The Paycheck Protection Program Fraud

The Paycheck Protection Program Fraud

Due to the vulnerabilities created by COVID-19, individuals and organizations operating around the globe are actively seeking to exploit and profit from the pandemic. From financial fraud schemes targeting vulnerable populations, to the importation of counterfeit pharmaceuticals and medical supplies, to websites defrauding consumers, these illicit activities compromise legitimate trade and financial systems and endanger the safety and security of the American public.

One of the programs criminals and fraudsters are seeking to exploit includes the benefits available through the relief package passed by Congress under the federal Paycheck Protection Program (PPP) as established by the Coronavirus Aid, Relief and Economic Security (CARES) Act. Since its inception, this program has provided over $900 billion in funding to business owners and companies impacted by the devastating effects of COVID-19.

One of the primary questions that come up is “Can I use these funds for anything I want?” To answer this let us dive further into the specifics of the CARES Act to clarify what the funds can be legitimately used for, and to provide an example of potential misuse, the CARES Act provided two funding sources for small businesses affected by the pandemic, as defined by the approved legislation.1 These two programs are the PPP and the Economic Injury Disaster Loans (EIDL). These funds are provided for a specific purpose and can be used to support payroll costs and employee benefits. These loans can also be used to pay mortgage interest, rent, utilities, worker protection costs related to COVID-19, uninsured property damage costs caused by looting or vandalism during 2020 and certain supplier costs as well as expenses for the business operation. Therefore, the answer to the question above is a resounding no. The U.S. Department of the Treasury provides additional information on CARES Act requirements.2 The following table provides a great summary of these two programs.

EIDL and PPP Summary

EIDL and PPP Summary
Source: Small Business Administration (SBA)

In order to best address COVID-19 related PPP fraudulent activity, it is imperative that financial institutions track and modify know your customer (KYC) and customer due diligence (CDD) processes as needed to identify and disrupt criminal networks that attempt to exploit these programs each and every day for personal gains. Any weakness in the process could be the entry gate for these criminals to penetrate and exploit the financial system. At the heart of this assistance program is “timeliness.” Specifically, each financial institution’s ability to rapidly issue these loans. However, if risk management tools and KYC processes are not up to date, then an institution may run into several operational, reputational, concentration and legal risks. While fast and nimble processes are key to the success and recovery of the economy under these financial relief programs, they are not an exception or a waiver from compliance responsibilities. For example, a PPP loan could be disbursed to the proper person/business, but if the KYC/CDD programs failed to identify that said business recently closed its doors for good, then the noted business owner could use the funds for a purpose not aligned with the goals and guidelines of the program. Misused funds are not eligible for forgiveness, and the business owner could face legal repercussions. The unintended result of this scenario is that the financial institution could end up with a default loan in the very near future.

Although it has been over a year, PPP fraud is a new and emerging vulnerability for the anti-money laundering (AML) community. One of the primary questions is “What else can we do?” If efforts are framed around knowledge and understanding, then we will be positioned to prevent the exploitation of the financial system. PPP loan fraud can be rather difficult to identify, and the schemes will vary depending on the nefarious actors behind the scheme. Using the financial institution’s data and transactional driven monitoring tools to assess, identify and prevent risk will certainly support underlying operational endeavors while reducing exposure to fraud and ensuing institutional risks. As financial crimes evolve, it is exceedingly important to update training topics and the curriculum to meet current risks and threats.

Through its cornerstone program, the Homeland Security Investigations (HSI) is continually partnering with private sector stakeholders and has dedicated subject-matter experts that can provide relevant training upon request on the newest and emerging vulnerabilities as well as red flags and mitigation strategies within the financial sector. Additional information or training can be requested at:, by calling 1-866-347-2423 or via the local HSI office.

The following are some of the red flags that are closely related to KYC and deserve particular attention:

  • Payroll estimates do not relate to the business size—higher payroll numbers equal higher loan amounts.
  • Application for newly opened business—identify newly issued Employer Identification Numbers (EIN).
  • Attention should be given to applications completed by criminal networks engaged in “phishing” followed by loans being electronically disbursed to an account under an unrelated third person.
  • Lack of documentation during the forgiveness phase.
  • Misuse of funds after loan disbursement to include purchases not aligned with the intended use of funds.

Law enforcement is a proud member of the AML community. Utilizing their unique and expansive authorities, strategic footprint, partnerships worldwide and robust cyber capabilities, HSI launched Operation Stolen Promise to protect the homeland from the increasing and evolving threat posed by COVID-19-related fraud and criminal activity. The efforts by Operation Stolen Promise are further supported by its four central pillars listed below and the vital role the private sector plays in each of these four pillars:

  1. Establish public/private sector and cyber security partnerships on combating counterfeit vaccines and treatments.
  2. Develop actionable investigative and intelligence leads.
  3. Disrupt and dismantle fraud schemes, take down illicit web sites and other online marketplaces as well as seize counterfeit or illicit vaccines and treatments.
  4. Launch a robust public awareness campaign.

As criminal activity stemming from COVID-19 continues to surge, including a dramatic increase in criminal schemes designed to steal personal identifiable information such as spoof websites and calls, HSI has recognized that the response must be equally as robust. HSI’s unique customs and border search authorities—combined with the expertise in cyber and intellectual property rights and financial investigations—best positions the agency to lead these efforts to combat fraud associated with the pandemic. Moreover, the public is encouraged to report suspected illicit criminal activity or fraudulent schemes related to COVID-19 via email at:

As mentioned before, this is a task that requires an all “hands-on deck” approach and there is nothing one agency can do alone. Therefore, the COVID-19 Fraud Enforcement Task Force was launched by the Department of Justice in May 2021 to work closely with federal interagency partners. However, this effort is not complete without the involvement and support of private sector stakeholders to combat COVID-19 related fraud. Whether in the pharmaceutical or financial fields, everyone plays a critical role in preventing COVID-19 related fraud. As it pertains to financial industry partners, we will continue to jointly utilize Bank Secrecy Act (BSA) data and reporting to enhance leads and support ongoing investigations. Furthermore, we are continuing to utilize our cornerstone approach to further share our knowledge, red flags and best practices with private sector partners.

Since April 2020, HSI has been actively identifying and targeting fraud schemes involving financial relief related to PPP and EIDL loan programs, state unemployment insurance benefits programs and distribution of consumer stimulus checks. Through an HSI led COVID-19 Virtual Task Force, HSI is working closely with numerous federal agencies to analyze data associated with individuals and businesses attempting to exploit the economic stimulus package and defraud the U.S. government. HSI has increased timely information sharing of typologies and red flag indicators with financial institutions to combat fraud as it occurs. For example, as we jointly combat PPP and EIDL fraud, financial institutions must take a closer look at companies that are applying for loans using newly created employer identification numbers, new bank accounts or multiple accounts with unusual patterns of activity, inflated payrolls, unqualified borrowers or the use of consumer accounts rather than business accounts, amongst other indicators. Congress has requested HSI and other agencies to aggressively work on COVID-19 related investigations. Therefore, these investigations are a priority for HSI.

In June 2020, an investigation into an accountant was initiated after HSI and Small Business Administration (SBA) Office of the Inspector General (OIG) agents learned that the subject was recruiting customers to apply for PPP loans, charging up to 50% of the loan proceeds. Six other individuals were also identified as co-conspirators who submitted false and fraudulent PPP loan applications in the names of certain entities to various banks and lenders. All seven defendants created fraudulent documents to make the businesses that were applying for a PPP loan appear to be active and legitimate.

As part of the conspiracy, the defendants hid the true nature of the fraud by writing purported paychecks to fake employees. The defendants submitted at least 80 fraudulent PPP loan applications seeking nearly $30 million in PPP loan funds, ultimately obtaining approximately $16 million in fraudulent PPP loan funds, which they used for their personal benefit.

The defendants were subsequently indicted and arrested for wire fraud and money laundering, among other crimes. Additionally, HSI special agents served 46 seizure warrants at different banks and lenders and have seized and recovered over $3 million. They also seized a 2013 Lamborghini Gallardo Spyder and a 2014 Porsche Panamera and are in the process of forfeiting a million-dollar home purchased with the proceeds of the scheme.

On another case, in May 2021, HSI arrested an individual for violations of federal law concerning aggravated identity theft, wire fraud, bank fraud and money laundering. The subject orchestrated a criminal scheme in which he defrauded the PPP.  From May 2020 through December 2020, the subject submitted four PPP loan applications in excess of $5 million. Subsequently, federal agents seized three luxury vehicles valued over $700,000 purchased from fraudulent PPP loans and a bank account containing over $2 million in funds from fraudulent PPP loans.

These two examples out of many highlight that the AML continuum involves all parties working in a coordinated fashion. While the private sector is the first line of defense to assess, identify, mitigate and manage risk, law enforcement is here to support their efforts and to deliver a judicial consequence to those who find ways to exploit systemic vulnerabilities within our financial system. We are in this together!

HSI currently has over 1,000 open cases related to COVID-19 schemes that have resulted in the seizure of over $52 million in criminal proceeds, over $36 million in financial fraud seizures and over 280 arrests. Many of these cases are in support of SBA efforts and include a great deal of partnering with our public and private sector stakeholders.

In conclusion, COVID-19 related fraud is here and rapidly evolving. The PPP should be considered and treated as a new product and service. Thus, it is of utmost importance that risk assessments, management and processes are updated to include applying stringent KYC and CDD rules coupled with proactive reporting moving forward. It is important to keep in mind that in one year there have been several evolutions and changes within these types of fraudulent efforts. Therefore, constant evaluation, training and fine tuning of tools is more important than ever. The law enforcement community is here to support your efforts as an integral part of the AML community of interest. It is important to remember that AML efforts involve several strategies to include assessment, mitigation, identification and enforcement thus delivering consequences to deter future activity.

Raymond Villanueva, CAMS, special agent in charge, Homeland Security Investigations, Washington DC, LinkedIn

Villanueva is a law enforcement executive with over 27 years of experience investigating and managing money laundering investigations as well as supporting and leading joint AML efforts with the overall financial community.

  1. “H.R.748 - CARES Act,”,
  2. “Assistance for Small Business,” The U.S. Department of the Treasury,

Leave a Reply