Skip to main content

COVID Relief: Fraud Schemes and Indicators in SBA Pandemic Programs

GAO-23-105331 Published: May 18, 2023. Publicly Released: May 18, 2023.
Jump To:

Fast Facts

The Small Business Administration provided $1 trillion to help small businesses during the pandemic. But in some instances funds went to fraudsters—the Department of Justice charged hundreds of individuals and is investigating many more.

We flagged 3.7 million recipients of SBA funds as having warning signs consistent with potential fraud. Such "indicators" aren’t proof of fraud, which is why we referred them for further review and possible law enforcement investigation.

SBA hasn't had timely access to some external data sources—such as IRS data—that could help prevent fraud. We recommended that SBA develop a plan for accessing such data.

Sign in the front of the U.S. Small Business Administration with the agency's name and official seal

Skip to Highlights

Highlights

What GAO Found

The Small Business Administration (SBA) moved quickly under challenging circumstances to develop and launch pandemic relief programs to help small businesses. These programs, including the Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL), totaled over $1 trillion and assisted more than 10 million small businesses. However, in some instances relief funds went to those who sought to defraud the government. As schemes emerged, SBA adapted its fraud risk management approach and added controls to help prevent, detect, and respond to fraud.

GAO analyzed 330 PPP and COVID-19 EIDL fraud cases. Federal prosecutors across the United States filed bank fraud, wire fraud, money laundering, identity theft, and other charges against 524 individuals associated with these cases. This analysis is based on fraud cases publicly announced by the Department of Justice (DOJ) as of December 2021.

Cases Charged by the Department of Justice Involving Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) Fraud, as of December 31, 2021

Unique Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) Recipients with Fraud Indicators

In those cases, DOJ charged individuals with

  • misrepresenting eligibility, falsifying documents, using stolen identities, and
  • deliberately exploiting the programs by conspiring with each other, sharing knowledge on how to circumvent controls, and obtaining kickbacks.

For the 155 of the 330 cases that reached conclusion through guilty pleas or convictions, GAO calculated about $188 million in direct financial losses. Across these cases, as of December 2021, 94 individuals had been sentenced to an average of about 37 months in prison. The number of cases will continue to grow. As of January 2023, the SBA Office of Inspector General (OIG) had 536 ongoing investigations, and the statute of limitations has been extended to 10 years to prosecute individuals who committed PPP and COVID-19 EIDL-related fraud.

Select GAO analyses of PPP and COVID-19 EIDL data, including comparisons with National Directory of New Hires (NDNH) wage data, identified over 3.7 million unique recipients with fraud indicators out of a total of 13.4 million (see figure). Fraud indicators can be used to identify potential fraud and assess fraud risk. They are not proof of fraud. Additional review, investigation, and adjudication is needed to determine if fraud exists. To that end, GAO referred the unique recipients with fraud indicators it identified to the SBA OIG for further review and investigation. The unique recipients identified include potentially non-existent businesses or businesses that may have misrepresented employee counts to obtain more funds. However, it is possible that the analysis identified non-fraudulent recipients with data discrepancies consistent with an indicator. While SBA has conducted its own analyses to identify recipients with fraud indicators, it does not have access to the NDNH database and could not have performed the same analyses as GAO.

Unique Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) Recipients with Fraud Indicators

Unique Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) Recipients with Fraud Indicators

SBA has employed data analytics to enhance fraud prevention and detection. For example, the use of analytics contributed to SBA determining that some PPP borrowers were ineligible for loan amounts or used them for unauthorized purposes, resulting in $4.7 billion in loan proceeds not being forgiven. In addition, SBA referred over 669,000 potentially fraudulent PPP and COVID-19 EIDL loans to the SBA OIG for investigation after using data analytics and conducting manual reviews. SBA enhanced its analytic capabilities during the pandemic and has recognized that it would benefit from further development of its data analytics program. SBA has opportunities to continue to improve its ability to prevent and detect potentially fraudulent transactions. For example, SBA did not fully leverage information to help identify applicants who tried to defraud multiple pandemic relief programs. While it has access to multiple external data sources, SBA does not have access to other external data sources that could aid in fraud detection and prevention. Leveraging information across programs and obtaining access to external data are consistent with leading fraud risk management practices. SBA has the opportunity to ensure that it fully leverages data across programs and accesses external data to the fullest extent possible to mitigate the likelihood and impact of fraud. Obtaining such access could necessitate pursuing statutory authority or entering into data-sharing agreements with other agencies to gain timely access to those sources.

Why GAO Did This Study

Congress established four programs to support small businesses during the pandemic: PPP, COVID-19 EIDL, Restaurant Revitalization Fund, and Shuttered Venue Operators Grant. Widely reported incidents of fraud raised questions about SBA's management of these programs. For this and other reasons, GAO added small business emergency loans to its High Risk Program in 2021.

The CARES Act includes a provision for GAO to monitor COVID-19 pandemic relief funds. This report (1) analyzes fraud cases charged by DOJ involving PPP and COVID-19 EIDL to understand fraud schemes and impacts, (2) provides the results of select data analyses regarding fraud indicators in PPP and COVID-19 EIDL, and (3) identifies opportunities for SBA to enhance its data analytics.

GAO analyzed DOJ press releases and court documents related to PPP and COVID-19 EIDL cases publicly announced as of December 2021 for fraud schemes and impacts. GAO analyzed 2020 and 2021 PPP and COVID-19 EIDL data, comparing these data to NDNH wage data to identify the presence of fraud indicators. GAO also evaluated SBA's data analytic efforts against leading practices.

Recommendations

GAO recommends that SBA (1) ensures it has and utilizes mechanisms to facilitate cross-program data analytics and (2) identifies external data sources that could aid in fraud prevention and detection and develop a plan to obtain access to those sources. SBA concurred with both recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Small Business Administration
Priority Rec.
The Administrator of SBA, in coordination with the Fraud Risk Management Board, should ensure that SBA has mechanisms in place and utilizes them to facilitate cross-program data analytics. (Recommendation 1)
Open
In November 2023, SBA reported that it was running detective cross-program analyses for SBA's major COVID-19 loan and grant programs as well as for the agency's 7(a), 504, and regular disaster loan programs, with results provided to appropriate program office personnel on a monthly basis. Further, SBA has started a Data Analytics Strategy Project to perform a comprehensive review of the current and future states of fraud prevention and mitigation analytics within SBA as well as the development of a road map to achieve a mature data analytics program. Specifically, SBA plans to conduct a gap analysis between the current and future states of SBA's fraud prevention and mitigation analytics along with the implementation of a road map to include establishing key performance indicators (KPIs) that will be used to measure the success of the data analytics strategy. Finally, the SBA Fraud Risk Management Board (FRMB), in conjunction with the relevant program offices, plans to develop policy pertaining to program office actions relating to cross program results, management of inventory, and parameters of operation. As of May 2024, SBA expanded its cross-program analyses beyond primary borrower information to cover a wider range of loan-related entities and was in the process of developing and implementing FRMB-led efforts. As of November 2024, the FRMB continued to work on policy pertaining to program office actions for cross-program analysis results, management of inventory, and parameters of operation. Additionally, the FRMB approved the Fraud Data Analytics Strategy, and the agency established the Fraud Data Analytics Team (FDAT). The FDAT is comprised of subject matter experts from SBA program offices for the purpose of executing the Fraud Data Analytics Strategy to mature fraud risk management in the agency. One of the SBA offices began performing cross-program data analytics using taxpayer identification numbers for new loan approvals. We will continue to monitor SBA's progress in this area.
Small Business Administration
Priority Rec.
The Administrator of SBA, in coordination with the Fraud Risk Management Board, should ensure that SBA has identified external sources of data that can facilitate the verification of applicant information and the detection of potential fraud across its programs. It should then develop a plan for obtaining access to those sources, which may involve pursuing statutory authority or entering into data-sharing agreement to obtain such access. (Recommendation 2)
Open
In November 2023, SBA reported that it has procured third-party services to implement its Know Your Customer initiative for validating customer identity and improving payment integrity. SBA also reported that it has engaged with other federal agencies regarding data sharing to improve SBA's fraud risk management capabilities. Specifically, SBA reported that it was engaging with the Payment Integrity Center of Excellence (PICOE) within the U.S. Department of the Treasury's (Treasury) Bureau of Fiscal Service on its Do Not Pay (DNP) services and solutions to evaluate if new tools and services such as Account Verification Services (AVS), Email and Social Intelligence, and DNP Data Analytics (i.e., Electronic Verification of Vital Events, which includes death data and the WorkNumber income verification, among others) can be utilized to improve payment integrity. As of November 2024, SBA was still in the process of implementing its efforts to identify and develop a plan to obtain access to external data, including ongoing discussions with the Treasury to pursue AVS as well as potential data sharing by SBA on fraud actors. We will continue to monitor SBA's progress in this area.

Full Report

GAO Contacts

Johana Ayers
Managing Director
Forensic Audits and Investigative Service

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Disaster reliefFraud and abusepandemicsProgram integrityProgram managementPublic health emergenciesRisk managementSmall businessLaw courtsPayroll