By Steven Minsky
With a second round of funding breathing new life into the Small Business Administration’s Paycheck Protection Program—and SBA opening its systems for new applications this morning—banks need to be prepared for an increased risk of fraud as they lend to small businesses. This was less of a concern during the first round of PPP lending, because banks and credit unions worked primarily with existing customers who were known to them.
This time, many may broaden their lending to new customers. In this scenario, criminal entities may pose as legitimate new customer applicants, which introduces enormous new operational risks for lenders. There are several strategic steps banks can take now to strengthen their operational risk and fraud detection programs:
1. Risk identification. Engage your enterprise and operational risk managers in the design of loan application approval processes and give them the authority to perform a robust risk assessment to identify the operational risks of loan applicants. ERM leadership and teams need empowerment to identify the risks presented by the new PPP program. Do not outsource this authority to consultants or other third parties. We saw this mistake in the recession of 2007-09, where organizations relied on third-party rating agencies that had shifted their advice to be favorable in order to earn fees and were not held accountable for their advice.
2. Risk assessment. Mobilize a cross-functional expert team through a common loan application and evaluation framework to assess potential borrowers. These corporate resources need to be made available in an ad hoc manner through a workflow to systematically help front line lending staff. After the operational risks have been identified, empower your ERM teams to engage with internal security professionals, process experts, legal experts, compliance, auditors and other internal bank professionals to score these risks on a repeatable, standardized and objective set of evaluation criteria. This approach will create an apples-to-apples comparison of the risks by different experts.
3. Mitigation transparency. The PPP rules and guidance have already changed several times, and changes are expected to continue, meaning that new risks will appear at a much faster pace. Policy changes that take place on an ad hoc basis can be traced back to a date, but banks may struggle to trace a loan back to a policy change, a link that would shorten investigations and provide compliance evidence spanning multiple levels, business silos and third-party technologies. Connecting mitigations through a taxonomy to risks and regulation requirements also provides compliance with evidence that the bank was using best efforts to enforce all the requirements that were in place at that time to mitigate liabilities.
4. Risk-based incident management. Providing a channel dedicated to the PPP program for customers, employees and partners to submit anonymous fraud tips is very important. For example, a banking customer might report through a bank’s web-based incident form that they had received a statement for a loan they hadn’t applied for. This kind of situation can arise when a bank’s background checks look only for fake identities; a fraud ring using actual stolen identities could circumvent this screening.
Steven Minsky is the CEO and founder of LogicManager.