For a few months this year, a U.S. government aid program meant for struggling small-business owners was handing out $10,000 to just about anyone who asked. All it took was a five-minute online application. You just had to say you owned a business with at least 10 employees, and the grant usually arrived within a few days.
People caught on fast. In some neighborhoods in Chicago and Miami, it seemed like everyone made a bogus application to the Small Business Administration’s Covid-19 Economic Injury Disaster Loan program. Professional thieves from Russia to Nigeria cashed in. Low-level employees at the agency watched helplessly as misspent money flew out the door.
Even after the $20 billion in funding for grants dried up in July, the fraud continued, as scammers looted a separate $192 billion pot of money set aside for loans. “I’ve never seen anything like it,” said an SBA customer-service representative who spoke on the condition of anonymity to protect her job. “I don’t think they had any processes in place. They just sent the money out.”
This account of the disaster-aid program is based on interviews with frontline SBA workers and outside fraud investigators, and on a review of thousands of social-media postings. The unprecedented scale and urgency of the pandemic response made some missteps inevitable, and lawmakers explicitly ordered the agency to prioritize speed over thrift. But decisions by agency leaders contributed to the chaos.
The SBA’s much-vaunted new computer system, built by an outside contractor for $750 million, proved blind to certain types of fraud and sometimes awarded grants even when it spotted disqualifying features. The agency pressured loan officers with little training to churn through applications quickly, while making it difficult for them to detect or report suspicious ones. When officials eventually tightened fraud controls, the result was often delays and rejections for legitimate applicants.
The amount stolen from the program, if it’s ever tallied, will almost certainly be measured in the billions of dollars. But that’s only part of the cost. Many legitimate applicants were denied grants because scammers got the money first. And identity thieves pocketing loan proceeds left an unknown number of Americans saddled with bogus debts.
“It’s too bad that it got this far,” said Richard Maier, an investigator at a credit union in Florida who documented dozens of cases of disaster-aid fraud involving his customers. “Some of these innocent people are being taken advantage of because someone didn’t do the due diligence on the front side.”
The SBA said in a statement that it “proactively initiated stringent fraud-prevention safeguards that have so far prevented the processing of thousands of invalid applications, balancing the agency’s fiduciary responsibilities against the urgent need to provide the small-business sector” with aid. “These rigorous and comprehensive controls included an end-to-end infrastructure of internal controls comprised of automated tools, scores of system rules to validate borrower identity and business eligibility, and an application review process consisting of multiple checks.” The agency added that it has been referring suspected fraud to its inspector general. It declined to answer detailed questions for this story.
A report released Wednesday by the agency’s inspector general, Hannibal “Mike” Ware, identified tens of billions of dollars in potentially fraudulent transactions, including multiple loans sent to applicants using the same bank account or address. But as the agency pointed out in a rebuttal, many of the loans flagged by Ware were legitimate, and Ware didn’t even hazard a guess as to how much fraud actually took place. He disclosed that $450 million in doubtful payments have already been seized by law enforcement.
As the economic threat of the pandemic became clear in March, Congress hatched a two-pronged bailout for small businesses. The biggest was the Paycheck Protection Program, which grew to $525 billion and used thousands of banks to issue forgivable, SBA-backed loans to cover payroll. The other, the disaster-aid program, is run directly by the SBA and is still approving loans of as much as $150,000. More than 3.6 million loans have been issued in addition to 5.8 million grants that don’t have to be repaid.
To get money out quickly, Congress instructed the agency to relax its normal fraud safeguards, declaring that applicants should be considered eligible if they swore they were.
Designed for regional calamities such as hurricanes and earthquakes, the SBA’s disaster-aid program was unprepared for a nationwide pandemic that disrupted millions of small businesses simultaneously. So in March, it asked one of its contractors, Herndon, Virginia-based consulting firm RER Solutions Inc., to build a computer system from scratch. RER, in turn, subcontracted much of the work to Rocket Loans, an arm of billionaire Dan Gilbert’s Detroit-based mortgage-lending empire.
The system developed by RER and Rocket was known as “Rapid Decision,” and it lived up to its name. It would take in loan applications submitted to the SBA website and check them against a list of indicators of fraud or ineligibility. Among other things, it was supposed to flag applicants who had already received a loan or submitted a dead person’s Social Security number. By late April, Rapid Decision was churning through more than 100,000 applications a day, a rate of more than one per second.
Each application was screened for both a grant and a loan. Grants were meant to provide borrowers with quick cash while they waited for a loan decision. Most went out quickly, with no human intervention, based on Rapid Decision’s recommendation. A human sign-off was required for loans, but even then the computer played a crucial role. The results of the program’s automated checks would be placed in each loan file. Loan officers were given only a few minutes to process a request.
In a letter defending the program in July, SBA Administrator Jovita Carranza boasted of the “sophisticated technology” behind Rapid Decision, supporting “robust” internal controls. “This is the path forward,” one of her deputies, James Rivera, told Congress that month. “It has increased the productivity. It’s helped us provide quicker, faster service.”
Rapid Decision looked very different to loan officers on the front lines.
The computer system was designed to run fraud checks on the person submitting the application, the bank account designated to receive the money, even the Internet address used to submit it. But it had no reliable way of checking to see if a small business actually existed.