JPMorgan Chase last week released an all-company memo acknowledging it is assisting law enforcement agencies with investigations of alleged fraud related to U.S. government-backed Paycheck Protection Program (PPP) loans. The probe, which will focus on instances of customers misusing the coronavirus relief loans intended for small businesses, could potentially extend to employees as well.

In the same week, U.S. law enforcement officials announced criminal charges against 50 individuals who allegedly committed fraud in obtaining money from the PPP. In the United Kingdom, the head of HM Customs and Revenue advised fraudulent claims for furlough payments could be as high as £3.5 billion (U.S. $4.5 billion), equal to 10 percent of the total sum of government funds spent on the furlough program.

At the onset of the pandemic, governments all over the world moved quickly to protect businesses and jobs, rushing through legislation to ensure funds were expediently made available. Grateful business leaders and owners of small businesses accepted the government support. At the same time, criminal groups circled the pot of money that had been set aside and began to hatch plans to steal as much as they possibly could.

There is no escaping the fact the pandemic has presented criminals with opportunities to exploit our fears, vulnerabilities, and trust. The need for expediency and volume of legitimate claims for government loans gave bad actors enhanced opportunities to hide and ultimately get their fraudulent claims approved. In the United States, United Kingdom, and beyond, it has been suggested banks failed to apply adequate controls to prevent these frauds.

Evidence has reached some media outlets proposing countless instances of fraud gangs incorporating U.K. companies in May, June, and July, and then opening an account with a major U.K. bank and successfully applying for a “bounce-back loan.” Bouncing back from what? The companies are often registered at the same address—one of the addresses is a derelict, unoccupied flat; another is a pub; and neither were in business before March 1. Nonetheless, these companies—more pointedly, the fraudsters behind these companies—have received substantial loans up to individual values of £46,000 (U.S. $60,000).

The fraudsters used Gmail or Hotmail addresses; they had no business website, and although they self-represented they had been in business for over a year, they produced no accounts or bank statements to verify this. In one instance, the fraudsters used previously compromised bank data to apply for business loans as sole traders, stating they held an account with another bank in the same group, but as that bank was not an accredited lender, they were seeking a loan through the parent bank. Behold, the fraudsters secured the loans, but the funds were not then paid to the business account with the other bank, as would logically be expected.

None of the above is complex—indeed many of you will be astounded that banks accepted these applications from such commonplace and often previously abused email addresses. Others will fail to understand how and why the parent bank did not check with the other bank in the group as to the validity of such applications.

And so, many legitimate businesses in the United Kingdom have recently struggled to open new business accounts with some banks as the banks no doubt seek to review and enhance their financial crime, anti-fraud, and due diligence controls around new business accounts. These actions deal another blow to the U.K. economy as legitimate businesses cannot get going, start trading, employ people, and pay much needed taxes.

The lessons here are simple; balanced controls for these loans include:

  • Verifying the age of a registered company applying for a loan;
  • Securing some evidence of prior business/trading operations;
  • Seeking the Website address of such an ongoing and established trading business;
  • Rejecting or challenging Gmail, Hotmail, and Yahoo-type email addresses; and
  • For new customers, ensuring all loans are paid in full to the bank account that must have existed prior to March 1 or the relevant date in your country

Ultimately, ask yourself: If this were the bank’s money, or your money, would you let it go if you thought it was not a legitimate application for a loan? A loan that may ultimately be repaid in taxes by our children and grandchildren.

I will end on a positive note, as at the beginning of the pandemic Wells Fargo stated it would not profit from fees earned facilitating the provision of these relief loans and instead give all of the fee income to charities, good causes, and those in need. Thus far, Wells Fargo has generated $400 million in fees. It is anticipated other U.S. banks will follow this lead, and as a U.K. citizen, I hope the accredited lenders here will adopt a similar, commendable approach.