Why PPP fraud hit fintechs harder than banks
At first blush, the data on fraud for the Paycheck Protection Program looks bad for fintechs.
According to the Project on Government Oversight, an independent watchdog, the Justice Department has brought charges against at least 82 individuals in 56 cases for Paycheck Protection Program. Lenders approved 97 loans related to these fraud cases, and nearly half of those were made by fintechs and banks working closely with fintech companies.
So does this mean fintechs were easier targets than banks? In some ways, perhaps. Banks often have historical data on borrowers that fintechs don’t, so it’s reasonable to believe that fraudsters would see fintechs as easier marks. Confirming a borrower’s identity can also be more challenging for fintechs.
Then again, the data could suggest that fintechs are better at catching and reporting fraud than banks are and that banks, at least at the outset of the PPP rollout, prioritized lending to existing customers.
Here are some reasons why fraud appeared to be more prevalent at fintechs and what can be done to curtail online fraud in the future.
Confirming digital identity is a growing struggle
At the heart of the problem of online loan fraud, in the PPP program and anywhere else, is the challenge of proving digital identities.
This was particularly difficult for fintechs. The criminal rings that used fake identities to apply for loans were automatically denied by the large banks that focused on their existing customers. They turned to fintechs that were approving loans on their digital platforms in as little as an hour.
“This pandemic has laid bare the inadequacies of the digital identity infrastructure in the United States,” said Jeremy Grant, managing director of technology business strategy at Washington, D.C. law firm Venable and co-founder of the Better Identity Coalition, a group of banks, fintechs and others seeking to improve the way online identities are established and verified. “The numbers we're seeing from the industry as well as from government for fraud during this pandemic have been off the charts.”
Banks may be better at performing due diligence
“Banks have been doing this since the beginning of time,” said David O’Connell, senior analyst at Aite Group. “Online lenders have been doing cash flow analysis since 2011. There's a shortage of institutional historical knowledge that makes them vulnerable.”
Bill Phelan, senior vice president of PayNet, an Equifax company, said it’s critical for lenders to cross-reference loan application data points against business records, public records and financial records.
“If you can cross-reference those three, it becomes very hard to game the system and commit fraud,” he said.
Ido Lustig, chief risk officer at BlueVine, said his fintech and others did their best to verify as much information as they could.
BlueVine conducted Know Your Business, Know Your Customer, anti-money laundering and Office of Foreign Asset Control sanctions checks, “which detect the vast majority of identity theft and other fraudulent activities,” Lustig said. BlueVine adapted quickly to patterns that were recognized as fraudulent in its systems, he said.
“Our goal for PPP was to provide as much access to the funds as possible while also protecting the integrity of the program,” Lustig said. “With these actions in place, we were able to continue and support large numbers of businesses and drastically reduce fraud and risk for BlueVine and our customers. During our involvement in PPP, we held daily gap-analysis sessions led by our risk team to review and continually improve our fraud prevention logic and models.”
But banks may be slower in spotting fraud once it occurs
In research Aite Group conducted recently on small-business loan fraud, bankers admitted they’re not good at detecting fraud.
Aite asked, “When you think about all of the losses you've likely suffered as a result of small- and medium-size business fraud, what percentage are accurately identified as fraud losses?” The average answer from bank executive respondents was 48%.
“That means they’re missing 52%,” O’Connell observed. “It could be that fintechs have better data and better reporting. And they're more likely to flag something as fraud rather than a credit loss.”
When Aite asked bankers what percentage of small- and medium-size business fraud losses they not only identified, but accurately accounted for as fraud losses rather than credit losses, the answer was 37%.
“So we're looking at 63% that don't get accounted for,” O’Connell said. “It could be that the banks’ blind spot is pretty big.”
Fintechs, on the other hand, say that every time there's an instance of confirmed or suspected fraud, they identify and submit it to the Small Business Administration’s Office of the Inspector General very quickly.
"As the DOJ has rolled out these public cases, fintechs have been included in them because frankly we are reporting them,” one fintech lender said.
Banks focused on giving loans to existing customers
“Many of the lenders that participated in the program limited their activity to their existing ecosystem,” said Lustig, whose company, BlueVine, made PPP loans to 160,000 small businesses. “Obviously with your existing clients, there is a very low risk of fraud. The main fraud that was seen was around fake businesses and fake identities. These are things that with your existing book, you wouldn't face.”
BlueVine and other fintech participants in the PPP, including Kabbage, Square and PayPal, tried to reach some of the smallest businesses that were hardest hit by the economic problems brought about by the pandemic.
“It’s impossible for us to know if fintechs were proportionally hit harder with PPP fraud than banks,” Lustig said. “BlueVine chose to safely support as many small business owners as we could, which included taking on a potentially larger risk of fraud and the need to put in place specific defenses to try to keep out bad actors without excluding good actors. Overall less than 2% of our PPP applicants were presumed fraudulent.”
The CEO of the American Bankers Association, Rob Nichols, recently confirmed that banks prioritized their existing customers for PPP loans.
“Banks of all sizes were always encouraged by the administration to process loans for both new and existing customers at the onset of the PPP program,” he wrote in a statement to CNBC in mid-October. “They were also encouraged to start processing loans as quickly as possible to support the deteriorating economy. To achieve that goal, many banks processed applications from existing borrowers first since they already had the necessary borrower information needed to meet regulatory requirements, including Know Your Customer rules.” Nichols was responding to a report from the House Select Subcommittee on the Coronavirus Crisis that found the Treasury Department privately encouraged banks to prioritize existing clients when implementing the PPP.
Better identity verification is at the heart of possible solutions
In the future, the government could help alleviate fraud in relief programs like the PPP, in the view of Grant and fintechs, by doing things like providing digital drivers licenses and sharing Internal Revenue Service data.
“Government is the only authoritative issuer of identity,” he said. “Every firm in the industry is trying to guess what only the government knows.” State governments, for instance, could upgrade the systems they use to issue drivers’ licenses and other types of identity credentials and provide digital identity verification.
A bill sponsored by Congressmen Bill Foster, D-Ill.; John Katko, R-N.Y.; Jim Langevin, D-R.I.; and Barry Loudermilk, R-Ga.; the Improving Digital Identity Act of 2020, would authorize grants to states to upgrade systems that provide drivers’ licenses or other types of identity credentials to support the development of interoperable state systems that enable digital identity verification. It would also uphold National Institute of Standards and Technology standards for security and privacy.
Better data sharing overall among lenders, credit seekers, borrowers’ banks and accountants would help deter a lot of online loan fraud, O’Connell said.
Fraudsters would quickly realize they would be exposed in such cross-checking.
“There's too much deterrence-enabled visibility that can arise there for us not to be doing it,” he said.
Lustig also would like to see more data sharing between government and lenders, for instance, letting banks and fintechs use APIs to get real-time access to business owners’ tax documents, such as IRS 4506T data, to quickly verify loan applicants’ information.
“If open government and open banking were available for everyone, then the verification of personal and business identity [for PPP loans] would have been much, much easier,” Lustig said.