Aid to Businesses Under the CARES Act
The Coronavirus Aid, Relief and Economic Security (CARES) Act, H.R. 748, was signed into law by the President on March 27, 2020. In addition to providing benefits for individuals, hospitals, health agencies and state and local governments, the 335-page, $2 trillion aid bill, aimed at reducing the economic impact of the coronavirus pandemic, contains assistance for businesses of all sizes. But with federal money comes the risk of exposure to federal fraud liability.
- Businesses with fewer than 500 employees, and businesses meeting the Small Business Administration’s size standards, are eligible for loans up to $10 million under the “Paycheck Protection Program.” Applicants must certify that the funds will be used to “retain workers and maintain payroll or make mortgage payments, lease payments, and utility payments.”  If used for certain purposes, these loans may qualify for forgiveness.
- Low-interest direct loans are available for mid-size businesses (between 500 and 10,000 employees). Borrowers must certify to eligibility conditions, including that the borrower intends to retain or restore at least 90 percent of the workforce at full compensation and benefits, will not issue dividends or conduct stock buybacks, will not outsource or offshore jobs, and will remain neutral in any union organizing effort.
- $46 billion is allocated to eligible businesses in the aviation industry and businesses “critical to maintaining national security.”
- An additional $454 billion is available for loans, loan guarantees, and investments in programs or facilities established by the Federal Reserve to provide liquidity to eligible businesses.
To oversee the $2 trillion in expenditures, the CARES Act creates an Office of the Special Inspector General for Pandemic Recovery (SIGPR) and a Pandemic Response Accountability Committee, composed of agency IGs.
The SIGPR, housed within the Department of the Treasury, has a five-year tenure funded with $25 million.
The Act also boosts more than a dozen other agency IG offices’ funding, including those of the Treasury Department, Department of Labor, Small Business Administration, and Defense Department.
Federal Enforcement Tools, Priorities, and Recent Activity
Given certification requirements and other terms and conditions that will be established for CARES Act funding, participating businesses need to be aware in particular of the civil False Claims Act (FCA), a powerful enforcement tool used by the Government to ensure compliance with Federal contracts, grants, and loan agreements. It punishes those who submit false or fraudulent claims for payment, or who knowingly fail to return funds owed to the Government, with treble damages and a penalty of not less than $5,000 and not more than $10,000 per claim as adjusted for inflation (currently, more than double those amounts).
But FCA cases are not only filed by the Government. In fact, it is more frequent that an FCA case is initiated by a whistleblower, called a qui tam relator. Successful qui tam relators are entitled to receive a percentage of a judgment or settlement against an FCA defendant, ranging from 15 to 25 percent of the proceeds if the Government intervenes in the case, to 25 percent to 30 percent if the Government declines to intervene, plus attorneys’ fees and expenses. The relator’s share thus provides a powerful incentive for whistleblowers—often present or former employees—to pursue action against a company for alleged noncompliance. Although whistleblower suits are perennially a possibility, in coming months the incentive may be even greater given the financial vulnerability and economic uncertainty posed by the novel coronavirus.
Businesses seeking assistance under the CARES Act may be outside the government contracting or health care industries—the traditional FCA targets—and therefore less familiar with the strings attached to Federal funds. Following the 2008 crisis, the financial services industry found itself newly in the crosshairs of FCA enforcement, so much to the extent that in 2018 the Treasury Department reported that FCA liability had “unnecessarily raised the cost” of engaging in the Government’s loan insurance programs. Much like the coronavirus legislation, two pieces of 2008 crisis legislation—the Emergency Economic Stabilization Act of 2008 (ESSA) and American Recovery and Reinvestment Act of 2009 (ARRA)—created a special IG (the Special Inspector General of the Troubled Asset Relief Program (SIGTARP)) and an oversight board (the Recovery Accountability and Transparency Board) and boosted agencies’ IG funding. SIGTARP remains active over a decade after its inception, reporting as of Q1 FY 2020 a total of $11 billion recovered as well as 381 convictions and successful enforcement actions related to fraud, waste, and abuse under the Troubled Asset Relief Program. History teaches us that the addition of new FCA targets, when combined with a heightened enforcement environment, will lead to increased fraud investigations and FCA activity. Like post-2008 enforcement, CARES Act eligibility certifications almost certainly will function as FCA hooks under the certification theory of liability.
Further, the recently-announced priorities by the Department of Justice suggest that federal enforcement activity is likely to come quickly and aggressively. The U.S. Attorney General issued a memo on March 16 prioritizing the “detection, investigation, and prosecution of all criminal conduct related to the current pandemic,” and another memo on March 24 announcing a task force to address hoarding and price gouging using the Defense Production Act and Stafford Act and listing legal authorities under which to punish wrongdoing related to COVID-19. The U.S. Attorney’s Office for the Eastern District of Michigan has posted a “Coronavirus Prosecution Guide” for State and Local Law Enforcement. Various other U.S. Attorney’s Offices have announced their own coronavirus initiatives.
These investigations are already leading to arrests and enforcement actions:
- On March 22, the U.S. Attorney’s Office for the Western District of Texas announced action against the operators of a website purporting to provide COVID-19 vaccine kits that do not exist.
- On April 1, the U.S. Attorney’s Office for the Central District of California announced a federal complaint charging a British man with smuggling mislabeled drugs purported to be a treatment for those suffering from COVID-19.
- On April 2, DOJ and the U.S. Department of Health and Human Services announced the distribution of medical supplies seized by DOJ’s COVID-19 hoarding and price gouging task force.
- That same day, the Washington Post reported that a Washington state nursing home could face penalties of more than $611,000 and termination from the Medicare/Medicaid program for failure to promptly notify regional authorities that it had a surge in respiratory infections.
How To Protect Yourself
Before applying for CARES Act aid, businesses should pay close attention not only to existing and forthcoming eligibility requirements, terms and conditions, but also to DOJ guidance on corporate compliance programs. Among other things, a robust compliance program that is supported by senior management, a qualified compliance officer, and an anonymous complaint/whistleblower reporting system will be the bare minimum requirements government investigators would look for in the course of any investigation into violations of federal funding requirements. Any federal review of a company’s compliance program will be guided by DOJ’s “Evaluation of Corporate Compliance Programs” (Apr. 30, 2019)
and “Guidelines for Taking Disclosure, Cooperation, and Remediation into Account in False Claims Act Matters” (May 2019).
The DOJ guidance collectively maps out the elements of an effective compliance program—one that is well-designed, implemented effectively, and results in the timely identification, remediation, and self-reporting of misconduct. A company that finds itself the target of a federal investigation and has an effective compliance program in place can much more credibly negotiate a favorable resolution with the government. While many employees are working remotely without face-to-face supervision, it is especially important to ensure that your compliance program is current, communicated, and accessible. Below are some questions all companies operating in highly-regulated areas should ask themselves in evaluating whether the compliance program does enough to prevent misconduct and to detect, analyze, and address misconduct that does occur:
- Role of Compliance Officer. How does the compliance officer compare to other strategic functions in terms of stature, compensation, rank/title, and resources? Has the compliance officer previously raised concerns in the area that the misconduct occurred?
- Policies and Procedures. Are they clearly communicated through initial training, signage, reminders, and available resources? What are the internal communications when an employee is terminated for failure to comply with policies and procedures? Are they periodically reviewed, tested, and updated? How are new policies and procedures integrated into operations?
- Risk Assessment. What method is the company using to identify, analyze, and address the specific types of risks (employee, operational, safety, etc.) in its particular line of business? Are resources allocated appropriately according to risk?
- Confidential Reporting and Investigation. Is there a confidential reporting mechanism? How is the reported information used? How are resulting investigations scoped and ensured to be independent, objective, thorough, and suitably documented?
- Analysis of Underlying Misconduct. What is the process for conducting a root cause analysis when misconduct is identified?
- Prior Red Flags. Were there prior complaints or reports noting similar misconduct? Why were the red flags missed or not addressed earlier? Can systemic issues be identified?
- Modeling by Senior Management. What have senior leaders done both to discourage the type of misconduct at issue and to let employees know the company’s position on the misconduct? How are they demonstrating leadership in compliance and remediation efforts?
- Internal Controls. What controls failed or were absent that might have prevented the misconduct? Have they been implemented or strengthened?
- Disciplinary Measures. What disciplinary actions did the company take in response to the misconduct and when? Did the company’s response consider disciplinary actions for any failure in oversight? What is the company’s history in terms of number and types of disciplinary actions relating to the type of misconduct at issue?
- Investigation Response and Remediation. What changes did the company make to reduce the risk of similar misconduct occurring in the future? Did the changes address the root cause and any missed red flags?
CARES Act, Pub. L. No. 116-136, § 1102(a).
§§ 4018, 15010(b).
div. B, tit. I, II, III, V, VI, VII, VIII, X, and XII.
31 U.S.C. §§ 3729–3733.
31 U.S.C. § 3729(a)(1).
31 U.S.C. § 3730(d)(1), (2).
Pub. L. No. 110-343, 122 Stat. 3765 (Oct. 3, 2008).
Pub. L. No. 111-5, 123 Stat. 115 (Feb. 17, 2009).
 See, e.g.
, United States v. Hodge
, 933 F.3d 468, 476 (5th Cir. 2019) (affirming verdict based on false certifications and quality control documents).