Three Risk Management Steps to Take Now to Prepare for Post-PPP Scrutiny

By Lyn Farrell

The banking industry did a stand-up job responding to the federal government’s urgent request that it facilitate the funding of the Small Business Administration’s Paycheck Protection Program loans. The industry was called upon to work quickly (within a few days) to fund hundreds of billions of dollars of loans to American businesses—all through a government bureaucracy that normally handles a small fraction of the loan volume in a full year.

Most of the institutions went above and beyond the call—adding shifts of workers to push through applications, dealing with the SBA’s technology which broke down repeatedly, vetting new customers quickly and even making such small loans that the process ended up costing them money. However, these valiant efforts will not insulate banking institutions from scrutiny in the future. Inspectors general at the SBA and the banking agencies, and Congress itself, are likely to investigate how the money was delivered and any level of fraud that may have occurred during the process.

It’s time to employ proactive risk management processes to limit the risks banks may have for participating in the PPP. Risk managers in all areas of the bank can take steps to fix any problems that have already cropped up, look down the road to prepare for the next phase of the PPP process and to put their institutions in the best possible position to face government scrutiny that certainly is on the way.

There are three clear steps to take to repair as necessary and prepare for any scrutiny that comes your way.

1. Clarify what has already happened

More than most processes, the PPP happened quickly with almost no preparation time available. Institutions acted quickly and made decisions on the fly. I speak from experience when I say that it is critically important to memorialize now what happened and why. In a few months or even years, memories will be less clear, and some of the people that were central to the process will be gone. It is much harder after the fact to piece together the events that happened and, more importantly, why they happened.

I suggest that banks create a document that explains in an orderly and narrative fashion what happened, as well as the bank’s thinking behind the decisions that were made. Did you decide not to lend to non-customers? Why? The reason may be that you had so many loan applications from current customers that you could not process non-customer applications with the due diligence requirements quickly enough to get them in line for available funds. Even if you tried to lend to non-customers, this may be the reason many of them did not get loans funded.

If you had to change a procedure after you started the process, explain why that was the case. Maybe you went from a decentralized decision-making process to a centralized one after you started because the aggregate amount of loans was mounting so fast it was hard to keep track of it. Explain this in the document. Later it will be harder to remember.

If something happened that was negative, such as a fraud occurring or being attempted, explain what happened and the bank’s response. This is crucial to those who are later trying to piece together those events and the bank’s actions in response to agency questions.

2. Improve your practices for the next phase

Arguably, the forgiveness phase of the PPP carries the most risks. Since the organization has had more time to think through the risks, the decisions should be made carefully and procedures well thought out in advance and more refined than in the first phase. In some cases, the first phase happened so quickly that procedures, if they were written, were not done with the bank’s usual care. Make sure that processes for the forgiveness phase level of care are thoroughly communicated and written. The bank should implement training and the usual proactive risk practices like testing and daily monitoring of activities. Make sure the documentation trail is active and that decision-making criteria is followed and documented.

3. Remediate anything that can be fixed now

If there were errors or issues that could make the institution vulnerable, fully explain the reasons behind why decisions were made or why any mistakes happened and what actions were taken to fix them. Review your procedures as they were communicated to your bank’s staff against what actually happened across the entire enterprise. Follow up to learn why there was not uniform compliance with the communicated procedures. Train appropriate personnel if they did not follow them.

Learn what fraud typologies were prevalent in making PPP loans in your region (for example, falsified company documents or using payroll information for multiple companies) and review your portfolio for those and other anomalies. If there were serious issues or fraudulent behavior that was not caught, consult attorneys who are familiar with the law and with the SBA and IG procedures before acting. Decide whether and how to remediate these. Consider reviewing all loans to new customers to ensure that the companies are legitimate and that no fraud was involved.

While these are time-consuming steps, they will prove themselves to be valuable in the future. We all know that actions can look reasonable and innocent when they occur but be misconstrued by later investigations or reviews. Nailing down the truth now will pay off in the long run.

Lyn Farrell is the Regulatory Strategy Advisor for Hummingbird, a RegTech company. She is the 2012 recipient of the ABA’s Distinguished Service Award for compliance. She is the is author of ABA’s Reference Guide to Regulatory Compliance. She is an attorney and has been a CCO and in-house counsel in financial institutions and has practiced as a risk management consultant. She can be reached at