusions are by definition unusual for all individuals and entities receiving them. Financial institutions must not allow this high “noise” level to drown out the proverbial “signal” of illicit activity.

On the other hand, seemingly normal activity may itself stand out as unusual, given the “new normal” to which all businesses have grown accustomed. For example, if a bar or hair salon continued making typical cash deposits during a lengthy span of a stay-at-home order requiring closure of such businesses, financial institutions may be viewed as being “on notice” of the “unusual” or “suspicious” activity. Thus, further inquiry may be warranted, but existing controls and algorithms may not be effective to detect this activity. At the same time, such technology-assisted surveillance would need to account for instances of appropriate continued transaction activity, such as a landscaping business continuing to generate cash. Thus, the technology must be sensitive and case-specific—while avoiding the generation of false positives or negatives—to ensure the compliance program is cost-effective, efficient, and timely. Improvements to existing computer software, or the development of improved artificial-intelligence tools, may be necessary to elevate potentially suspicious activity for human-level review and analysis.

Using 2008 Financial-Crisis Lessons to Formulate Post-COVID BSA/AML Controls

Understanding financial flows in a post-stimulus world will also be important. Looking back to the 2008 financial crisis, examples of how individual stimulus payments were spent may help to inform the analysis.^[3]
Individual stimulus payments are intended to be used for mortgage/rent, utilities, debt relief, groceries, transportation, medical expenses, and other essentials. Financial institutions should therefore naturally anticipate an uptick in activity relating to those payment/spending channels. But other financial transactions may warrant closer scrutiny. For instance, an account’s receipt of dozens of payments from seemingly unrelated parties may indicate use of a personal account as a business account—perhaps even for a stimulus-payment-centered Ponzi scheme or an illegal hoarding/price-gouging reseller of essential supplies. Where numerous individuals in a locality begin sending money to a new business, further investigation may be warranted, as local medical-supply, debt-relief, energy-switching/utility, or tax scams may be involved. A classic red flag associated with illegal online gaming remains prevalent today, where the unlawful gaming operation uses a false industry code (e.g., jewelry store) and/or an overseas location to bypass restrictions imposed by financial institutions and payment processors. This activity is often revealed when consumers receive credits or “refunds” (e.g., gaming winnings being paid) to their accounts that are larger than the initial “purchases.”

Public reports, client inquiries, and conversations with numerous prosecutors and compliance officers around the country reveal that the PPP loans are creating similar issues. Small and large businesses alike, all desperate to open their doors to returning employees and customers, are actively seeking masks, hand sanitizer, cleaning products, and other recommended products and services. Meanwhile, opportunistic sellers may take advantage of this desperate need by either promising (and failing) to deliver these essential supplies, or delivering inferior product.^[4] Naturally, these same individuals will seek ways to wash their ill-gotten gains by laundering them back into the financial system.

FinCEN Guidance on COVID-19 Red Flags in Financial Transactions

Indeed, FinCEN dedicated the first of its forthcoming advisories to this issue of scam detection, noting that “FinCEN identified the following red flag indicators to help financial institutions identify COVID-19-related medical scams, and to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with the COVID-19 pandemic”:^[5]

• A government agency publicly identifying a party (or one of its beneficial owners) to the transaction as selling fraudulent products or otherwise involved in crime;
• A web-based search or review of advertisements showing a party is selling at-home COVID-19 tests, treatments, vaccines, or cures or highly sought-after goods, such as hand sanitizer, toilet paper, masks, or anti-viral/disinfectant cleaning supplies—which either do not exist or are only legitimately available from well-known distributors;
• A party’s website reflecting one or more suspicious indicia, including:
  •  a name/web address or online branding photographs similar to real and well-known companies,
  • a limited internet presence,
  • a newly created website (particularly with no pre-existing physical business presence),
  • online contact or WHOIS information that is inconsistent with the confirmed websites of the known brand it purports to be,
  • a location outside of the United States, and/or
  • the ability to purchase pharmaceuticals without a prescription when one is usually required;
• Corporate database searches revealing a merchant’s listing contains:
  • a vague or inappropriate company name,
  • a historic brand name that has been retired or updated,
  • multiple unrelated names,
  • a suspicious number of name variations,
  • multiple “doing business as” (DBA) names, or
  • information that does not align with its business model;
• Repeated delays or refusals when asked to provide invoices, shipment tracking, or other documentation supporting the stated purpose of the transaction;
• Invoice data or price advertising showing highly sought-after goods being sold at deeply discounted or highly inflated prices;
• An inability to explain how highly sought-after goods were obtained for sale;
• A personal account receiving payments related to the sale of medical supplies or deposits with payment messages suggesting that business is being conducted;
• An individual retail customer of a financial institution setting up a medical supply company after January 2020 or selling highly sought-after goods online;
• A new account receiving a large payment shortly after opening that was not mentioned during the account-opening process;
• Requiring unusual payment terms or methods (such as a pre-paid card, the use of a money services business, convertible virtual currency, or payment via an electronic funds transfer to a high-risk jurisdiction or a country that is not normally part of the supply chain for the items at issue);
• High chargebacks or return rates in account activity;
• Using an account in transactions for COVID-19-related goods (such as masks and gloves) with a company that is:
  • not a medical supply distributor,
  • involved in other non-medical-related industries, or
  • not known to have repurposed its manufacturing to create medical-related goods (such as a business account for a restaurant now receiving payments for sanitary supplies);
• Unusually large cash deposits, with or without confirmation that they derive from selling medical supplies or highly sought-after items; and
• Inability by the financial institution to understand a party’s business model or difficulty verifying its operations

Similarly, PPP loan recipients seeking loan forgiveness must demonstrate that their loan proceeds were used for allowable costs—such as employee payroll/benefits, rent, and utilities—within the applicable time period rather than undocumented or inexplicable activities that could suggest fraud or misuse. Additionally, recipients must not have laid off their workers (or they must have rehired the workers shortly after receiving the loan proceeds). Indeed, the SBA’s forgiveness application focuses on employee headcount at the relevant times and ensuring that at least 60 percent of the loan was spent on payroll/benefits.^[6]

Financial institutions failing to detect the scams discussed above, or that facilitate borrowing companies’ spending of money on unnecessary dividends or capital improvements or that fail to spend PPP proceeds within the applicable time frame (including failing to retain or rehire workers in accordance with their application), or that simply received over $2 million in loan proceeds without an actual need, may be hard pressed to obtain forgiveness and perhaps may even face criminal, civil, and administrative investigations and claims, depending on the degree of the financial institution’s compliance failure or even complicity. Additionally, financial institutions should be sensitive to efforts by customers to manipulate their records or facilitate their assistance in obtaining loan forgiveness that is not justifiable under PPP regulations and guidance.

For instance, banking transactions that clearly show large percentages of PPP funds going to advertising agencies or lobbying efforts could be reportable as suspicious activity if the financial institution knows the customer/recipient is seeking loan forgiveness. Similarly, PPP funds going to highly compensated executives, shareholders, or even non-existent employees could create issues, especially in a situation where a financial institution serves both the company receiving PPP funds and the person receiving the payments derived from the PPP funds. Even subtle efforts to quickly spend all of the PPP funds in the allotted months by prepaying or overpaying the routine costs a financial institution knows a business has could be an event triggering required suspicious-activity analysis.

Traditional Scams Remain—and Increase—in Financial Crises

Additionally, even businesses that did not benefit from stimulus payments or PPP loans may engage in potentially suspicious behavior. An increasing number of “overseas investors” are appearing with endless variants of advance-fee scams and false hopes for businesses desperate for financial lifelines that missed or were ineligible for PPP loans. “Account verification payments,” “bond surcharges,” “loan taxes,” and “transfer fees” are all being pushed upon businesses with promises that a small amount paid now will unlock company-saving funds in the future.

FinCEN has detailed instructions for completing mandatory Suspicious Activity Reports related to the scenarios discussed above. Compliance audits and employee trainings led by experienced counsel can also assist financial institutions in updating policies, procedures, and controls to detect, report, and prevent suspicious activity. Internal or private investigations of high-value transactions or accounts can mitigate both compliance and business risk arising from providing financial services to questionable parties. Often, such investigations may be ably handed by internal compliance, audit, and legal staff. In other instances, a financial institution’s dealings with bank examiners, government auditors or prosecutors, the new Special Inspector General for Pandemic Recovery (SIGPR), and responses to requests for information or grand jury subpoenas should also be supported by experienced outside counsel.

1. Specifically, 31 U.S.C. § 5318(a)(2) requires financial institutions to implement “appropriate procedures” for BSA/AML compliance, and the accompanying implementing regulations require a reasonable risk-based approach that puts compliance efforts on the same level as business/credit efforts. These institutions are also expected to be familiar with current FinCEN guidance, including “red flags” and the BSA/AML controls sufficient to detect them. Traditionally, these controls include an automated process to flag high-dollar, high-velocity, or other quantitatively unusual transactions, followed by a qualitative analysis by an appropriately trained human who documents the decision as to whether or not to file a Suspicious Activity Report (“SAR”) and why. See also 31 U.S.C. § 5318(h) (and related regulations); FinCEN Final Rule on Customer Due Diligence, Fed. Reg., Vol. 81, No. 91 (May 11, 2016).
2. FinCEN recently announced that, although it “recognizes that current circumstances may create challenges with respect to certain BSA obligations, including the timing requirements for certain BSA report filings,” nonetheless “FinCEN expects financial institutions to continue following a risk-based approach and to diligently adhere to their BSA obligations.” https://www.fincen.gov/sites/default/files/shared/May_18_Notice_Related_to_COVID-19.pdf.
3.  A survey tracking use of the 2008 payments showed that most recipients used the stimulus payments to pay off debt. See Claudia R. Sahm, Matthew D. Shapiro, & Joel Slemrod, Household Response to the 2008 Tax Rebates: Survey Evidence and Aggregate Implications, (Oct. 7, 2009), available at https://www.federalreserve.gov/pubs/feds/2009/200945/200945pap.pdf.

• Post-2008 financial crisis DOJ investigations reflect such scrutiny from the government regarding potentially suspicious financial transactions at banks and money-services businesses. See, e.g.:
  • Moneygram International Inc. Admits Anti-Money Laundering and Wire Fraud Violations, Forfeits $100 Million in Deferred Prosecution, U.S. Dep’t of Justice (Nov. 9, 2012), https://www.justice.gov/opa/pr/moneygram-international-inc-admits-anti-money-laundering-and-wire-fraud-violations-forfeits (involving allegations of aiding and abetting wire fraud and failing to maintain an effective AML program for “turn[ing] a blind eye to scam artists and money launderers who used the company to perpetrate fraudulent schemes targeting the elderly and other vulnerable victims”);
  • HSBC Holdings Plc. And HSBC Bank USA N.A. Admit to Anti-Money Laundering and Sanctions Violations, Forfeit $1.256 Billion in Deferred Prosecution Agreement, U.S. Dep’t of Justice (Dec. 11, 2012), https://www.justice.gov/opa/pr/hsbc-holdings-plc-and-hsbc-bank-usa-na-admit-anti-money-laundering-and-sanctions-violations (involving allegations of failing to maintain an effective AML program and thus facilitating the laundering of hundreds of millions of dollars of drug proceeds); and
  • Manhattan U.S. Attorney and FBI Assistant Director-In-Charge Announce Filing of Criminal Charges Against and Deferred Prosecution Agreement With JPMorgan Chase Bank, N.A., In Connection With Bernard L. Madoff’s Multi-Billion Dollar Ponzi Scheme, U.S. Dep’t of Justice (Jan. 7, 2014), https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-filing-criminal (involving allegations of failing to report suspicious transactions conducted as part of Madoff’s Ponzi scheme).

4. See, e.g., https://abcnews.go.com/Health/wireStory/report-stockpile-39-million-masks-exposed-fake-70111451 & https://www.ice.gov/news/releases/ice-hsi-arrests-georgia-resident-selling-illegal-pesticide-claiming-it-protects.
5. https://www.fincen.gov/sites/default/files/advisory/2020-05-18/Advisory Medical Fraud Covid 19 FINAL 508.pdf.
6. See https://www.sba.gov/sites/default/files/2020-05/3245-0407%20SBA%20Form%203508%20PPP%20Forgiveness%20Application.pdf (and recently updated to move the payroll requirement down to 60 percent from 75 percent).