COVID-19 Relief: Improved Controls Needed for Referring Likely Fraud in SBA's Pandemic Loan Programs

What GAO Found

According to Small Business Administration (SBA) officials, the four-step process for managing fraud risks in its pandemic loan programs generally consisted of the following components for both the Paycheck Protection Plan (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) programs:

• Screening: automated review, sometimes with additional manual components, that compared each application with several public and private databases and checked for internal inconsistencies that indicated data anomalies.
• Data analytics: various data analytic tools to examine data anomalies, sometimes using a type of artificial intelligence called machine learning for the PPP to help identify files with data anomalies in need of review.
• Human-led reviews: manual reviews of files with data anomalies to determine if the file was ineligible or likely fraudulent.
• OIG referrals: referrals of likely fraudulent applications to SBA's Office of Inspector General (OIG).

This process and its various steps were introduced at different times for COVID-19 EIDL and the PPP and were implemented iteratively over the course of the pandemic. However, SBA did not implement the process until more than half of the programs' funding had been approved, thus limiting its impact in preventing fraud. Specifically, for COVID-EIDL, over $210 billion of an eventual $385 billion (or about 55 percent) had already been disbursed before the full process was implemented. For the PPP, over $525 billion of an eventual $800 billion (or about 66 percent) had already been approved.

The four-step process as applied to COVID-19 EIDL and the PPP had weaknesses, as several audit entities, including GAO, SBA's OIG, and SBA's independent financial statement auditor, have previously reported. For example, as part of its screening step, SBA compared loan applications against the Treasury's various Do Not Pay (DNP) databases and public records. A June 2024 SBA OIG report found, however, that SBA awarded and disbursed funds to potentially ineligible entities listed in DNP without sufficient evidence to support the loan decision. In response to this report, SBA agreed, among other things, to review and address those loans and grants with an alert in the file that was not previously addressed. According to SBA's OIG, the proposed action did not fully meet OIG's recommendation to review all loans identified as potentially ineligible.

In its work, GAO identified a weakness in SBA's process for referring cases of likely fraud to its OIG—that is, step four of its four-step process. As part of its referral step for COVID-EIDL, SBA submitted almost 3 million referrals to its OIG. SBA OIG officials told GAO that of these referrals, about 2 million were not actionable because they did not contain enough data elements to allow for further investigation or had quality issues, such as duplicates or incorrect information. Without an effective referral process, the SBA OIG is not able to fully investigate instances of likely fraud and make follow-on referrals to, for example, the Department of Justice for prosecution, as necessary.

Why GAO Did This Study

SBA distributed over $1 trillion in loans and grants to over 10 million small businesses in 2020-2022 during the COVID-19 pandemic. Through the CARES Act and other laws, Congress provided funding for PPP and COVID-19 EIDL to support small businesses. In June 2020, GAO found that SBA had not yet developed and implemented plans to identify and respond to risks for the PPP to ensure program integrity. GAO reported in May 2023 that SBA moved quickly under challenging circumstances to develop and launch its pandemic relief programs but that some of the relief funds went to those who sought to defraud the government.

The CARES Act includes a provision for GAO to monitor COVID-19 pandemic relief funds. In this report, GAO examines SBA's four-step antifraud process by describing (1) how the process for detecting and referring likely fraud cases was designed and implemented for COVID-19 EIDL and the PPP and identifying (2) any control weaknesses in the process for detecting and referring likely fraud cases for COVID-19 EIDL and the PPP.

GAO examined SBA documentation, interviewed SBA officials, and reviewed prior reports by GAO, SBA's OIG, and SBA's independent financial statement auditor, and reports by the Pandemic Response Accountability Committee.