COVID RELIEF
Fraud Schemes and
Indicators in SBA
Pandemic Programs
Report to Congressional Committees
May 2023
GAO-23-105331
United States Government Accountability Office
United States Government Accountability Office
Highlights of GAO-23-105331, a report to
congressional committees
May 2023
COVID RELIEF
Fraud Schemes and
Indicators in SBA Pandemic
Program
s
What GAO Found
The Small Business Administration (SBA) moved quickly under challenging
circumstances to develop and launch pandemic relief programs to help small
businesses. These programs, including the Paycheck Protection Program (PPP)
and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL), totaled over
$1 trillion and assisted more than 10 million small businesses. However, in some
instances relief funds went to those who sought to defraud the government. As
schemes emerged, SBA adapted its fraud risk management approach and added
controls to help prevent, detect, and respond to fraud.
GAO analyzed 330 PPP and COVID-19 EIDL fraud cases. Federal prosecutors
across the United States filed bank fraud, wire fraud, money laundering, identity
theft, and other charges against 524 individuals associated with these cases. This
analysis is based on fraud cases publicly announced by the Department of Justice
(DOJ) as of December 2021.
Cases Charged by the Department of Justice Involving Paycheck Protection Program (PPP) and
COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) Fraud, as of December 31, 2021
In those cases, DOJ charged individuals with
• misrepresenting eligibility, falsifying documents, using stolen identities, and
• deliberately exploiting the programs by conspiring with each other, sharing
knowledge on how to circumvent controls, and obtaining kickbacks.
For the 155 of the 330 cases that reached conclusion through guilty pleas or
convictions, GAO calculated about $188 million in direct financial losses. Across
these cases, as of December 2021, 94 individuals had been sentenced to an
average of about 37 months in prison. The number of cases will continue to grow.
As of January 2023, the SBA Office of Inspector General (OIG) had 536 ongoing
investigations, and the statute of limitations has been extended to 10 years to
prosecute individuals who committed PPP and COVID-19 EIDL-related fraud.
View GAO-23-105331. For more information,
contact
Johana Ayers at (202) 512-6722 or
.
Why GAO Did This Study
Congress established four programs to
support small businesses during the
pandemic: PPP, COVID
-19 EIDL,
Restaur
ant Revitalization Fund, and
Shuttered Venue Operators Grant.
Widely reported incidents of fraud
raised questions about SBA’s
management of these programs. For
this and other reasons, GAO added
small business emergency loans to its
High Risk Program in 202
1.
The CARES Act includes a provision
for GAO to monitor COVID
-19
pandemic relief funds. This report
(1)
analyzes fraud cases charged by
DOJ involving PPP and COVID
-19
EIDL to understand fraud schemes and
impacts, (2)
provides the results of
select data an
alyses regarding fraud
indicators in PPP and COVID
-
19 EIDL,
and (3) identifies opportunities for SBA
to enhance its data analytics.
GAO analyzed DOJ press releases
and court documents related to PPP
and COVID
-19 EIDL cases publicly
announced as of December
2021 for
fraud schemes and impacts. GAO
analyzed 2020 and 2021 PPP and
COVID
-
19 EIDL data, comparing these
data to NDNH wage data to identify the
presence of fraud indicators. GAO also
evaluated SBA’s data analytic efforts
against leading practices.
What
GAO Recommends
GAO recommends that SBA
(1)
ensures it has and utilizes
mechanisms to facilitate cross
-
program
data analytics and (2) identifies
external data sources that could aid in
fraud prevention and detection and
develop a plan to obtain access to
th
ose sources. SBA concurred with
both recommendations.
Highlights of GAO-23-105331 (Continued)
United States Government Accountability Office
Select GAO analyses of PPP and COVID-19 EIDL data, including comparisons with National Directory of New Hires
(NDNH) wage data, identified over 3.7 million unique recipients with fraud indicators out of a total of 13.4 million (see
figure). Fraud indicators can be used to identify potential fraud and assess fraud risk. They are not proof of fraud.
Additional review, investigation, and adjudication is needed to determine if fraud exists. To that end, GAO referred the
unique recipients with fraud indicators it identified to the SBA OIG for further review and investigation. The unique
recipients identified include potentially non-existent businesses or businesses that may have misrepresented employee
counts to obtain more funds. However, it is possible that the analysis identified non-fraudulent recipients with data
discrepancies consistent with an indicator. While SBA has conducted its own analyses to identify recipients with fraud
indicators, it does not have access to the NDNH database and could not have performed the same analyses as GAO.
Unique Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) Recipients with Fraud Indicators
SBA has employed data analytics to enhance fraud prevention and detection. For example, the use of analytics
contributed to SBA determining that some PPP borrowers were ineligible for loan amounts or used them for unauthorized
purposes, resulting in $4.7 billion in loan proceeds not being forgiven. In addition, SBA referred over 669,000 potentially
fraudulent PPP and COVID-19 EIDL loans to the SBA OIG for investigation after using data analytics and conducting
manual reviews. SBA enhanced its analytic capabilities during the pandemic and has recognized that it would benefit from
further development of its data analytics program. SBA has opportunities to continue to improve its ability to prevent and
detect potentially fraudulent transactions. For example, SBA did not fully leverage information to help identify applicants
who tried to defraud multiple pandemic relief programs. While it has access to multiple external data sources, SBA does
not have access to other external data sources that could aid in fraud detection and prevention. Leveraging information
across programs and obtaining access to external data are consistent with leading fraud risk management practices. SBA
has the opportunity to ensure that it fully leverages data across programs and accesses external data to the fullest extent
possible to mitigate the likelihood and impact of fraud. Obtaining such access could necessitate pursuing statutory
authority or entering into data-sharing agreements with other agencies to gain timely access to those sources.
Page i GAO-23-105331 COVID Relief
Letter 1
Background 5
Analysis of PPP and COVID-19 EIDL Charges Illustrates Fraud
Schemes and Their Actual and Potential Impacts 21
Our Analysis Reveals Millions of PPP and COVID-19 EIDL
Recipients with Fraud Indicators, and Certain Lenders
Originated Higher Rates of Fraudulent PPP Loans 44
Enhanced Data Analytics Can Help SBA Identify Potentially
Fraudulent Recipients 75
Conclusions 79
Recommendations for Executive Action 80
Agency Comments and Our Evaluation 80
Appendix I Objectives, Scope, and Methodology 91
Appendix II Overview of SBA’s Fraud Risk Management Efforts
Implementing the Pandemic Relief Programs 108
Appendix III Prior GAO Recommendations to Address
Fraud Risks and SBA Actions 127
Appendix IV Regression Analysis 131
Appendix V Comments from the Small Business Administration 136
Appendix VI GAO Contact and Staff Acknowledgments 145
Related GAO Products 146
Contents
Page ii GAO-23-105331 COVID Relief
Tables
Table 1: Characteristics of Small Business Administration’s (SBA)
Pandemic Relief Programs 9
Table 2: Financial Losses (in Millions of Dollars) in Paycheck
Protection Program (PPP) and COVID-19 Economic Injury
Disaster Loan (COVID-19 EIDL) Based on Analysis of
Department of Justice Fraud Cases, as of December 31,
2021 35
Table 3: Non-Financial Impacts of Fraud in Paycheck Protection
Program (PPP) and COVID-19 Economic Injury Disaster
Loan (COVID-19 EIDL) 36
Table 4: Top Five Lenders by Number of Paycheck Protection
Program (PPP) Loans Associated with a Department of
Justice (DOJ) Fraud Case, as of December 31, 2021 69
Table 5: Created Variables Used in the Regression Analysis of the
Small Business Administration (SBA) Paycheck Protection
Program Loans, Years 2020-2021 132
Table 6: Variables Included in GAO Regression Models Using the
Small Business Administration (SBA) Paycheck Protection
Program Loans, Years 2020-2021 133
Table 7: Associations of Logistic Regression Model Variables
Based on the Small Business Administration’s (SBA)
Paycheck Protection Program Loans, Years 2020-2021 135
Figures
Figure 1: Illustrative Life Cycle of Fraudulent Paycheck Protection
Program (PPP) and COVID-19 Economic Injury Disaster
Loan (COVID-19 EIDL) Applications Involving Criminal
Cases 14
Figure 2: The Four Components of the Fraud Risk Management
Framework and Selected Leading Practices 16
Figure 3: Cases Charged by the Department of Justice Involving
Paycheck Protection Program (PPP) and COVID-19
Economic Injury Disaster Loan (COVID-19 EIDL) Fraud,
as of December 31, 2021 23
Figure 4: Ongoing and Closed Cases Involving Paycheck
Protection Program (PPP) and COVID-19 Economic
Injury Disaster Loan (COVID-19 EIDL) Fraud, as of
December 31, 2021 24
Page iii GAO-23-105331 COVID Relief
Figure 5: Individuals and Businesses Associated with Paycheck
Protection Program (PPP) and COVID-19 Economic
Injury Disaster Loan (COVID-19 EIDL) Fraud Cases, as
of December 31, 2021 25
Figure 6: Types of Businesses Identified in Paycheck Protection
Program and COVID-19 Economic Injury Disaster Loan
Fraud Cases, as of December 31, 2021 26
Figure 7: Clusters of Related Cases Charged by the Department
of Justice Associated with Paycheck Protection Program
and COVID-19 Economic Injury Disaster Loan Fraud, as
of December 31, 2021 30
Figure 8: Number of Paycheck Protection Program and COVID-19
Economic Injury Disaster Loan Cases Involving
Department of Justice Charges of Asset
Misappropriation, by Type of Ineligible Expense, as of
December 31, 2021 38
Figure 9: Foreign Jurisdictions to Which Fraudsters Redirected
Funds from Paycheck Protection Program and COVID-19
Economic Injury Disaster Loan, as of February 2023 39
Figure 10: Sentencing Ranges for Individuals Sentenced to
Prison, Probation, and Supervised Release for Crimes
Involving Paycheck Protection Program (PPP) and
COVID-19 Economic Injury Disaster Loan (COVID-19
EIDL), as of December 31, 2021 43
Figure 11: Unique Paycheck Protection Program (PPP) and
COVID-19 Economic Injury Disaster Loan (COVID-19
EIDL) Recipients with Fraud Indicators 48
Figure 12: Example of Information Mismatch between Paycheck
Protection Program (PPP) and COVID-19 Economic
Injury Disaster Loan (COVID-19 EIDL) Data 68
Figure 13: Number of Suspicious Activity Reports Filed on
Paycheck Protection Program Loans, by Month 74
Figure 14: National Directory of New Hires (NDNH) and Small
Business Administration (SBA) Pandemic Relief Data
Obtained for GAO Analysis 97
Figure 15: Examples of Changes to Traditional Small Business
Administration (SBA) Programs Made by the CARES Act 109
Figure 16: The Small Business Administration’s (SBA) Key Fraud
Risk Management Activities Occurred after Most Program
Funds Were Distributed 124
Page iv GAO-23-105331 COVID Relief
Abbreviations
Board Fraud Risk Management Board
BSA/AML Bank Secrecy Act and related anti-money
laundering requirements
Council Fraud Risk Management Council
COVID-19 EIDL COVID-19 Economic Injury Disaster Loan
DOJ Department of Justice
EIN employer identification number
FDIC Federal Deposit Insurance Corporation
Federal Reserve Board of Governors of the Federal Reserve System
FinCEN Financial Crimes Enforcement Network
Fraud Risk A Framework for Managing Fraud Risks in Federal
Framework Programs
IP internet protocol
IPSFF International Public Sector Fraud Forum
IRS Internal Revenue Service
NDNH National Directory of New Hires
OIG Office of Inspector General
OMB Office of Management and Budget
PPP Paycheck Protection Program
PRAC Pandemic Response Accountability Committee
RRF Restaurant Revitalization Fund
SAR suspicious activity report
SBA Small Business Administration
SSN Social Security number
SVOG Shuttered Venue Operators Grant
tax ID taxpayer identification number
Treasury Department of the Treasury
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
Page 1 GAO-23-105331 COVID Relief
441 G St. N.W.
Washington, DC 20548
May 18, 2023
Congressional Committees
The COVID-19 pandemic created economic hardship for small
businesses across the U.S. economy. Businesses in the restaurant, live
performing arts, and entertainment industries were particularly hard hit.
To assist small businesses, Congress created programs through the
Small Business Administration (SBA) between March 2020 and March
2021 for pandemic relief. Specifically, the CARES Act and other laws
provided funding for the newly created Paycheck Protection Program
(PPP) and the COVID-19 Economic Injury Disaster Loan (COVID-19
EIDL) program, which were available to most small businesses; and the
Restaurant Revitalization Fund (RRF) and the Shuttered Venue
Operators Grant (SVOG), which targeted hard-hit industries.
1
The more
than $1 trillion in relief funds provided through these four programs
assisted more than 10 million small businesses affected by the pandemic.
However, in some instances these relief funds went to those who sought
to defraud the government.
We and others have raised questions about SBA’s management of fraud
risks in these programs.
2
Since June 2020, we have reported multiple
times on fraud schemes, risks, and indicators in SBA’s pandemic relief
programs. Additionally, in March 2021, we added emergency loans for
small businesses to GAO’s High Risk Program, in part because of the
1
American Rescue Plan Act of 2021 (ARPA), Pub. L. No. 117-2, 135 Stat. 4; Consolidated
Appropriations Act, 2021, Pub. L. No. 116-260, div. M and N, 134 Stat. 1182 (2020);
Paycheck Protection Program and Health Care Enhancement Act, Pub. L. No. 116-139,
134 Stat. 620 (2020); CARES Act, Pub. L. No. 116-136, 134 Stat. 281 (2020).
2
Fraud is the act of obtaining something of value through willful misrepresentation.
Whether an act is fraudulent is determined through the judicial or other adjudicative
system. When fraud risks can be identified and managed, fraud may be less likely to
occur.
Letter
Page 2 GAO-23-105331 COVID Relief
potential for fraud, significant risk to program integrity, and need for
improved program management and better oversight.
3
The CARES Act includes a provision for GAO to monitor and oversee the
federal government’s efforts to prepare for, respond to, and recover from
the COVID-19 pandemic.
4
This report (1) analyzes fraud cases charged
by the Department of Justice (DOJ) involving PPP and COVID-19 EIDL to
understand fraud schemes and impacts; (2) provides the results of select
data analyses to identify PPP and COVID-19 EIDL recipients with fraud
indicators, as well as fraud-related lender activity in PPP; and
(3) identifies opportunities for SBA to enhance its data analytics to
prevent and detect potential fraud.
5
For the first objective, we conducted a thematic analysis of criminal and
civil fraud cases involving PPP and COVID-19 EIDL charged by DOJ and
publicly announced as of December 31, 2021.
6
To identify cases, we
received DOJ press releases through a subscription to Westlaw (a legal
3
The High Risk Program highlights federal programs and operations that we have
determined are in need of transformation, and also names federal programs and
operations that are vulnerable to waste, fraud, abuse, and mismanagement. GAO, High-
Risk Series: Dedicated Leadership Needed to Address Limited Progress in Most High-
Risk Areas, GAO-21-119SP (Washington, D.C.: Mar. 2, 2021) and High-Risk Series:
Efforts Made to Achieve Progress Need to Be Maintained and Expanded to Fully Address
All Areas, GAO-23-106203 (Washington, D.C.: Apr. 20, 2023).
4
Pub. L. No. 116-136, § 19010(b), 134 Stat. 281, 580 (2020). All of GAO’s reports related
to the COVID-19 pandemic are available on GAO’s website at
https://www.gao.gov/coronavirus.
5
Fraud indicators are characteristics and flags that serve as warning signs suggesting a
potential for fraudulent activity. Indicators can be used to identify potential fraud and
assess fraud risk but are not proof of fraud, which is determined through the judicial or
other adjudicative system.
6
Fraud cases are those PPP and COVID-19 EIDL cases that involve fraud-related
charges. Fraud-related charges include criminal fraud charges associated with PPP or
COVID-19 EIDL fraud schemes, such as bank fraud or wire fraud, as well as other
charges for crimes used to execute fraud schemes, such as money laundering or
conspiracy charges. Alternatively, DOJ can pursue civil remedies for suspected fraud
under the False Claims Act, 31 U.S.C. § 3729-3733 and the Financial Institutions Reform,
Recovery, and Enforcement Act of 1989, 12 U.S.C. § 1833a.
We selected December 31, 2021, as the ending point of our research because after
December 31, 2021, SBA stopped accepting COVID-19 EIDL applications (per
Consolidated Appropriations Act, 2021). PPP closed in May 2021. We acknowledge that
DOJ has continued to bring charges involving PPP and COVID-19 EIDL since December
31, 2021, and that later cases may involve more complex fraud schemes that may take
longer to investigate and prosecute.
Page 3 GAO-23-105331 COVID Relief
news service), conducted periodic checks of the Westlaw database, and
used other available sources, such as the DOJ Fraud Section website.
For identified cases, we obtained relevant court documents by searching
Public Access to Court Electronic Records.
7
Using case information identified in court documents on charged
individuals, fraud mechanisms, and loan amounts, among other things,
we conducted a thematic analysis using the GAO Conceptual Fraud
Model.
8
The model is organized as an ontology, which is an explicit
description of categories of federal fraud, their characteristics, and the
relationships among them. We structured and organized this thematic
analysis using WebProtégé, an ontology modeling tool. We then analyzed
the aggregate data to describe the characteristics and areas of impact of
PPP and COVID-19 EIDL fraud cases. Based on data and information
from these cases, we determined actual and potential financial impacts as
well as non-financial impacts.
For the purposes of our analysis, we considered DOJ cases as closed
when they reached conclusion through settlement, dismissal of charges,
a guilty plea, or a verdict reached at trial.
9
We considered cases as
ongoing when they had not reached a conclusion as of December 31,
2021. The cases are not generalizable to all fraud cases or all potential
fraud involving PPP and COVID-19 EIDL. From the identified cases, we
selected closed cases to provide illustrative examples of how fraud
occurred.
For the second objective, we analyzed PPP and COVID-19 EIDL loan-
and advance-level data to identify recipients with fraud indicators. This
included matching that data to quarterly wage data in the National
Directory of New Hires (NDNH) for quarter 4 of 2019 and quarters 1
7
Public Access to Court Electronic Records is a service of the federal judiciary that
enables the public to search online for case information from U.S. district, bankruptcy, and
appellate courts. Federal court records available through this system include case
information (such as names of parties, proceedings, and documents filed) as well as
information on case status.
8
GAO, GAO Fraud Ontology Version 1.0, published January 10, 2022.
https://gaoinnovations.gov/antifraud_resource/howfraudworks
9
In criminal cases, after a finding of guilt, either through guilty plea or verdict, there is a
period of time before the defendant returns to court to be sentenced. Some of the cases
categorized as closed for our analysis had not yet completed the sentencing stage.
Page 4 GAO-23-105331 COVID Relief
through 3 of 2020.
10
By matching PPP and COVID-19 EIDL data to
NDNH wage data, we identified unique recipients with fraud indicators
associated with potential misrepresentations of business operating status,
employee counts, or payroll costs. We also reviewed the loan-level data
to determine whether applicants received multiple loans or advances, or if
loans were disbursed to multiple recipients using the same information.
Finally, we matched PPP data to COVID-19 EIDL data to identify unique
recipients who obtained funds from both programs, which was permitted,
but who (1) were associated with fraud indicators in both programs or
(2) provided different information to the two programs, which is a fraud
indicator. On the basis of our reliability assessment results, we
determined that the data were sufficiently reliable for the purposes of
matching and identifying discrepancies associated with fraud indicators.
The intent of our analyses was to understand the extent fraud indicators
existed, SBA’s exposure to fraud risk, and how some recipients may have
taken advantage of those risks. The results of our analyses, including the
identification of discrepancies associated with fraud indicators, should not
be interpreted as proof of fraud.
Additionally, we analyzed PPP lender origination of loans associated with
DOJ cases (identified in objective 1) as well as PPP fraud indicators
(identified in objective 2). Through this analysis, we identified the
characteristics of lenders with loans associated with DOJ cases or loans
that we flagged with fraud indicators. To determine the relevant
population of PPP loans, we matched businesses identified in DOJ cases
that received PPP loans with PPP loan-level data. Further, to provide
insight into associations among variables of lender and borrower
characteristics, we conducted logistic regressions to assess the statistical
significance of associations between fraud indicators, and lender and loan
characteristics with potentially fraudulent loans. A logistic regression
describes the relationship between a binary outcome variable—in this
case incidents of fraud and alleged fraud charged by DOJ—and select
factors of interest, such as loan- and lender-level characteristics and
select fraud indicators, while controlling for other factors.
10
NDNH is a national repository of new hire, quarterly wage, and unemployment insurance
information reported by employers, states, and federal agencies. The NDNH is maintained
and used by the U.S. Department of Health and Human Services for the federal child
support enforcement program, which assists states in locating parents and enforcing child
support orders. SBA does not have access to NDNH wage data. However, similar
information, such as number of employees and wages paid, can be found on the
employer’s federal tax return and other employer filings.
Page 5 GAO-23-105331 COVID Relief
For the third objective, we evaluated SBA’s data analytic efforts for
opportunities to enhance fraud prevention and detection by reviewing
previous GAO reports, the results of our fraud indicator analysis, and SBA
planning documents. We assessed SBA’s efforts against the leading
practices identified in GAO’s Fraud Risk Framework.
11
For more
information about our scope and methodology, see appendix I.
We conducted this performance audit from July 2021 to May 2023 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
The COVID-19 pandemic had a significant effect on the nation and its
economy. Stay-at-home orders, social distancing requirements, and
reduced consumer demand early in the pandemic caused both temporary
and permanent business closures, particularly among small businesses.
To help support small businesses, in March 2020, Congress passed the
CARES Act that, among other things, provided funds for two new SBA
pandemic relief programs. Specifically, it created PPP, which was
authorized under SBA’s existing 7(a) small business lending program.
12
It
also established a COVID-19 EIDL program partially based on an existing
SBA-administered program providing EIDL disaster loans.
13
Both PPP
11
GAO, A Framework for Managing Fraud Risks in Federal Programs, GAO-15-593SP
(Washington, D.C.: July 2015).
12
The 7(a) loan guarantee program provides small businesses access to capital that they
would not be able to access in the competitive market.
13
EIDL, which is part of SBA’s Disaster Loan Program, provides low-interest loans to help
borrowers—small businesses and nonprofit organizations located in a disaster area—
meet obligations or pay ordinary and necessary operating expenses. In this report, we
refer to the Economic Injury Disaster Loan provisions of SBA’s Disaster Loan Program as
“traditional” EIDL and to the EIDL program designed to help small businesses recover
from the economic impacts of the COVID-19 pandemic as COVID-19 EIDL. For more
information on SBA’s Disaster Loan Program, see GAO, Small Business Administration:
Disaster Loan Processing Was Timelier, but Planning Improvements and Pilot Program
Evaluation Needed, GAO-20-168 (Washington, D.C.: Feb. 7, 2020).
Background
Four SBA Pandemic Relief
Programs
Page 6 GAO-23-105331 COVID Relief
and COVID-19 EIDL contained programmatic elements that were new
compared to the pre-pandemic programs.
PPP guaranteed over $800 billion to small businesses and nonprofits,
referred to collectively as “small businesses,” to help support payroll
costs, rent, utilities and other eligible operating costs during the
pandemic. Applicants could apply for
• first draw loans in PPP Round 1 between April and August of 2020,
and
• first or second draw loans in PPP Round 2 between January and May
2021.
14
PPP low-interest loans were fully SBA-guaranteed and made to recipients
through a network of participating lenders under program rules set by
Treasury and SBA’s Office of Capital Access. Under certain
circumstances, recipients are eligible for full loan forgiveness. For
example, to be eligible for full forgiveness, at least 60 percent of the loan
had to be used for payroll costs, with the remaining amount used for
eligible non-payroll costs, such as covered mortgage interest, rent, and
utility payments.
15
Participating PPP lenders included depository institutions (for example,
banks and credit unions) and non-depository lending institutions (for
example, SBA-certified development companies and state-regulated
financial companies). Existing 7(a) lenders were automatically allowed to
participate in PPP.
16
According to SBA and the Department of the
Treasury (Treasury) officials, they jointly approved certain new non-
14
A borrower’s first PPP loan, which could be received in either 2020 or 2021 is referred to
as a “first draw loan.” Borrowers that received first draw loans could apply for a second
draw PPP loan in 2021, based on different eligibility requirements.
15
SBA originally required borrowers to spend at least 75 percent of forgivable expenses on
payroll costs, but this requirement was modified by later legislation. Paycheck Protection
Program Flexibility Act of 2020, Pub. L. No. 116-142, § 3(b)(2)(B), 134 Stat. 641, 642
(2020).
16
In an interim final rule published April 2, 2020, SBA announced that any federally insured
depository institution, credit union, or farm credit institution in good standing with its
regulator would automatically qualify to participate in PPP upon submission of SBA’s PPP
Lender Agreement. 85 Fed. Reg. 20,811 at 20,815 (Apr. 15, 2020).
Page 7 GAO-23-105331 COVID Relief
federally regulated lenders
17
that had to attest they met Bank Secrecy Act
and related anti-money laundering requirements (BSA/AML).
18
SBA’s
requirements for lenders were limited to actions such as confirming
receipt of borrower certifications and supporting payroll documentation.
19
With regard to lender supervision, federally insured depository institutions
are generally supervised through a dual federal-state financial regulatory
system. Specifically, federal banking agencies examine their supervised
banks’ BSA/AML compliance programs as part of safety and soundness
examinations.
20
State regulators also supervise nonbank lenders, such as
financial technology companies and money transmitters, based on state
regulatory requirements.
COVID-19 EIDL provided over $355 billion to businesses from March
2020 to December 2021 to assist their recovery from the economic
effects of the pandemic. SBA managed the COVID-19 EIDL program
directly, initially led by its Office of Disaster Assistance and later by the
Office of Capital Access.
21
The program included two types of funding:
loans and grants, otherwise known as advances. Advances—new
programmatic elements in the COVID-19 EIDL—include EIDL advances
(in 2020) and targeted advances and supplemental targeted advances (in
17
SBA and Treasury were jointly responsible for approving lenders new to SBA to issue
PPP loans. According to SBA officials, SBA approved new federally regulated lenders,
while new non-federally regulated and insured lenders required joint SBA and Treasury
approval.
18
The Currency and Foreign Transactions Reporting Act, generally referred to as the Bank
Secrecy Act (BSA), as revised, imposes a number of reporting and recordkeeping
obligations on covered financial institutions in an effort to prevent money laundering and
the financing of terrorism, including, among other things, verifying the identity of
customers, conducting ongoing customer due diligence, and filing suspicious activity
reports with Treasury’s Financial Crimes Enforcement Network (FinCEN).
19
Because of limited PPP loan underwriting, lenders and SBA had less information from
applicants to detect errors or fraud. The requirement in SBA’s first interim final rule that
lenders follow applicable BSA requirements may have required lenders to collect
additional identifying information from borrowers before they approved a PPP loan.
20
Federal banking agencies include the Board of Governors of the Federal Reserve
System, Federal Deposit Insurance Corporation, the National Credit Union Administration,
and the Office of the Comptroller of the Currency. FinCEN has delegated its authority to
examine financial institutions for compliance with the Bank Secrecy Act to the federal
banking agencies. 31 C.F.R. § 1010.810(b).
21
In July 2021, SBA transitioned administration of COVID-19 EIDL from the Office of
Disaster Assistance to the Office of Capital Access. This program did not rely on a
network of lenders to distribute pandemic relief funds.
Page 8 GAO-23-105331 COVID Relief
2021) for applicants located in low-income communities and meeting
other eligibility requirements. Recipients could use these low-interest
loans and advances as working capital to cover operating expenses to
alleviate economic injury caused by the pandemic.
In December 2020 and March 2021, Congress passed the Consolidated
Appropriations Act, 2021 and the American Rescue Plan Act of 2021,
respectively, which appropriated additional funds to PPP and COVID-19
EIDL and made changes to PPP, including allowing a second loan under
certain conditions. Congress also enacted two new programs—RRF and
SVOG.
RRF provided about $29 billion in award funds (which did not need to be
repaid) to recipients—businesses in the food service industry—to use for
eligible expenses such as payroll, business debt, maintenance, or
construction of outdoor seating. SBA’s Office of Capital Access managed
the program directly. RRF accepted applications between May and July
2021.
SVOG provided about $15 billion in grant funds to recipients, which
included live performing arts and entertainment businesses affected by
the pandemic. Recipients could use the funds for eligible expenses that
enable business operations such as payroll, rent or mortgage, and utility
payments. SBA’s Office of Disaster Assistance managed the program
directly. SVOG accepted applications between April and August 2021.
The CARES Act and subsequent legislation allowed for cross-program
participation, in some circumstances. For example, PPP recipients could
also receive COVID-19 EIDL, RRF, and SVOG funds, with some
limitations. In the case of RRF and SVOG, recipients could obtain
COVID-19 EIDL and PPP funds, with certain limitations, but recipients
could not obtain both RRF and SVOG funds.
See table 1 for additional characteristics of the four SBA pandemic relief
programs, including eligibility requirements.
Page 9 GAO-23-105331 COVID Relief
Table 1: Characteristics of Small Business Administration’s (SBA) Pandemic Relief Programs
Characteristic
Paycheck Protection
Program (PPP)
Economic Injury
Disaster Loan
(COVID-19 EIDL)
Restaurant
Revitalization
Fund (RRF)
Shuttered Venue
Operators Grant
(SVOG)
Initial authorizing
legislation
CARES Act; Paycheck
Protection Program
Flexibility Act of 2020
Coronavirus
Preparedness and
Response Supplemental
Appropriations Act of
2020; CARES Act
American Rescue
Plan Act of 2021
Consolidated
Appropriations
Act, 2021
Purpose
To assist small
businesses and
nonprofits economically
affected by COVID-19
To assist small
businesses and
nonprofits economically
affected by COVID-19
To assist small
businesses in the food
service industry affected
by COVID-19
To assist small
businesses in the live
performing arts and
entertainment industry
affected by COVID-19
Transaction type
Forgivable loan
Loan, advances (grants)
Award
Grant
Appropriated funding
a
$813.7 billion
$105 billion
$28.6 billion
$16.3 billion
Funding distributed to
recipients
b
$799 billion
$378 billion in loans
$7 billion in advances
c
$28.6 billion
$14.6 billion
Number of loans,
advances, awards
issued
11.4 million
3.9 million loans
6.8 million advances
100,572
13,011
Page 10 GAO-23-105331 COVID Relief
Characteristic
Paycheck Protection
Program (PPP)
Economic Injury
Disaster Loan
(COVID-19 EIDL)
Restaurant
Revitalization
Fund (RRF)
Shuttered Venue
Operators Grant
(SVOG)
Eligible businesses
•
Generally, not more
than 500 employees
or meet SBA size
standards (either the
industry size
standard or the
alternative size
standard)
• Sole proprietors,
independent
contractors, and self-
employed persons
• Certain nonprofit
organizations, certain
veterans
organizations, or
tribal businesses
• Businesses in the
accommodations and
food services sector
with more than one
physical location may
be eligible if fewer
than 500 people are
employed per
physical location
• Business was in
operation as of
February 15, 2020
• For second draw
loans, businesses
must have no more
than 300 employees
unless “per location”
size standard
applies. SBA
industry-based or
alternative size
standards do not
apply
Loans:
• Not more than 500
employees or meet
SBA size standards
• Small businesses
including small
agricultural
cooperatives,
Employee Stock
Ownership Plans,
tribal concerns, sole
proprietorships,
independent
contractors,
agricultural
enterprises, and
most private
nonprofit
organizations
d
• Business was
established on or
before January 31,
2020
Advances:
• Not more than 500
employees for
advances in 2020
• Not more than 300
employees and low-
income community
and losses to income
greater than 30
percent for targeted
advances
• Not more than 10
employees and low-
income community
and economic losses
greater than 50
percent for
supplemental
targeted advances
• Most agricultural
enterprises were not
eligible for targeted
advances or
supplemental
targeted advances
•
Businesses such as
restaurants, food
stands, food trucks,
caterers, bars, and
similar places of
business that serve
food or drink
• Businesses must
have no more than
20 locations
• Businesses’
operating status
could be open,
temporarily closed,
or opening soon, with
expenses incurred as
of March 11, 2021
•
Venues and
promoters, live
performing arts,
movie theaters,
museums, talent
representatives, and
theatrical producers
• Business was in
operation as of
February 29, 2020
Page 11 GAO-23-105331 COVID Relief
Characteristic
Paycheck Protection
Program (PPP)
Economic Injury
Disaster Loan
(COVID-19 EIDL)
Restaurant
Revitalization
Fund (RRF)
Shuttered Venue
Operators Grant
(SVOG)
Eligible expenses
For loan forgiveness: 60
percent on payroll with
the rest spent on
business rent, mortgage
interest payments, or
utilities, among other
eligible expenses
Payroll, business rent,
certain mortgage
payments and fixed debt
payments
Payroll (including paid
sick leave), rent or
mortgage payments,
utilities, debt service,
construction of outdoor
seating, maintenance,
supplies, food and
beverage (including raw
materials), covered
supplier costs, and
operating expenses
Those that enabled
ongoing business
operations (e.g., payroll
costs, rent, mortgage
payments)
Repayment period
Loans issued prior to
June 5, 2020: 2 years,
unless mutually
extended. Loans issued
on or after June 5, 2020:
5 years.
Loan can be forgiven
when at least 60 percent
used for payroll costs
Up to 30 years; 30-month
deferred repayment.
Advances do not need to
be repaid
Not applicable (NA)
NA
Interest rate for loans
1 percent
3.75 percent for
businesses; 2.75 percent
for nonprofits
NA
NA
Allowed participation
across programs
(Limitations for cross-
program participation)
COVID-19 EIDL, RRF,
SVOG (the amount of a
SVOG grant to be
reduced by the total
amount of a PPP loan
received on or after
December 27, 2020;
entities are ineligible for a
PPP loan after they
receive a SVOG grant)
PPP, RRF, SVOG
PPP, COVID-19 EIDL
(RRF awards adjusted
based on PPP value;
recipients cannot obtain
both RRF and SVOG
funds)
PPP, COVID-19 EIDL
(SVOG awards adjusted
if PPP received on or
after December 27, 2020;
recipients cannot obtain
both RRF and SVOG
funds)
Source: GAO analysis of SBA information. | GAO-23-105331
a
Data as reported by GAO in September 2021 (PPP), July 2021 (COVID-19 EIDL), July
2022 (RRF), and October 2022 (SVOG). SBA provided the following net appropriations
amounts as of September 2022, inclusive of rescissions and transfers: PPP – $820 billion;
COVID-19 EIDL – $75.2 billion; RRF – $28.6 billion; SVOG – $15.1 billion. These amounts
include net funding considerations from laws from fiscal year 2020 through fiscal year
2022.
b
Data as reported by SBA in the Agency Financial Report, Fiscal Year 2022.
c
Distributed amount for COVID-19 EIDL is higher than appropriated amount due to
COVID-19 EIDL loan credit subsidy. Loan credit subsidy covers the government’s cost of
extending or guaranteeing credit and is used to protect the government against the risk of
estimated shortfalls in loan repayments. The loan credit subsidy amount is about one-
seventh of the cost of each disaster loan in 2020.
d
Agricultural enterprises did not become eligible until April 24, 2020, based on the
Paycheck Protection Program and Health Care Enhancement Act.
Page 12 GAO-23-105331 COVID Relief
Fraud is challenging to detect because of its deceptive nature. Generally,
once potential fraud is detected and investigated, alleged fraud cases
may be charged. If a court determines that fraud took place through a
violation of relevant law, then fraudulent spending may be recovered.
The life cycle of fraud in SBA pandemic relief programs, including those
involving PPP and COVID-19 EIDL, started with applicants who
circumvented existing controls. Some of the potentially fraudulent
applications were declined by lenders or by SBA through the use of
upfront controls. Other applications were approved, but potential fraud
was later detected through SBA fraud controls or by others such as law
enforcement, whistleblowers, or financial institutions. Some fraudulent
applications will never be detected.
Law enforcement agencies, such as the SBA OIG and U.S. Secret
Service, investigated instances of suspected fraud and violations of
relevant statutes (investigation stage).
22
DOJ has pursued and continues
to pursue a portion of the cases investigated by law enforcement. DOJ
has done this by filing fraud-related criminal charges against individuals
or businesses that submitted the applications, or, less commonly, by
bringing a civil case against an individual or business (prosecution
stage).
23
A criminal case is resolved by a guilty plea, a guilty verdict after trial, an
acquittal after trial, or dismissal of the charges (resolution stage). In the
context of PPP and COVID-19 EIDL cases, DOJ officials stated that the
vast majority of cases are resolved through plea agreements, with few
cases dismissed or resulting in acquittals. Only criminal cases resulting in
a guilty plea or guilty verdict after trial reach the sentencing phase where
22
In April 2023, the SBA Inspector General testified that his office had assisted the U.S.
Secret Service in the seizure of more than $1 billion stolen by fraudsters from the COVID-
19 EIDL program. Office of Inspector General Reports to Congress on Investigations of
SBA Programs, Before the House Subcommittee on Oversight, Investigations, and
Regulations of the Committee on Small Business, 118
th
Cong., April 19, 2023.
23
Criminal cases involve federal prosecutors filing charges against an accused for violation
of one or more criminal statute, and punishment may result in imprisonment. Civil cases
involve the government alleging violation of civil statute and may result in seeking financial
compensation but no imprisonment.
Fraud in SBA Pandemic
Relief Programs
Page 13 GAO-23-105331 COVID Relief
the court determines penalties, and funds from fraudulently obtained
loans may be subject to restitution and forfeiture (sentencing stage).
24
See figure 1 for an illustration of the life cycle involving criminal cases.
This life cycle involves a range of agency, investigative, prosecutorial,
and judicial resources to attempt to recover fraudulently obtained
taxpayer funds. Furthermore, this process underscores the resources
involved in a “pay-and-chase” approach to dealing with fraud and the
importance of preventive controls to manage fraud risks.
25
24
Civil cases are resolved through settlement or after proceedings that result in a civil
judgment. The amount of any damages to be paid is determined by the parties as part of
their settlement or is reflected in the civil judgment.
25
“Pay-and-chase” refers to the practice of detecting fraudulent transactions and
attempting to recover funds after payments have been made. The Fraud Risk Framework
describes “pay-and-chase” as a costly and inefficient model.
Page 14 GAO-23-105331 COVID Relief
Figure 1: Illustrative Life Cycle of Fraudulent Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster
Loan (COVID-19 EIDL) Applications Involving Criminal Cases
Note: The numbers and proportions of applications and cases in the figure are illustrative.
a
Although cases that were resolved with acquittals may have had fraud-related charges, the
defendants were formally determined to not be guilty of the charges.
Page 15 GAO-23-105331 COVID Relief
To help combat fraud in government agencies and programs—both
during normal operations and emergencies—GAO published A
Framework for Managing Fraud Risks in Federal Programs (Fraud Risk
Framework).
26
Issued in 2015, the Fraud Risk Framework identifies
leading practices for managing fraud risks and encompasses control
activities to prevent, detect, and respond to fraud, with an emphasis on
prevention. As discussed in the Fraud Risk Framework, strategic fraud
risk management involves more than having controls to prevent, detect,
and respond to fraud. Rather, it also encompasses structures and
environmental factors that influence or help managers achieve their
objective to mitigate fraud risks.
The Fraud Risk Framework describes leading practices in four
components: commit, assess, design and implement, and evaluate and
adapt, as depicted in figure 2.
26
GAO-15-593SP.
Fraud Risk Management
Page 16 GAO-23-105331 COVID Relief
Figure 2: The Four Components of the Fraud Risk Management Framework and Selected Leading Practices
In June 2016, Congress enacted the Fraud Reduction and Data Analytics
Act of 2015. This act required the Office of Management and Budget
(OMB) to establish guidelines for federal agencies to create controls to
identify and assess fraud risks and to design and implement antifraud
control activities.
27
The act further required OMB to incorporate the
leading practices from GAO’s Fraud Risk Framework in these guidelines.
In its 2016 Circular No. A-123 guidelines, OMB directed agencies to
adhere to the Fraud Risk Framework’s leading practices as part of their
efforts to effectively design, implement, and operate an internal control
27
Pub. L. No. 114-186, 130 Stat. 546 (2016).
Page 17 GAO-23-105331 COVID Relief
system that addresses fraud risks.
28
Although the act was repealed in
March 2020, the Payment Integrity Information Act of 2019 requires these
guidelines to remain in effect.
29
GAO also has ongoing work developing a framework to provide principles
and practices that can help federal managers mitigate improper
payments, including those resulting from fraudulent activity, in emergency
assistance programs. Specifically, the framework will incorporate
standards for internal controls and for financial and fraud risk
management practices as well as requirements from relevant laws and
guidance on improper payments.
In our first government-wide CARES Act report issued in June 2020, we
reported that the public health crisis, economic instability, and increased
flow of federal funds associated with the COVID-19 pandemic increased
pressures and opportunities for fraud.
30
We noted that recognizing fraud
risks and deliberately managing them in an emergency environment can
help federal managers safeguard public resources while providing
needed relief.
We also reported that because the government needed to provide funds
and other assistance quickly to those affected by COVID-19 and its
economic effects, federal relief programs—including those implemented
by SBA—were vulnerable to significant risk of fraudulent activities. We
further stated that managers may perceive a conflict between their
priorities to fulfill the program’s mission—such as efficiently disbursing
funds or providing services to beneficiaries, particularly during
emergencies—and taking actions to safeguard taxpayer dollars from
improper use. However, we noted that the purpose of proactively
28
Office of Management and Budget, Management’s Responsibility for Enterprise Risk
Management and Internal Control, OMB Circular No. A-123 (Washington, D.C. July 15,
2016). In October 2022, OMB issued a Controller Alert, which reminded agencies that
they must establish financial and administrative controls to identify and assess fraud risks.
In addition, OMB reminded agencies that they should adhere to the leading practices in
GAO’s Fraud Risk Management Framework as part of their efforts to effectively design,
implement, and operate an internal control system that addresses fraud risks. OMB, CA-
23-03, Establishing Financial and Administrative Controls to Identify and Assess Fraud
Risk (Oct. 17, 2022).
29
Pub. L. No. 116-117, § 2(a), 134 Stat. 113, 131-32 (2020) (codified at 31 U.S.C. §3357).
These guidelines may be periodically modified by OMB in consultation with GAO, as OMB
and GAO may determine necessary.
30
GAO, COVID-19: Opportunities to Improve Federal Response and Recovery Efforts,
GAO-20-625 (Washington, D.C.: June 25, 2020).
Prior Reporting on Fraud
Risks and Financial
Control Weaknesses in
SBA Pandemic Relief
Programs
Page 18 GAO-23-105331 COVID Relief
managing fraud risks, even during emergencies, is to facilitate, not hinder,
the program’s mission and strategic goals by ensuring that taxpayer
dollars and government services serve their intended purposes.
We further reported that when emergency response situations limit the
use of preventive controls—which are the most effective means of
managing fraud risks—agencies can leverage detective controls, such as
through data collection and analysis, to help identify potential fraud more
readily and to assist in response and recovery. Specifically, the use of
data analytic tools and techniques can help programs detect potential
fraud and better understand existing and emerging risks.
In February 2023, the Comptroller General testified on fraud and improper
payments in COVID-19 pandemic relief programs.
31
He noted that SBA’s
initial approach to managing fraud risks in PPP and the COVID-19 EIDL
program, as well as in its long-standing programs, had not been strategic.
For example,
• SBA did not designate a dedicated antifraud entity until February
2022. This new entity—the Fraud Risk Management Board—is to
oversee and coordinate SBA’s fraud risk prevention, detection, and
response activities.
• SBA did not develop its fraud risk assessments for the programs until
October 2021, at which point PPP had already stopped accepting new
applications, and the COVID-19 EIDL program would stop at the end
of that year. Fraud risk assessments are most helpful in developing
preventive fraud controls to avoid costly and inefficient “pay-and-
chase” activities. For example, while the PPP fraud risk assessment
can help SBA identify potential fraud as it continues to review the PPP
loans for forgiveness, it could not be used to inform SBA’s efforts
during the initial application process.
See appendix II for additional details regarding SBA’s management of
fraud risks as the pandemic began and as SBA adapted its fraud risk
management approach for the four pandemic relief programs. See
appendix III for our recommendations to improve fraud risk management
in SBA’s pandemic relief programs, along with information on actions
taken by SBA to address them.
31
GAO, Emergency Relief Funds: Significant Improvements Are Needed to Address Fraud
and Improper Payments, GAO-23-106556 (Washington, D.C.: Feb. 1, 2023).
Page 19 GAO-23-105331 COVID Relief
Other federal accountability and oversight bodies, namely the SBA OIG
and the Pandemic Response Accountability Committee (PRAC), have
reported on SBA’s efforts to manage fraud risks in these programs.
32
Many of the reports produced by these bodies also contained
recommendations to SBA.
33
In addition, since 2020, SBA’s independent financial statement auditor
has made multiple recommendations to SBA to address material
weaknesses identified in controls related to SBA’s pandemic relief
programs.
34
Specifically:
• In December 2020, the auditor issued a disclaimer of opinion on
SBA’s consolidated financial statements as of and for the year ended
September 30, 2020, meaning the auditor was unable to express an
opinion due to insufficient evidence.
35
As the basis for the disclaimer,
the auditor stated that SBA was unable to provide adequate
documentation to support a significant number of transactions and
account balances related to PPP and COVID-19 EIDL due to
inadequate processes and controls.
The auditor identified several material weaknesses in controls related
to SBA’s pandemic relief programs. In total, the auditor identified
seven material weaknesses including those related to PPP loan
approvals, COVID-19 EIDL loans and advance approvals, and overall
management controls (e.g., ineffective control environment, risk
assessment processes, control activities, information and
communication processes, and monitoring processes). Overall, the
32
The Pandemic Response Accountability Committee (PRAC) was established by the
CARES Act to conduct oversight of the federal government’s pandemic response and
recovery effort. The PRAC is composed of 21 federal inspectors general.
33
SBA OIG and PRAC reports, including information on recommendations and their status,
can be found on the PRAC’s website
(https://www.pandemicoversight.gov/oversight/reports).
34
A deficiency in internal control exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their assigned
functions, to prevent, or detect and correct, misstatements on a timely basis. A material
weakness is a deficiency, or combination of deficiencies, in internal control over financial
reporting, such that there is a reasonable possibility that a material misstatement of the
entity’s financial statements will not be prevented, or detected and corrected, on a timely
basis.
35
SBA OIG, Independent Auditors’ Report on SBA’s FY 2020 Financial Statements, 21-04
(Dec. 18, 2020).
Page 20 GAO-23-105331 COVID Relief
auditor made 46 recommendations to SBA management. In
commenting on the audit, SBA stated it supported the requirements
for auditability of its financial statements and was working to correct
shortcomings for future audits.
• In November 2021, the auditor issued a disclaimer of opinion on
SBA’s consolidated balance sheet as of September 30, 2021.
36
As the
basis for the disclaimer, the auditor stated that SBA was unable to
provide adequate documentation to support a significant number of
transactions and account balances related to PPP, COVID-19 EIDL,
RRF, and SVOG due to inadequate processes and controls.
In total, the auditor identified six material weaknesses. This included
weaknesses related to PPP (both the approval and forgiveness,
among others), COVID-19 EIDL (both loans and advances), and the
accounting and monitoring of RRF and SVOG programs. Overall, the
auditor made 41 recommendations to SBA management. In
commenting on the audit, SBA stated that it did not concur with the
severity of five material weaknesses in the auditor’s report, including
those related to PPP, COVID-19 EIDL, RRF, and SVOG. SBA stated
that it had worked to establish internal controls, policies, and
procedures that addressed new legislative programs as a result of the
pandemic, and that it would take corrective actions to remediate
weaknesses and strengthen internal controls where necessary.
• In November 2022, the auditor issued a disclaimer of opinion on
SBA’s consolidated balance sheet as of September 30, 2022.
37
The
basis of the disclaimer was related to SBA being unable to provide
adequate documentation related to PPP, COVID-19 EIDL, RRF, and
SVOG.
In total, the auditor identified six material weaknesses, including those
related to controls in the PPP, COVID-19 EIDL, RRF, and SVOG
programs. Overall, the auditor made 42 recommendations to SBA
36
SBA OIG, Independent Auditors’ Report on SBA’s FY 2021 Financial Statements, 22-05
(Nov. 15, 2021). The OIG contracted with the independent auditor to conduct an audit of
SBA’s consolidated balance sheet as of September 30, 2021, and the related notes. As a
result, the auditor was not engaged to express an opinion on the other statements within
the consolidated financial statements.
37
SBA OIG, Independent Auditors’ Report on SBA’s FY 2022 Financial Statements, 23-02
(Nov. 15, 2022). The OIG contracted with the independent auditor to conduct an audit of
SBA’s consolidated balance sheet as of September 30, 2022, and the related notes. As a
result, the auditor was not engaged to express an opinion on the other statements within
the consolidated financial statements.
Page 21 GAO-23-105331 COVID Relief
management. In commenting on the audit, SBA noted that it had
continued making progress strengthening internal controls for
pandemic-focused programs and was dedicated to accountability and
transparency to the American public. SBA also noted that the audit
process continued to provide the agency with beneficial
recommendations that support SBA’s ongoing efforts to further
enhance its financial management practices.
Our analysis, which identified hundreds of cases and individuals charged
by DOJ as well as associated businesses, illustrates how
misrepresentations and deliberate exploitation of the programs facilitated
fraud. Our analysis also determined that the financial and non-financial
impacts of PPP and COVID-19 EIDL fraud are far reaching, but the full
extent is not yet known.
Our analysis of hundreds of cases charged by DOJ illustrates how fraud
was committed in closed cases or may have been committed in ongoing
cases, through misrepresentations and deliberate exploitation of PPP and
COVID-19 EIDL.
38
The cases and associated individuals and businesses
in our analysis are based on publicly announced fraud-related charges
38
We identified fraud cases from DOJ press releases and other public information, which
may not include all cases pursued by DOJ. Additionally, some fraud may never be
detected. Furthermore, fraud-related administrative actions levied by regulators or brought
through lawsuits by private entities or individuals are not included in our analysis. As a
result, the 330 cases we identified and analyzed may not be representative of all cases
pursued by DOJ or others. In addition, case details, such as businesses involved and
numbers of loan applications submitted, were not always available in publicly available
case documentation. Our findings, including counts of cases, individuals, and businesses,
therefore represent the lower bound of the possible characteristics of cases we identified
for this analysis.
Analysis of PPP and
COVID-19 EIDL
Charges Illustrates
Fraud Schemes and
Their Actual and
Potential Impacts
Analysis of PPP and
COVID-19 EIDL Charges
Shows the Role of
Misrepresentation and
Deliberate Exploitation in
Facilitating Fraud
Analysis of Hundreds of PPP
and COVID
-19 EIDL Cases
Identified Associated
Individuals and Businesses
Page 22 GAO-23-105331 COVID Relief
involving PPP and COVID-19 EIDL funds as of December 31, 2021.
39
Specifically, we identified 330 criminal and civil fraud cases brought by
DOJ involving PPP or COVID-19 EIDL, 91 of which involved both
programs (see fig. 3).
40
The number of cases will continue to grow. For
example, as of January 25, 2023, the SBA OIG had 536 ongoing
investigations involving PPP, COVID-19 EIDL, or both. Additionally,
Congress extended the statute of limitations for criminal and civil
enforcement for all forms of PPP and COVID-19 EIDL loan fraud from
5 years to 10 years.
41
39
We selected December 31, 2021, as the ending point of our research because on
December 31, 2021, SBA stopped accepting COVID-19 EIDL applications (per
Consolidated Appropriations Act, 2021). PPP closed in May 2021. We acknowledge that
DOJ has continued to bring charges involving PPP and COVID-19 EIDL since December
31, 2021, and that later cases may involve more complex fraud schemes that may take
longer to investigate and prosecute. In a separate analysis of DOJ public statements and
court documentation, we reported on February 1, 2023, that from March 2020 through
January 13, 2023, 535 individuals or entities had pleaded guilty or received a guilty verdict
at trial involving PPP fraud, and 293 involving COVID-19 EIDL fraud (with 185 having
fraud-related charges involving both programs).
40
A single case—which involves fraud-related charges associated with PPP, COVID-19
EIDL, or both programs—may involve (1) a single individual or business or (2) multiple
individuals or businesses that applied for a single or multiple loans or grants. A single
case may contain a single or multiple fraud mechanisms. Out of the 330 fraud cases we
identified, 322 were criminal cases and eight were civil cases. The civil cases included in
our analysis were closed cases that reached a conclusion through settlement or judgment
of forfeiture. Ongoing civil cases were not included in our analysis.
41
PPP and Bank Fraud Harmonization Act of 2022, Pub. L. No. 117-166, 136 Stat. 1365
and COVID-19 EIDL Fraud Statute of Limitations Act of 2022, Pub. L. No. 117-165, 136
Stat. 1363.
Page 23 GAO-23-105331 COVID Relief
Figure 3: Cases Charged by the Department of Justice Involving Paycheck
Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19
EIDL) Fraud, as of December 31, 2021
As of December 31, 2021, 155 of the 330 cases were categorized as
closed because they reached a conclusion through guilty pleas,
settlements, guilty verdicts, or dismissals.
42
At that time, 175 cases had
not yet reached conclusion and, therefore, were considered ongoing for
the purposes of our analysis (see fig. 4).
42
Our definition of a closed case also included acquittals, but no acquittals were identified
in our population of cases. Of the 155 closed cases, five had been dismissed.
Page 24 GAO-23-105331 COVID Relief
Figure 4: Ongoing and Closed Cases Involving Paycheck Protection Program (PPP)
and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) Fraud, as of
December 31, 2021
Notes: This analysis is limited to the cases we identified from public sources, which may not include
all criminal and civil cases charged by the Department of Justice as of December 31, 2021.
Additionally, the status of ongoing cases may have changed since December 31, 2021.
Multiple federal law enforcement agencies investigated these 330 cases.
Federal prosecutors across the United States filed bank fraud, wire fraud,
money laundering, identity theft, and other charges against
524 individuals associated with these cases. Additionally, our analysis
identified 989 businesses that were associated with these 330 fraud
cases (see fig. 5).
Page 25 GAO-23-105331 COVID Relief
Figure 5: Individuals and Businesses Associated with Paycheck Protection
Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL)
Fraud Cases, as of December 31, 2021
Our analysis of PPP and COVID-19 EIDL cases shows ineligible, non-
operating businesses applied for and obtained program funds or were
alleged to have done so. Such businesses include shell companies,
which have no employees or operations, and fictitious entities. Of the
330 PPP and COVID-19 EIDL cases, 221 (or about 67 percent) involved
or allegedly involved non-operating businesses. Specifically, of the
989 businesses identified in court documents, approximately 72 percent
were identified as or alleged to be shell companies or fictitious entities,
which would make them ineligible for PPP and COVID-19 EIDL funding
(see fig. 6).
43
43
Because documents did not always explicitly note whether the businesses they named
were legitimate or fictitious, the remaining category of businesses includes potentially
fictitious businesses.
Most Charges Involved
Allegations of Non
-Operating
Businesses and
Misrepresentations of Business
and Individual Eligibility
Glossary of Key Terms
fictitious entity: fake business that is
presented as real in order to obtain Paycheck
Protection Program or COVID-19 Economic
Injury Disaster Loan funds.
shell company: a business or company that
has no employees or operations.
Source: GAO. | GAO-23-105331
Page 26 GAO-23-105331 COVID Relief
Figure 6: Types of Businesses Identified in Paycheck Protection Program and
COVID-19 Economic Injury Disaster Loan Fraud Cases, as of December 31, 2021
a
Because documents did not always explicitly note whether the businesses they named were
legitimate or fictitious, the remaining category of businesses includes potentially fictitious businesses.
Among the cases involving shell companies or fictitious entities, those
charged obtained or, for the ongoing cases, are alleged to have obtained
approximately $388.9 million in PPP and COVID-19 EIDL funds. (See text
box for illustrative example.)
Page 27 GAO-23-105331 COVID Relief
Fraudster used multiple ineligible businesses to receive pandemic relief funds.
A fraudster submitted four Paycheck Protection Program (PPP) and 10 COVID-19
Economic Injury Disaster Loan (COVID-19 EIDL) applications for 10 different
businesses. Those businesses included one legitimate business, eight shell companies
that had no operations or employees, and one fictitious entity. The applications used
stolen personally identifiable information and falsified monthly payroll documents and
tax forms for the businesses. The fraudster received $109,552 in PPP and $642,800 in
COVID-19 EIDL funds based on these submissions. At the same time, the fraudster
applied for a state pandemic-related relief grant and received $70,000 through that
program. The fraudster misused pandemic relief funds for personal expenses including
a diamond ring, luxury hotel stays, living expenses, and payments for personal credit
cards and student loans. The fraudster pled guilty and was sentenced to 4 years in
prison and 3 years of supervised release. The fraudster was also ordered to pay
$1,998,097 in restitution.*
*The sentencing and restitution amount for this individual were based on the fraudulent
funds received from the Small Business Administration’s PPP and COVID-19 EIDL as
well as the state COVID-19 relief fund and an equipment financing fraud scheme not
related to the pandemic.
Source: GAO analysis of Department of Justice information and court documents. | GAO-23-105331
Some individuals who applied for PPP and COVID-19 EIDL funds on
behalf of legitimate businesses misrepresented or allegedly
misrepresented their business eligibility based on program requirements.
In 52 cases, involving 89 legitimate businesses, individuals either
misrepresented or allegedly misrepresented business eligibility with false
statements on applications about their criminal record, federal debt, or
principal place of residence, among others. (See text box for illustrative
example.)
Page 28 GAO-23-105331 COVID Relief
Fraudsters misrepresented eligibility to receive pandemic relief funds.
Two fraudsters, an owner of a legitimate automotive business and an employee of the
business, applied for a Paycheck Protection Program (PPP) loan certifying no prior
felony charges. However, at the time the owner was facing charges of wire fraud and
money laundering. The fraudsters received $210,000 in PPP funds based on the
application. In addition to misrepresenting eligibility, the fraudsters misused loan
proceeds. While agreeing on the application to use PPP funds for payroll, they paid
past-due truck payments and purchased various truck parts. Both pled guilty. The
owner was sentenced to 3 years in prison and 3 years of supervised release. The
employee was sentenced to 1 year and a day in prison and 3 years of supervised
release.* The employee was ordered to pay $220,500 in restitution for the PPP loan
application fraud.
*The sentencing for the business owner is based on the fraudulent funds received from
PPP, as well as other charges not related to SBA pandemic relief.
Source: GAO analysis of Department of Justice information and court documents. | GAO-23-105331
The 330 fraud cases we analyzed showed that individuals used or were
alleged to have used various and multiple types of falsehoods to obtain
PPP and COVID-19 EIDL funds. This could involve the falsification of
documents, such as tax forms, payroll documentation, and bank
statements to apply for funds. Additionally, allegations involving false
information about other elements of PPP and COVID-19 EIDL loan
applications, such as employee counts and payroll amounts, were
prevalent in DOJ cases.
Our analysis showed that 227 of the 330 PPP and COVID-19 EIDL cases
(or 69 percent) involved falsification or alleged falsification of tax or other
documents, such as payroll documentation or bank statements.
Specifically, 190 (or 58 percent) of the cases involved allegations of tax
document falsification, showing that tax forms may have been commonly
forged or altered. Further, 240 cases (or 73 percent) involved schemes in
which individuals created fictitious employees and inflated employee
counts to obtain more funds or were alleged to have done so.
The cases also involved allegations of various types of identity theft. This
involves the theft of personally identifiable and business information or
the use of synthetic identities to obtain PPP and COVID-19 EIDL funds.
Our analysis showed that 63 of the 330 PPP and COVID-19 EIDL cases
(or 19 percent) involved allegations of theft of personally identifiable
information and 17 cases (or 5 percent) involved allegations of using
another business’s information to obtain PPP or COVID-19 EIDL funds.
Additionally, we identified 50 cases (or 15 percent) that involved
Charges Involved Allegations
of Individuals Obtaining PPP
and COVID
-19 EIDL Funds by
Falsifying Documentation and
Stealing Identities
Glossary of Key Terms
false attestation: falsified statement(s) on an
application.
synthetic identity: a fabricated identity using
fictitious information in combination with
stolen information, such as a Social Security
number.
Source: GAO. | GAO-23-105331
Page 29 GAO-23-105331 COVID Relief
allegations of individuals stealing and wrongfully using Social Security
numbers (SSN) to apply for PPP and COVID-19 EIDL funds. Another
11 cases (or 3 percent) involved allegations of synthetic identity fraud
where individuals fabricated an identity by using fictitious information in
combination with stolen information such as an SSN. (See text box for
illustrative example.)
Fraudster used stolen personal information, shell companies, and false
attestation to obtain pandemic assistance.
A fraudster applied for five Paycheck Protection Program (PPP) loans for three
different shell companies that had no operations or employees. On one application, the
fraudster used a deceased victim’s name to apply for a PPP loan for the shell
company. On another PPP application, the fraudster created a synthetic identity by
combining his name with his father’s Social Security number (SSN) instead of using his
own SSN. On one of the applications, the fraudster certified no prior felony charges,
when he had charges of tampering with a government record. The fraudster also
falsely represented that the businesses had multiple employees, when they had none.
The fraudster misused the PPP funds to purchase a 2020 Ford F-350 truck, a 2019
Lamborghini Urus, and a Rolex watch, among other ineligible expenses. In total, the
fraudster applied for $4,618,111 and received $1,689,952 in PPP funds. After pleading
guilty, the fraudster was sentenced to 9 years and 2 months in prison and 3 years of
supervised release. The fraudster was also ordered to pay $1,689,952 in restitution.
Source: GAO analysis of Department of Justice information and court documents. | GAO-23-105331
Our analysis found some cases involved allegations of multiple
individuals conspiring to fraudulently apply for PPP and COVID-19 EIDL
funds. Specifically, in 79 of 330 PPP and COVID-19 EIDL cases (or
24 percent) two or more individuals were charged. Further, 11 cases
involved charges against more than five individuals, with the highest
number of individuals charged in a case being 18. Our analysis found that
90 of 330 cases (or 27 percent) involved conspiracy-related charges.
44
This indicates a potentially significant role of organized activity in PPP
and COVID-19 EIDL fraud.
Our analysis identified 38 of 330 cases that were related, meaning that
two or more cases involved individuals allegedly involved in the same
fraud scheme. We identified 13 clusters of related criminal cases in which
44
Conspiracy-related charges involve an agreement by two or more individuals to commit a
crime and one or more overt acts in furtherance of the conspiracy. In our analysis, in
certain cases individuals were charged alone in a conspiracy case but were involved in
fraud schemes involving other individuals, who may have been separately charged.
Charges against Multiple
Individuals per Case and
Linked Cases Indicate
Coordinated Efforts to Defraud
Programs
Page 30 GAO-23-105331 COVID Relief
individuals allegedly participated in separate schemes to defraud PPP or
COVID-19 EIDL. The number of cases and program applications in each
cluster ranged from two to eight and two to 202, respectively (see fig. 7).
Cumulatively, 112 individuals were charged across all 38 of the related
fraud cases, obtaining about $119 million in PPP and COVID-19 EIDL
funds.
Figure 7: Clusters of Related Cases Charged by the Department of Justice Associated with Paycheck Protection Program and
COVID-19 Economic Injury Disaster Loan Fraud, as of December 31, 2021
Notes: This analysis includes closed cases, which reached a conclusion through guilty pleas,
convictions after trial, or dismissals, and ongoing cases, which had not reached a conclusion as of
December 31, 2021. Not all individuals may have participated in all applications associated with a
scheme. Our analysis of the number of applications is limited to the numbers identified in court
documents and thus may undercount the total number of applications submitted.
One example of a cluster of six related cases involved 23 individuals
charged with submitting 202 PPP and COVID-19 EIDL applications (see
cluster C in figure 7). These cases allege a scheme that involved several
groups of individuals in multiple states that used shell companies to apply
for PPP and COVID-19 EIDL funds. One such group is charged with
developing falsified documentation, such as bank statements, payroll, and
tax documents for their own applications and for others in exchange for a
kickback fee of approximately 25 percent. Two other groups include
Page 31 GAO-23-105331 COVID Relief
registered agents who are charged with using recently registered
businesses to apply for loans using false documentation supplied by the
first group.
45
Other individuals are alleged to have acted as recruiters to
seek out additional individuals to participate in the scheme.
Our analysis of fraud schemes in DOJ cases showed that some cases
involved or allegedly involved the assistance of complicit individuals who
facilitated PPP and COVID-19 EIDL fraud for others. Sometimes this may
have been done in return for a kickback payment. Of the 524 individuals
associated with the cases, we found that 126 (or 24 percent) were linked
to 52 cases involving allegations of kickbacks. (See text box for illustrative
example.)
Source: GAO analysis of Department of Justice information and court documents. | GAO-23-105331
Our analysis also identified registered agents charged with fraudulently
obtaining PPP and COVID-19 EIDL funds. As professional service
providers who have access to business information, including shell
companies, and business formation functions, registered agents in these
cases took advantage of their role, or were alleged to have done so, to
obtain PPP and COVID-19 EIDL funds for themselves and others.
46
Our
analysis identified 105 registered agents charged across 70 cases that
cumulatively obtained about $197.6 million in PPP and COVID-19 EIDL
funds.
45
Registered agents are persons or entities authorized to accept service of process or
other important legal or tax documents on behalf of a business and are frequently involved
in business formation. Additional information about registered agents is provided in the
following section.
46
Registered agent functions can be performed by company formation agents—individuals
or entities that provide business formation services, including business registration with
the secretary of state.
Charges Indicate that Some
Schemes May Have Involved
Facilitators Who Shared
Knowledge of How to
Circumvent Controls
Glossary of Key Terms
complicit facilitator: individual who
knowingly assisted, recruited, or provided
guidance to Paycheck Protection Program
and COVID-19 Economic Injury Disaster Loan
applicants on how to circumvent SBA
controls.
kickback: a portion of loan or grant funds
paid to individual(s) in exchange for illicit help
with loan applications.
Source: GAO. | GAO-23-105331
Fraudster received kickbacks for submitting fraudulent Paycheck Protection
Program (PPP) loan applications for other individuals. A fraudster and a co-
conspirator applied for approximately 12 PPP loans, both in their own names and in the
names of others to receive kickback payments. For one loan, the fraudster and the co-
conspirator charged $5,000 in cash up front to apply for a $20,000 PPP loan on behalf
of other individuals. On the applications, they falsely claimed hundreds of thousands of
dollars in business income, forged tax forms, and used stolen business identities. For
one of the other loans, they resubmitted fraudulent loan applications. In total, the
fraudster and the co-conspirator obtained approximately $220,000 in PPP funds. The
fraudster pled guilty to bank fraud conspiracy.
Page 32 GAO-23-105331 COVID Relief
Our analysis of DOJ charges showed that some fraud against PPP and
COVID-19 EIDL was allegedly perpetrated in conjunction with other
crimes and by criminal groups. Of the 330 PPP and COVID-19 EIDL
cases we identified, 91 involved both programs, illustrating an effort to
target multiple SBA pandemic relief programs. In addition, in 46 of the
330 cases (or 14 percent) DOJ filed charges against individuals for
defrauding other pandemic relief programs as well as PPP and COVID-19
EIDL. For example, in some cases associated with PPP and COVID-19
EIDL funds, individuals also allegedly defrauded state unemployment
insurance programs or offered fraudulent COVID-19 tests or personal
protective equipment (see text box for illustrative example).
47
Fraudster received disaster funds from Small Business Administration and
another pandemic relief program. A fraudster applied for and obtained Paycheck
Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19
EIDL) funds using shell companies that had no operations or employees. The
applications falsely represented monthly payroll and gross income, and included
falsified tax forms. The fraudster applied for two PPP loans and obtained funds based
on both applications, and also received funds based on one of eight COVID-19 EIDL
advance applications. In total, the fraudster received $542,714 in PPP and COVID-19
EIDL funds, which were misused to purchase a BMW vehicle and a Rolex watch.
At the same time, while obtaining small business relief funds, the fraudster received
unemployment benefits claiming an active job search but inability to find employment.
In 2020, the fraudster received $15,550 in unemployment benefits. The fraudster was
sentenced to 2 years and 3 months in prison and 3 years of supervised release, as well
as ordered to pay $542,714 in restitution for the PPP and COVID-19 EIDL fraud.
Source: GAO analysis of Department of Justice information and court documents. | GAO-23-105331
Our analysis further shows that 56 of 330 cases (or 17 percent) involved
allegations of other crimes in addition to PPP and COVID-19 EIDL fraud,
such as health insurance fraud, tax fraud, or romance scams.
48
Additionally, 10 PPP and COVID-19 EIDL cases involved criminal
groups—which we define as domestic or international criminal
47
In our analysis, COVID-19 related crimes included, for example, unemployment benefits
fraud, theft of government funds, small business grant fraud, healthcare fraud, Economic
Impact Payment (stimulus check) fraud, fraudulent COVID-19 tests and personal
protective equipment, and RRF fraud.
48
Romance scams occur when a criminal adopts a fake online identity to gain a victim’s
affection and trust. The scammer then uses the illusion of a romantic or close relationship
to manipulate or steal from the victim.
Some Charges Indicate that
Individuals May Have Targeted
Multiple P
andemic Relief
Programs and Committed
Other Crimes
Page 33 GAO-23-105331 COVID Relief
organizations involved in illicit activity—that allegedly engaged in SBA
pandemic relief fraud alongside other criminal activity. This includes
criminal charges for trade-based money laundering, identity theft, and
illegal gambling.
49
Although the full extent of fraud associated with PPP and COVID-19 EIDL
is not yet known, we analyzed the 330 DOJ cases to identify the known
fraud-related financial and non-financial impacts associated with PPP and
COVID-19 EIDL, as well as the potential impacts.
50
We determined the
financial impacts of these fraud cases, both actual for closed cases and
potential for ongoing cases, by calculating losses based on the amounts
of PPP and COVID-19 EIDL funding obtained. We calculated potential
offsets based on the amounts of seizures and restitution. We also
identified various types of non-financial impacts of fraud and potential
fraud associated with PPP and COVID-19 EIDL. These downstream
effects of fraud emphasize the importance of fraud prevention to avoid
costly and far-reaching impacts of the “pay-and-chase” approach to
managing fraud risks.
Our analysis of the closed and ongoing PPP and COVID-19 EIDL cases
revealed potentially several hundred million dollars in financial losses for
both programs. Specifically, for the 155 closed cases, we calculated
about $188 million in direct losses. For the 175 ongoing cases, we
calculated about $314 million in potential losses. We also measured
49
Trade-based money laundering is the process of moving the value of the proceeds of
crime through trade transactions to attempt to disguise its origins and integrate it into the
formal economy. Basic techniques of trade-based money laundering include over- and
under-invoicing of goods and services, multiple invoicing of goods and services, over- and
under-shipments of goods and services, and false descriptions of goods and services.
50
The full extent of fraud is difficult to measure, particularly at this time. Investigations and
prosecution of PPP and COVID-19 EIDL cases are ongoing at the time of this report and
will continue. As previously discussed, the statute of limitations is 10 years for all forms of
PPP and COVID-19 EIDL loan fraud. Additionally, fraud is difficult to measure because
some fraud schemes may remain undetected by the government.
Financial and Non-
Financial Impacts of PPP
and COVID-19 EIDL Fraud
Are Far Reaching, but Full
Extent Is Not Yet Known
Financial Losses Associated
with Closed and Ongoing
Cases Potentially Involve
Hundreds of Millions of Dollars
Page 34 GAO-23-105331 COVID Relief
potential offsets from restitution orders, seizures, and recoveries
associated with PPP and COVID-19 EIDL cases.
51
Our analysis to determine the financial impacts of the 330 cases provides
insights into losses for closed cases and potential losses for ongoing
cases as well as potential offsets associated with closed and ongoing
cases, but it has limitations. This analysis is limited to the 330 cases we
identified from public sources and may not include all criminal and civil
cases charged by DOJ as of December 31, 2021. Additionally, details of
fraud cases and schemes presented in court documents may not be
complete. For example, the dollar amounts applied for and obtained could
not be identified in all court documents. Further, cases at the prosecution
stage in the life cycle of fraudulent applications represent a small number
of the potential cases that exist in the overall population.
For our financial impact analysis, we categorized cases based on whether
they were closed or ongoing as of December 31, 2021. Then we summed
amounts across cases to measure direct losses for closed cases,
potential losses for ongoing cases, and potential offsets for PPP and
COVID-19 EIDL.
52
Sums of potential offsets cannot be subtracted from
losses to arrive at the total cost of fraud for these programs because
potential offsets include restitution that has been ordered but not
51
For this analysis, we describe losses as “direct losses” for closed cases because they
involve direct monetary costs to the federal government. We also describe losses as
“potential losses” for ongoing cases because these cases have not been resolved through
the judicial process. Additionally, we define potential offsets as monetary recoveries
ordered, received, or retained by the government. For closed cases, we measured PPP
and COVID-19 EIDL amount of restitution, recovery, seizure, or payment made, and for
ongoing cases, we measured PPP and COVID-19 EIDL amount seized. For restitution, we
included funds ordered to be paid to the government or the lender in connection with an
adjudicated finding of fraud. However, restitution is not always likely to be paid, which is
why we characterize the offsets as potential. We previously reported that collecting federal
criminal restitution is a long-standing challenge. GAO, Federal Criminal Restitution:
Department of Justice Has Ongoing Efforts to Improve Its Oversight of the Collection of
Restitution and Tracking the Use of Forfeited Assets, GAO-20-676R (Washington, D.C.:
Sept. 30, 2020).
52
For this analysis, we defined financial losses as monetary losses—excluding time and
costs associated with fraud investigations—incurred by the federal government through
PPP and COVID-19 EIDL direct lending, grants, or government guarantees. We measured
these losses separately for ongoing and closed cases. For closed cases, we measured
(1) PPP and COVID-19 EIDL amounts obtained and (2) PPP lender fee amount. For
ongoing cases, we measured (1) PPP and COVID-19 EIDL amounts obtained and
(2) PPP lender fee amount at risk.
Costs of Investigation and Prosecution
Beyond direct losses from Paycheck
Protection Program (PPP) and COVID-19
Economic Injury Disaster Loan (COVID-19
EIDL) fraud, other costs associated with
detecting, investigating, and prosecuting fraud
cases can be significant. For example, there
are monetary costs to the federal government
associated with law enforcement
investigations and Department of Justice
prosecutions. The 330 fraud cases associated
with PPP and COVID-19 EIDL, as well as
detection activities, ongoing investigations,
and prosecutions have required government
resources that are difficult to measure. Such
costs are not included in our calculation of the
financial impact of PPP and COVID-19 EIDL
fraud.
Source: GAO. | GAO-23-105331
Page 35 GAO-23-105331 COVID Relief
necessarily repaid. Additionally, potential offsets may include costs to the
government, such as maintenance of seized assets, among others.
To calculate losses from the 330 cases, we used the reported amount of
PPP and COVID-19 EIDL funding obtained, as identified in court
documentation. For PPP, we also calculated lender fees associated with
the cases.
53
See table 2 for a breakdown of direct and potential losses,
which totaled about $502 million for PPP and COVID-19 EIDL based on
fraud case status as of December 31, 2021.
Table 2: Financial Losses (in Millions of Dollars) in Paycheck Protection Program (PPP) and COVID-19 Economic Injury
Disaster Loan (COVID-19 EIDL) Based on Analysis of Department of Justice Fraud Cases, as of December 31, 2021
Type of financial loss
PPP cases
a
COVID-19 EIDL cases
a
Direct
(127 closed cases)
Potential
(133 ongoing cases)
Direct
(71 closed cases)
Potential
(90 ongoing cases)
Funding provided
$168.6
$272.8
$14.4
$34.2
Lender fees
$4.6
$6.9
NA
b
NA
b
Total financial losses
$173.2
$279.7
$14.4
$34.2
Source: GAO analysis of Department of Justice information and court documents. | GAO-23-105331
a
Although our analysis includes 91 cases that involve both PPP and COVID-19 EIDL, we identified
and calculated funding provided to PPP and COVID-19 EIDL recipients separately for each program.
b
Lender fees for COVID-19 EIDL cases are not applicable (NA) because COVID-19 EIDL funds were
administered by Small Business Administration, without lender involvement.
Our analysis of potential offsets for financial losses included restitution
from closed cases and seizures from ongoing cases. We were able to
identify about $154.2 million in potential offsets for PPP and COVID-19
EIDL as of December 31, 2021. However, the case documentation we
reviewed did not always identify potential offset amounts.
54
53
Lender fees are the processing fees SBA paid to the lender once the PPP loan was fully
disbursed, as mandated by the CARES Act, Pub. L. No. 116-136, § 1102 (as added at 15
U.S.C. § 636(a)(36)(P)). To calculate lender fees, we matched businesses identified in
DOJ cases that received PPP loans with PPP loan-level data. For matched businesses,
we calculated lender fees based on the amount of the loan and applicable percentages
established by SBA. According to an interim final rule published on June 1, 2020, lender
fees are subject to clawback if SBA determines that a lender has not fulfilled its obligations
under PPP regulations, with some limitations.
54
Offset amounts were available for 79 closed and 29 ongoing cases involving PPP and
44 closed and 12 ongoing cases involving COVID-19 EIDL (38 cases involved both PPP
and COVID-19 EIDL).
Page 36 GAO-23-105331 COVID Relief
Fraud measurement is a challenging endeavor, subject to varying
definitions, measurements, and available data, among other limitations.
As such, other federal agencies may develop different fraud
measurements that may also cover different time periods. For example,
SBA OIG officials told us that, as of May 31, 2022, PPP and COVID-19
EIDL potential losses amounted to roughly $1.15 billion. This figure was
calculated based on amounts identified in indictments and other charging
court documents.
Beyond financial losses directly associated with PPP and COVID-19 EIDL
funds, our analysis of 330 fraud cases identified several types of non-
financial impacts, or nonmonetary effects of fraudulent activity, associated
with PPP and COVID-19 EIDL. Both directly and indirectly, PPP and
COVID-19 EIDL fraud affected businesses, individuals, and stakeholders.
For example, fraud affected SBA’s achievement of economic relief goals,
some businesses could not immediately access needed funds, and lives
of numerous individuals were affected by fraudsters using their identities
to commit fraud. See table 3 for the types of non-financial impacts
associated with PPP and COVID-19 EIDL fraud we identified.
Table 3: Non-Financial Impacts of Fraud in Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan
(COVID-19 EIDL)
Non-financial impact type
Affected parties and impact
Economic relief goal
Federal government’s ability to achieve PPP and COVID-19 EIDL goals to assist small
businesses adversely affected by COVID-19
Stakeholder
Federal partners’ and lender stakeholders’ resource commitments in responding to PPP and
COVID-19 EIDL fraud
Security
Local communities and U.S. security interests harmed through misuse of pandemic relief funds
by criminal groups
Reputation
U.S. government institutions distrusted by the public
Impact on victim
Fraud victims harmed through identity theft
Impact on fraudster
Fraudsters suffered consequences after being caught
Source: GAO analysis. | GAO-23-105331
Note: The impact types are not all encompassing or inclusive of all possible ways pandemic relief
fraud can manifest itself.
Economic Relief Goal Impact
The diversion of funds from PPP and COVID-19 EIDL by fraudsters
mitigated the broader effectiveness of economic relief goals to assist
small businesses and their employees affected by the pandemic. Funds
diverted by fraudsters were unavailable to eligible businesses who could
Non-Financial Impacts of PPP
and COVID
-
19 EIDL Fraud Are
Wide Ranging
Page 37 GAO-23-105331 COVID Relief
have used them for payroll, rent, or other qualified business expenses.
Specifically, in 2020, PPP and COVID-19 EIDL advance ran out of funds,
leaving some small businesses temporarily unable to obtain needed
relief.
Further, some fraudulently obtained funds were redirected from
supporting payroll and other small business needs into other economic
activity. Specifically, fraudsters placed unlawfully obtained funds into
communities and the economy through the purchases of luxury goods
such as apparel and jewelry, real estate, and vehicles and by paying
debts, making home improvements, and securing investments, among
other things. Individuals were charged with using PPP and COVID-19
EIDL funds to purchase luxury goods, such as Rolex watches and items
from Louis Vuitton, Burberry, Christian Louboutin, Dolce & Gabbana, and
Gucci. A number of individuals were also charged with purchasing luxury
vehicles, such as products from Cadillac, Ferrari, Mercedes, Rolls Royce,
or Tesla, as well as a Harley-Davidson motorcycle. Individuals were also
charged with purchases involving cryptocurrency, firearms, farm animals,
radio air time, and a political campaign donation.
Our analysis identified 203 of 330 cases (or 62 percent) and about
$449.3 million in PPP and COVID-19 EIDL funds that involved charges of
asset misappropriation.
55
Specifically, individuals were charged with
redirecting PPP and COVID-19 EIDL funds to a broad range of ineligible
expenses, as shown in figure 8. In some cases, they were charged with
redirecting funds to multiple categories of ineligible expenses.
55
Not all PPP and COVID-19 EIDL funds in fraud cases may have been misappropriated
and redirected to ineligible purposes.
Page 38 GAO-23-105331 COVID Relief
Figure 8: Number of Paycheck Protection Program and COVID-19 Economic Injury Disaster Loan Cases Involving Department
of Justice Charges of Asset Misappropriation, by Type of Ineligible Expense, as of December 31, 2021
Note: The types of expenses are not mutually exclusive, and a single case may have more than one
expense type.
a
Personal financial transactions include, but are not limited to, personal debt payoff, domestic
investments, kickback payments, and purchases of cryptocurrency.
b
Examples of items in this category include personal property, alcohol, farm animals, political
campaign donations, and firearms.
Further, rather than benefitting small businesses and the economy in the
United States, fraudsters redirected a portion of PPP and COVID-19 EIDL
funds internationally. Specifically, in 19 closed cases, fraudsters diverted
$4.5 million to other countries around the world (see fig. 9).
Page 39 GAO-23-105331 COVID Relief
Figure 9: Foreign Jurisdictions to Which Fraudsters Redirected Funds from Paycheck Protection Program and COVID-19
Economic Injury Disaster Loan, as of February 2023
Cases involving PPP and COVID-19 EIDL funds being redirected
overseas will likely continue to emerge. According to SBA OIG officials,
as law enforcement continues to investigate instances of suspected fraud,
there will be a greater focus on international fraud schemes. However,
they noted that such cases take time to bring to prosecution, in part
because of the time needed to obtain information from foreign
jurisdictions.
Stakeholder Impact
Fraud and potential fraud in PPP and COVID-19 EIDL affected SBA’s
stakeholders—law enforcement and PPP lenders in the private sector.
Investigation and prosecution of PPP and COVID-19 EIDL fraud cases
demanded the resources of law enforcement agencies and DOJ. Our
analysis of the 330 fraud cases determined that 48 federal law
enforcement agencies conducted investigations of suspected PPP and
COVID-19 EIDL fraud, with agencies frequently collaborating to
investigate cases. According to SBA OIG officials, investigating pandemic
relief fraud has consumed significant law enforcement resources. They
explained that despite doubling the number of OIG agents, the scale of
pandemic relief fraud still exceeds their investigative capacity. For
example, in a June 2022 testimony, the SBA Inspector General reported
Page 40 GAO-23-105331 COVID Relief
that with almost 70 criminal investigators, the office was outmatched by
hundreds of thousands of investigative leads and had 399 open
investigations involving PPP and COVID-19 EIDL fraud.
56
Our analysis of the 330 fraud cases further indicates that U.S. Attorneys
in 78 of 94 federal districts had filed fraud-related charges involving PPP
and COVID-19 EIDL. According to DOJ officials, prosecution of
pandemic-related fraud cases placed a strain on the agency by adding to
existing workloads without additional resources.
Lenders targeted by PPP-related fraud schemes can also incur costs
associated with the time and resources needed to conduct internal
investigations and report suspicious activity. As we previously reported,
from April to October 2020, over 1,400 financial institutions filed over
21,000 suspicious activity reports related to PPP.
57
Further, as cases are
being investigated, financial institutions must respond to subpoenas,
which require production of records and interviews with agents. Additional
impact on lenders is associated with potential compliance risks such as
violations of anti-money laundering requirements and potential liability for
aiding unlawful activity by borrowers or perpetuating that activity through
complacency, along with associated reputational impacts.
58
Security Impact
Funds fraudulently obtained from SBA pandemic relief programs were
used to fund criminal activity, such as drugs and guns, putting
communities at risk. Our analysis of the 330 PPP and COVID-19 EIDL
fraud cases identified charges in 10 cases involving criminal groups. For
56
Examining Federal Efforts to Prevent, Detect, and Prosecute Pandemic Relief Fraud to
Safeguard Funds for All Eligible Americans, Before the House Select Subcommittee on
the Coronavirus Crisis of the Committee on Oversight and Reform, 117
th
Cong., 117-86,
June 14, 2022.
57
GAO, COVID-19: Critical Vaccine Distribution, Supply Chain, Program Integrity, and
Other Challenges Require Focused Federal Attention, GAO-21-265 (Washington, D.C.:
Jan. 28, 2021).
58
Lenders must comply with the applicable lender obligations set forth in SBA interim final
rules. Lenders, however, will be held harmless for borrowers’ failure to comply with
program criteria and will not be subject to any enforcement action or penalty relating to
loan origination or forgiveness of the PPP loan if the lender acts in good faith relating to
the origination or forgiveness of the PPP loan and satisfies all other applicable federal,
state, local, and other statutory or regulatory requirements. Pub. L. No. 116-260, div. N, tit.
III, § 305, 134 Stat. 1182, 1996-97 (2020).
Page 41 GAO-23-105331 COVID Relief
example, in December 2020, members of an organized crime group were
charged with bank fraud and money laundering associated with PPP as
well as racketeering and extortion involving illegal gambling. Also, a
September 2022 SBA OIG report stated that the SBA OIG has ongoing
investigations into international organized crime operations that applied
for and obtained pandemic relief funds.
59
Reputational Impact
High incidence of fraud can lead to public perception that pandemic relief
funds are easy to obtain fraudulently and make the government a target
for further and future exploitation. Additionally, public perception of
widespread fraud in pandemic relief programs can erode trust in
government—confidence in the ability to manage taxpayer dollars,
prevent fraud, and pursue justice. According to DOJ officials, instances of
fraud can normalize additional fraudulent behavior, which increases
cynicism and leads the public to believe that “fraud happens all the time.”
The officials further emphasized that DOJ prosecutes fraud to restore
faith in government by seeking justice, recovering stolen funds, and
illustrating that the government holds bad actors accountable. As such,
according to DOJ officials, most cases of pandemic relief fraud are
publicized in press releases to deter others from committing fraud and to
promote trust in government.
Impact on Victim
Through identity theft, pandemic relief fraudsters victimized individuals by
inflicting damage to their financial as well as psychological health.
According to DOJ, victims of identity theft have had their bank accounts
wiped out, credit histories ruined, and jobs and valuable possessions
taken away. In pandemic relief fraud cases, according to DOJ officials,
identity theft affected victims through (1) negative impacts on credit,
(2) inability to access benefits to which victims were entitled but denied
because prior claims had been filed using their identity, (3) susceptibility
to other types of fraud, and (4) time and effort spent rectifying issues
related to identity theft.
Identity theft also can affect victims’ physical and psychological health, by
contributing to anxiety, sleeplessness, and depression, among other
59
SBA OIG, COVID-19 Economic Injury Disaster Loan Applications Submitted from
Foreign IP Addresses, 22-17 (Washington, D.C.: Sept. 12, 2022).
Page 42 GAO-23-105331 COVID Relief
symptoms. According to DOJ, the emotional trauma associated with
identity theft can be as devastating as many of the most violent offenses.
Impact on Fraudster
When crime is committed, fraudsters may experience a sense of
satisfaction from illicit enrichment. Once caught, however, they can
experience prison time, financial penalties, loss of employment, and
unfavorable publicity, while also inflicting emotional distress on their
families. For example, one couple that fled before sentencing in a PPP
and COVID-19 EIDL case admitted that their actions brought danger and
fear to their children. Another fraudster, who lost his job as a senior
government official, expressed shame and remorse for abusing the
program while being entrusted to be a good steward of government
resources.
In addition to the costs of incarceration and supervision borne by the
federal government and ultimately U.S. taxpayers, loss of personal
freedom as a result of PPP and COVID-19 EIDL fraud affected many
fraudsters. Our analysis identified 80 closed PPP and COVID-19 EIDL
criminal cases where individuals were sentenced to prison, supervised
release, or probation. Across these cases, 94 individuals had been
sentenced to prison, cumulatively sentenced to serving over
3,500 months, with an average sentence of about 37 months. Eighty-nine
individuals were sentenced to a cumulative 3,400 months of supervised
release. Additionally, nine individuals were sentenced to serve a
cumulative 310 months of probation. Some defendants had sentences
that included prison and supervised release. According to DOJ,
individuals who are sentenced under certain statutes are mandated to
also receive a term of supervised release after the term of incarceration.
See figure 10 for information on sentencing ranges for individuals
sentenced to prison, probation, and supervised release.
Page 43 GAO-23-105331 COVID Relief
Figure 10: Sentencing Ranges for Individuals Sentenced to Prison, Probation, and Supervised Release for Crimes Involving
Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL), as of December 31, 2021
Notes: This analysis is based on 80 closed PPP and COVID-19 EIDL criminal cases that reached the
sentencing phase as of December 31, 2021. Some defendants received sentences requiring
supervised release following their prison term, and thus may be represented more than once in this
figure.
Page 44 GAO-23-105331 COVID Relief
Our analysis of PPP and COVID-19 EIDL data identified over 3.7 million
out of 13.4 million total unique recipients with discrepancies associated
with potential fraud.
60
We compared loan- and advance-level data to
National Directory of New Hires (NDNH) wage data to identify unique
recipients with fraud indicators associated with potential
misrepresentations of business operating status, employee counts, or
payroll costs.
61
We further analyzed loan- and advance-level data for the
presence of fraud indicators associated with the potential
misrepresentation of business or identification information. Finally, we
compared our results of PPP and COVID-19 EIDL data analyses to
60
Throughout this section of the report, we refer to “unique recipients” of loans and
advances. In doing so, we refer specifically to unique individuals or entities who received
PPP or COVID-19 EIDL funds. As discussed in appendix I, to identify these unique
recipients we matched certain identifiers, such as business name and address, within and
across programs. Some unique recipients appear only once in either program, while
others appear multiple times within or across programs. In all of the analyses described in
this section, a unique recipient is counted only once in the results being described,
regardless of how many loan or advance records were associated with that recipient. All
unique recipient counts throughout this section are presented rounded to the nearest
multiple of 100, except where the count is less than 1,000 or more than one million.
61
PPP loan-level data were submitted to SBA by PPP lenders. For the purposes of our
analyses, these lender-submitted data are considered to be the information submitted by
the applicants.
NDNH is a national repository of new hire, quarterly wage, and unemployment insurance
information reported by employers, states, and federal agencies. The NDNH is maintained
and used by the U.S. Department of Health and Human Services for the federal child
support enforcement program, which assists states in locating parents and enforcing child
support orders. SBA does not have access to NDNH wage data. However, similar
information, such as number of employees and wages paid, can be found on the
employer’s federal tax return and other employer filings.
Our Analysis Reveals
Millions of PPP and
COVID-19 EIDL
Recipients with Fraud
Indicators, and
Certain Lenders
Originated Higher
Rates of Fraudulent
PPP Loans
Results of Select Data
Analyses Identified Over
3.7 Million Unique PPP
and COVID-19 EIDL
Recipients with Fraud
Indicators
Page 45 GAO-23-105331 COVID Relief
determine the extent to which unique recipients had fraud indicators
across both programs.
Fraud indicators are characteristics and flags that serve as warning signs
suggesting a potential for fraudulent activity. Indicators can be used to
identify potential fraud and assess fraud risk but are not proof of fraud,
which is determined through the judicial or other adjudicative system. The
fraud indicators we identified are based on discrepancies found in the
data consistent with characteristics and flags that suggest a potential for
fraudulent activity.
It is possible that the results of our analyses include non-fraudulent
recipients with one or more data discrepancies that were identified as
fraud indicators. There are multiple factors that may explain why a non-
fraudulent recipient has a discrepancy consistent with a fraud indicator.
One such factor is data entry errors by recipients or those involved in the
approval of funds. There may also be other types of factors contributing to
the identification of non-fraudulent recipients. Consequently, the results of
our analyses should not be interpreted as proof of fraud. As discussed
below, we took steps to reduce the number of non-fraudulent recipients
identified. Additional review, investigation, and adjudication is needed to
determine if and the extent to which fraud exists.
Additionally, the results of our analyses may also include recipients
(1) whom DOJ has prosecuted for fraud, (2) who may be subject to
ongoing investigations,
62
(3) whose loans or advances were flagged by
SBA for other reasons but not pursued as potential fraud, or (4) whose
loans or advances were not flagged by SBA based on fraud indicators.
Therefore, this may include recipients already flagged by SBA or the SBA
OIG as potentially fraudulent.
For both PPP and COVID-19 EIDL, SBA has developed oversight plans
that include automated and manual reviews to help identify and refer
potentially fraudulent loans and advances to the SBA OIG.
63
According to
SBA,
62
Investigative agencies do not typically comment on ongoing investigations.
63
As part of our objectives, we did not assess SBA’s processes for conducting automated
and manual reviews to help identify and refer potentially fraudulent loans and advances to
the SBA OIG. We, therefore, do not opine on the appropriateness of its processes or the
accuracy and completeness of its referrals to the SBA OIG. We plan to undertake a
comprehensive review of SBA’s review processes.
Page 46 GAO-23-105331 COVID Relief
• for PPP, it conducted automated screenings of all 12.5 million
approved PPP applications, using 19 alert categories for potential
fraud and ineligibility. This step identified about 2.9 million loans and
applications. SBA then employed data analytics to prioritize loans that
presented the highest risk of fraud or ineligibility. SBA employees and
contractors then examined about 315,000 loans and applications
prioritized as representing the highest risk to determine if fraud or
ineligibility was likely. Based on this examination, SBA referred over
134,000 PPP loans it determined likely to be fraudulent to the SBA
OIG.
• for COVID-19 EIDL, it conducted automated and manual screenings
of 36.7 million applications for inconsistencies and indicators
associated with ineligibility or fraud. SBA then employed data
analytics, flagging about 3.4 million applications. When notified of a
fraud concern, SBA loan officers performed manual reviews of the file.
Based on this review, SBA referred approximately 2.5 million
applications and 535,000 disbursed COVID-19 EIDL loans and
advances to the SBA OIG.
Given that differences exist between the indicators used and how we did
our analyses and how SBA conducted its reviews, it is possible that we
flagged a recipient who also had a loan or advance flagged by SBA for
different reasons. Therefore, even if SBA determined through its process
that a loan or advance disbursed to a recipient we flagged did not
represent the highest risk of fraud and therefore did not refer it to the SBA
OIG, the recipients we flagged warrant further review based on our
analyses.
SBA does not have access to the NDNH wage data we used for certain
analyses and therefore could not have performed the same analyses as
us.
64
The intent of our analyses was to identify recipients with fraud
indicators who may warrant further review and investigation and to
understand SBA’s exposure to fraud risk and how some recipients may
have taken advantage of those risks in pandemic relief programs. Our
analyses were limited to identifying recipients with fraud indicators and,
therefore, did not include additional reviews necessary to identify
recipients who represented the highest risk of fraud.
64
Federal law restricts access to the NDNH database to authorized persons and entities,
and for authorized uses. As of May 2023, SBA was not an authorized user of the NDNH
database and, as such, did not have access to NDNH wage data.
Page 47 GAO-23-105331 COVID Relief
Where applicable, as described with our analyses’ results and in
appendix I, we established thresholds when associating unique recipients
with fraud indicators. These thresholds allowed variability in business
characteristics (e.g., number of employees, payroll costs) over time. The
use of such thresholds also helped minimize the inclusion of non-
fraudulent recipients (false positives) where possible. For example, for the
purposes of our analysis, if a business was recorded in NDNH as having
150 employees, that recipient would not be associated with a fraud
indicator if it reported 160 employees on its PPP application. However, if
that recipient reported 166 or more employees on its PPP application, we
associated it with a fraud indicator because the employee count
discrepancy exceeded our threshold.
See figure 11 for the fraud indicators and summary results of our
analyses. These fraud indicators are consistent with characteristics we
identified in DOJ cases and related fraud schemes.
Page 48 GAO-23-105331 COVID Relief
Figure 11: Unique Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL)
Recipients with Fraud Indicators
a
Unique recipients were identified by a combination of business and personal identifiers. As such, one
unique recipient may be associated with more than one loan or advance. Unique recipient counts in
this table greater than 1,000 are presented rounded to the nearest multiple of 100. Throughout the
remainder of the section, counts are presented rounded to the nearest multiple of 100, except where
the count is less than 1,000 or more than one million.
b
COVID-19 EIDL loan amounts were not related to employee counts as PPP forgiveness amounts
were. Therefore, our analyses related to different employee totals considered only PPP recipients and
did not include COVID-19 EIDL recipients.
c
COVID-19 EIDL loan and advance amounts were not directly related to payroll costs as PPP loan
amounts were. Therefore, our analyses related to wages paid or payroll expenses considered only
PPP recipients and did not include COVID-19 EIDL recipients.
Page 49 GAO-23-105331 COVID Relief
d
The fraud indicator related to providing different information to each program compares PPP and
COVID-19 EIDL information where unique recipients were identified in both programs. There are no
unique recipients for this indicator who were identified in only one of the programs.
e
The total number of unique recipients with fraud indicators may include (1) recipients who the
Department of Justice has prosecuted for fraud, (2) recipients who may be subject to ongoing
investigations, (3) recipients whose loans or advances were flagged by the Small Business
Administration (SBA) for other reasons but not pursued as potential fraud, (4) recipients whose loans
or advances were not flagged by SBA based on fraud indicators, and (5) non-fraudulent recipients
with data discrepancies consistent with fraud indicators. This may, therefore, include recipients
already flagged by SBA or the SBA Office of Inspector General (OIG) as potentially fraudulent. The
results of our analyses, including the identification of discrepancies associated with a fraud indicator,
should not be interpreted as proof of fraud.
Of the over 3.7 million unique recipients with fraud indicators in at least
one of the programs, we identified almost 394,300 unique recipients with
fraud indicators in both programs.
65
Further, we identified 672 unique
recipients with at least three fraud indicators in both programs, indicating
a higher risk of fraud for those recipients.
We referred the over 3.7 million unique recipients with fraud indicators
that we identified through our analyses to the SBA OIG for review,
investigation, and further action as appropriate. Our referral provides the
SBA OIG with additional data, particularly as it relates to our NDNH
analyses, to inform and prioritize its investigative efforts. In making our
referral, we requested that the SBA OIG provide us with information on
how many of those unique recipients had already been identified by or
referred to that office for investigation. This could include, for example,
recipients referred to the SBA OIG by SBA. However, the SBA OIG
explained it is currently developing and assessing a dataset that includes
information received through its hotline and other sources that pertain to
potential fraud. As such, the dataset is not currently available for the
match we requested. The SBA OIG indicated that when the dataset is
available, which is anticipated in late spring 2023, it will endeavor to
respond to our request.
66
Other auditors have also identified instances of potential fraud and fraud
risks in SBA’s pandemic relief programs. For example, SBA’s financial
auditor found material weaknesses with PPP loan guarantees for fiscal
year 2022. Specifically, the auditor found issues with SBA’s ability to
65
Approximately 2.1 million unique recipients received funds from both PPP and COVID-19
EIDL.
66
According to the SBA OIG, the development of this dataset is part of an ongoing fraud
landscape review to develop a comprehensive estimate of the potential fraud in the PPP
and EIDL portfolios.
Page 50 GAO-23-105331 COVID Relief
conduct complete and accurate reviews of eligibility flags due to the
inadequate design and implementation of controls.
67
This led the auditor
to recommend that SBA perform a thorough review of 2021 PPP loan
guarantees and, for loans that it determines to be not in conformance with
statutory and program requirements, identify the impact on the
outstanding loan guarantee and the eligibility for forgiveness.
Similarly, the auditor determined that for COVID-19 EIDL, SBA disbursed
funds to borrowers
• with fraudulent tax identification numbers (ID);
• flagged by SBA as potentially fraudulent, a victim of identity theft, or
with an associated SBA OIG investigation; and
• with eligibility concerns.
Further, according to the financial auditor, there were a total of
182,298 approved and disbursed loans (with a total value of $15.6 billion)
flagged within SBA’s loan repository system that were potentially issued
to ineligible borrowers as of September 30, 2022. This led the auditor to
recommend that SBA perform a thorough review of loans under COVID-
19 EIDL and determine which transactions were not in conformance with
the CARES Act and related legislation and provided to ineligible
recipients.
As noted in our April 2023 High Risk update, SBA will need to develop a
corrective action plan to address the material weaknesses related to PPP
and COVID-19 EIDL.
67
SBA OIG, 23-02 (Nov. 15, 2022). Similarly, for fiscal year 2021, the financial auditor
found that SBA did not adequately design and implement controls to ensure the 2020
cohort of PPP loan guarantees were completely and accurately reviewed to address their
respective eligibility flags and ultimately determine their eligibility for forgiveness. See SBA
OIG, 22-05. For fiscal year 2020, the financial auditor noted that there were over 2 million
approved PPP loan guarantees (with an approximate total value of $189 billion) flagged by
SBA that were potentially not in conformance with the CARES Act and related legislation.
See SBA OIG, 21-04.
Page 51 GAO-23-105331 COVID Relief
PPP and COVID-19 EIDL limited eligibility to businesses in operation as
of February 15, 2020, and January 31, 2020, respectively.
68
Our
comparison of PPP and COVID-19 EIDL loan- and advance-level data to
NDNH wage data identified almost 2.2 million unique recipients who
claimed two or more employees on their applications but did not match
any NDNH wage data available for our analyses (for the period from
October 2019 through September 2020).
69
This indicates that these
recipients may have obtained PPP and COVID-19 EIDL funds for non-
operating businesses, such as shell companies or fictitious businesses, or
for businesses that were not in operation by the respective eligibility cut-
off dates. Our analysis of the 330 PPP and COVID-19 EIDL fraud cases
charged by DOJ showed that over two-thirds of the cases involved or
allegedly involved non-operating businesses. See sidebar, as well as
appendix I, for further details on how we performed our analysis.
Specifically, our analysis identified the following:
• PPP. Almost 772,500 unique PPP recipients did not match any NDNH
wage data. Of these, almost 15,000 had received 100 percent
forgiveness for loans totaling approximately $10 billion as of
December 31, 2021.
70
Although PPP provided “safe harbor”
exceptions to allow for employee reductions, these recipients received
100 percent loan forgiveness though they did not match any wage
68
SBA allowed COVID-19 EIDL businesses in the process of starting operations as of
January 31, 2020, to participate as long as certain documentation was provided to show
that the business was in the organizing stage.
69
SBA program guidance directed individuals without employees to report themselves as
the sole employee on their applications. Our analysis compared only those applicants who
claimed two or more employees on their applications. Independent contractors and self-
employed individuals—who do not pay employees and therefore do not submit wage
data—were not considered in our analysis if they claimed one employee on their
application. Seasonal businesses that were in operation prior to October 2019, but did not
submit wage data between October 2019 and September 2020, may be included in the
unique recipients with fraud indicators identified in this analysis. Businesses that were in
the organizing stages and had not yet paid employees were eligible for COVID-19 EIDL
funds and would not be considered in this analysis if they did not claim employees.
70
One general requirement for 100 percent forgiveness of PPP loans was to maintain
employee counts through the period following loan disbursement (ranging from 8 to
24 weeks). Program rules allowed that, if the average employee count during the loan
coverage period was less than the average employee count referenced on the loan
application, the total amount of loan forgiveness could be equivalently reduced. For
example, if 90 percent of employees were retained, 90 percent of the total loan amount
may have been forgiven.
Almost 2.2 Million Unique
Recipients Claimed Employees
but Did Not Match Wage Data
We Compared Businesses that Claimed
Two or More Employees to Wage Data
Our analysis of Paycheck Protection Program
and COVID-19 Economic Injury Disaster Loan
data identified 13.4 million unique recipients
across both programs. Of these, 6.1 million
unique recipients claimed two or more
employees on their applications. Self-
employed individuals with no employees were
to report no more than one employee on an
application for either program. Consequently,
they are not included in this analysis.
We compared the 6.1 million unique recipients
who claimed two or more employees to
National Directory of New Hires (NDNH) wage
data to identify recipients with fraud indicators.
Specific analyses included identifying
recipients without matching NDNH wage data
and recipients with discrepancies between
application and NDNH wage data and
employee counts.
Source: GAO. | GAO-23-105331
Page 52 GAO-23-105331 COVID Relief
data and did not claim those exceptions. “Safe harbors” enabled SBA
to allow applicants exceptions to general forgiveness requirements
due to circumstances beyond their control, including mandated
shutdowns or employees who chose not to return to work when
offered the opportunity to do so.
71
• COVID-19 EIDL. Almost 1.6 million unique COVID-19 EIDL recipients
did not match any NDNH wage data. Approximately 672,000 of these
recipients received approximately $3.8 billion in COVID-19 EIDL
advances—which do not need to be repaid—but were denied loans or
withdrew their applications after the advance was approved. The
CARES Act required that SBA distribute advances based on applicant
self-certification and provided that an applicant shall not be required to
repay an advance even if subsequently denied a loan. However, a
denial or withdrawal could indicate that the recipient did not meet
program eligibility requirements and may have falsely self-certified.
About 155,400 of the 2.2 million unique recipients identified in our
comparison to NDNH wage data received both PPP and COVID-19 EIDL
funds. These cross-program recipients who claimed two or more
employees on their applications but did not match NDNH wage data
collectively received over $27.2 billion in funds. (See text box for
illustrative example.)
71
As of December 31, 2021, 7.3 million unique PPP loan recipients had applied for any
amount of loan forgiveness. Loan forgiveness data indicated that, of these, approximately
67,200 claimed safe harbor related to employee counts on the full-length forgiveness
application, 6.3 million applied for forgiveness using SBA form 3508S (by signing form
3508S, applicants agree that they either met forgiveness requirements or met safe harbor
requirements), and 1.1 million applied using the simplified form 3508EZ (SBA forgiveness
data did not indicate if 3508EZ applicants claimed to meet safe harbor requirements or to
meet forgiveness requirements). This forgiveness-related discussion considers only the
approximately 143,600 unique recipients who used the full-length application form and did
not claim safe harbor. For 32 of the 595 days considered in our analysis (5 percent of the
days) the full-length forgiveness application did not include the checkboxes for applicants
to indicate that safe harbor requirements were met. As a result, forgiveness-related
discussions may include some recipients who met safe harbor requirements during this
timeframe.
Out of about 3.1 million unique PPP recipients we matched to NDNH wage data, almost
3 million requested any amount of forgiveness as of December 31, 2021. Over 2.9 million
of these received 100 percent loan forgiveness.
Page 53 GAO-23-105331 COVID Relief
Individual provided falsified documentation to support application for non-
existent businesses.
Our analysis identified one recipient who submitted applications to both the Paycheck
Protection Program and the COVID-19 Economic Injury Disaster Loan program for
two separate businesses. The individual claimed more than 100 total employees, but
neither business had matching National Directory of New Hires (NDNH) wage data.
According to Department of Justice (DOJ) case documentation, the recipient also
claimed average monthly payroll costs in excess of $100,000 per month for each
business and submitted falsified documents to support those claims. This individual
obtained over $1.1 million in combined funds from both programs. This individual pled
guilty to charges of bank fraud and money laundering.
Source: GAO analysis of DOJ information, court documents, and Small Business Administration and NDNH data. | GAO-23-105331
Some non-fraudulent PPP or COVID-19 EIDL recipients who claimed two
or more employees on their applications may not match NDNH wage data
for legitimate reasons. For example, SBA officials suggested that
businesses may not have filed or were late to submit wage-related
information to state workforce agencies, which are a source of NDNH
wage data. We acknowledge the possibility that some PPP or COVID-19
EIDL recipients were not in compliance with state workforce agency
reporting requirements. This possibility does not negate the risk that the
same individuals misrepresented information on their PPP and COVID-19
EIDL applications.
Another possible reason that some unique recipients may not match
NDNH wage data relates to reporting requirements for specific business
types. For example, sole proprietors and independent contractors who do
not pay employees are not required to report wage-related data that is
eventually housed in the NDNH. We sought to mitigate the possibility of
identifying sole proprietors and independent contractors as potentially
non-operating businesses by limiting our comparison to recipients who
claimed two or more employees on their PPP or COVID-19 EIDL
applications. However, in October 2021, the SBA OIG found that SBA
had distributed $4.5 billion in COVID-19 EIDL advances to sole
proprietors and independent contractors who incorrectly claimed
employees.
72
Specifically, the SBA OIG found:
• 542,897 sole proprietors, who received an advance of more than
$1,000, applied for the COVID-19 EIDL advances without an
72
SBA OIG, SBA’S Emergency EIDL Grants to Sole Proprietors and Independent
Contractors, 22-01 (Oct. 7, 2021).
Page 54 GAO-23-105331 COVID Relief
employer identification number (EIN) and claimed two or more
employees on their applications. The absence of an EIN indicates the
sole proprietor applicants should have claimed no employees.
• 161,197 independent contractors, who received an advance of more
than $1,000, also applied but did not provide an EIN and claimed two
or more employees on their COVID-19 EIDL applications.
The sole proprietors and independent contractors identified by SBA OIG
would be associated with a fraud indicator as a result of our analyses, as
they incorrectly claimed two or more employees on their applications but
did not have corresponding records in NDNH wage data.
There are also specific categories of businesses that are not always
required to report wage-related data to the systems that feed into NDNH.
For example, many states do not require the following business types to
report:
• religious organizations,
• agricultural enterprises,
• nonprofit organizations, or
• “very small” businesses paying less than $10,000 per year in wages.
To the extent possible based on available data, we excluded these
business types, as well as businesses with tribal affiliation, from the
results of our analysis of recipients who did not match NDNH wage data
(see appendix I for additional details). As such, the results of our
comparison of loan- and advance-level data to wage data presented
above do not include approximately 113,200 recipients who applied as
nonprofit organizations, 93,100 religious organizations, or
248,500 agricultural enterprises that received PPP or COVID-19 EIDL
funds but that we could not match to NDNH wage data.
73
However, there
have been fraud cases involving some of the business types we excluded
from our analysis of recipients who did not match NDNH wage data (see
text box for illustrative examples).
73
No “very small” businesses were identified in this analysis.
Page 55 GAO-23-105331 COVID Relief
Neighbors obtained COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL)
funds for nonexistent farms.
According to Department of Justice (DOJ) case information, two neighbors submitted
four fraudulent applications for over $1.1 million in Paycheck Protection Program (PPP)
and COVID-19 EIDL funds. After obtaining PPP loans by making false representations
regarding the number of employees and payroll for at least two businesses, the
neighbors also submitted COVID-19 EIDL applications. One neighbor claimed to
employ five individuals on a farm based in her yard, while the other neighbor claimed to
employ 10 individuals. These farms and employees did not exist. The individuals
received $287,500 in COVID-19 EIDL funds. Both neighbors pled guilty to conspiracy
to commit wire fraud.
Individual obtained Paycheck Protection Program (PPP) funds for non-
operational nonprofit.
According to DOJ case information, the chief executive officer (CEO) of a nonprofit that
had been established in 2018 submitted loan applications through both PPP and
COVID-19 EIDL. On the loan applications, the CEO claimed that the nonprofit had
25 employees and supported that claim with falsified tax documentation. In reality, the
nonprofit had no employees, income, or regular operations. SBA denied the application
for COVID-19 EIDL funds. However, the CEO obtained $305,854 in PPP funds, which
were used to purchase personal items. The CEO pled guilty to wire fraud.
Source: GAO analysis of DOJ information and court documents. | GAO-23-105331
We were able to match 116,900 recipients who applied as nonprofit
organizations, 15,600 religious organizations, 72,900 agricultural
enterprises and 1,300 very small businesses to the NDNH wage data. We
included these unique recipients in our other analyses, such as those
related to employee counts and payroll.
Page 56 GAO-23-105331 COVID Relief
PPP loan forgiveness was directly related to maintaining employee
numbers for up to 24 weeks following funding, except when previously
discussed safe harbor exceptions applied.
Our comparison of PPP loan application data to paid employees in NDNH
wage data identified over 291,100 unique recipients who may have
overstated employee totals. See sidebar, as well as appendix I, for further
details on how we performed our analysis. Our analysis of the 330 PPP
and COVID-19 EIDL fraud cases charged by DOJ showed that 73 percent
involved schemes in which individuals created fictitious employees and
inflated employee counts to obtain more funds.
Over 137,400 of the recipients we identified were associated with 10 or
more employees in NDNH wage data. Within these 137,400, we identified
• over 61,600 unique recipients who reported between 10 and
50 percent more employees on their PPP applications;
• almost 16,600 unique recipients who reported 51 to 100 percent more
employees on their PPP applications; and
• almost 29,300 unique recipients who reported more than 100 percent
more employees on their PPP applications.
74
One of the requirements for 100 percent PPP loan forgiveness, except
where safe harbor exceptions applied, was retaining employees for up to
24 weeks following funding. Of the 291,100 unique recipients who
reported different employee totals, over 12,600 claimed to meet
forgiveness requirements. They received 100 percent loan forgiveness
74
All percentages discussed in these bullets are the percentage in excess of the 10 or
50 percent buffer used in the analysis. For example, if a recipient was recorded in NDNH
as having 150 employees, that recipient would be identified as potentially overstating
employee counts if it reported 166 employees on the PPP application but not if it reported
165 employees (10 percent buffer equivalent to 15 employees). That recipient would be
included in the numbers described in these bullets if it reported 182, 249, or
331 employees (10, 51, and more than 100 percent greater than the expected
165 employees, respectively).
Over 291,100 Unique PPP
Recipients Reported Different
Employee Totals
Employee Counts Are Not Static
It is logical to assume that a business’s
employee count will change over time. Our
analyses provided a 10 percent buffer for
recipients with 10 or more employees and a
50 percent buffer for recipients with fewer
than 10 employees to allow for variations
across time.
In addition, as many businesses were
required to shut their doors to slow the
spread of the pandemic, it is expected that
many businesses had few or no paid
employees in the months during which most
PPP applications were submitted. Other
factors, such as seasonal business, could
also affect employee counts.
However, Paycheck Protection Program
(PPP) applicants were generally instructed to
provide their average employee count for the
12-month period of their choice: 2019, 2020,
or the 12 months prior to the date of
application.
To be conservative, we used the highest—
rather than the average—count of paid
employees in National Directory of New
Hires wage data prior to the PPP application
date.
Although there may be some variability
between the employee counts, differences
that exceed the 10 or 50 percent buffers we
provided may indicate fraudulent application
information.
Source: GAO. | GAO-23-105331
Page 57 GAO-23-105331 COVID Relief
amounting to almost $13.5 billion as of December 31, 2021, although the
NDNH wage data do not support their claims of employee retention.
75
For example, one recipient identified in our analysis was a trucking
company that reported 499 employees on its April 2020 PPP application.
According to NDNH wage data, this business had paid no more than
32 employees in any single quarter between October 2019 and June
2020. This recipient received a $10 million loan that was 100 percent
forgiven.
SBA officials raised concerns that the difference between the PPP loan
application employee counts, which we used for our analysis, and the
NDNH paid employee counts could result from the amount of time
between when a recipient applied for a PPP loan and the available NDNH
employee data. However, as discussed previously and in appendix I, we
applied thresholds and buffers to limit the application of fraud indicators to
recipients who provided average employee counts for a period partially or
entirely outside the timeframe of the available NDNH wage data. In
addition, SBA OIG officials noted that that the employee counts provided
on forgiveness applications may be more accurate. The employee count
on the forgiveness application was to reflect the number of individuals
employed at the time of the original loan application, while the employee
count on the loan application was to generally reflect the average number
of employees over a defined 12-month period.
When we analyzed loan-level forgiveness data as of December 31, 2021,
we found that approximately 171,500 of the over 291,100 unique
recipients we identified in this analysis using the employee count on the
loan application reported lower initial employee counts on the forgiveness
application than they had reported on the loan application. Almost
125,900 of these recipients received 100 percent loan forgiveness,
despite the decrease in employee counts between applications. We then
repeated our analysis using employee counts reported at loan
forgiveness and found that approximately 1,700 of these 125,900 were
75
PPP offered “safe harbors” to provide forgiveness without retaining employees, including
one that allows employers to exclude employees from their calculations if the employee
declined a written offer to return to work, was fired for cause, voluntarily resigned, or
requested a reduction in hours. See previous discussion of safe harbor claims and
forgiveness applications. This description of forgiven recipients considers only those
143,600 unique recipients who applied for loan forgiveness using the full-length
forgiveness form, SBA Form 3508, and did not claim safe harbor related to employee
counts as of December 31, 2021.
Page 58 GAO-23-105331 COVID Relief
still identified as reporting employee counts not supported by the NDNH
wage data and had received 100 percent loan forgiveness totaling over
$2.1 billion as of December 31, 2021, though they did not claim safe
harbor.
76
In addition, recipients may have overstated employee counts to support
greater forgivable loan amounts. PPP rules allowed recipients to consider
no more than $100,000 in annual wages per employee when reporting
payroll costs used to calculate total loan amounts. We identified over
291,100 unique PPP recipients who reported employee counts on their
applications that were more than 10 or 50 percent greater than the
number of paid employees in the NDNH wage data. Overstating the
number of employees on the application could potentially mask the
inclusion of individual employee wages in excess of $100,000 per year
since reporting more employees lowers the average payroll cost per
employee and consequently increases the forgivable loan amount.
SBA officials raised concerns that the methods and buffers we used in
our analyses were not sufficient to account for variations in business size,
especially during the pandemic, and as a result may overstate the extent
to which there were discrepancies between PPP loan-level data and
NDNH wage data. We believe our methods and buffers appropriately
account for such variations. Our results reflect SBA’s exposure to the risk
that otherwise eligible recipients may have inflated employee counts in an
effort to obtain more funds than they were entitled to. We also recognize
that the results of our analyses may include non-fraudulent recipients.
Additionally, SBA officials noted the possibility that some of the unique
recipients flagged in our analysis of employee counts may have been
businesses that underreported information to state workforce agencies,
which are a source of NDNH wage data. We acknowledge that it is
possible that some PPP recipients may have reported incorrect
information to state workforce agencies. This possibility does not negate
the risk that the same individuals may also have misrepresented
information on their PPP applications. The only way to determine the
76
According to an SBA official, lenders inconsistently provided employee counts when
initially submitting applications on behalf of borrowers. Subsequently, some borrowers
directly submitted forgiveness applications. In addition, SBA OIG officials noted that the
employee count on the forgiveness applications may be more accurate than the employee
counts provided on the original loan application. This description of forgiven recipients
considers only those 143,600 unique recipients who applied for loan forgiveness using the
full-length forgiveness form, SBA Form 3508, and did not claim safe harbor related to
employee counts as of December 31, 2021.
Page 59 GAO-23-105331 COVID Relief
reason for the indicator’s presence is through additional inquiry or
investigation.
SBA officials also explained that some of the unique recipients we flagged
may have made good-faith errors on their PPP applications regarding
employee counts. Specifically, they explained that there was confusion
early in the program about counting full-time employees versus
calculating full-time equivalents. This confusion created the opportunity
for errors in, for example, how recipients accounted for part-time workers.
As we have acknowledged, the results of our analysis may include
recipients who made errors though they acted in good faith. However,
while the application forms and their instructions may have created
confusion that resulted in good-faith errors, the risk remains that the same
confusion may have provided opportunities for individuals seeking to
defraud the programs to do so.
The amount of individual PPP loans was based primarily on the
applicant’s average monthly payroll costs.
77
As such, one indicator of
fraud is payroll costs on a PPP application greater than the costs
supported by NDNH wage data, potentially to obtain a larger loan. We
identified over 446,500 unique PPP recipients who received loans larger
than expected based on our calculations using NDNH wage data.
77
Payroll costs include paid wages and additional employer costs related to employee
compensation such as paid leave, health care premiums, retirement plan maintenance
fees, and state and local taxes assessed on employee compensation.
Over 446,500 Unique PPP
Recipients Reported Different
Payroll Costs for Calculating
Loan Amounts
Estimating Wage-Based Payroll Costs
We used available National Directory of New
Hires (NDNH) wage data to estimate wage-
based payroll costs. We then used these
wage-based payroll costs to estimate
maximum eligible Paycheck Protection
Program loan amounts.
We used the following data to estimate wage-
based payroll costs:
• Paid wages (NDNH)
• Employer payroll costs (Bureau of Labor
Statistics)
Payroll costs include both wages paid directly
to employees and non-wage employer
expenses. Non-wage employer expenses are
not reported to NDNH.
Source: GAO. | GAO-23-105331
Page 60 GAO-23-105331 COVID Relief
The maximum allowable PPP loan was generally 2.5 times the recipient’s
average monthly payroll costs.
78
Recipients could also apply for additional
funds to pay down COVID-19 EIDL loans (but not advances). We
estimated the maximum eligible loan amount for recipients matched to
NDNH wage data using payroll costs based on paid wages recorded in
NDNH and on PPP application loan request formulas. For PPP recipients
who had also received COVID-19 EIDL loans, we added the total amount
of COVID-19 EIDL loan funds disbursed as of December 31, 2021,
(excluding advance funds) to the maximum loan amount estimate. We
compared our estimated maximum eligible PPP loan amount to the total
approved PPP loan amount. We identified those recipients with greater-
than-expected approved loan amounts as potentially overstating payroll
costs on their applications. See sidebar, as well as appendix I, for further
details on how we performed our analysis.
Of the 3.1 million unique PPP recipients with matched NDNH wage data,
we identified over 446,500 unique recipients who were approved for total
loan amounts larger than expected based on our wage-based payroll cost
estimates. Within these 446,500, we further identified:
• Over 121,000 unique recipients who were approved for loans at least
twice as large as expected, including 27,000 who each received
approval for loans of $100,000 or greater.
• Almost 36,000 unique recipients who were approved for loans more
than five times as large as expected, including over 1,200 unique
recipients who each received approval for loans of $2 million or
greater.
(See text box for illustrative example.)
78
First draw PPP loans were capped at 2.5 times monthly payroll, plus the amount of
outstanding EIDL funds (excluding advances) for recipients seeking to refinance COVID-
19 EIDL loans. Second draw loans were capped at 2.5 times monthly payroll costs for
most recipients. However, for businesses with specific business identification codes
related to “accommodation and food services,” the cap for second draw loans was
3.5 times monthly payroll, up to a maximum of $2 million. We accounted for these different
caps in our analysis.
Page 61 GAO-23-105331 COVID Relief
Individual inflated payroll costs to support larger loans.
One recipient identified in our analysis of loan data has already been convicted of fraud
related to these loans. This individual received approximately $2.9 million in total
Paycheck Protection Program funds, but wage data supports total eligible funding of
less than $92,000. Our analysis showed this individual received four separate loans,
but only one business was matched to wage data, and the highest paid monthly wage
amount for that business was $26,077. According to Department of Justice (DOJ) case
information, this individual applied for multiple loans and claimed average employee
wages of over $1.5 million per month. This individual pled guilty to multiple fraud
counts, including major fraud against the United States and bank fraud.
Source: GAO analysis of DOJ information, court documents, and Small Business Administration and National Directory of New Hires
data. | GAO-23-105331
SBA officials again raised concerns that the methods and buffers we used
for our analyses did not sufficiently account for variations in payroll costs,
particularly variations that may have occurred during the pandemic, and
as a result fraud indicators may be associated with recipients who did not
overstate payroll costs on their PPP applications. They specifically noted
that our analysis may have associated recipients with above-average
non-wage employer expenses—costly employee insurance or retirement
benefits packages, for example—with fraud indicators. While recognizing
that the results of our analyses may include non-fraudulent recipients, the
methods and buffers used, as well as the results, reflect SBA’s exposure
to the risk that otherwise eligible recipients may have inflated payroll
costs to obtain more funds than they were entitled to.
SBA officials also explained that the complexity of the maximum loan
amount calculations may have led to good-faith errors on the part of both
recipients and lenders.
79
They added that, in addition to the complexity of
the loan request calculation, there was much confusion in 2020 about
how to account for refinancing a COVID-19 EIDL loan as part of the PPP
loan amount. Specifically, recipients may have incorrectly included
COVID-19 EIDL advance amounts or the amounts of COVID-19 EIDL
loans that had been requested but not yet approved at the time of the
PPP loan application. We acknowledge the possibility of good-faith errors
on the part of recipients or lenders due to confusion related to the
application forms and their associated instructions. These conditions do
79
In January 2021, SBA issued a Procedural Notice that explained that PPP recipients will
not receive forgiveness for good-faith excess loan amount errors.
Page 62 GAO-23-105331 COVID Relief
not negate the risk that this confusion may have provided opportunities
for individuals seeking to defraud the program to do so.
SBA officials also noted that the Economic Aid to Hard-Hit Small
Businesses, Nonprofits, and Venues Act (Economic Aid Act) allowed
certain recipients to base loan amount calculations on gross income
rather than payroll.
80
We acknowledge it is possible that loan applications
received after enactment of the Economic Aid Act in December 2020 may
have used this alternative calculation. We recognize that the results of our
analyses may include non-fraudulent recipients. However, these results
also reflect SBA’s exposure to the risk that otherwise eligible recipients
may have inflated payroll costs to obtain more funds than they were
entitled to.
Additionally, SBA officials observed the possibility that some of the unique
recipients flagged in our payroll analysis may have been businesses that
underreported information to state workforce agencies, which are a
source of NDNH wage data. We acknowledge that it is possible that some
PPP recipients may have done so. This possibility does not negate the
risk that the individuals may also have misrepresented information on
their PPP applications.
PPP and COVID-19 EIDL recipients were generally limited to a single
approved and funded application per business entity per program.
However, according to our analysis, almost 22,000 unique recipients
received multiple unique loans or advances, potentially in violation of this
limitation. Each program had certain provisions by which additional funds
might be distributed, such as a second draw PPP loan.
81
Our analysis
does not include those recipients whom the data indicate were funded
more than once within the rules of the programs.
80
Title III of Pub. L. No. 116-260, § 307; 134 Stat 1998 (2020).
81
A “unique loan or advance” refers to a funded first draw PPP loan, associated loan
increases, and an optional second draw loan; or to any loan or advance funds disbursed
based on a single approved COVID-19 EIDL application. PPP recipients who received
both first and second draw PPP loans, and COVID-19 EIDL recipients who received
increases and advances associated with only one application, are not included in the
unique recipients with fraud indicators described here. The recipients we discuss in this
section received separate unique first draw PPP loans or separate unique COVID-19 EIDL
loans or advances, as both programs limited individual businesses to one unique funding
opportunity per program.
Almost 22,000 Unique
Recipients May Have Received
Multiple Unique Loans or
Advances
Page 63 GAO-23-105331 COVID Relief
For the purposes of these programs, a business entity is defined by its tax
filing. If a business with three locations submits one tax return under a
single EIN, that business should have submitted a single PPP or COVID-
19 EIDL application representing the three locations. Businesses can
have different EINs for different segments of the business, including
locations. If a business submits individual tax returns under unique EINs
for each of the three locations, the locations would be treated as
individual businesses. Therefore, each of the three locations could submit
corresponding PPP or COVID-19 EIDL applications as an individual
business entity within the rules of the programs.
Our analysis of the loan- and advance-level data identified almost
22,000 unique recipients who submitted multiple separate applications
that were approved and funded, though both programs generally limited
individual businesses to a single application. This indicates that these
recipients may have misrepresented business information on their
applications to obtain additional funds they were not eligible for. See
sidebar, as well as appendix I, for further details on how we performed
our analysis.
Specifically:
• PPP. We identified almost 2,500 unique recipients who received at
least two unique PPP loans, contrary to program limits of one loan for
each unique business. Of these recipients, over 1,500 had received
loan forgiveness totaling approximately $109 million as of December
31, 2021.
• COVID-19 EIDL. We identified about 19,500 unique recipients who
received at least two unique COVID-19 EIDL loans or advances. Of
these recipients, almost 16,600 received approximately $95 million in
advances that are not required to be repaid.
In addition, we identified 13 unique recipients who received multiple
unique PPP loans and multiple unique COVID-19 EIDL loans or
advances.
For example, we identified one recipient approved for one unique first
draw PPP loan in June 2020 and another first draw PPP loan in April
2021. This recipient also received COVID-19 EIDL loan and advance
funds from two separate applications accepted on different dates in June
2020. This recipient received over $967,000 from both programs.
Identifying Unique Recipients from Unique
Loans and Advances
There were a total of 18.3 million unique loans
or advances distributed through the Paycheck
Protection Program (PPP) and the COVID-19
Economic Injury Disaster Loan program
(COVID-19 EIDL). However, we describe the
results of our analyses in terms of the
13.4 million unique recipients, not unique
loans or advances.
Our initial review of PPP loan-level data
showed that applicants frequently used
business information (employer identification
number and business name) for the first draw
application and personal information (Social
Security number and owner name) for the
second draw application, or vice versa.
To avoid double-counting these recipients,
and to identify other individuals that received
more than one unique loan or advance, we
used combinations of key identifying
information to determine if multiple loan or
advance records belonged to the same
unique recipient.
For example, if the same tax identification
number (tax ID), business name, and address
were associated with more than one record,
all records were associated with a single
unique recipient. This could be a recipient of
multiple loans within one program, or a
recipient who received one PPP loan and one
COVID-19 EIDL loan or advance.
We also considered all records with the same
business name and address but a different
tax ID as a single unique recipient. In some
cases, the different tax ID may be a data entry
error. However, it is also an indicator of fraud
by an individual potentially altering a single
identification field to avoid detection.
Source: GAO. | GAO-23-105331
Page 64 GAO-23-105331 COVID Relief
We identified almost 894,400 unique recipients who were approved for
and received funding—once or multiple times—based on applications
with the same business information as other unique recipients of funds
from the same program (either PPP or COVID-19 EIDL). This identical
business information includes information such as tax IDs, business
names, and addresses.
Of the almost 894,400 unique recipients who appear to have received
funds in violation of program limits on the number of loans or advances
per business entity per program, the majority were approved once using
the same information as another unique approved and funded recipient.
We also identified almost 2,100 unique recipients who were approved
multiple times, either as the same business or appearing to be different
businesses.
This analysis of recipients who may have used the same information is in
contrast to our previously discussed analysis, in which we considered
only those recipients that we identified as unique entities or individuals
who received funds as a result of more than one application. Where
possible, we attempted to minimize the inclusion of non-fraudulent
recipients by using thresholds. For example, we applied the fraud
indicator related to duplicate internet protocol (IP) addresses only when
data showed the same IP address was used ten or more times to apply
for COVID-19 EIDL funds.
82
See appendix I for additional information on
these thresholds and how we did our analysis.
In some cases, recipients with the same business information may have
been independent contractors that provided parent company information.
This suggests the possibility of error, as opposed to potentially fraudulent
activity. For example, we identified over 1,600 unique recipients who
provided the name and address combinations of rideshare agency
locations. These recipients received combined program funds totaling
over $26 million. Both PPP and COVID-19 EIDL applications required the
legal business name and business address of the recipient, which should
82
Some of the business information we considered may be expected to match more than
one unique business. For example, more than one non-fraudulent loan recipient may have
business addresses in the same office building. To account for these situations, we set a
threshold above which there is a higher chance that the duplication is an indication of
fraud. Where we set a threshold, we indicated that threshold in our results. For example,
we did not consider matching addresses to be a fraud indicator until the same address
was provided for five or more unique recipients.
Almost 894,400 Unique
Recipients May Have Applied
for Funds Using the Same
Identifying Information as
Other Recipients
Page 65 GAO-23-105331 COVID Relief
be the individual’s home or contracting business address, not the address
of the company for which the individual is a contractor.
According to SBA officials, one of the challenges for independent
contractors was that the forms were not always specific as to which
address to use. While the application forms and their instructions may
have created confusion for legitimate applicants and resulted in errors,
they may have also provided opportunities for those seeking to defraud
the programs. For example, our analysis identified 35 unique COVID-19
EIDL applications that provided the address of a two-bedroom apartment
as the business address and a rideshare agency as the business name.
SBA officials raised concerns that the methods and thresholds we used
for our analyses were not sufficient to account for variations in business
type or organizational strategy. Specifically, SBA stated that the methods
and thresholds used may overstate the extent to which recipients may
have inappropriately applied for funds using the same identifying
information as other recipients. They noted that a business owner could
maintain more than one distinct business entity with unique tax IDs but
share legal names and address, as well as number of employees. We
recognize that the results of our analyses may include non-fraudulent
recipients, and we have incorporated thresholds or buffers into these
analyses to account for scenarios in which shared information may be
expected. However, our results reflect SBA’s exposure to the risk that
recipients may have inappropriately used another recipient’s information
to obtain funds. Our analysis of the 330 PPP and COVID-19 EIDL fraud
cases charged by DOJ showed that 19 percent involved allegations of
theft of personally identifiable information and 5 percent involved
allegations of using another business’s information to obtain PPP or
COVID-19 EIDL funds.
The SBA OIG has also reported on the risk of identity theft by applicants
seeking pandemic relief funds.
83
Specifically, the SBA OIG reported that
as of January 31, 2021, SBA had referred 846,611 COVID-19 EIDL
applications to the OIG. This total includes the loan applications that
originated identity theft complaints (once individuals indicated that they
did not apply for a loan and believed they were a victim of identity theft)
and any related applications (applications with the same email address,
phone number, or physical address). For the 846,611 applications, SBA
83
SBA OIG, SBA’s Handling of Identity Theft in the COVID-19 Economic Injury Disaster
Loan Program, 21-15, (Washington, D.C.: May 2021).
Page 66 GAO-23-105331 COVID Relief
disbursed $6.7 billion in COVID-19 EIDL funds. The SBA OIG further
found that the bank account numbers for 29,435 of the 112,196 disbursed
loans, totaling $1.7 billion, were changed from the original number
submitted on the application to another number used for disbursement,
which is an additional indicator of potential fraud.
PPP
We identified almost 524,600 unique PPP recipients who received funds
using the same business information as at least one other unique
recipient. These recipients received almost $51.1 billion in total funds,
approximately $39.6 billion of which had been forgiven as of December
31, 2021.
Specifically, we identified
• 31,400 unique recipients who provided the same business name and
address as at least one other recipient but different tax IDs;
• 231,900 unique recipients who provided the same business address
and business identifying information—such as business type and
employee count—as at least one other recipient but different business
names and tax IDs; and
• 323,700 unique recipients who provided a business address
associated with at least five unique recipients. Recipients in the same
office building will have similar addresses. However, multiple
applications with the same address could also indicate potentially
ineligible applicants re-using information. (See text box for illustrative
example.)
Individuals successfully submitted multiple applications using the same business address.
Our analysis identified one recipient who received over $453,000 from three separate
Paycheck Protection Program loan applications that used the same street address.
Further review of Department of Justice (DOJ) case data found that the recipient was
named as a defendant in a case along with co-conspirators who submitted a total of
22 applications for 12 different businesses. Ten of the businesses shared the same
address but were described with different business names, owners, and business
descriptions. Although 17 of the applications were denied by lenders, DOJ case
information indicates that these recipients received a total of more than $995,000 from
five funded applications. One of the individuals involved pled guilty to bank fraud and
another pled guilty to bank fraud and identity theft. A third individual was found guilty of
multiple charges, including bank fraud conspiracy and identity theft.
Source: GAO analysis of Small Business Administration data, DOJ information, and court documents. | GAO-23-105331
Page 67 GAO-23-105331 COVID Relief
COVID-19 EIDL
We identified over 408,800 unique COVID-19 EIDL recipients who
received funds using the same business information as at least one other
unique recipient. These recipients received almost $16.4 billion in total
funds, including approximately $1.2 billion in advances.
Specifically, we identified
• 18,700 unique recipients who provided the same business name and
address as at least one other recipient but different tax IDs;
• 175,600 unique recipients who provided the same business address,
business type, and employee count as at least one other recipient but
different business names and tax IDs;
• 201,300 unique recipients who provided a business address
associated with at least five unique recipients;
• 37,100 unique recipients with an IP address—automatically collected
by SBA—associated with at least 10 unique recipients;
• 28,200 unique recipients who provided the same bank account
information as at least one other recipient; and
• 1,200 unique recipients who provided the same owner tax ID as at
least one other recipient but different owner names.
For example, the same owner tax ID was provided in loan- and advance-
level data for 103 unique COVID-19 EIDL recipients, though different
owner names were provided. These 103 recipients received $3.4 million
in total COVID-19 EIDL funds. Even though submitting different business
information, such as different owner names, may not be fraudulent by
itself, it is an indicator that fraud may have occurred.
Our analyses identified almost 39,000 unique recipients with fraud
indicators in both PPP and COVID-19 EIDL loan- and advance-level data
related to using the same business information as other recipients of
funds from the same program.
We found that almost 383,000 of the 2.1 million unique recipients who
received both PPP and COVID-19 EIDL funds used different business
information when they applied to each program. For example, one
corporate recipient self-reported as having over 100 employees on its
COVID-19 EIDL application in March 2020. However, on its April 2020
Almost 383,000 Unique
Recipients May Have Provided
Different Information to
Each
Program
Page 68 GAO-23-105331 COVID Relief
PPP application, that same recipient reported fewer than five employees
and identified as a nonprofit organization (see fig. 12).
Figure 12: Example of Information Mismatch between Paycheck Protection Program (PPP) and COVID-19 Economic Injury
Disaster Loan (COVID-19 EIDL) Data
There are potentially non-fraudulent reasons for each application having
different information. This could include two different people who have
different levels of familiarity with the business submitting each application.
It could also include variations over time. For example, a recipient may
have applied for a PPP loan as a corporation in April 2020 and then
applied for a loan under COVID-19 EIDL in December 2021 as a nonprofit
organization, having legitimately restructured its business during that
time.
However, conflicting descriptions for businesses providing the same
identification information can indicate that applications may have been
falsified. It can also be an indicator that the identifying information from a
legitimate business in one program was used to submit an application
with false information to the other.
PPP loans were made to recipients through a network of participating
lenders. Certain lenders originated a disproportionate share of fraudulent
and potentially fraudulent loans compared to the share of all PPP loans
issued by those lenders, according to our analysis of PPP fraud cases
charged by DOJ as of December 31, 2021, and PPP loan-level data. We
Certain Lenders
Originated Higher Rates of
Fraudulent and Potentially
Fraudulent PPP Loans
Page 69 GAO-23-105331 COVID Relief
identified 1,191 PPP loans associated with the 260 closed and ongoing
PPP fraud cases and found the origination of those loans to be
concentrated among 245 lenders.
84
Most PPP lenders did not have a loan associated with a DOJ fraud case,
as of December 31, 2021. Of the roughly 5,500 lenders that participated
in PPP, 95.5 percent of lenders did not have a loan associated with a
fraud case. In addition, of the 245 lenders we identified with a loan in a
fraud case, 80 percent of those lenders had issued three or fewer loans
associated with a DOJ case.
Our analysis identified a small number of lenders that issued a
disproportionate share of loans with a DOJ fraud case. We found that
five lenders (including both bank and nonbank lenders) issued about
34 percent of all loans associated with at least one fraud case identified
as of December 31, 2021 (see table 4). In contrast, these five lenders had
issued about 14 percent of all PPP loans.
Table 4: Top Five Lenders by Number of Paycheck Protection Program (PPP) Loans Associated with a Department of Justice
(DOJ) Fraud Case, as of December 31, 2021
Lender
Lender
category
a
Chartering or
licensing
authority
b
Number of
loans in fraud
cases
Percent of
loans in fraud
cases
Number of
PPP loans
issued by
lender
Loans by
lender as a
percent of all
PPP loans
Lender A
Bank
c
State
122
10.2
182,825
1.5
Lender B
Bank
c
State
92
7.7
518,912
4.2
Lender C
Bank
Federal
89
7.4
507,174
4.1
Lender D
Bank
State
54
4.5
327,951
2.6
Lender E
Nonbank
c
State
45
3.8
258,545
2.1
Total
402
33.6%
1.8 million
14.4%
Source: GAO analysis of DOJ information and Small Business Administration data. I GAO-23-105331
a
While banks are depository institutions, nonbanks generally provide lending services but do not
accept deposits.
b
An institution’s primary supervisor depends on whether its charter or license was issued by a federal
or state entity. Supervisors conduct on-site examinations to assess banks’ condition and monitor
compliance with banking laws. For institutions with state primary supervisors, examinations may
alternate between state and federal supervisors. However, both state- and federally-chartered banks
must apply to the Federal Deposit Insurance Corporation (FDIC) for deposit insurance, which
provides FDIC with backup examination and regulatory authority over all insured banks.
c
We identified these institutions as fintech lenders, which are defined as technology-based firms that
operate online and may use nontraditional data to make loan decisions.
84
Associated cases include 84 closed PPP and 42 closed PPP and EIDL cases as well as
85 ongoing PPP and 48 ongoing PPP and EIDL cases.
Page 70 GAO-23-105331 COVID Relief
Four of the top five lenders with loans identified in fraud cases were
primarily state-supervised institutions. Specifically, one is a state-licensed
nonbank lender and three are state-chartered banks. In processing PPP
loan applications, lenders were required to comply with BSA
requirements, as discussed below. The adequacy of an institution’s BSA
compliance program, which includes requirements for financial institutions
to verify the identity of all new customers and monitor and report
suspicious activity, among other things, is assessed during the
institution’s safety and soundness exam. While all federally-insured banks
are subject to safety and soundness examinations by their federal
regulator every 12 to 18 months, state-chartered banks are examined on
an alternating schedule between the appropriate federal and state
regulator and, accordingly, may face less frequent federal examinations.
85
However, nonbank lenders may not have federal supervisors to examine
their BSA compliance programs, depending on the nonbank lender’s prior
lending activities and existing relationships with banks.
We found that lenders with the top five highest rates of loans associated
with PPP fraud cases tended to use financial technology to automate
PPP loan origination (fintech). Specifically, three of the top five lenders
with loans identified in fraud cases are bank or nonbank institutions that
used fintech to automate their loan origination processes. One of the
fintech lenders identified among our top five stated that over 75 percent of
the PPP applications it approved were processed without human
intervention or manual review.
86
Prior studies found that fintech lenders
were disproportionately represented as lenders of potentially fraudulent
PPP loans. For example, based on analysis of fraud indicators, a 2022
85
While state-chartered, federally-insured banks are required to undergo safety and
soundness exams every 12 to 18 months, such institutions may be examined in alternate
12-month periods if the appropriate federal banking agency determines that an
examination of the insured depository institution conducted by the state banking authority
during the intervening 12-month period carries out the purpose of the regulation.
12 U.S.C. § 1820.
86
Fintech lenders are defined as technology-based firms that operate online and may use
nontraditional data to make loan decisions. For this analysis, we categorized fintech
lenders as any nonbank lender that participated in the program as well as any online
direct bank, which generally only have one physical branch location. See Isil Erel and Jack
Liebersohn, Does FinTech Substitute for Banks? Evidence from the Paycheck Protection
Program (Cambridge, MA: December 2020).
Page 71 GAO-23-105331 COVID Relief
study found that fintechs were more likely to issue potentially fraudulent
loans than non-fintech lenders.
87
SBA has taken action against certain fintech lenders and companies
based on evidence of inadequate controls to prevent fraudulent
applicants from obtaining PPP loans. On December 7, 2022, SBA
announced the suspension of two fintech companies that partnered with
lenders to facilitate PPP loan approvals from working with SBA. Further,
SBA announced its investigation of eight fintech and fintech-partnered
PPP lenders related to deficiencies in these entities’ fraud identification
and prevention capabilities.
Our analysis of the characteristics of PPP loans identified in DOJ cases
compared to all PPP loans found that new lenders issued a slightly higher
percentage of loans associated with a fraud case than existing SBA
lenders based on their share of the total loan amount disbursed.
According to SBA, Treasury and SBA jointly reviewed and approved
848 new lenders to participate in PPP, in addition to the 4,837 lenders
already authorized to participate in SBA’s programs. However, consistent
with CARES Act requirements, all lenders were allowed to rely on
applicants’ documents and self-certifications, and SBA committed to hold
lenders harmless for applicants’ failure to comply with program rules.
Such reduced underwriting requirements limited lenders’ role in mitigating
fraud risks.
Moreover, all PPP lenders had to demonstrate the ability to comply with
applicable BSA requirements. The BSA generally requires financial
institutions to implement an anti-money laundering program to help
prevent and detect money laundering and terrorist financing. For certain
types of federally insured depository institutions such as banks this
includes, among other things, requirements for implementing appropriate
risk-based procedures for conducting ongoing customer due diligence,
which requires obtaining and verifying customer identities and
understanding the potential risks associated with customers.
88
Federally insured depository institutions undergo examinations by federal
and state financial supervisors, which, among other things, assess
87
John Griffin, Samuel Kruger, and Prateek Mahajan, Did FinTech Lenders Facilitate PPP
Fraud? (Aug. 18, 2022).
88
See 31 C.F.R. § 1020.210(a)(2)(v).
Page 72 GAO-23-105331 COVID Relief
federally insured depository institutions’ ability to meet applicable BSA
requirements as part of the safety and soundness examination.
89
In prior
work, we reported that banks in our analysis said costs associated with
meeting customer due diligence requirements were greater than those of
any other BSA/AML requirements.
90
Treasury officials told us that they
conducted phone interviews to determine the presence of BSA/AML
compliance programs for certain prospective PPP lenders.
Although PPP rules allowed lenders to rely on borrower self-certifications,
SBA required all PPP lenders to comply with federal BSA requirements.
In January 2023, the Board of Governors of the Federal Reserve System
(Federal Reserve) assessed a $2.3 million penalty against a PPP lender
for approving six PPP loans despite detecting significant indicators of
potential fraud. The Federal Reserve found that the lender’s failure to
promptly report the potential fraud resulted in violations of the lenders’
internal BSA protocols.
According to officials from the Federal Deposit Insurance Corporation
(FDIC), examinations conducted through December 2021 had not
identified widespread BSA deficiencies among institutions under their
supervision related to PPP lending across lender types. The officials
identified eight instances of deficiencies among three institutions involving
compliance requirements related to customer due diligence for PPP loans
between March 2020 and December 2021.
According to our statistical analysis of key factors associated with DOJ
cases compared to PPP loans overall, loans issued by nonbank lenders
were associated with a higher likelihood of being identified in a fraud case
relative to bank lenders, holding all other factors constant. In addition,
loans issued by lenders (bank and nonbank) with smaller asset sizes
($1 billion to less than $10 billion) were associated with a higher likelihood
of being identified in a fraud case, relative to lenders with larger asset
sizes ($10 billion or greater), holding all other factors constant.
89
As noted above, FinCEN has delegated its authority to examine financial institutions for
compliance with the Bank Secrecy Act to the federal banking agencies. 31 C.F.R.
§ 1010.810(b).
90
GAO, Anti-Money Laundering: Opportunities Exist to Increase Law Enforcement Use of
Bank Secrecy Act Reports, and Banks’ Costs to Comply with the Act Varied, GAO-20-574
(Washington, D.C.: Sept. 22, 2020).
Page 73 GAO-23-105331 COVID Relief
The same analysis also examined borrower characteristics and select
indicators of fraud. This analysis indicates that loans for businesses
based in urban localities or self-employed businesses are more likely to
be identified in a fraud case, relative to business loans from rural localities
or employer business, holding all other factors constant. Similarly,
controlling for other factors, we found that loans flagged as having
overstated payroll or flagged as a non-existent business were more likely
to be identified in a fraud case, relative to loans that were not flagged.
91
PPP rules also required lenders to monitor and report suspected
instances of fraud even after loans were issued. Based on our analysis of
data provided by Treasury’s Financial Crimes Enforcement Network
(FinCEN), institutions filed at least 174,000 suspicious activity reports
(SAR) to FinCEN in cases of suspected fraud related to PPP, as of
December 31, 2021 (see fig. 13).
92
Of those filed, nearly 90 percent of
SARs related to PPP were filed by depository institutions, such as banks
and credit unions, according to our analysis of the same FinCEN data.
93
SARs can assist law enforcement agencies in their efforts to initiate or
supplement investigations involving money laundering and other crimes.
91
For more information, see appendix IV.
92
FINCEN identified SARs using defined search terms.
93
Due to data limitations, it is unknown whether the depository institution that reported a
given SAR was also the originator of the PPP loan being reported.
Page 74 GAO-23-105331 COVID Relief
Figure 13: Number of Suspicious Activity Reports Filed on Paycheck Protection Program Loans, by Month
In addition to fraudulent borrower activity, law enforcement and regulators
have identified potentially fraudulent activity conducted directly by
lenders. For example, DOJ charged one lender for its fraudulent lender
activity. The business allegedly claimed to have prior lending experience
and was approved as a PPP lender. This company issued $832 million in
PPP loans, earning approximately $71 million in lender fees. As of
December 31, 2021, DOJ charged 10 cases involving 12 potentially
fraudulent PPP loans issued by this lender, which represents
0.03 percent of all PPP loans issued by this lender. In addition, FDIC has
removed one individual from banking for PPP loan fraud as of June
2022.
94
FDIC officials told us they are investigating additional cases of
suspected fraud by institution-affiliated parties.
94
Other federal supervisors have taken similar actions. For example, the Federal Reserve
Board prohibited a bank employee from future employment in the banking industry for
fraudulently obtaining PPP and COVID-19 EIDL loans. See Board of Governors of the
Federal Reserve System, Federal Reserve Board announces it has prohibited five former
bank employees from future employment in the banking industry for fraudulently obtaining
loans and grants administered under the Coronavirus Aid, Relief, and Economic Security
(CARES) Act (Washington, D.C.: Oct. 13, 2022). Accessed Jan. 5, 2023, at
https://www.federalreserve.gov/newsevents/pressreleases/enforcement20221013a.htm.
Page 75 GAO-23-105331 COVID Relief
Data analytics can help detect potentially fraudulent activity and, if used
before the distribution of funds, can help prevent fraud. These types of
analytics can also inform risk assessment efforts. A robust data analytics
program consists of many elements, including internally available data
and data from external sources. As discussed in the Fraud Risk
Framework, a leading practice in data analytics is to conduct data mining
and matching, such as cross-checking of data and using external data
sources to validate information, to identify suspicious activities.
SBA has used data analytics to facilitate fraud detection within its
pandemic relief programs. As previously discussed, SBA incorporated the
use of data analytics into its oversight plans for PPP and COVID-19 EIDL
to identify potentially fraudulent loans and advances. Based on those
analytic efforts along with manual reviews, SBA made over
669,000 referrals for criminal investigation. Additionally:
• In response to our June 2020 recommendation, SBA’s loan review
contractors conducted automated screenings for all PPP loans made
before September 2020.
95
Starting in January 2021, SBA’s
contractors began using a rules-based tool to screen all PPP loan
applications with potential indicators of ineligibility or fraud risk. After
manually reviewing these flagged loans, SBA determined that some
borrowers were ineligible for the related loan amounts or used the
loan proceeds for unauthorized uses. These reviews resulted in PPP
loan proceeds with a net present value of about $4.7 billion not being
forgiven.
• In response to our January 2021 recommendation, SBA developed
and implemented portfolio-level data analytics across COVID-19 EIDL
as a means to detect potentially ineligible and fraudulent
applications.
96
• In response to our July 2022 recommendation pertaining to the
Restaurant Revitalization Fund (RRF), SBA officials told us in January
2023 that SBA is taking steps to execute data analytics across the
95
GAO-20-625. Additional information on SBA’s PPP loan review process can be found in
GAO, Paycheck Protection Program: SBA Added Program Safeguards, but Additional
Actions Are Needed, GAO-21-577 (Washington, D.C.: July 29, 2021).
96
GAO-21-265. Additional information on SBA’s review process for COVID-19 EIDL can be
found in GAO, Economic Injury Disaster Loan Program: Additional Actions Needed to
Improve Communication with Applicants and Address Fraud Risks, GAO-21-589
(Washington, D.C.: July 30, 2021).
Enhanced Data
Analytics Can Help
SBA Identify
Potentially Fraudulent
Recipients
Page 76 GAO-23-105331 COVID Relief
portfolio, with plans to incorporate the results into post-award review
procedures.
97
Across its pandemic relief programs, however, SBA did not fully leverage
information to help prevent fraud and identify applicants who tried to
defraud more than one program. In the case of PPP and COVID-19 EIDL,
SBA officials told us that they did not cross-check applicants’ information
between the two programs because they lacked a mechanism for doing
so. They also noted they did not cross-check PPP recipients with COVID-
19 EIDL recipients because an applicant may qualify for one program and
not another because of eligibility differences. Nevertheless, a denial in
one program may be related to suspected fraud, and cross-checking
program data can help identify questionable applications.
Further, we found in July 2022, that SBA was cross-checking certain
information for RRF recipients, but the agency was not cross-checking
other information to prevent and detect potential fraud in the program.
98
Specifically, SBA used PPP data, as well as data from its Shuttered
Venue Operators Grant program, to screen RRF applicants, but it was not
cross-checking data on RRF recipients against information on suspicious
borrowers from the PPP program provided by DOJ and the SBA OIG. As
of January 2023, SBA had begun reviewing a sample of all RRF awards
to confirm eligibility and use of funds compliance. We continue to review
information provided to us by SBA that focuses on the use of enforcement
data on suspected fraud in other SBA programs.
Regarding the use of external data sources, over the course of its
COVID-19 response, SBA enhanced its use of these data to facilitate
efforts to validate applicant information and detect potential fraud. For
example:
• For COVID-19 EIDL, SBA began validating bank routing numbers for
COVID-19 EIDL applicants in May 2020. In August 2020, it began to
revalidate bank account information whenever the loan applicant
changed this information.
• For PPP Round 2, which began in January 2021, SBA implemented
controls using public records to validate information such as whether
97
GAO, Restaurant Revitalization Fund: Opportunities Exist to Improve Oversight,
GAO-22-105442 (Washington, D.C.: July 14, 2022).
98
GAO-22-105442.
Page 77 GAO-23-105331 COVID Relief
the business was in operation as of February 15, 2020, consistent
with program eligibility requirements.
• For all of its pandemic relief programs, in April 2021, SBA
implemented pre-award procedures to screen applicants against
Treasury’s Do Not Pay service.
99
SBA experienced initial restrictions and delays in being able to validate
some applicant information using IRS data. SBA officials told us the
CARES Act’s restriction on obtaining applicants’ tax returns from the IRS
presented a challenge for validating COVID-19 EIDL applications. The
Consolidated Appropriations Act, 2021, enacted on December 27, 2020,
removed this restriction. SBA officials told us that beginning in April 2021,
the agency started incorporating tax information as part of its validation
process for loan applications to confirm that businesses existed on or
before January 31, 2020, and to verify business revenue. However, the
SBA OIG found that between when Congress removed the restriction and
when SBA began using tax information, SBA disbursed more than
$92 million in COVID-19 EIDL funds disbursements to businesses with
suspect tax ID numbers.
100
The lapse of about 4 months was attributable,
in part, to the time needed to negotiate an agreement with the IRS so that
SBA could request and receive tax data.
SBA has access to various government and private sector databases,
such as Treasury’s Do Not Pay service and Lexis-Nexis, to help prevent
and detect fraud. While SBA said it has access to some external
databases, it does not have access to some other external data sources
that could benefit its efforts to detect and prevent fraud. Specifically, SBA
does not have statutory access to the quarterly NDNH data we used in
our fraud indicator analysis. If SBA had access, these data could have
served as an alternate means of validating applicant information when it
was restricted from using IRS data or while it was negotiating for the use
of IRS data. Further, such access could allow SBA to conduct indicator
99
SBA OIG, COVID-19 EIDL Program Recipients on the Department of Treasury’s Do Not
Pay List, 22-06 (Washington, D.C.: Nov. 30, 2021). Treasury’s Do Not Pay service is an
analytics tool that helps federal agencies detect and prevent improper payments made to
vendors, grantees, loan recipients, and beneficiaries. Agencies can use the service to
check multiple data sources to make payment eligibility decisions.
100
SBA OIG, Follow-up Inspection of SBA’s Internal Controls to Prevent COVID-19 EIDLs
to Ineligible Applicants, 22-22 (Washington, D.C.: Sept. 29, 2022).
Page 78 GAO-23-105331 COVID Relief
analyses not only with emergency relief programs but also with the range
of programs it administers.
Other data sources could also be beneficial for SBA’s purposes. For
example, in January 2023, the PRAC noted the benefit of a consent-
based verification process to authenticate basic applicant information—
such as name, date of birth, and Social Security number—to ensure
applicant eligibility and to prevent program and identity fraud.
101
The
PRAC urged SBA to work with the Social Security Administration to
explore information-sharing agreement(s) that will allow for verifications
across all SBA-funded grant, loan, and benefit programs that are
vulnerable to identity fraud. SBA informed us that it has communicated
with the Social Security Administration on this matter, but as of April
2023, the legal authority to share information with SBA has not been
established.
SBA has recognized that it would benefit from further developing its data
analytics program. According to planning documents for SBA’s Fraud
Risk Management Board, this analytics program is to be in place by the
end of fiscal year 2023. As the Board develops and implements
enhancements, it has the opportunity to build upon the agency’s
experiences with data analytics for the pandemic relief programs to
facilitate analytics within and across its various programs going forward.
This effort could include ensuring that mechanisms are in place and are
used to facilitate cross-checking of information across programs. Doing
so would be consistent with the Fraud Risk Framework’s leading practice
for agencies to combine data across programs and from separate
databases. It would help managers identify potential instances of fraud
that may not be evident when analyzing data from separate programs or
within separate databases.
Further developing its data analytics program could also include ensuring
that SBA continues to identify the range of external data sources that
101
In January 2023, the PRAC issued an alert in which it identified over 69,000
questionable Social Security numbers that were used to obtain $5.4 billion from PPP and
COVID-19 EIDL. PRAC data scientists used publicly available information from the Social
Security Administration to identify a target selection of Social Security numbers that may
have been invalid or not assigned prior to 2011. Then using legal authorities included in
the CARES Act, PRAC requested that SSA provide it with verification information for these
SSNs. PRAC, FRAUD ALERT: PRAC Identifies $5.4 Billion in Potentially Fraudulent
Pandemic Loans Obtained Using Over 69,000 Questionable Social Security Numbers
(Jan. 30, 2023).
Page 79 GAO-23-105331 COVID Relief
would aid it in preventing and detecting potential fraud. This includes
sources that could be used if other sources cannot be accessed or
accessed in a timely manner. As noted in the Fraud Risk Framework,
using data from other federal agencies or third-party sources is a leading
practice that can help managers identify potential instances of fraud.
However, as we have previously reported and as SBA experienced with
the pandemic relief programs, there are statutory and other obstacles that
make it difficult to share available data.
102
As a result, once SBA has
identified additional external data sources, it may need to pursue statutory
authority or enter into data-sharing agreements to gain timely access to
those sources.
Until such an enhanced analytics program is in place that fully leverages
data across SBA programs and accesses external data to the fullest
extent possible, SBA will miss opportunities to effectively use data to
achieve the objective of mitigating the likelihood and impact of fraud.
Our analyses emphasize the importance of preventing and readily
detecting fraud, particularly when the scale of potential fraud is significant.
Our analysis of PPP and COVID-19 EIDL data identified over 3.7 million
out of 13.4 million total unique recipients with discrepancies associated
with potential fraud. The presence of fraud indicators is not proof of fraud
and requires further review and investigation, which is why we have
referred those recipients to the SBA OIG. Further, as of December 2021,
DOJ filed PPP and COVID-19 EIDL fraud-related charges against
524 individuals, and that number continues to grow. Given limited law
enforcement and DOJ resources, pursuing millions of potentially
fraudulent loan and advance recipients may ultimately not be feasible or
cost effective. When pay-and-chase becomes too difficult or costly to
pursue, the taxpayers are left to pay for the fraud, bearing its financial and
non-financial impacts.
Our fraud indicator analyses demonstrate the value of data analytics in
fraud detection. Such value can be further realized in fraud prevention.
The use of internal and external data for mining and matching are
elements of a robust data analytics program. The Fraud Risk
Management Board has recognized the benefits of further developing
SBA’s data analytics program, but the agency does not have the
mechanisms in place to consistently check applicant information across
102
GAO, Highlights of a Forum: Data Analytics for Oversight and Law Enforcement,
GAO-13-680SP (Washington, D.C.: July 15, 2013).
Conclusions
Page 80 GAO-23-105331 COVID Relief
programs and may not have timely access to some external data sources
that could support fraud prevention and detection. Enhancements to its
data analytics program, involving cross-program data checks and external
data sources for verification purposes, could facilitate strategic
management of fraud risks in SBA’s ongoing and future programs.
We are making the following two recommendations to SBA for further
enhancement of its data analytics program for fraud prevention and
detection:
The Administrator of SBA, in coordination with the Fraud Risk
Management Board, should ensure that SBA has mechanisms in place
and utilizes them to facilitate cross-program data analytics.
(Recommendation 1)
The Administrator of SBA, in coordination with the Fraud Risk
Management Board, should ensure that SBA has identified external
sources of data that can facilitate the verification of applicant information
and the detection of potential fraud across its programs. It should then
develop a plan for obtaining access to those sources, which may involve
pursuing statutory authority or entering into data-sharing agreement to
obtain such access. (Recommendation 2)
We provided a draft of this report to SBA, DOJ, Treasury, and FDIC for
review and comment. We received written comments from SBA, which
are reproduced in appendix V and summarized below. SBA, DOJ,
Treasury, and FDIC provided technical comments that we incorporated as
appropriate.
In its comments, SBA concurred with both of our recommendations. SBA
further stated that it already engages in both of these suggested activities.
Regarding our first recommendation, SBA noted it has developed cross-
program analytics for pandemic relief programs to identify awardees
suspected of identity theft or fraud who received awards and loans
through multiple programs. Such actions are consistent with our
recommendation, particularly as it relates to fraud detection. However,
SBA should also ensure that it has mechanisms in place and utilizes them
to facilitate cross-program data analytics before funds are disbursed to
help prevent fraud. Regarding our second recommendation, SBA
indicated that it is currently developing additional applicant verification
capabilities that will leverage third-party data sources. According to SBA,
it has met with several federal agencies to explore data-sharing
opportunities.
Recommendations for
Executive Action
Agency Comments
and Our Evaluation
Page 81 GAO-23-105331 COVID Relief
SBA raised several concerns regarding our methodology and
presentation of findings. Specifically, SBA expressed concerns with our
use of the term “fraud indicator” as it relates to our second objective. SBA
appears to limit the use of “fraud indicator” to characteristics that warrant
criminal investigation after program officials have substantially reviewed
an application and determined it represents the highest risk of fraud. As
explained in detail in both the draft and final report, GAO uses fraud
indicator to mean discrepancies found in the data consistent with
characteristics and flags that suggest a potential for fraudulent activity.
We maintain that our methods and use of the term are appropriate. As
intended, our analyses provide insight into the extent fraud indicators
were present, SBA’s exposure to fraud risks, and how some recipients
may have taken advantage of those risks.
SBA also stated that it is likely that the majority of the 3.7 million
recipients we flagged with fraud indicators likely have “no true fraud
indicators.” We disagree. SBA’s statement reflects a fundamental
disagreement about what constitutes a fraud indicator and a lack of
understanding of what a fraud indicator is. Whether a recipient we
identified with a fraud indicator is ultimately found to have engaged in
fraudulent activity is a legal determination usually adjudicated in the
courts. While every fraud indicator may not result in a determination of
fraud, a fraud indicator serves as a red flag for further review and
investigation.
SBA further commented that the draft report omitted any discussion of its
processes to identify potentially fraudulent recipients. We acknowledged
in the draft and final report that SBA established processes to detect
potential fraud. However, the intent of our audit was not to evaluate those
processes and, therefore, our discussion of those processes was limited
and confined primarily to appendix II. Where appropriate, we added
information to the final report on these processes for context. We also
clarified the wording of our third objective, which identifies opportunities
for SBA to enhance its data analytics efforts to facilitate fraud prevention
and detection. Additionally, we plan to review SBA’s antifraud approach
and specifically its four-step process to detect potentially fraudulent loans
and advances and refer them to the SBA OIG in future work.
SBA raised concerns that the results of our fraud indicator analyses did
not account for the inclusion of false positives, or non-fraudulent
recipients, in our results. In its comments, SBA listed various scenarios
that could explain potential false positives. The purpose of our analyses
was to identify the presence of indicators suggesting a recipient may have
Page 82 GAO-23-105331 COVID Relief
misrepresented information to appear eligible or receive approval for a
larger amount, rather than to identify recipients with the highest
probability of having committed fraud. Our analyses to identify the
presence of indicators also help to provide insights related to SBA’s
exposure to fraud risks, particularly since we were able to use a dataset
that SBA does not have access to. This identification step is the precursor
to additional verification, such as the steps SBA has suggested, to
quantify false positive results. Although we constructed our analyses to
reduce false positives, we repeatedly acknowledge that false positive
results may be included in our results.
Additionally, in the report, we address at length the various false positive
scenarios SBA provided in its comments, as well as provide detailed
information on our methods and tolerances. Specifically, see the following
that address each of the scenarios provided by SBA:
• Borrower does not appear in NDNH data between October 2019–
September 2020
• Borrower name is different: page 98 (for PPP) and 103 (for
COVID-19 EIDL) in appendix I, where we explain that the matches
were based on more than business name
• Borrower is a house of worship, religious affiliated private school,
s
mall nonprofit, farm, or tribal business: report pages 54-55
and
pages
98-99 (for PPP) and 103-104 (for COVID-19 EIDL) i
n
appendi
x I, as well as below
• Legitimate business did not file or was late to file with state
w
orkforce agency: report page 53, as well as below regarding tax
non-compliance
• Input error: report page 45
• Change in EIN: page 98 (for PPP) and 103 (for COVID-19 EIDL)
in appendix I, where we explain that the matches were bas
ed on
m
ore than EIN
• Borrower’s employee count does not match that in the NDNH
database
• When borrower applied for loan: report pages 56-57 (including
s
idebar) and page 100 in appendix I, as well as below
• Mistake due to confusion regarding calculation of full-time
equi
valent versus full-time employees: report page 59
Page 83 GAO-23-105331 COVID Relief
• Borrower’s loan amount based on payroll costs does not match wage
information in the NDNH database and corresponding payroll
estimates
• Borrower’s calculation of payroll: pages 100-102 in appendix I, as
well as below
• Above-average non-wage employer expenses: report page 61 and
pages 100-102 in appendix I
• Borrower used allowable alternative calculation: report page 62
• Borrower or lender made good-faith error in calculation, such as
incorrectly accounting for COVID-19 EIDL advances: report pages
61-62
• Appearance of more than one application with the same information
• Number of non-fraudulent reasons: report pages 64-67
• Matching methodology not disclosed: pages 102-103 (for PPP)
and pages 104-105 (for COVID-19 EIDL) in appendix I
• Appearance of more than one application with some of the same
information
• Borrower is part of a business that maintains multiple legal entities:
report page 65
• Borrower is a rideshare driver: report pages 64-65
• Borrower reported different information on the COVID-19 EIDL
application than the PPP application
• Borrower applied for a PPP loan and a COVID-19 EIDL loan at
different times: report page 68
Ther
e are two sets of scenarios that warrant further discussion.
First, in its scenarios related to false positives for the no wage data fraud
indicator, SBA incorrectly stated that we did not remove from our match
with the NDNH database certain types of borrowers such as houses of
worship, small nonprofits, or farms, among others. As discussed in the
report and in appendix I, because of exceptions and variations in wage
data reporting requirements among states, we excluded religious
organizations, agricultural enterprises, nonprofit organizations, and very
small businesses from the results of this indicator analysis to the extent
possible based on available data.
Page 84 GAO-23-105331 COVID Relief
Second, in the scenarios SBA identified for the different employee totals
or payroll costs indicators, SBA suggested that false positives could be
the result of timing differences between when a recipient applied for a
PPP loan and the NDNH data we used. In doing so, SBA incorrectly
characterizes our analyses as matching only against one quarter of data.
For our different employee total count analysis, as discussed in appendix
I, we compared the employee count value provided with the PPP loan-
level data to the highest number of paid employees in any of the available
quarters of NDNH wage data prior to and including the quarter of loan
approval. Similarly, for our different payroll costs analysis, we used the
largest (not the average) quarterly wage recorded in NDNH to estimate
monthly payroll costs for the entire reference period recipients were to
use when calculating payroll costs for their PPP application. Therefore,
contrary to SBA’s comments, no recipients were flagged based on a
mismatch between the application employee count or payroll and a single
quarter of NDNH wage data.
Related to its concerns about false positives, SBA suggested that our
results are unreliable because of our use of the NDNH database. SBA
characterized the NDNH as an employee records database, as opposed
to a corporation and business entity database maintained by a secretary
of state. Given that PPP and COVID-19 EIDL eligibility was tied to
whether the business was in operation as of a certain date and the
number of employees and payroll amount affected PPP loan amounts, we
maintain that the use of the NDNH database, with its information related
to employees and their wages, is appropriate. A corporation and business
entity database would not have provided us with relevant insights.
SBA correctly stated that the NDNH database is only made available to
select government agencies through congressional action. However, it
incorrectly stated that the database is not used by government institutions
to verify information and that it is untested. As discussed in a 2019 report,
at least five federal agencies have authority to use NDNH data to verify
employment and income information as part of their program integrity
efforts.
103
That report also describes efforts undertaken to ensure NDNH’s
accuracy and completeness. We recognize that the NDNH database is
one that SBA currently cannot access; we, therefore, performed our
103
Congressional Research Service, The National Directly of New Hires: In Brief, RS22889
(Washington, D.C,: Oct. 1, 2019). This report also discusses the penalties for the failure of
employers to report required information.
Page 85 GAO-23-105331 COVID Relief
analyses to identify the presence of fraud indicators and provide fraud risk
insights from a relatively unique position.
Further, SBA questioned the completeness of the NDNH database given
its reliance on self-reporting, citing figures that suggest that employment
tax non-compliance is about 9 percent of businesses. This
characterization on the extent of employment tax non-compliance is not
accurate. After analyzing the source SBA cited in its comments, we
determined that the 9 percent rate is based on estimated dollar amounts
rather than the proportion of businesses.
104
Additionally, only a small
proportion of the noncompliance rate is attributed to nonfiling. Specifically,
the estimated rate includes three types of noncompliance – nonfiling,
underreporting and underpayment. The noncompliance rate attributable
to nonfiling is less than 1 percent (0.65 percent). As a result, we
acknowledge that the nonfiling rate may reduce the completeness of the
NDNH wage data. However, it does so at a rate that is significantly less
than what SBA stated. Given that most of our identified fraud indicators
relate to nonfiling, we determined that this potential error rate is
acceptable for the purposes of our analysis.
105
SBA raised the concern that the public will be misled and believe that all
3.7 million unique recipients we identified were likely fraudulent. It also
stated that law enforcement, with limited resources, will be forced to
investigate good-faith errors and non-fraudulent actors. We disagree. We
provide explanations to help readers understand what the presence of a
fraud indicator means and does not mean. This includes explaining that
additional review, investigation, and adjudication is needed to determine if
fraud exists.
Further, we made the referral to the SBA OIG consistent with our policy
and only after coordinating with the SBA OIG. Upon receiving the referral,
the SBA OIG indicated it would enrich that office’s ongoing efforts. As
discussed in the report, this includes informing and prioritizing
104
Internal Revenue Service, Federal Tax Compliance Research: Tax Gap Estimates for
Tax Years 2011–2013, Publication 1415 (Rev. 9-2019).
105
In addition, the underreporting noncompliance rate in the source SBA cited could also
affect our indicators related to employee counts and payroll amounts. However, the
underreporting estimate in the source SBA cited mainly consists of self-employment tax
underpayment and, as already described in our methodology, we removed applicants who
did not indicate they had other employees from our analysis. The applicable
underpayment rate estimate is less than 3 percent. Given that these fraud indicators make
up a small proportion of our findings, we determined that this potential error rate is
acceptable for the purposes of our analysis.
Page 86 GAO-23-105331 COVID Relief
investigative efforts. Additionally, our referral can contribute to the SBA
OIG’s landscape review to develop a comprehensive estimate of the
potential fraud related to PPP and COVD-19 EIDL. This is because, in
part, our referral may include those who have not already been referred
by SBA or identified through ongoing law enforcement efforts. Even for
those who have already been referred or identified, our analyses with the
use of NDNH data may provide new information that warrants further
review.
In discussing our first objective, SBA stated that we did not use any
observations from our analysis of DOJ cases to inform our indicator
analyses. The intent of the first objective was to illustrate how fraud was
committed in closed cases or may have been committed in ongoing
cases, as well as understand the impact of fraudulent activity. Throughout
our indicator analyses discussion, we note consistencies between the
results of our analyses and characteristics we identified in the DOJ cases
and related fraud schemes. For example, our analysis of the 330 DOJ
cases showed that over two-thirds of the cases involved or allegedly
involved non-operating businesses. This is consistent with our “no wage
data” indicator.
SBA further suggested that, based on our analysis of the DOJ cases,
there is no indication that “reused information” is a fraud indicator.
However, our review of the cases showed that individuals made multiple
attempts to defraud the programs, some of whom reused information. For
example, we highlight in the report a case involving a recipient whom we
flagged in our fraud indicator analysis and who, along with co-
conspirators, fraudulently received PPP funds after submitting multiple
applications, including 10 for businesses with the same addresses but
different business names, owners, and descriptions.
SBA also questioned the value of including the regression analysis in our
discussion of lenders that originated higher rates of fraudulent and
potentially fraudulent PPP loans. In addition, SBA critiqued the model for
not being predictive. In describing our regression analysis methods in
detail to allow for replication, we acknowledge limitations and judiciously
use the results in supporting our findings. Specifically, we acknowledge
that these results are not predictive of whether a loan is fraudulent.
Because of the limited information available in the PPP data—for
example, not being able to control for demographic characteristics of loan
applicants due to high rates of missing data—it would be inappropriate to
assume this model explains a majority of the variation in fraudulent loan
Page 87 GAO-23-105331 COVID Relief
activity, and is neither meant to classify loans as fraudulent, nor predict
and explain fraud.
The value of our analysis is to provide insight into associations between
specific characteristics and indicators of fraud as well as to inform any
future analyses of PPP lender activity to further examine such variables
and associations. Additionally, because of the extremely large size of the
analyzed dataset, we did not rely solely on the statistical significance of
parameter estimates due to the increased likelihood of significance due to
random chance alone. Our method of model assessment and inclusion of
model control variables, as discussed in appendix IV, means that our
analysis and findings are conservative in nature. As a result, there is a
higher chance of not detecting associations that may actually exist.
Finally, SBA stated that the draft report did not acknowledge SBA
leadership in making fraud risk management a top priority and that we
have not reflected the work SBA has done to reduce fraud risks in its
programs. We disagree. For example, appendix II contains information on
how SBA’s efforts to manage fraud risks evolved over the course of the
pandemic. As such, we note the important efforts undertaken by SBA in
2021 and 2022 to establish the Fraud Risk Management Board and
conduct fraud risk assessments. Similarly, our discussion in appendix III
of the status of GAO recommendations highlights areas where SBA has
made progress. Finally, in the third objective, we discuss SBA’s data
analytic efforts, including those that resulted in referrals to the SBA OIG
and determinations that some PPP loans were not eligible for
forgiveness.
Page 88 GAO-23-105331 COVID Relief
We are sending copies of this report to the appropriate congressional
committees, the SBA Administrator, the SBA OIG, the Attorney General,
the Secretary of the Treasury, the FDIC Chairman, and other interested
parties. In addition, the report is available at no charge on the GAO
website at http://www.gao.gov.
If you or your staff members have any questions about this report, please
Offices of Congressional Relations and Public Affairs may be found on
the last page of this report. GAO staff who made major contributions to
this report are listed in appendix VI.
Johana Ayers
Managing Director, Forensic Audits and Investigative Service
Page 89 GAO-23-105331 COVID Relief
List of Committees
The Honorable Patty Murray
Chair
The Honorable Susan Collins
Vice Chair
Committee on Appropriations
United States Senate
The Honorable Ron Wyden
Chairman
The Honorable Mike Crapo
Committee on Finance
United States Senate
The Honorable Bernard Sanders
Chair
The Honorable Bill Cassidy
Ranking Member
Committee on Health, Education, Labor, and Pensions
United States Senate
The Honorable Gary C. Peters
Chairman
The Honorable Rand Paul, M.D.
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate
The Honorable Ben Cardin
Chair
The Honorable Joni K. Ernst
Ranking Member
Committee on Small Business and Entrepreneurship
United States Senate
The Honorable Kay Granger
Chair
The Honorable Rosa L. DeLauro
Ranking Member
Committee on Appropriations
House of Representatives
Page 90 GAO-23-105331 COVID Relief
The Honorable Cathy McMorris Rodgers
Chair
The Honorable Frank Pallone, Jr.
Committee on Energy and Commerce
House of Representatives
The Honorable Mark E. Green, MD
Chairman
The Honorable Bennie G. Thompson
Ranking Member
Committee on Homeland Security
House of Representatives
The Honorable James Comer
Chairman
The Honorable Jamie Raskin
Ranking Member
Committee on Oversight and Accountability
House of Representatives
The Honorable Roger Williams
Chairman
The Honorable Nydia M. Velázquez
Ranking Member
Committee on Small Business
House of Representatives
The Honorable Jason Smith
Chairman
The Honorable Richard Neal
Ranking Member
Committee on Ways and Means
House of Representatives
Appendix I: Objectives, Scope, and
Methodology
Page 91 GAO-23-105331 COVID Relief
Our objectives were to (1) analyze fraud cases charged by the
Department of Justice (DOJ) involving Paycheck Protection Program
(PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) to
understand fraud schemes and impacts; (2) provide the results of select
data analyses to identify PPP and COVID-19 EIDL recipients with fraud
indicators, as well as fraud-related lender activity in PPP; and (3) identify
opportunities for SBA to enhance its data analytics to prevent and detect
potential fraud.
1
For all of our objectives, we interviewed officials from the Small Business
Administration’s (SBA) Office of Capital Access, Office of Disaster
Assistance, and Office of Continuous Operations and Risk Management,
as well as senior officials who were members of SBA’s Fraud Risk
Management Council and Fraud Risk Management Board. Additionally,
we interviewed officials from the Department of the Treasury (Treasury),
DOJ, the Federal Deposit Insurance Corporation (FDIC), and the SBA
Office of Inspector General (OIG).
For objective 1, to conduct thematic analysis of fraud cases charged by
DOJ, we identified 330 criminal and civil cases involving PPP and
COVID-19 EIDL based on publicly announced DOJ cases and federal
court documents from May 2020 to December 31, 2021.
2
We identified
the 330 cases included in our analysis by subscribing to alerts from
Westlaw, a legal news service, using search terms “Paycheck Protection
Program” and “Economic Injury Disaster Loan.” We also conducted
periodic checks of the Westlaw database and used other available
1
Fraud indicators are characteristics and flags that serve as warning signs suggesting a
potential for fraudulent activity. The indicators can be used to identify potential fraud and
assess fraud risk but are not proof of fraud, which is determined through the judicial or
other adjudicative system.
2
Fraud cases are those PPP and COVID-19 EIDL cases that involve fraud-related
charges. Fraud-related charges include criminal fraud charges associated with PPP or
COVID-19 EIDL fraud schemes, such as bank fraud or wire fraud, as well as other
charges for crimes used to execute fraud schemes, such as money laundering or
conspiracy charges. Alternatively, DOJ can pursue civil remedies for suspected fraud
under the False Claims Act, 31 U.S.C. § 3729-3733 and the Financial Institutions Reform,
Recovery, and Enforcement Act of 1989, 12 U.S.C. § 1833a.
We selected December 31, 2021, as the ending point of our research because on
December 31, 2021, SBA stopped accepting COVID-19 EIDL applications (per
Consolidated Appropriations Act, 2021). PPP closed in May 2021. We acknowledge that
DOJ has continued to bring charges involving PPP and COVID-19 EIDL since December
31, 2021, and that later cases may involve more complex fraud schemes that may take
longer to investigate and prosecute.
Appendix I: Objectives, Scope, and
Methodology
Appendix I: Objectives, Scope, and
Methodology
Page 92 GAO-23-105331 COVID Relief
sources such as the DOJ Fraud Section website.
3
For identified cases,
we used Public Access to Court Electronic Records to access and
download documents used in the court proceedings, such as indictments,
criminal information, and plea agreements.
4
To conduct the thematic analysis of the 330 cases, we used the GAO
Conceptual Fraud Model. The model is organized as an ontology, which
provides an explicit description of categories of federal fraud, their
characteristics, and the relationships among them.
5
This thematic
analysis was structured and organized using WebProtégé, an ontology
modeling tool developed by the Stanford Center for Biomedical
Informatics Research at the Stanford University School of Medicine. For
each case, we documented structured information about the case, each
charged individual, and, when identified in court documents, businesses
that applied for the loans or advances. After entering and verifying
information in WebProtégé, we analyzed the aggregate data to describe
the characteristics of PPP and COVID-19 EIDL fraud cases.
For the purposes of our analysis, we considered DOJ cases as closed
when they reached conclusion through a guilty plea, settlement,
dismissed charges, or a verdict at trial. We considered cases as ongoing
when they had not reached a conclusion as of December 31, 2021. Some
of our ongoing cases have since reached conclusions, but those
conclusions are not reflected in our analysis. Also, a single case—which
involves fraud-related charges associated with PPP, COVID-19 EIDL, or
both programs—may involve a single or multiple individuals or
businesses, that applied for a single or multiple loans or grants, and
contain a single or multiple fraud mechanisms.
Our analysis is limited to the 330 DOJ cases we identified from public
sources, which may not include all criminal and civil cases related to PPP
and COVID-19 EIDL charged by DOJ as of December 31, 2021.
Additionally, our analysis is based on known information presented in
3
DOJ, Fraud Section Enforcement Related to the CARES Act,
https://www.justice.gov/criminal-fraud/cares-act-fraud
4
Public Access to Court Electronic Records is a service of the federal judiciary that
enables the public to search online for case information from U.S. district, bankruptcy, and
appellate courts. Federal court records available through this system include case
information (such as names of parties, proceedings, and documents filed) as well as
information on case status.
5
GAO, GAO Fraud Ontology Version 1.0, published January 10, 2022.
https://gaoinnovations.gov/antifraud_resource/howfraudworks
Appendix I: Objectives, Scope, and
Methodology
Page 93 GAO-23-105331 COVID Relief
court documents. The specific details of fraud cases and schemes in the
court documents may not be complete. For example, names of
businesses that applied for loans, dollar amounts applied or obtained, or
all fraud mechanisms may not be identified in court documents. Also,
DOJ generally pursues prosecution when officials are confident they can
prove criminal intent beyond a reasonable doubt, and therefore not all
investigations are pursued into litigation.
To identify illustrative cases of fraud involving PPP and COVID-19 EIDL
funds, we used the case information we had documented to judgmentally
select examples within key areas of findings.
6
We selected cases that
contained sufficient levels of detail in available documentation for use as
illustrative examples and that collectively represented a range of
jurisdictions and programs involved (PPP, COVID-19 EIDL, or both).
We limited our selection to closed cases and generally to cases that had
a loan amount obtained within the 2nd or 3rd quartile of all loan amounts
obtained to avoid cases with unusually high or low loan amounts. Cases
selected through this analysis are intended to illustrate examples of how
fraud occurred (closed cases) or may have occurred (ongoing cases).
The illustrative cases are not generalizable to all fraud cases or all
potential fraud involving PPP or COVID-19 EIDL.
To calculate actual and potential financial impacts associated with
criminal PPP and COVID-19 EIDL cases, we categorized the cases
based on whether they were closed or ongoing. We characterized losses
for closed cases as direct losses and for ongoing cases as potential
losses. We characterized all offsets for closed and ongoing cases as
potential offsets because potential offsets include restitution that has
been ordered, but not necessarily repaid. As a result, sums of potential
offsets cannot be subtracted from losses to arrive at the total cost of fraud
for these programs. Additionally, potential offsets may include costs to the
government, such as maintenance of seized assets, among others. We
reported totals in the following two categories:
6
The key areas of findings are (1) eligibility misrepresentation cases where individuals
misrepresented eligibility and program rules were circumvented; (2) false information or
identity theft cases where individuals used false information or used another person’s
personally identifiable information or a business’s information; (3) facilitators cases where
individuals knowingly assisted, recruited, or provided guidance to PPP and COVID-19
EIDL applicants on how to circumvent SBA controls; and (4) broader fraud related to
COVID-19, including pandemic relief programs, or other crimes.
Appendix I: Objectives, Scope, and
Methodology
Page 94 GAO-23-105331 COVID Relief
• Losses: monetary losses incurred by the federal government through
PPP and COVID-19 EIDL government guarantees, lender fees, or
direct lending, excluding costs associated with fraud investigations
and prosecution.
7
• Potential offsets: monetary recoveries received, retained, or both, by
the government, including funds ordered to be paid to the government
or the lender in connection with an adjudicated finding of fraud.
8
Finally, to describe non-financial impact of fraudulent and potentially
fraudulent activity associated with PPP and COVID-19 EIDL, we
developed a framework that identified non-financial ways in which fraud
against SBA pandemic relief programs can manifest itself. We primarily
relied on areas of impact identified in the GAO Conceptual Fraud Model
and the International Public Sector Fraud Forum’s (IPSFF) Guide to
Understanding the Total Impact of Fraud.
9
Based on our review of the
areas of impact identified in GAO’s Conceptual Fraud Model and IPSFF
guide, and considering relevance of impact areas in the context of SBA
pandemic relief programs that provide emergency loans and grants to
small businesses, we selected six areas of non-financial impact to
examine further in our analysis:
(1) economic relief goal;
(2) stakeholder;
(3) security;
7
We measured financial impact separately for closed and ongoing cases. For closed
cases, we measured: (1) PPP and COVID-19 EIDL amounts obtained and (2) PPP lender
fee amount. For ongoing cases, we measured: (1) PPP and COVID-19 EIDL amounts
obtained and (2) PPP lender fee amount at risk. To calculate lender fees, we matched
businesses identified in DOJ cases that received PPP loans with PPP loan-level data. For
matched businesses, we calculated lender fees based on the amount of the loan and
applicable percentages established by SBA.
8
For ongoing cases, we measured potential direct offsets using PPP and COVID-19 EIDL
total amount seized. For closed cases, we measured actual direct offsets using PPP and
COVID-19 EIDL amount subject to restitution.
9
International Public Sector Fraud Forum, Guide to Understanding the Total Impact of
Fraud, February 2020. The Forum was established in 2017 by government officials from
Australia, Canada, New Zealand, the United Kingdom, and the United States. The goal of
the forum is to use shared knowledge to reduce the risk and harm of fraud and corruption
in the public sector across the world.
Appendix I: Objectives, Scope, and
Methodology
Page 95 GAO-23-105331 COVID Relief
(4) reputational;
(5) impact on victim; and
(6) impact on fraudster.
For each identified area of non-financial impact, we developed definitions
relevant to the SBA context and informed by GAO’s Conceptual Fraud
Model and the areas of impact developed by the IPSFF. To develop
statements of impact for each selected area of impact above, we obtained
three or more separate sources relevant to each area of impact, to
include government and industry reports, DOJ fraud case examples,
media reports, and interview with DOJ officials. These statements of
impact are not all encompassing or inclusive of all possible ways the non-
financial impact of pandemic relief programs fraud can manifest itself.
For objective 2, we analyzed PPP and COVID-19 EIDL loan- and
advance-level data for indicators of fraud. Fraud indicators are
characteristics and flags (for simplicity of discussion, we generally use the
term “flags” or “flagged” throughout this section of the appendix) that
serve as warning signs of potentially fraudulent activity. These flags can
be used to identify potential fraud and assess fraud risk but are not proof
of fraud, which is determined through the judicial or other adjudicative
system. Our identifications of unique recipients with fraud indicators are
based on discrepancies we found in the data consistent with
characteristics and flags that suggest a potential for fraudulent activity.
It is possible that the results of our analyses may include non-fraudulent
recipients with one or more data discrepancies that were identified as
fraud indicators. There are multiple factors that may explain why a non-
fraudulent recipient has a discrepancy consistent with a fraud indicator.
One such factor is data entry errors by recipients or those involved in the
approval of funds. There may also be other factors contributing to the
identification of non-fraudulent recipients, including those related to
confusion about how to complete an application. In presenting the results
of our specific analyses, we also noted other factors that may explain why
a non-fraudulent recipient has a discrepancy consistent with a particular
fraud indicator and the steps we took to reduce the number of non-
fraudulent recipients identified. The results of our analyses should not be
interpreted as proof of fraud. Additional review, investigation, and
adjudication is needed to determine if and the extent to which fraud
exists.
Appendix I: Objectives, Scope, and
Methodology
Page 96 GAO-23-105331 COVID Relief
Additionally, the results of our analyses may also include recipients
(1) whom DOJ has prosecuted for fraud, (2) who may be subject to
ongoing investigations,
10
(3) whose loans or advances were flagged by
SBA for other reasons but not pursued as potential fraud, or (4) whose
loans or advances were not flagged by SBA based on fraud indicators.
Therefore, this is may include recipients already flagged by SBA or the
SBA OIG as potentially fraudulent.
We reviewed eligibility requirements for PPP and COVID-19 EIDL loans
and advances and determined fraud indicators that could be identified in
the available data. Specifically, we identified
• recipients who did not have wage data, suggesting the possibility a
business may be a shell company or may not have been in operation
prior to October 2020;
• PPP recipients who had different employee totals or estimated payroll
costs than expected based on wage data, suggesting the possibility of
inflated employee counts or payroll costs to appear eligible for larger
loans or greater forgiveness; and
• recipients of funds based on multiple applications though both
programs limited each unique business entity to one funded
application in each program.
We also identified recipients who successfully submitted applications
using contact, identifying, or business information identical to at least one
other recipient.
To conduct our analyses, we obtained PPP and COVID-19 EIDL loan-
and advance-level data from SBA. This included PPP loan-level data as
of June 30, 2021, and PPP forgiveness and COVID-19 EIDL loan- and
advance-level data as of December 31, 2021 (the most-current data
available when we began our review). We also obtained one year of
national quarterly wage data from the Department of Health and Human
Services’ National Directory of New Hires (NDNH) for the period ending
September 30, 2020, which provided business data, including employee
counts and paid wages before and during the pandemic. NDNH is a
national repository of new hire, quarterly wage, and unemployment
insurance information reported by employers, states, and federal
agencies. The NDNH is maintained and used by the Department of
10
Investigative agencies do not typically comment on ongoing investigations.
Appendix I: Objectives, Scope, and
Methodology
Page 97 GAO-23-105331 COVID Relief
Health and Human Services for the federal child support enforcement
program, which assists states in locating parents and enforcing child
support orders. SBA does not have access to NDNH information.
11
However, similar information such as number of employees and wages
paid can be found on the employer’s federal tax return and other
employer filings. See figure 14 for the time periods and data covered.
Figure 14: National Directory of New Hires (NDNH) and Small Business Administration (SBA) Pandemic Relief Data Obtained
for GAO Analysis
Note: PPP and COVID-19 EIDL limited eligibility to businesses in operation as of February 15, 2020,
and January 31, 2020, respectively. SBA allowed COVID-19 EIDL businesses in the process of
starting operations as of January 31, 2020, to participate as long as certain documentation was
provided to show that the business was in the organizing stage.
For our analyses to identify unique recipients with indicators of PPP fraud,
we matched PPP loan-level data for approximately 3.1 million unique
recipients to four quarters of NDNH wage data using a combination of
employer identification numbers (EIN), Social Security numbers (SSN),
business names, addresses, and states identified in PPP application
data. This allowed us to compare provided PPP application data to
11
Federal law restricts access to the NDNH database to authorized persons and entities,
and for authorized uses. As of May 2023, SBA was not an authorized user of the NDNH
database and, as such, did not have access to NDNH wage data.
Appendix I: Objectives, Scope, and
Methodology
Page 98 GAO-23-105331 COVID Relief
corresponding NDNH wage data to identify unique recipients with fraud
indicators related to the number of employees, payroll expenses, and
existence of wage data.
We also reviewed the loan-level data to determine whether applicants
used the same underlying information to submit multiple applications with
different identifying or business information, and to determine if loans
were disbursed to multiple recipients using the same information.
Our PPP analyses consisted of the steps described below.
• Our initial review of the PPP loan-level data revealed several
recipients who received first draw and second draw loans using
different tax identifiers (e.g., used the business EIN for the first draw
loan and the owner’s SSN for the second draw loan).
12
In order to
identify unique recipients, we used a waterfall matching entity
resolution technique. This technique uses multiple combinations of
different variables such as tax identifier, business name
(standardized), and business address (standardized through United
States Postal Service address matching software) to identify unique
entities. For example, the first match could include variables A, B, and
C while a second match might include variables A, C, and D to identify
a unique recipient.
• To determine whether the business was in operation before February
15, 2020, we compared recipients in the loan-level data to those
recipients matched to NDNH wage data. We flagged unique recipients
who reported two or more employees on their PPP application but did
not match any NDNH wage data. Independent contractors and self-
employed individuals—who do not pay employees and therefore do
not submit wage data—were not considered in our analysis if they
claimed one employee on their PPP application.
After obtaining the results of an initial match of PPP and NDNH wage
data, we took steps to exclude business types that do not consistently
have to report wage data. There are exceptions to quarterly wage
reporting requirements that vary by state and by business type. To
identify business types that do not consistently have to report wage
data, we reviewed the reporting requirements for the ten states that
accounted for almost 60 percent of all funded recipients. These ten
12
A borrower’s first PPP loan, which could be received in either 2020 or 2021, is referred to
as a “first draw loan.” Borrowers that received first draw loans could apply for a second
draw PPP loan in 2021, based on different eligibility requirements.
Appendix I: Objectives, Scope, and
Methodology
Page 99 GAO-23-105331 COVID Relief
states collectively do not always require the following business types
to report wage data:
• religious organizations,
• agricultural enterprises,
• nonprofit organizations, or
• “very small” businesses paying less than $10,000 per year in
wages.
Then, to the extent possible based on available data, we excluded
these business types from the results of our analysis. As a result, we
excluded 167,200 unique PPP recipients from our analysis related to
the no matching wage data indicator. Specifically, the results of our
analysis do not include 102,800 recipients who applied as nonprofit
organizations, 70,900 religious organizations, or 64,600 agricultural
enterprises that received PPP loans but that we could not match to
NDNH wage data.
13
However, we were able to match 112,400 recipients who applied as
nonprofit organizations, 13,500 religious organizations,
63,600 agricultural enterprises, and 1,300 very small businesses that
received PPP loans to the NDNH wage data.
To identify recipients who applied as very small businesses—paying
less than $10,000 per year in wages—we used the following
equations. These equations use the approved PPP loan amount to
determine a) the payroll costs used to calculate that loan amount and
b) the amount of payroll costs attributable to wages paid. See text box
for calculation of payroll costs estimated from approved first draw PPP
loan amount and estimate of paid wages.
14
See later discussion on
discrepancies related to payroll costs for explanation of paid wages
estimated as 78 percent of total payroll costs.
13
No PPP recipients were identified as very small businesses who claimed two or more
employees but were not matched to NDNH wage data. Unique recipients may be
associated with more than one category of potentially excluded business types, so
individual categories will not sum to 167,200.
14
We used the example calculation to estimate payroll costs based on first draw PPP loan
amounts only. Payroll costs used to calculate second draw PPP loans were estimated by
reversing the calculations on SBA Form 2483-SD. For applicants with North American
Industry Classification System codes beginning with “72,” estimated payroll costs =
[approved second draw PPP loan] ÷ 3.5; for other second draw applicants, estimated
payroll costs = [approved second draw PPP loan] ÷ 2.5.
Appendix I: Objectives, Scope, and
Methodology
Page 100 GAO-23-105331 COVID Relief
Reported payroll costs calculation
Estimated payroll costs = ([Approved first draw Paycheck Protection Program loan] –
[COVID-19 Economic Injury Disaster Loan]) ÷ 2.5
Paid wages calculation
Paid wages = [Estimated payroll costs] x 0.78
Source: GAO. | GAO-23-105331
Recipients that we could match to NDNH wage data regardless of
business type were included in our other analyses, such as those
related to employee counts and payroll costs.
Businesses that were in operation prior to October 2019 but did not
submit wage data between October 2019 and September 2020 may
be included in the unique recipients flagged in this analysis. This
includes seasonal businesses that did not operate at all during this
time period. Seasonal business operations can fluctuate and result in
businesses closing for parts of the year. However, a lack of a match to
NDNH wage data indicates that a business may not have paid any
employees from October 2019 through September 2020, raising the
possibility that it was a shell company or non-operational business.
• To determine whether there were discrepancies in employee counts,
we compared the employee count value provided with the PPP loan-
level data to the highest number of paid employees in any of the
available quarters of NDNH wage data—as opposed to the average
number of employees across all quarters—prior to and including the
quarter of loan approval. We limited this comparison to those unique
recipients who indicated two or more employees on their PPP
applications. To account for PPP application employee counts based
on a 12-month timeframe other than October 2019 through
September 2020—for example, new employees hired after September
2020 and included in the application employee count average—we
added a 10 or 50 percent buffer to the paid employee count in NDNH.
Specifically:
• For business with 10 or more paid employees in the NDNH wage
data, we flagged unique recipients who reported greater than
10 percent more employees than were recorded in NDNH.
• For businesses with fewer than 10 paid employees in the NDNH
wage data, we flagged unique recipients who reported more than
50 percent more employees than were recorded in NDNH.
• To identify discrepancies related to payroll costs, we estimated the
expected PPP loan amount using the monthly equivalent of the
Appendix I: Objectives, Scope, and
Methodology
Page 101 GAO-23-105331 COVID Relief
highest total wages paid in any single quarter of available NDNH
wage data—not the average of wages paid across all available
quarters—prior to and including the quarter of loan approval, as well
as any associated COVID-19 EIDL loan amounts, to estimate monthly
payroll costs. We then compared the estimated loan amount to the
approved loan amount in the PPP loan-level data.
The maximum PPP loan amount was based on payroll costs, which
include additional employer expenses beyond employee wages.
However, the NDNH data reflect wages paid, which are one
component of payroll costs. As a result, we estimated overall payroll
costs using NDNH wage data and the Department of Labor’s Bureau
of Labor Statistics data. According to the Bureau of Labor Statistics
data, non-wage employer expenses in the private industry averaged
approximately 19.3 percent of total payroll costs in 2019 and 2020.
15
We rounded this to 20 percent and added an additional 2 percent to
account for potential variation across businesses. This brought the
total percentage of non-wage employer expenses to 22 percent.
Therefore, we estimated wages paid—and recorded in NDNH—were
78 percent of total payroll costs. After estimating payroll costs (as
monthly wages estimated from NDNH wages paid divided by 78
percent), we added an additional 10 percent buffer to further mitigate
variations across businesses and limitations of available data. See
text box for calculation of total estimated payroll costs.
Total estimated payroll cost calculation
Total estimated payroll costs = (Highest monthly wages estimated from National
Directory of New Hires quarterly wage data ÷ 0.78) * 110%
Source: GAO. | GAO-23-105331
Using the estimated payroll costs, we used equations provided on first
draw and second draw PPP loan applications to calculate maximum
15
This percentage is based on Bureau of Labor Statistics private industry data for June
2019 and March 2020. Non-wage employer costs averaged 19.3 percent of total
employee compensation (18.8 to 19.8 percent at the 95 percent confidence level). These
non-wage employer costs are composed of insurance, retirement and savings, and legally
required benefits costs—which include costs for Social Security, Medicare, workers’
compensation, and both state and federal unemployment insurance—as described by the
Bureau of Labor Statistics. Bureau of Labor Statistics data are derived from approximately
6,400 private industry entities for June 2019 costs and 6,300 private industry entities for
March 2020 costs. U.S. Department of Labor, Bureau of Labor Statistics, Employer Costs
for Employee Compensation – June 2019, USDL-19-1649, p.4. U.S. Department of Labor,
Bureau of Labor Statistics, Employer Costs for Employee Compensation – March 2020,
USDL-20-1232, p.4.
Appendix I: Objectives, Scope, and
Methodology
Page 102 GAO-23-105331 COVID Relief
eligible loan amounts (2.5 or 3.5 times payroll costs, depending on the
business industry and if it was a first or second draw loan). First draw
PPP loans could also be increased to refinance COVID-19 EIDL
loans. For PPP recipients who had also received COVID-19 EIDL
loans, we added the total amount of COVID-19 EIDL loan funds
disbursed as of December 31, 2021 (excluding advance funds) to the
calculated PPP loan amount prior to conducting our final analysis.
See text box for an example of our calculation of a maximum eligible
first draw PPP loan amount.
16
Maximum eligible loan calculation
Estimated first draw Paycheck Protection Program loan = 2.5 x [Total estimated payroll
costs] + [COVID-19 Economic Injury Disaster Loan]
Calculation notes:
Total estimated payroll costs = (Highest monthly wages estimated from National
Directory of New Hires quarterly wage data ÷ 0.78) * 110%
COVID-19 Economic Injury Disaster Loan = COVID-19 Economic Injury Disaster Loan
amount associated with matched recipient
Source: GAO. | GAO-23-105331
We flagged those unique recipients whose approved PPP loan
amounts exceeded the loan amounts we estimated using the above
payroll cost calculation, actual wages recorded in the NDNH, and
associated COVID-19 EIDL loan amounts. We limited this comparison
to those recipients with matching NDNH wage data.
• To determine if recipients may have received funds in violation of
program limits on the number of loans per business entity, we flagged
unique recipients who received more than one funded loan that were
identified as the same unique recipient using the waterfall matching
technique discussed above. This analysis considered only unique
recipients who received more than one first draw PPP loan and did
not flag recipients who received one first and one second draw loan
for the same business.
• To determine if multiple loans were disbursed to recipients using the
same information, we reviewed and compared recipient information
16
The example calculation provided was used to estimate maximum eligible first draw PPP
loans only. Maximum eligible second draw loan estimates were calculated using the
equation on SBA Form 2483-SD. For applicants with North American Industry
Classification System codes beginning with “72,” estimated second draw PPP loans = 3.5
x [payroll costs]; for other applicants, estimated second draw PPP loans = 2.5 x [payroll
costs]. These calculations applied only to those unique recipients who matched NDNH
wage data.
Appendix I: Objectives, Scope, and
Methodology
Page 103 GAO-23-105331 COVID Relief
such as EIN, SSN, business name, business address, business type,
and reported employee count.
We flagged unique recipients who provided
• the same business name and address as at least one other
unique recipient but a different EIN or SSN;
• the same address and business information as at least one other
unique recipient but a different business name and EIN or SSN; or
• a business address associated with at least five unique recipients.
For our analysis to identify unique recipients with indicators of COVID-19
EIDL fraud, we matched loan- and advance-level data on almost
1.5 million unique recipients to four quarters of NDNH wage data using a
combination of the EINs, business names, addresses, and states
identified in COVID-19 EIDL loan and advance application data. This
allowed us to compare provided COVID-19 EIDL application data to
corresponding NDNH wage data to identify unique recipients with fraud
indicators related to the existence of the business. We also reviewed the
loan- and advance-level data to identify unique recipients who used the
same underlying information to submit multiple applications with different
identifying or business information, and to determine if loans or advances
were disbursed to multiple recipients using the same information.
Our COVID-19 EIDL analyses consisted of the steps described below:
• As with our PPP analysis, we used a waterfall matching entity
resolution technique to identify unique COVID-19 EIDL recipients.
• To determine whether businesses were in operation on or before
January 31, 2020, we compared recipients in the loan- and advance-
level data to those recipients matched to NDNH wage data.
17
We
flagged unique recipients who indicated two or more employees on
their COVID-19 EIDL application but did not match any NDNH wage
data. As with the PPP analysis, independent contractors and self-
employed individuals were not considered in our analysis if they
claimed one employee on their COVID-19 EIDL application.
We also excluded those business types that do not consistently have
to report wage data from the results of our analysis, as discussed
above. This resulted in us excluding 225,300 unique COVID-19 EIDL
17
SBA allowed COVID-19 EIDL businesses in the process of starting operations as of
January 31, 2020, to participate as long as certain documentation was provided to show
that the business was in the organizing stage.
Appendix I: Objectives, Scope, and
Methodology
Page 104 GAO-23-105331 COVID Relief
recipients from our analysis related to the wage data indicator.
Specifically, the results of our analysis do not include
13,200
recipients who applied as nonprofit organizations,
28,100 religious organizations, or 190,200 agricultural enterprises that
received COVID-19 EIDL funds but that we could not match to NDNH
wage data.
18
However, we were able to match 9,100 recipients who applied as
nonprofit organizations, 3,200 religious organizations, and
17,300 agricultural enterprises that received COVID-19 EIDL funds to
NDNH wage data.
• Similar to our PPP analysis to determine if recipients received multiple
loans, we flagged COVID-19 EIDL recipients who received more than
one funded loan or advance that were identified as the same unique
recipient using the waterfall matching technique. This analysis
considered only unique recipients who received funds from more than
one approved COVID-19 EIDL loan or advance application. It did not
flag recipients who received increases after the initial loan
disbursement or multiple types of COVID-19 EIDL advances (such as
an advance disbursed prior to the initiation of targeted advances as
well as a targeted advance) based on a single application.
• As with our PPP analysis to determine if multiple loans were
disbursed to unique recipients using the same information, we
reviewed and compared recipient information such as EIN, SSN,
business name, business address, bank account and internet protocol
(IP) address; and business information such as business type,
reported employee count, and owner EIN and name.
We flagged unique recipients who provided
• the same business name and address as at least one other
unique recipient but a different EIN or SSN;
• the same address and business information as at least one other
unique recipient but a different business name and EIN or SSN;
• a business address associated with at least five unique recipients;
• an IP address associated with at least 10 unique recipients;
18
COVID-19 EIDL loans and advances were not payroll- or wage-dependent, as PPP
loans were. We, therefore, could not determine which recipients applied as very small
businesses. As a result, no very small businesses were excluded from the results of our
comparison of COVID-19 EIDL loan- and advance-level data to NDNH wage data. Unique
recipients may be associated with more than one category of potentially excluded
business types, so individual categories do not sum to 225,300.
Appendix I: Objectives, Scope, and
Methodology
Page 105 GAO-23-105331 COVID Relief
• the same bank routing number and account number as at least
one other unique recipient; or
• the same owner EIN as at least one other unique recipient but a
different owner name.
In addition, we compared PPP loan-level data to COVID-19 EIDL loan-
and advance-level data to identify unique recipients of funds from both
programs. We reviewed matching unique recipients to determine if
corresponding applications had consistent information between programs
and if fraud indicators, where identified, could have informed each
program.
To assess the reliability of the NDNH, PPP, and COVID-19 EIDL data, we
reviewed documents related to the data, interviewed knowledgeable
officials, and performed electronic testing to determine the validity of
specific data elements used to perform our work. On the basis of our
reliability assessment results, we determined that the data were
sufficiently reliable for the purposes of matching and identifying
discrepancies that indicate potential fraud. The results of our analyses,
including the identification of discrepancies associated with a fraud
indicator, should not be interpreted as proof of fraud.
We also sought to report the number of unique recipients identified in our
analyses who were already associated with SBA OIG records. To do so,
we provided SBA OIG a list of all unique recipients associated with at
least one fraud indicator based on our analyses and the associated PPP
loan number(s) or COVID-19 EIDL application number(s). However, the
SBA OIG informed us that it is currently developing and assessing the
dataset necessary to conduct such a match. As such, the SBA OIG was
unable to provide a response in time for inclusion in this report.
To analyze lending activity for PPP loans issued to borrowers charged by
DOJ, we leveraged information on fraud cases as discussed in objective
1. We matched businesses identified through DOJ fraud cases to PPP
loan-level data, which contained associated lender information. We
analyzed matched data to identify characteristics of lenders with fraud
cases, including lenders with the most fraud cases. Further, to provide
insight into associations among variables of lender and borrower
characteristics as well as to inform any future analyses, we conducted a
statistical analysis using logistic regressions. A logistic regression
describes the relationship between a binary outcome variable—in this
case incidents of alleged fraud charged by DOJ—and select factors of
interest, such as loan- and lender-level characteristics and select fraud
Appendix I: Objectives, Scope, and
Methodology
Page 106 GAO-23-105331 COVID Relief
indicators, while controlling for other factors. See appendix IV for
information on our regression analysis.
Finally, we collected and analyzed data on suspicious activity reports filed
by financial institutions for PPP from the Treasury’s Financial Crime
Enforcement Network from April 2020 through December 31, 2021. We
categorized each unique suspicious activity report by month and reporting
lender type.
For objective 3, we evaluated SBA’s data analytic efforts for opportunities
to enhance fraud prevention and detection. We did so by reviewing
previous GAO reports, the results of our own fraud indicator analyses,
and SBA documents. We assessed SBA’s efforts against the leading
practices identified in GAO’s Fraud Risk Framework we determined to be
most relevant. Specifically, those practices relate to conducting (1) data
mining to identify suspicious activities and transactions and (2) data
matching to verify key information.
19
In appendix II, we summarized SBA fraud risk management efforts
throughout the pandemic across its four pandemic relief programs. We
reviewed prior GAO, SBA OIG, and Pandemic Response Accountability
Committee reports to gain information about the prior oversight work and
recommendations that had been made regarding SBA’s fraud risk
management of the pandemic relief programs.
20
We reviewed SBA
documentation, such as (1) fraud risk assessments; (2) antifraud
procedures related to PPP, COVID-19 EIDL, the Restaurant
Revitalization Fund, and the Shuttered Venue Operators Grant; (3) Fraud
Risk Management Council meeting minutes; and (4) the Fraud Risk
Management Board charter and meeting minutes, among other
documents.
We also interviewed SBA officials to learn about fraud risk management
efforts across pandemic relief programs. In reporting on SBA fraud risk
management efforts, we considered all four components of GAO’s Fraud
19
GAO, A Framework for Managing Fraud Risks in Federal Programs, GAO-15-593SP
(Washington, D.C.: July 2015). Data mining analyzes data for relationships that have not
previously been discovered. Data matching is a process in which information from one
source is compared with information from another, such as government or third-party
databases, to identify any inconsistencies.
20
The Pandemic Response Accountability Committee (PRAC) was established by the
CARES Act to conduct oversight of the federal government’s pandemic response and
recovery effort. The PRAC is composed of 21 federal inspectors general.
Appendix I: Objectives, Scope, and
Methodology
Page 107 GAO-23-105331 COVID Relief
Risk Framework—commit, assess, design and implement, and evaluate
and adapt—as well as relevant leading practices of the Framework under
each component.
We conducted this performance audit from July 2021 to May 2023, in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 108 GAO-23-105331 COVID Relief
The Small Business Administration (SBA) moved quickly under
challenging circumstances to develop and launch four pandemic relief
programs to help offset the economic hardships facing small businesses.
However, early in the pandemic, external factors—such as legislative
design and the large scale of the programs—increased fraud risks across
SBA’s pandemic relief programs. These external factors along with SBA’s
lack of strategic fraud risk management in its ongoing programs prior to
the pandemic—such as a lack of dedicated antifraud entity and fraud risk
assessments—contributed to missed opportunities for SBA to
strategically manage fraud risks.
Throughout the pandemic, SBA adapted its fraud risk management
approach and added controls as fraud schemes emerged. However,
these actions were reactive and may not have been fully effective.
Further, key actions, such as formally assessing fraud risks as called for
in GAO’s Fraud Risk Framework, occurred after most funds were
distributed.
1
These actions nevertheless represent important steps in
SBA’s efforts to mature its fraud risk management.
In its initial response to the pandemic, SBA moved quickly under
challenging circumstances to develop and launch the Paycheck
Protection Program (PPP) and the COVID-19 Economic Injury Disaster
Loan (COVID-19 EIDL). SBA was tasked with delivering pandemic relief
programs that far exceeded the size of SBA’s prior disaster relief and
ongoing lending programs. The legislative design that eliminated certain
verification requirements coupled with the large scale of the programs,
increased fraud risks.
1
GAO, A Framework for Managing Fraud Risks in Federal Programs, GAO-15-593SP
(Washington, D.C.: July 2015).
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Legislative Design, Scale
of Pandemic Relief
Programs, and Lack of
Strategic Fraud Risk
Management Contributed
to Missed Opportunities
for SBA
Legislative Design and Large
Scale of Pandemic Relief
Programs Increased
Fraud
Risks
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 109 GAO-23-105331 COVID Relief
As illustrated in figure 15, the CARES Act changed some fraud-related
requirements in PPP, as compared to the 7(a) program, and COVID-19
EIDL, as compared to traditional EIDL.
2
Figure 15: Examples of Changes to Traditional Small Business Administration (SBA) Programs Made by the CARES Act
2
CARES Act, Pub. L. No. 116-136, 134 Stat. 281 (2020). The PPP was authorized under
SBA’s existing 7(a) small business lending program. The 7(a) loan guarantee program
provides small businesses access to capital that they would not be able to access in the
competitive market. The COVID-19 EIDL program was partially based on an existing SBA-
administered program providing EIDL disaster loans. EIDL, which is part of SBA’s Disaster
Loan Program, provides low-interest loans to help borrowers—small businesses and
nonprofit organizations located in a disaster area—meet obligations or pay ordinary and
necessary operating expenses. In this report, we refer to the Economic Injury Disaster
Loan provisions of SBA’s Disaster Loan Program as “traditional” EIDL and to the EIDL
program designed to help small businesses recover from the economic impacts of the
COVID-19 pandemic as COVID-19 EIDL.
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 110 GAO-23-105331 COVID Relief
SBA officials explained that when Congress created PPP and COVID-19
EIDL, it removed safeguards that had been in place for the 7(a) and
traditional EIDL programs pre-pandemic in an effort to expedite loan
processing. SBA officials further noted that the CARES Act’s restriction
on using applicants’ tax information made it challenging to verify applicant
eligibility for COVID-19 EIDL. They said that they built in as much fraud
prevention and protection as they could within the time they had.
Moreover, the size of PPP and COVID-19 EIDL far exceeded any other
disaster relief program SBA had previously administered. For example,
an SBA official testified during a July 2020 congressional hearing that
since SBA was founded in 1953, SBA had approved a total of 2.2 million
disaster loans for $66.7 billion.
3
Amid the urgency to help adversely
affected small businesses and within the confines of the authorizing
legislation, SBA launched PPP and COVID-19 EIDL early in the
pandemic with limited upfront safeguards against fraud.
PPP. In 2020, the CARES Act and the Paycheck Protection Program and
Health Care Enhancement Act provided $659 billion for SBA-guaranteed
PPP loans.
4
As of August 8, 2020, when Round 1 of PPP closed, lenders
had approved 5.2 million PPP loans, totaling about $525 billion. To put
this figure in context, SBA’s largest single year in 7(a) lending volume
before PPP was about $25 billion, in fiscal year 2017.
As we reported in June 2020, SBA moved swiftly to implement PPP so
that lenders could begin making and disbursing loans as quickly as
possible.
5
SBA launched PPP 1 week after the CARES Act was signed
into law. To implement the program as quickly as possible, SBA
streamlined the application and review process, which largely rested on
borrower certifications. As set forth in the CARES Act, borrowers had to
certify in good faith that
1. current economic uncertainty made the loan request necessary to
support the applicant’s ongoing operations, and
3
U.S. House of Representatives, Small Business Committee, The Economic Injury
Disaster Loan Program: Status Update from the Administration, 116th Cong., 2d sess.,
July 1, 2020.
4
CARES Act, Pub. L. No. 116-136, 134 Stat. 281 (2020); Paycheck Protection Program
and Health Care Enhancement Act, Pub. L. No. 116-139, 134 Stat. 620 (2020).
5
GAO, COVID-19: Opportunities to Improve Federal Response and Recovery Efforts,
GAO-20-625 (Washington, D.C.: June 25, 2020).
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 111 GAO-23-105331 COVID Relief
2. funds would be used to retain workers and maintain payroll or make
payments for other covered expenses.
SBA, consistent with the CARES Act, required minimal loan underwriting
from lenders—limited to actions such as (1) confirming receipt of
borrower certifications, (2) confirming receipt of information demonstrating
that the borrower had employees for whom the borrower paid salaries
and payroll taxes on or around February 15, 2020, (3) reviewing
supporting payroll documentation, and (4) following applicable Bank
Secrecy Act requirements, including a customer identification program.
6
This left the program susceptible to fraudulent applications. SBA officials
told us that this approach for PPP was intentionally developed with more
fraud and eligibility controls implemented post-origination (at the loan
forgiveness and review stages) rather than up front, and characterized it
as a model focused on speed.
7
The result of limited upfront safeguards
and the lenders’ rapid review of loan applications increased the risk of
fraud. In effect, a “pay and chase” approach, relying on fraud detection
after funds had been disbursed, was adopted for PPP.
The SBA OIG reported that SBA’s efforts to hurry capital to businesses
were at the expense of controls that could have reduced the likelihood of
ineligible or fraudulent businesses obtaining a PPP loan. Specifically, in
January 2021, the SBA OIG found that lenders approved more than
6
According to SBA, in the Economic Aid Act, Congress agreed with SBA’s approach by
expanding the lender hold harmless provision found in 15 U.S.C. § 636m(h) to allow PPP
lenders to rely on any certification or documentation supplied by an applicant. Section 305
of the Economic Aid Act provides that the expanded hold harmless language shall be
effective as if included in the CARES Act and shall apply retroactively to any loan made
before the date of enactment of the Economic Aid Act.
7
The post-origination loan review process developed by SBA and Treasury combined
automated screenings of all PPP loans made in 2020 and manual reviews of selected
loans to test for compliance with program requirements, which includes testing for
eligibility and fraud. SBA officials told us that SBA also applied machine learning to the
results of the automated screening process to focus loan review resources on the areas of
greatest risk of fraud or ineligibility. SBA used a contractor to conduct the automated and
manual loan reviews to test for compliance with program requirements and evaluate the
accuracy of PPP borrowers’ self-certifications. We discuss controls that SBA added in
2021 later in the appendix.
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 112 GAO-23-105331 COVID Relief
$402 million in PPP loans to approximately 5,000 potentially ineligible
businesses that registered their businesses after February 15, 2020.
8
COVID-19 EIDL. As of October 2020, SBA had disbursed over
$373 billion in COVID-19 EIDL loans and advances, an amount which
exceeded all disaster loans made by SBA in all years combined since the
agency’s creation in 1953. In part to help small businesses quickly early
in the pandemic, the COVID-19 EIDL program, with its loans and
advances, was implemented with fewer safeguards than the traditional
EIDL program. For example, SBA reduced existing controls by removing
the rule of two reviewers for each loan application, setting high production
goals, approving loans in batches with minimal review, and not requiring
comments on all system flags of potential fraud.
A 2020 SBA OIG report found that in expediting the COVID-19 EIDL
process to make emergency capital available to struggling small
businesses, SBA “lowered the guardrails,” or relaxed internal controls.
9
This significantly increased the risk of fraud in the program. In May 2021,
the SBA OIG reported that as of January 31, 2021, SBA had referred
almost 850,000 COVID-19 EIDL applications to the OIG because of
identity theft complaints.
10
Of those referrals, SBA had disbursed
approximately 112,000 COVID-19 EIDL loans totaling $6.2 billion and
99,000 advances for $468 million.
11
8
SBA OIG, Inspection of SBA’s Implementation of the Paycheck Protection Program, 21-
07 (Washington, D.C.: January 2021). To qualify for PPP, a business must have been in
operation since at least February 15, 2020.
9
SBA OIG, Inspection of SBA’s Initial Disaster Assistance Response to the Coronavirus
Pandemic, 21-02 (Washington, D.C.: October 2020).
10
SBA OIG, SBA’s Handling of Identity Theft in the Covid-19 Economic Injury Disaster
Loan Program, 21-15, (Washington, D.C.: May 2021). SBA officials told us that they have
continued to refer loans and advances involving identity theft to the SBA OIG. Specifically,
according to SBA, as of November 2022, it had flagged and was in the process of
referring approximately 195,250 loans for confirmed or suspected identity theft (for
approximately $10.2 billion disbursed) and approximately 155,565 advances for confirmed
or suspected identity theft (for approximately $792.8 million disbursed).
11
According to SBA, as of November 2022, SBA has confirmed identity theft on
7,700 COVID-19 EIDL loans. The confirmation of identity theft is an administrative function
separate from a law enforcement investigation that prevents adverse action or harm to an
identity theft victim by disassociating the loan record from the victim’s identity. It includes
the issuance of a letter stating that the victim is not responsible for repayment of the debt
and release of collateral (if the loan is secured), among other actions.
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 113 GAO-23-105331 COVID Relief
In administering COVID-19 EIDL, SBA experienced initial shortages of
loan officers, attorneys, and call center staff, which likely created
challenges to loan screening and fraud response. According to the SBA
OIG, by July 31, 2020, SBA’s Office of Disaster Assistance, which was
responsible for COVID-19 EIDL, had increased staff from 3,483 to 9,000
to address loan processing demands. SBA also used contractors to
expand its capacity to process and review applications. For example,
because SBA did not have the capacity to handle the number of COVID-
19 EIDL applications, it turned to a contractor for a system to provide
automated initial recommendations to approve or decline applications and
flag applications with issues for further review by SBA.
The environment in which SBA was operating as it initially implemented
PPP and COVID-19 EIDL had several factors that contributed to
heightened fraud risks. The Fraud Risk Framework highlights factors that
increase the risk of improper payments, including those that are the result
of fraudulent activity. These factors, which were present in PPP and
COVID-19 EIDL, include
• whether the program is new to the agency;
• the volume of payments made annually; and
• recent major changes in program funding, authorities, practices, or
procedures.
As outlined in the Fraud Risk Framework, effective fraud risk
management takes into consideration the environment, including legal
requirements. While legislative provisions limited SBA’s ability to
implement specific control activities, strategic fraud risk management
takes into account these factors when designing controls. As such, SBA
had opportunities to engage in strategic fraud risk management despite
the environment it was in as it implemented PPP and COVID-19 EIDL.
The first component of the Fraud Risk Framework calls for agencies to
commit to combating fraud by creating an organizational culture and
structure conducive to fraud risk management. Specifically, one of the
component’s leading practices is for agencies to designate an entity to
design and oversee fraud risk management activities. The antifraud
entity, among other things, serves as a central repository of knowledge on
fraud risks and controls, manages the fraud risk assessment process,
leads or assists with trainings and other fraud awareness activities, and
coordinates antifraud initiatives across programs.
SBA’s Lack of a Dedicated
Antifraud Entity before the
Pandemic Hindered Its Initial
Ability to Manage Fraud Risks
in Pandemic Relief Programs
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 114 GAO-23-105331 COVID Relief
When the pandemic began, SBA did not have a dedicated antifraud entity
that it could leverage for fraud risk management in the pandemic relief
programs. In 2019, SBA had established the Fraud Risk Management
Council (Council) to oversee and coordinate agency-wide fraud risk
management. However, according to SBA officials, when the pandemic
began, the Council did not have the infrastructure to conduct agency-wide
fraud risk management in alignment with the Fraud Risk Framework’s
leading practices.
SBA had two other offices that were generally responsible for working
with program offices to identify and respond to potential risks, including
those related to fraud. The Office of Continuous Operations and Risk
Management is responsible for, among other things, agency-wide
recovery response for disasters and the evaluation and assessment of
SBA’s critical risks and nonfinancial internal controls. In addition,
according to an SBA official, when SBA implements a new program, the
Office of Internal Controls coordinates with the program office to plan
proper internal controls and ensure they are implemented. However, SBA
officials indicated neither of these offices served as SBA’s dedicated
antifraud entity.
The lack of a dedicated antifraud entity presented challenges and missed
opportunities for SBA as it worked to establish and implement programs
early in the pandemic. For example, SBA officials told us that neither the
Council, nor the Office of Continuous Operations and Risk Management,
nor the Office of Internal Controls were involved in the design or initial
implementation of program controls—including antifraud controls—for
PPP or COVID-19 EIDL. As a result, program offices responsible for PPP
and COVID-19 EIDL drew upon their own knowledge to develop controls,
without coordinated guidance and support.
Moreover, without a dedicated antifraud entity to provide agency-wide
leadership, not all SBA staff received ongoing training focused on fraud
risk management. As outlined in the Fraud Risk Framework, fraud
awareness initiatives, including training, can enable managers,
employees, and stakeholders to better detect potential fraud. Leading
practices include requiring all employees to attend training upon hiring
and on an ongoing basis thereafter. SBA officials told us that they have
held annual enterprise risk management training for managers and
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 115 GAO-23-105331 COVID Relief
supervisors since 2018.
12
However, while the Fraud Risk Framework
acknowledges that agencies may use initiatives like enterprise risk
management efforts to assess their fraud risks, the Fraud Risk
Framework does not eliminate the separate and independent fraud risk
management requirements. Additionally, SBA officials said that the Office
of Disaster Assistance has conducted fraud awareness training for loan
officers and case managers since 2010.
13
However, agency-wide, there
was no required, ongoing fraud awareness training for all employees,
including employees managing PPP and COVID-19 EIDL programs
during the pandemic.
A key responsibility of a dedicated antifraud entity is to manage the fraud
risk assessment process. The second component of the Fraud Risk
Framework directs agencies to plan regular fraud risk assessments and
assess risks to determine a fraud risk profile.
14
As part of this effort,
agencies should (1) plan regular fraud risk assessments that are tailored
to the program and (2) identify and assess risks to determine the
program’s fraud risk profile. The results of such assessments are then to
be used to design and implement a strategy with specific control activities
to mitigate assessed fraud risks.
Further, assessments can help program officials determine whether
certain controls are effectively designed and implemented to reduce the
likelihood or impact of a fraud risk to a tolerable level. A fraud risk
assessment for an existing program can be used as a starting point for a
revised or new fraud risk assessment for a modified or new program,
providing a baseline of likely risks that would need to be revisited given a
new emergency environment, including legislative changes and
restrictions.
12
Enterprise risk management is a forward-looking management approach that allows
agencies to assess threats and opportunities that could affect the achievement of their
goals.
13
SBA officials also stated that a fraud team has functioned within the Office of Disaster
Assistance since before 2005, reviewing files suspected of fraud and referring matters to
the SBA OIG, among other things. This team was expanded during COVID-19 EIDL to
address needs and take on additional roles. However, this team did not perform the roles
of a dedicated antifraud entity, as described in the Fraud Risk Framework.
14
As described in the Fraud Risk Framework, a fraud risk profile includes the analysis of
the types of internal and external fraud risks facing the program, their perceived likelihood
and impact, managers’ risk tolerance, and the prioritization of risks.
SBA Had Not Conducted
Fraud Risk Assessments that
Could Have Informed
Implementation of Pand
emic
Relief Programs
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 116 GAO-23-105331 COVID Relief
Before the pandemic, SBA had taken steps to aid program offices in
assessing fraud risks. Specifically, it had developed a tool to assist
programs in completing fraud risk assessments. However, the Council did
not officially adopt the tool for agency-wide use until September 2021,
after most of the pandemic relief funds were distributed.
SBA had not conducted formal fraud risk assessments for its programs,
including 7(a) and traditional EIDL, in alignment with the Fraud Risk
Framework’s leading practices before the pandemic. SBA officials told us
that they considered fraud risks when designing PPP and COVID-19
EIDL and that they had “zero tolerance” for fraud.
15
Further, according to
SBA officials, they conducted what they characterized as informal fraud
risk assessments during the pandemic. For example, as we reported in
March 2021, SBA brought together subject matter experts from SBA and
Treasury, as well as contractors, to identify fraud risks and mitigating
controls for PPP.
16
However, SBA was not able to provide us with
documentation related to these assessments and their results.
Consequently, such informal assessments were limited in the extent to
which they could inform program officials who did not participate in the
initial effort to assess and mitigate PPP fraud risks and could not serve as
a basis for fraud risk management strategies. Further, it does not appear
that these informal assessments contained all of the key elements of the
fraud risk assessment process, as described in the Fraud Risk
Framework.
As a result, SBA could not leverage fraud risk assessments from its
existing programs as it sought to quickly implement the pandemic relief
programs. SBA officials told us that although they did not have formal
fraud risk assessments, they did informally consider fraud risks and
sought to mitigate them when administering PPP and COVID-19 EIDL.
15
The Fraud Risk Framework does not indicate that the purpose of fraud risk management
is to have zero fraud. The Fraud Risk Framework calls on agencies to develop a fraud risk
tolerance that takes into account circumstances of individual programs and other
objectives beyond mitigation of fraud risks. For example, when responding to natural
disasters, managers of an assistance program may have a higher fraud risk tolerance,
such as “low” rather than “very low,” for making payments to potentially fraudulent
applicants if the applicants live in a severely damaged area.
16
GAO, COVID-19: Sustained Federal Action Is Crucial as Pandemic Enters Its Second
Year, GAO-21-387 (Washington, D.C.: Mar. 31, 2021).
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 117 GAO-23-105331 COVID Relief
However, conducting a formal fraud risk assessment could have better
helped SBA prioritize risks and allocate resources early in the pandemic.
For example, although the programs had some key differences,
previously conducted assessments for the 7(a) and traditional EIDL
programs, including information on known fraud risks and effective
controls, could have informed the design of PPP and COVID-19 EIDL,
respectively. Such assessments could have been readily leveraged as
SBA officials considered how changes, such as the restriction on the use
of tax information, affected their prioritization of risks and the suitability of
existing fraud controls. Given the limited timeframes SBA had to
implement both PPP and COVID-19 EIDL, the presence of existing,
related fraud risk assessments could have allowed SBA to conduct new
assessments more quickly. Likewise, the existence of a standard and
widely understood tool for doing assessments could have enabled
program officials to conduct an assessment readily as PPP and COVID-
19 EIDL were being implemented.
As noted in the third component of the Fraud Risk Framework, managers
who effectively manage fraud risks develop and document an antifraud
strategy. This strategy, which is to be informed by the fraud risk profile,
should describe the program’s approach for addressing the prioritized
fraud risks identified during the fraud risk assessment. The antifraud
strategy, among other items, describes how the agency will (1) allocate
resources to respond to residual fraud risks; (2) prevent, detect, and
respond to fraud, as well as monitor risks; and (3) establish roles and
responsibilities for those involved in fraud risk management. Absent a
formal fraud risk assessment and resulting fraud risk profile, SBA did not
have assurances that it was identifying, assessing, and prioritizing risks
effectively. Likewise, without an antifraud strategy based on a fraud risk
profile, SBA was not positioned to ensure that it was strategically
addressing its most significant fraud risks.
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 118 GAO-23-105331 COVID Relief
The fourth component of the Fraud Risk Framework calls on agencies to
evaluate outcomes using a risk-based approach and adapt activities to
improve fraud risk management. Managers are to monitor and evaluate
the effectiveness of preventive activities, including fraud risk assessments
and the antifraud strategy, as well as establish controls to detect fraud
and implement response efforts.
In the absence of formal fraud risk assessments and an antifraud
strategy, SBA responded to risks as they arose. SBA officials attributed
this approach to pandemic-related resource constraints and pressure to
distribute funds quickly.
PPP. SBA made changes from Round 1 to Round 2 of PPP to address
some fraud risks. In Round 1, SBA rules allowed lenders to rely on
borrower self-attestation to determine borrower eligibility and use of loan
proceeds. SBA relied on lenders with delegated authority under the
CARES Act to make and approve covered loans, and SBA did not
conduct any review of loan or borrower information beyond looking for
duplicate applications before issuing an SBA loan number, thus
guaranteeing the loan.
17
To prevent potential fraud in PPP and consistent with our June 2020
recommendation, SBA added certain upfront controls for Round 2. For
example, in Round 2, which began in January 2021, SBA used an
automated screening system to validate some applicant data and
17
Although lenders were not required to conduct detailed underwriting of PPP applications,
they had to apply relevant Bank Secrecy Act (BSA) program requirements. The BSA, as
revised, imposes a number of reporting and recordkeeping obligations on covered
financial institutions in an effort to prevent money laundering and the financing of
terrorism, including, among other things, verifying the identity of customers, conducting
ongoing customer due diligence, and filing suspicious activity reports with Treasury’s
Financial Crimes Enforcement Network.
SBA Adapted Its Approach
During the Pandemic, but
Its Actions Were Reactive
and Not Timely and May
Not Have Been Fully
Effective
SBA Added Controls as Fraud
Schemes Emerged, but Its
Actions Were Reactive and
May Not Have Been Fully
Effective
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 119 GAO-23-105331 COVID Relief
eligibility responses prior to loan approval.
18
As discussed in the Fraud
Risk Framework, automated controls tend to be more reliable than
manual controls (such as document reviews) because they are less
susceptible to human error.
Although SBA added upfront controls in Round 2, the controls may not
have been as effective as they could have been at preventing some types
of fraud. Specifically, in January 2022, the PRAC reported that SBA’s
additional upfront controls to screen all Round 2 loans likely would not
have detected some of the PPP fraud found in 2020 criminal cases.
19
Specifically, the controls would not have been effective in preventing
fraudulent activities such as ones related to falsified documentation and
certifications.
20
PRAC reported that a key underlying factor contributing to
the control gaps in SBA’s antifraud controls was the lack of a formal fraud
risk assessment during the design and implementation of the 2021
controls.
COVID-19 EIDL. Over the course of its COVID-19 response, SBA made
some changes to enhance its application review process and identify
potential fraud. These changes applied to both the automated validation
system and the manual review process.
Validating application inputs. SBA made several changes to validate
applicant information. For example, in May 2020, SBA
• required applicants to check each eligibility criterion before being able
to proceed,
18
SBA rolled out a new PPP loan origination platform in 2021, embedding 89 digital
application checks and notifying lenders in real time of data errors or suspect information.
Additionally, SBA began screening all loans in the aggregate to identify and analyze
relationships across loans, borrowers, and lenders to identify potentially suspicious
relationships and activities.
19
PRAC, Small Business Administration Paycheck Protection Program Phase III Fraud
Controls (Jan. 21, 2022).
20
SBA officials told us that based on their review of the PRAC report, they conducted their
own analysis of the criminal cases included in the PRAC’s analysis. According to SBA’s
analysis, the controls put in place in 2021 would have likely identified 88 percent of cases.
However, those controls would likely not have identified potentially fraudulent applicants
associated with 12 percent of the cases. According to SBA, effective lender due diligence
actions could have also played a role in preventing loans from being disbursed for the
cases that would have circumvented SBA’s controls.
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 120 GAO-23-105331 COVID Relief
• added validation of bank account routing numbers, and
• added a function to identify mismatches between ZIP codes and
states.
In August 2020, SBA began to revalidate bank account information
whenever the loan applicant changed this information.
Changing the application review process. The SBA OIG found that
until August 2020, applications that did not contain certain fraud alerts
flagged by the automated validation system were approved by team
leaders in batches and with little to no additional review by the team
leaders.
21
After August 2020, SBA stopped approving loans in batches
and began requiring staff to review all applications prior to approval and
to mitigate all system alerts.
Validating tax information. SBA made changes to the loan application
review process in response to new legislation. SBA officials told us the
CARES Act’s restriction on obtaining applicants’ tax returns presented a
challenge for validating applications. The Consolidated Appropriations
Act, 2021, enacted on December 27, 2020, removed this restriction.
22
SBA officials told us that beginning in April 2021, the agency started
incorporating tax information as part of its validation process for loan
applications to confirm that businesses existed on or before January 31,
2020, and to verify business revenue.
23
Between April 2021 and July
2022, SBA verified tax information for roughly 1.9 million applications with
the Internal Revenue Service (IRS), which represents 72 percent of total
21
SBA OIG, Inspection of Small Business Administration’s Initial Disaster Assistance
Response to the Coronavirus Pandemic, 21-02 (Washington, D.C.: October 2020). The
SBA OIG found that SBA approved batches of 25 to 50 COVID-19 EIDL loans with little or
no vetting of individual loan information, increasing fraud risk.
22
Consolidated Appropriations Act, 2021, Pub. L. No. 116-260, div. M and N, 134 Stat.
1182 (2020).
23
SBA required COVID-19 EIDL applicants to submit 2019 federal income tax returns. It
also required applicants to submit 2020 federal income tax returns, if available. If a
business began operations in January 2020 and had not yet filed federal income taxes,
SBA required applicants to submit business financial statements, including a balance
sheet and profit-and-loss statement.
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 121 GAO-23-105331 COVID Relief
applications and 99 percent of approved applications during this time
period.
24
Additionally, SBA reported improvements in loan processing beginning in
September 2021. Specifically, SBA stated that application processing
capacity increased from an average of 2,000 to more than
37,000 applications per day. SBA attributed the increased productivity in
part to its ability to obtain tax transcript data directly from IRS. SBA
officials said that tax transcripts provided directly to SBA were critical in
combatting fraud because transcripts helped verify the existence of
legitimate businesses.
In response to SBA’s experience with PPP and COVID-19 EIDL, SBA
officials told us they designed the agency’s later pandemic relief
programs with an emphasis on pre-award controls. SBA accepted
Restaurant Revitalization Fund (RRF) and Shuttered Venue Operators
Grant (SVOG) applications in 2021.
RRF. To verify an applicant’s identity and eligibility, SBA designed the
RRF application process to include a series of automated and manual
reviews. The RRF application portal included a variety of automated
controls to verify applicants’ self-reported information against third-party
information. For example, automated controls verified applicants’ bank
account information, taxpayer identification numbers and tax returns
(against IRS information), and addresses (against U.S. Postal Service
address data).
25
SBA staff manually reviewed applications that were
flagged by the automated controls and applications it deemed to be
higher risk, such as those for larger awards. Before payment, applications
were routed through SBA’s payment system, which included additional
24
Applications include new applications, modifications, reconsiderations, and appeals. SBA
officials told us that incomplete and declined COVID-19 EIDL applications did not advance
to the stage where IRS verification was requested. SBA approved 1 percent of
applications without obtaining an IRS tax transcript because these files could be approved
without requesting transcripts, such as applications for nonprofit entities that are exempt
from filing or entities that were not established until 2020 (and therefore did not have a
2019 tax transcript).
25
Applicants had to provide the following supporting documents: (1) IRS Form 4506-T;
(2) documentation of gross receipts and eligible expenses including business tax returns
(IRS Form 1120 or IRS 1120-S); (3) IRS Forms 1040 Schedule C or Schedule F;
(4) partnership’s IRS Form 1065 (including K-1s); and (5) bank statements; externally or
internally prepared financial statements such as income statements or profit and loss
statements; and point-of-sale report(s), including IRS Form 1099-K.
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 122 GAO-23-105331 COVID Relief
checks. The payment system compared RRF applicants with the
Treasury’s sanctions and Do Not Pay service.
26
The system also
performed public records searches for inactive businesses, criminal
offenses, and bankruptcies.
SVOG. To verify business identities, SBA required SVOG applicants to
register with business data and contracting sites—Dun & Bradstreet and
the System for Award Management (SAM.gov).
27
Applicants were also
required to upload applicable entity formation documents, such as articles
of incorporation or tax-exempt certificates. Before disbursing an award,
the SVOG applicant review team was also to check that an applicant was
not listed on Treasury’s Do Not Pay service. Application reviewers were
to verify that applicants met general eligibility requirements. For example,
reviewers were to verify bankruptcy status and criminal history using
Lexis-Nexis.
SBA adapted its approach to include more upfront controls throughout the
pandemic, but its approach was not universal or consistent. For example,
despite its experience with COVID-19 EIDL, SBA did not universally verify
RRF and SVOG tax information with IRS before disbursing awards even
though it had originally planned to do so. SBA officials told us that IRS
could not handle the volume of verifications SBA requested for RRF
applicants and consequently some awards did not go through this step.
According to SBA, challenges and extended time frames associated with
interagency coordination resulted in SBA removing automatic reviews of
applicant tax information against IRS data for low-risk SVOG funding
requests with proposed grant awards below a certain dollar threshold. As
an alternative, SBA verified financial information against additional
documentation.
Further, SBA did not fully leverage fraud-related information across the
pandemic relief programs to help identify applicants trying to defraud
multiple programs. For example, we found that PPP and RRF programs
disbursed almost $11.5 million to an applicant that was denied COVID-19
26
Treasury’s Do Not Pay service is an analytics tool that helps federal agencies detect and
prevent improper payments made to vendors, grantees, loan recipients, and beneficiaries.
Agencies can use the service to check multiple data sources to make payment eligibility
decisions.
27
Dun & Bradstreet (a business data analytics firm) issues and verifies a DUNS number,
which is a unique nine-digit identifier assigned to a business. Businesses use SAM.gov (a
federal website) to register to do business with the U.S. government.
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 123 GAO-23-105331 COVID Relief
EIDL. This individual applied using fictitious business entities, and all of
the applications were submitted online from the individual’s computer.
This individual pled guilty to fraud-related charges in September 2022.
28
SBA officials indicated they did not cross-check PPP or RRF recipients
with COVID-19 EIDL recipients because an applicant may qualify for one
program and not another due to eligibility differences. In addition, SBA
officials told us that they did not have mechanisms in place to cross-
check PPP and COVID-19 EIDL application information. SBA had
mechanisms to cross-check some identifiers for RRF recipients—such as
addresses and emails—with cases of confirmed, rather than suspected,
COVID-19 EIDL fraud. Nevertheless, a denial in one program may be due
to suspected fraud, and cross-checking program data can help identify
questionable applications.
SBA officials acknowledged to us that their fraud risk management
efforts—specifically as they relate to implementing the Fraud Risk
Framework’s leading practices—are in the developmental phase. While
SBA had antifraud controls in place and adapted those controls for its four
pandemic relief programs, SBA’s key fraud risk management activities—
such as conducting fraud risk assessments and designating an antifraud
entity—occurred after some pandemic relief programs stopped accepting
applications and most of the program funds were distributed (see fig. 16).
They nevertheless represent important steps in SBA’s efforts to mature its
fraud risk management.
28
Department of Justice, Former Oregon Dentist Pleads Guilty to Stealing Nearly
$11.5 million in Covid-Relief Program Funds (Portland, Or.: Sept. 13, 2022). Accessed
Sept. 15, 2022, at https://www.justice.gov/usao-or/pr/former-oregon-dentist-pleads-guilty-
stealing-nearly-115-million-covid-relief-program.
SBA Conducted Fraud Risk
Assessments and Designated
an Antifraud Entity After Most
Pandemic Relief Funds Were
Distributed
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 124 GAO-23-105331 COVID Relief
Figure 16: The Small Business Administration’s (SBA) Key Fraud Risk Management Activities Occurred after Most Program
Funds Were Distributed
Note: SBA had controls in the pandemic relief programs prior to conducting a formal fraud risk
assessment. Additional legislation passed during this period includes the Paycheck Protection
Program Flexibility Act of 2020. Enacted on June 5, 2020, the Paycheck Protection Program
Flexibility Act of 2020 amended the Small Business Act to require a minimum maturity of 5 years for
PPP loans. Pub. L. No. 116-142, § 2, 134 Stat. 641 (2020) (codified as amended at 15 U.S.C.
§ 636(a)(36)(K)). The application period for PPP initially ended on June 30, 2020. On July 4, 2020,
legislation was enacted that extended the application period until August 8, 2020. Pub. L. No. 116-
147, 134 Stat. 660 (2020).
a
The PPP Extension Act of 2021 extended the application period from March 31, 2021, to May 31,
2021, and allowed SBA until June 30, 2021, to process those applications. On May 4, 2021, the PPP
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 125 GAO-23-105331 COVID Relief
general fund was exhausted and closed to new applications, except those processed by a community
financial institution lender.
b
After Congress deemed COVID-19 a disaster, SBA began to declare states and territories eligible for
COVID-19 EIDL loans beginning on March 16, 2020. The declarations allowed SBA to begin using
about $1.1 billion of its existing disaster loan credit subsidy to make COVID-19 EIDL loans before the
CARES Act was enacted.
c
The distributed amount for COVID-19 EIDL is higher than the net appropriated funding of
$75.2 billion due to COVID-19 EIDL loan credit subsidy. Loan credit subsidy covers the government’s
cost of extending or guaranteeing credit and represents the estimated long-term cost of providing
loans and takes into account expected future performance, including loan repayments, prepayments,
and defaults. The loan credit subsidy amount was about one-seventh of the cost of each disaster loan
in fiscal year 2020 and one-eleventh in fiscal year 2021.
d
The portal for SVOG opened on April 8, 2021, but shut down the same day because of a software
problem, reopening on April 26, 2021.
SBA conducted formal fraud risk assessments for its pandemic relief
programs in fall 2021, after most funds had been distributed. The Fraud
Risk Framework indicates that fraud risk assessments are most helpful in
developing preventive fraud controls to avoid costly and inefficient “pay-
and-chase” activities. Assessing fraud risks is an iterative process. Had
SBA conducted initial fraud risk assessments before or even shortly after
launching the programs, it could have targeted and refined its controls to
further minimize risks and allocated resources to the most pressing fraud
risks. It also could have updated the fraud risk assessments as new risks
were identified. The timing of the assessments limited their usefulness for
fraud prevention.
Furthermore, SBA did not use the assessments to inform post-award
fraud detection efforts. For example, we found in October 2022 that
SVOG post-award draft monitoring procedures did not link to the risks
SBA identified in its fraud risk assessments.
29
Consequently, we
recommended that SVOG post-award monitoring procedures address the
risks the agency identified. According to SBA, it finalized the SVOG fraud
risks assessment in March 2023, which directly addresses the risks
identified in the post-award monitoring procedures. This recommendation
will remain open until SBA provides documentation of updated post-
award monitoring procedures. Similarly, when SBA developed a data
analytics approach to help identify potential fraud in COVID-19 EIDL in
response to a GAO recommendation, SBA did not link the data analytics
to the risks identified in its fraud risk assessment.
29
GAO, COVID Relief: SBA Could Improve Communications and Fraud Risk Monitoring for
Its Arts and Entertainment Venues Grant Program, GAO-23-105199 (Washington, D.C.:
Oct. 11, 2022).
Appendix II: Overview of SBA’s Fraud Risk
Management Efforts Implementing the
Pandemic Relief Programs
Page 126 GAO-23-105331 COVID Relief
SBA formed the Fraud Risk Management Board (the Board) in February
2022 and designated it as the agency’s dedicated antifraud entity.
30
According to SBA documentation, the Board—composed of agency
executives across SBA—serves primarily in a guidance and oversight role
and is to meet at least quarterly. The Board is to be supported by at least
one program manager. SBA officials said there is an expectation that
program offices will work collaboratively with the Board. Program offices
remain responsible for design and implementation of fraud risk
management activities for their programs.
In June 2022, SBA issued a Fraud Risk Management Action Plan that
identifies the Board’s priorities in its role as the dedicated antifraud entity.
The priorities listed for fiscal year 2022 include (1) retaining a program
manager; (2) using data analytics to assess for indicators of fraud in PPP
and COVID-19 EIDL; and (3) developing and offering antifraud training. In
July 2022, SBA officials told us the Board had designated an interim
program manager and approved a cross-disciplinary advisory team with a
range of subject matter expertise including data analytics, fraud litigation,
occupational fraud, and training. SBA also offered fraud prevention
training to some of its employees in 2022.
In September 2022, the Board approved SBA’s fraud risk management
strategic plan, which it described as a forward-leaning, multi-year plan
designed to advance the maturity of SBA’s enterprise-wide fraud risk
management capabilities. The plan seeks to encompass leading practices
from GAO’s Fraud Risk Framework along with lessons learned from PPP
and COVID-19 EIDL implementation. Among the plan’s strategic goals is
fraud risk monitoring, which includes planned actions for developing a
robust data analytics program that focuses on identification of
transactional anomalies that are further investigated and communicated.
30
Once the SBA formed the Fraud Risk Management Board, the Fraud Risk Management
Council was disbanded.
Appendix III: Prior GAO Recommendations to
Address Fraud Risks and SBA Actions
Page 127 GAO-23-105331 COVID Relief
In prior reports, we made multiple recommendations to improve fraud risk
management in the Small Business Administration’s (SBA) pandemic
relief programs.
Paycheck Protection Program (PPP). We made four recommendations
related to oversight of and fraud in PPP from June 2020 to March 2021.
As of March 2023, SBA implemented three of them.
• In June 2020, we recommended that SBA develop and implement
plans to identify and respond to risks in PPP, including fraud risks.
1
At
that time, SBA neither agreed nor disagreed with this
recommendation. Since then, SBA has developed a Master Review
Plan that included an approach to use an automated rules-based tool
to flag loans with attributes of ineligibility, fraud, or abuse, and then
manually review them. As such, we have closed this recommendation
as implemented.
• In November 2020, we recommended that SBA expeditiously estimate
improper payments—including improper payments resulting from
fraudulent activity—and report estimates and error rates for PPP.
2
At
that time, SBA neither agreed nor disagreed with this
recommendation. However, as part of its Fiscal Year 2022 Agency
Financial Report, SBA reported an improper payment rate of
4.2 percent (or $29 billion). As such, we have closed this
recommendation as implemented.
• In March 2021, we recommended that SBA
1. conduct a fraud risk assessment for PPP and
2. develop a strategy to address fraud risks on a continuous basis.
3
SBA agreed with both recommendations. Since then, SBA has
implemented the first recommendation, and we have closed it.
1
GAO, COVID-19: Opportunities to Improve Federal Response and Recovery Efforts,
GAO-20-625 (Washington, D.C.: June 25, 2020).
2
GAO, COVID-19: Urgent Actions Needed to Better Ensure and Effective Federal
Response, GAO-21-191 (Washington, D.C.: November 30, 2020). An improper payment is
defined as any payment that should not have been made or that was made in an incorrect
amount (including overpayments and underpayments) under statutory, contractual,
administrative, or other legally applicable requirements. It includes, but is not limited to,
any payment to an ineligible recipient. See 31 U.S.C. § 3351(4). While improper payments
may be the results of errors, they may also be the result of fraudulent activities.
3
GAO, COVID-19: Sustained Federal Action Is Crucial as Pandemic Enters Its Second
Year, GAO-21-387 (Washington, D.C.: Mar. 31, 2021).
Appendix III: Prior GAO Recommendations
to Address Fraud Risks and SBA Actions
Appendix III: Prior GAO Recommendations to
Address Fraud Risks and SBA Actions
Page 128 GAO-23-105331 COVID Relief
Specifically, in December 2021, SBA provided a fraud risk assessment for
the program that had been prepared by its contractor. This assessment
adhered to many but not all fraud risk management leading practices. For
example, the assessment documented known and emerging fraud risks;
identified existing prevention, detection, and response activities; and
determined gaps within fraud risk management to enhance mitigation of
fraud risks. However, the assessment did not include a fraud risk
tolerance for the program. In April 2022, SBA established a fraud risk
tolerance for PPP that identified potential risks that exceeded SBA’s
willingness to tolerate them. SBA identified mitigating activities to
minimize those risks that exceeded SBA’s tolerance.
Regarding the second recommendation, although SBA has created a
fraud risk management action plan and other review and oversight plans
for PPP, none of these documents individually or collectively fully align
with the Fraud Risk Framework. Further, an antifraud strategy should
clearly communicate to employees and other relevant stakeholders SBA’s
approach for managing fraud risks in the program and link those antifraud
efforts to other risk management activities. To date, SBA has not fully
articulated a strategic approach to managing fraud risks in PPP—through
detection and response—on a continuous basis. Although SBA is not
issuing new PPP loans, there remains a risk of fraud in the program,
which the strategy should seek to manage through detection and
response. As of March 2023, this recommendation remains open.
COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) Program.
We made four recommendations related to fraud risk management in
COVID-19 EIDL in January and March 2021. As of March 2023, SBA has
implemented three of them.
• In January 2021, we recommended that SBA develop and implement
portfolio-level data analytics across COVID-19 EIDL as a means to
detect potentially ineligible and fraudulent applications.
4
At the time of
our report, SBA neither agreed nor disagreed with this
recommendation. In June 2022, SBA officials provided us with a
demonstration of a COVID-19 EIDL data analytics and loan anomaly
detection project that the agency had initiated. In September 2022,
they provided additional information, including sample reports, on the
4
GAO, COVID-19: Critical Vaccine Distribution, Supply Chain, Program Integrity, and
Other Challenges Require Focused Federal Attention, GAO-21-265 (Washington, D.C.:
Jan. 28, 2021).
Appendix III: Prior GAO Recommendations to
Address Fraud Risks and SBA Actions
Page 129 GAO-23-105331 COVID Relief
project. We have therefore closed this recommendation as
implemented.
• In March 2021, we recommended that SBA
1. conduct a fraud risk assessment for COVID-19 EIDL,
2. develop a strategy to address fraud risks on a continuous basis,
and
3. implement a comprehensive oversight plan to identify and respond
to risks, including fraud risks.
5
SBA agreed with these three recommendations. To address the first two
recommendations, SBA took the same actions as it did to address similar
PPP recommendations involving a fraud risk assessment and fraud risk
management strategy. We have closed the fraud risk assessment
recommendation as implemented. The fraud risk management strategy
recommendation remains open as of March 2023. To address the third
recommendation, in August 2022, SBA provided an updated oversight
plan for the COVID-19 EIDL program. The plan described controls SBA
had or planned to implement to identify and address fraud risks in the
COVID-19 EIDL program, including fraud reviews SBA indicated it had
conducted on a sample of disbursed COVID-19 EIDL loans. In February
2023, SBA provided additional documentation on certain controls, such
as manual reviews of delinquent loans, to address fraud risks in the
program. We have closed this recommendation as implemented.
Restaurant Revitalization Fund (RRF). We made three
recommendations related to fraud risk management in our July 2022
report on RRF. As of March 2023, these recommendations have not yet
been implemented. Specifically, we recommended that SBA
1. develop and implement data analytics across RRF awards as a
means to detect potentially fraudulent award recipients;
2. develop, document, and implement procedures to use
enforcement data on suspected fraud in other SBA programs,
such as PPP, to identify potential fraud in RRF recipients; and
3. develop and implement a plan to respond to potentially fraudulent
and ineligible RRF awards in a prompt and consistent manner.
6
5
GAO-21-387.
6
GAO, Restaurant Revitalization Fund: Opportunities Exist to Improve Oversight,
GAO-22-105442 (Washington, D.C.: July 14, 2022).
Appendix III: Prior GAO Recommendations to
Address Fraud Risks and SBA Actions
Page 130 GAO-23-105331 COVID Relief
SBA partially agreed with our recommendation to use data analytics to
identify potentially fraudulent RRF recipients and disagreed with our
remaining two recommendations. We continue to believe that
implementing these recommendations would enhance fraud risk
management in RRF.
Shuttered Venue Operators Grant (SVOG). We made one
recommendation related to SVOG fraud risk management in our October
2022 report, which has not yet been implemented. We recommended that
post-award monitoring procedures for SVOG specifically address the
risks the agency has assessed, including fraud risks, and clearly link them
to monitoring activities.
7
As part of this effort, we explained that SBA
should document its tolerance for the risks it has identified. SBA partially
agreed with this recommendation. According to SBA, it finalized the
SVOG fraud risks assessment in March 2023, which directly addresses
the risks identified in the post-award monitoring procedures as well as risk
tolerance. This recommendation will remain open until SBA provides
documentation of updated post-award monitoring procedures.
7
GAO, COVID Relief: SBA Could Improve Communications and Fraud Risk Monitoring for
Its Arts and Entertainment Venues Grant Program, GAO-23-105199 (Washington, D.C.:
Oct. 11, 2022).
Appendix IV: Regression Analysis
Page 131 GAO-23-105331 COVID Relief
To analyze lending activity for Paycheck Protection Program (PPP) loans
issued to borrowers charged by the Department of Justice (DOJ), we
conducted generalized linear regressions using logistic modeling. We
conducted the regressions using PPP data to explore associations
between loan and lender characteristics and select fraud indicators, and
identified incidents of fraud and alleged fraud charged by DOJ, while
controlling for other factors.
1
Such a model allowed us to test the
association between incidents of fraud charged by DOJ and selected
business-, loan-, and lender-level characteristics, and fraud indicators,
such as whether or not the recipient reported inflated employee counts,
while holding constant other factors, such as lender type and business
type.
We limited our analysis to PPP loans that were approved and funded.
This was a universe of approximately 12,500,000 applications and
approximately 11,464,000 approved and funded loans. The amount of
characteristics with complete data were limited to a small set of variables.
Of these, we used subject matter expertise from prior GAO work on fraud
to identify potential control variables and their association with outcomes.
In particular, we used several fraud indicators, which were developed and
calculated by GAO, while also controlling for characteristics of the loan,
the applying business, and the lender. See appendix I for more
information on the indicators of fraud. For the purposes of our analysis we
created composite or recoded variables as identified in table 5 and
included the variables as shown in table 6.
1
Typically, a generalized linear regression model is appropriate when the model
assumption of normality is not appropriate, as is the case with a binary (e.g., yes/no)
outcome for logistic regressions.
Appendix IV: Regression Analysis
Appendix IV: Regression Analysis
Page 132 GAO-23-105331 COVID Relief
Table 5: Created Variables Used in the Regression Analysis of the Small Business Administration (SBA) Paycheck Protection
Program Loans, Years 2020-2021
GAO category
Original value(s)
Recoded value(s)
Business ownership type
1 = 501(c) Nonprofit (except 3, 6, 19)
2 = 501(c)19 Nonprofit Veteran
3 = 501(c)3 Nonprofit
4 = 501(c)6 Nonprofit Membership
5 = Cooperative
6 = Corporation
7 = Employee Stock Ownership Plan
8 = Housing Co-op
9 = Independent Contractors
10 = Joint Venture
11 = Limited Liability Company (LLC)
12 = Limited Liability Partnership
13 = Nonprofit Childcare Center
14 = Nonprofit Organization
15 = Partnership
16 = Professional Association
17 = Qualified Joint-Venture
18 = Rollover as Business Start-Ups
19 = Self-Employed Individuals
20 = Single Member LLC
21 = Sole Proprietorship
22 = Subchapter S Corporation
23 = Tenant in Common
24 = Tribal Concerns
25 = Trust
•
Self-employed business (17, 19, 20, 21)
• Non self-employed business (all else)
Asset size
Numeric dollar amount of lender assets
•
Unknown
• Small (less than $1 billion)
• Medium ($1 billion to less than $10 billion)
• Large ($10 billion or greater)
Loan size
Numeric dollar amount of loan
•
Small (less than or equal to $350,000)
• Medium (greater than $350,000 to $2 million)
• Large (greater than $2 million)
Source: GAO analysis of SBA data. | GAO-23-105331
Appendix IV: Regression Analysis
Page 133 GAO-23-105331 COVID Relief
Table 6: Variables Included in GAO Regression Models Using the Small Business
Administration (SBA) Paycheck Protection Program Loans, Years 2020-2021
Control—
independent variables
Outcome—
dependent variables
Model
specification
Loan characteristics: loan size
Lender characteristics: lender
type (lender/nonbank lender),
asset size
Business characteristics:
business ownership type, locale
(urban/rural)
Fraud indicators: did not pay
employees, overstated payroll
expenses, non-existent
businesses
Whether or not a loan was
associated with a Department
of Justice (DOJ) case as of
December 31, 2021 (yes/no)
Logistic
Regression
Source: GAO analysis of DOJ information and SBA data. | GAO-23-105331
To account for the presence of multiple correlated fraud indicators, a
generalized linear model was run using a penalized logistic regression to
determine an optimal combination of characteristics and fraud indicators.
In particular, we used a least absolute shrinkage and selection operator—
known as LASSO—regularization model, which is a specific type of
penalized logistic regression model. Regularization methods are useful
for assessing which variables are most important to the model when
collinearity exists among control variables, or the number of potential
control variables is large. In this case there is strong collinearity among
the fraud indicators. It is important to also note that such methods can be
conservative in nature, which means there is a higher chance of not
detecting an association when one exists. Such a model allowed us to
identify an optimal set of factors significantly associated with the outcome
and which factors we should exclude.
All regression models are subject to limitations. For this model, we
encountered the following limitations:
• The outcome we analyzed was created using statistical software to
match fraud cases to the loan-level data. However this outcome is a
subset of the population of fraudulent loans, and associations cannot
be generalized to the population of fraudulent loans. Furthermore, the
outcome is not dichotomous since the inability to associate a loan with
a DOJ case does not imply that the loan is not fraudulent but rather
that it is unknown whether the loan is fraudulent or not.
Appendix IV: Regression Analysis
Page 134 GAO-23-105331 COVID Relief
• Using this matching process, we were able to match 1,197 loan
applications. Because we limited our analysis to approved and funded
loans, only 944 matched loans remained out of the 11,464,173 funded
loans, which represents an extremely small percentage
(0.008 percent) of the total.
• Data analyzed for these regression analyses were by loan rather than
by lender, with limited information about lender characteristics.
Additionally, many loan- and lender-level characteristics had high
rates of missing values, which made them unsuitable for use in our
analyses. Consequently, we are not able to describe the association
between our independent variables and a lender’s association with
loans in DOJ cases, while controlling for other characteristics.
• Results of our analyses are associational and do not imply a causal
relationship because, for example, the data are observational in
nature and were not gathered by a randomized controlled trial where
loan applications would be randomized to lenders with certain
characteristics. Additionally, we do not imply that the set of control
variables explains the variation of fraud in loans or predict whether or
not a loan is fraudulent.
• It is likely that variables that may be related to loan and lender
characteristics and fraud cases are not available in the data. As an
example, in this context, it could be that an applicant’s annual income
adjusted for family size could be associated with the likelihood of a
fraud case.
• Additionally, all data are subject to non-sampling error. Non-sampling
error could occur for many reasons, such as inability to obtain
complete information for all loan applications, inability or unwillingness
of applicants to provide correct information, mistakes by applicants,
and errors made in the collection or processing of data (such as data
quality checks).
A logistic regression model provides an estimated odds ratio of an event
occurring, such as whether a lender or loan characteristic is associated
with higher or lower odds of an identified fraud conviction, holding other
factors constant.
For the estimated odds ratio, a value greater than one indicates a higher
or positive association, and a value less than one indicates lower or
negative association, when the factor is present. For example, an
estimated odds ratio less than one indicates lower odds of an identified
fraud conviction when a factor is present.
Appendix IV: Regression Analysis
Page 135 GAO-23-105331 COVID Relief
Given the limitations of our data and models, we present a general
summary of associations by providing the direction, rather than estimated
odds of an identified fraudulent loan case, as shown in table 7. “Increase”
means that a particular variable was significantly associated with an
increase in the odds of identified fraud case at the p-value < 0.05 level;
“decrease” indicates a decrease in the odds, while holding all other
variables in the model constant. A blank “—” indicates the variable is not
significantly associated with identified fraud at the p-value < 0.05 level.
For categorical variables, we provided the comparison (reference)
characteristic in brackets. For example, the results should be interpreted
to show loans for sole proprietor businesses are more likely to be
identified in a fraud case, relative to businesses that are not sole
proprietorships, holding other factors constant, because the association is
significantly positive.
Table 7: Associations of Logistic Regression Model Variables Based on the Small
Business Administration’s (SBA) Paycheck Protection Program Loans, Years 2020-
2021
Variable
Effect: groups compared
in odds ratio estimate Association
Asset size of lender
Medium vs. large
Small vs. large
Increase
—
a
Business ownership type
Self-employed vs. not self-employed
Increase
Overstated payroll
Yes vs. no
Increase
Unpaid employees
Yes vs. no
—
Non-existent businesses
Yes vs. no
Increase
Lender type
Nonbank lender vs. lender
Increase
Size of business loan
Medium vs. large
Small vs. large
—
Decrease
Locale
Urban vs. rural
Increase
Source: GAO analysis of Department of Justice information and SBA data. | GAO-23-105331
a
A blank “—” indicates the variable is not significantly associated with identified fraud at the p-value <
0.05 level.
Appendix V: Comments from the Small
Business Administration
Page 136 GAO-23-105331 COVID Relief
Appendix V: Comments from the Small
Business Administration
Appendix V: Comments from the Small
Business Administration
Page 137 GAO-23-105331 COVID Relief
Appendix V: Comments from the Small
Business Administration
Page 138 GAO-23-105331 COVID Relief
Appendix V: Comments from the Small
Business Administration
Page 139 GAO-23-105331 COVID Relief
Appendix V: Comments from the Small
Business Administration
Page 140 GAO-23-105331 COVID Relief
Appendix V: Comments from the Small
Business Administration
Page 141 GAO-23-105331 COVID Relief
Appendix V: Comments from the Small
Business Administration
Page 142 GAO-23-105331 COVID Relief
Appendix V: Comments from the Small
Business Administration
Page 143 GAO-23-105331 COVID Relief
Appendix V: Comments from the Small
Business Administration
Page 144 GAO-23-105331 COVID Relief
Appendix VI: GAO Contact and Staff
Acknowledgments
Page 145 GAO-23-105331 COVID Relief
In addition to the contact named above, Tonita Gillich (Assistant Director),
Philip Reiff (Assistant Director), Irina Carnevale (Analyst-in-Charge),
James Ashley, Priyanka Sethi Bansal, Miranda Berry, Mariana Calderón,
Leia Dickerson, Ranya Elias, Colin Fallon, Meredith Graves, Marshall
Hamlett, Kristy Hammon, Jacob Harwas, Davis Judson, Kailas Menon,
Maria McMullen, Brenda Mittelbuscher, Lisa Moore, Daniel Newman,
Stephanie Palmer, Julia Robertson, Paige Smith, Sabrina Streagle,
Frances Tirado, Ariel Vega, and Monique Williams made key
contributions to this report.
Appendix VI: GAO Contact and Staff
Acknowledgments
GAO Contact
Staff
Acknowledgments
Related GAO Products
Page 146 GAO-23-105331 COVID Relief
COVID Relief: SBA Could Improve Communications and Fraud Risk
Monitoring for Its Arts and Entertainment Venues Grant Program.
GAO-23-105199. Washington, D.C.: October 11, 2022.
Restaurant Revitalization Fund: Opportunities Exist to Improve Oversight.
GAO-22-105442. Washington, D.C.: July 14, 2022.
COVID-19: Current and Future Federal Preparedness Requires Fixes to
Improve Health Data and Address Improper Payments. GAO-22-105397.
Washington, D.C.: April 27, 2022.
GAO Fraud Ontology Version 1.0, published January 10, 2022.
https://gaoinnovations.gov/antifraud_resource/howfraudworks
Economic Injury Disaster Loan Program: Additional Actions Needed to
Improve Communication with Applicants and Address Fraud Risks.
GAO-21-589. Washington, D.C.: July 30, 2021.
Paycheck Protection Program: SBA Added Program Safeguards, but
Additional Actions Are Needed. GAO-21-577. Washington, D.C.: July 29,
2021.
COVID-19: Sustained Federal Action Is Crucial as Pandemic Enters Its
Second Year. GAO-21-387. Washington, D.C.: March 31, 2021.
High Risk Series: Dedicated Leadership Needed to Address Limited
Progress in Most High-Risk Areas. GAO-21-119SP. Washington, D.C.:
March 2, 2021.
COVID-19: Critical Vaccine Distribution, Supply Chain, Program Integrity,
and Other Challenges Require Focused Federal Attention. GAO-21-265.
Washington, D.C.: January 28, 2021.
COVID-19: Opportunities to Improve Federal Response and Recovery
Efforts. GAO-20-625. Washington, D.C.: June 25, 2020.
A Framework for Managing Fraud Risks in Federal Programs.
GAO-15-593SP. Washington, D.C.: July 28, 2015.
Related GAO Products
The Government Accountability Office, the audit, evaluation, and investigative
arm of Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of the
federal government for the American people. GAO examines the use of public
funds; evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make informed
oversight, policy, and funding decisions. GAO’s commitment to good government
is reflected in its core values of accountability, integrity, and reliability.
The fastest and easiest way to obtain copies of GAO documents at no cost is
through our website. Each weekday afternoon, GAO posts on its website newly
released reports, testimony, and correspondence. You can also subscribe to
GAO’s email updates to receive notification of newly posted products.
The price of each GAO publication reflects GAO’s actual cost of production and
distribution and depends on the number of pages in the publication and whether
the publication is printed in color or black and white. Pricing and ordering
information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard,
Visa, check, or money order. Call for additional information.
Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Subscribe to our RSS Feeds or Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
Contact FraudNet:
Website:
https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454 or (202) 512-7700
A. Nicole Clowers, Managing Director, ClowersA@gao.gov, (202) 512-4400, U.S.
Government Accountability Office, 441 G Street NW, Room 7125, Washington,
DC 20548
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548
Stephen J. Sanford, Managing Director, spel@gao.gov, (202) 512-4707
U.S. Government Accountability Office, 441 G Street NW, Room 7814,
Washington, DC 20548
GAO’s Mission
Obtaining Copies of
GAO Reports and
Testimony
Order by Phone
Connect with GAO
To Report Fraud,
Waste, and Abuse in
Federal Programs
Congressional
Relations
Public Affairs
Strategic Planning and
External Liaison
Please Print on Recycled Paper.
