SUMMARY: SBA’s fraud prevention and efficiency efforts are not ad hoc – they are guided by a lattice of laws and policies. Emergency statutes can tilt the balance toward speed (as seen in 2020), whereas oversight laws like PIIA and the directives of OIG/GAO push for stronger controls. SBA must continually adjust within this framework, implementing congressional mandates and GAO/OIG recommendations. The legislative framework ultimately aims to ensure taxpayer funds are protected (through required controls and oversight), and that SBA remains accountable for both outcomes – program effectiveness and integrity. Recent legislative updates, such as extended fraud prosecution windows and proposed funding for fraud enforcement, signal that fraud risk management will remain a top priority expectation for SBA even as it fulfills its mission of supporting small businesses.
SBA’s Overarching Strategies for Fraud Risk Management
To manage these twin priorities, SBA has adopted an overarching fraud risk management strategy that emphasizes prevention, detection, and collaboration – all while streamlining legitimate lending. At a high level, SBA’s approach involves integrating fraud risk controls into each stage of the loan life cycle (from application through forgiveness or repayment) and continuously refining those controls based on emerging threats and past lessons. Several key strategies guide this approach:
- Upfront Screening and Prevention: SBA increasingly focuses on preventing fraudulent loans from ever being approved, rather than relying solely on “pay and chase.” This involves embedding automated screening tools and data checks into application workflows to flag anomalies or ineligible applicants before funds go out. For example, after the initial PPP rollout, SBA quickly added proactive fraud filters so that loans triggering certain red flags would be paused for review. By 2021, SBA had instituted pre-disbursement checks – such as verifying applicant information against the Treasury’s Do Not Pay database and IRS records – for its COVID aid programs to catch identity thieves or fictitious businesses upfront. The agency’s goal is to make fraud detection as real-time as possible, leveraging technology to vet applications at the speed of processing.
- Risk-Based Segmentation: A cornerstone of SBA’s strategy is risk-based lending, meaning not every loan gets the same level of scrutiny. Higher-risk loans or lenders receive enhanced due diligence, while lower-risk cases are fast-tracked, preserving efficiency. During the pandemic, SBA learned to segment applicants – for instance, implementing additional checks for loans over a certain size or second-draw PPP loans that appeared inconsistent with the first draw. In normal programs like 7(a) lending, SBA similarly uses risk-based approaches by delegating much of the process to trusted lending partners for standard cases, but closely monitoring and auditing out-of-pattern activities. The SBA’s Office of Capital Access has reported developing a “Risk Mitigation Framework” that ensures every loan is screened for fraud indicators prior to disbursement, without manual intervention on each one. This framework likely uses scoring models or rule-based engines to differentiate low-risk from high-risk applications, allowing the agency to focus investigative resources where they are most needed. The net effect is to maintain speed for the vast majority of honest borrowers while isolating the relatively few that warrant deeper review.
- Strengthening Core Controls (without undue burden): SBA is also revisiting and reinforcing the fundamental controls in its loan programs. This includes measures like verifying borrower eligibility and identity, requiring supporting documents to substantiate claims (e.g. payroll records for PPP, financial statements for 7(a) loans), and ensuring lenders perform proper due diligence. The agency’s strategy has been to restore traditional controls that were waived in emergencies, but in a smarter way. For example, when reviving income verification in the COVID EIDL program in 2021, SBA did so by pulling IRS tax transcripts electronically to validate self-reported revenues – an approach that deters fraud but is relatively quick for honest applicants who filed truthful taxes. SBA has also expanded the use of identity verification tools to catch synthetic or stolen identities attempting to obtain loans. Importantly, SBA tries to communicate clear guidelines to lenders and borrowers about these requirements, so that legitimate participants understand the process and what documentation is needed, thereby reducing unnecessary delays. The overarching philosophy is “trust, but verify” – enabling fast access based on trust in borrower attestations and lender processes, but verifying key elements to ensure that trust is not being abused.
- Continuous Monitoring and Post-Disbursement Oversight: Even after loans are made, SBA employs strategies to monitor for fraud signs and intervene if necessary. This could include reviewing loan forgiveness applications (for PPP) for inconsistencies, analyzing default patterns in the portfolio to spot potentially fraudulent borrowings, and auditing samples of loans. SBA’s strategy acknowledges that no upfront screen is perfect, so post-disbursement detection serves as a safety net. For instance, SBA has conducted millions of internal loan reviews in the wake of pandemic programs to identify suspicious loans that slipped through, referring over 669,000 loans to the Inspector General for investigation after detecting potential fraud through data analytics and manual review. While such “after the fact” efforts represent the chase part of “pay and chase,” they are crucial to claw back funds and hold perpetrators accountable, thus deterring future fraud. At the same time, SBA is working to minimize the need for such extensive after-the-fact action by improving upfront prevention.
- Cross-Agency Collaboration and Information Sharing: Recognizing that it cannot tackle systemic fraud alone, SBA’s strategy heavily features partnerships with oversight bodies and other agencies (covered more later). At the strategic level, SBA established a Fraud Risk Management Board (FRMB) in 2022 to coordinate anti-fraud efforts across the agency and serve as a central governance structure. This board brings together experts internally to design agency-wide fraud policies and ensure consistent application of controls. Externally, SBA coordinates with the Department of Justice (DOJ), the Pandemic Response Accountability Committee (PRAC), the Secret Service, and others to exchange data on fraud schemes and actors. By feeding intelligence from law enforcement back into its risk models (e.g. known stolen identities or IP addresses used in scams), SBA can strengthen its front-end filters without broadly hampering legitimate users. This collaborative strategy underscores that fraud prevention is an all-of-government endeavor, and SBA leverages broader federal resources and data to augment its own capabilities.
Overall, these strategies reflect an understanding that fraud risk management must be embedded into SBA’s program DNA, not treated as an afterthought. The agency’s high-level game plan is to be proactive (prevent fraud upfront), smartly targeted (focus on risk hot spots), and collaborative (working with partners), all while refining processes to keep loans flowing efficiently to honest entrepreneurs.
Legislative and Regulatory Frameworks Guiding Fraud-Fighting Efforts
SBA’s efforts to combat fraud and expedite legitimate lending operate within a framework of laws, regulations, and official guidance. Key legislative and regulatory mandates provide both the authority and the guardrails for SBA’s actions in this arena. Understanding these frameworks is essential, as they often shape the balance SBA must strike between speed and control:
- The Small Business Act and Program Regulations: The foundation is the Small Business Act (Public Law 85-536, as amended) and associated regulations (primarily Title 13 of the Code of Federal Regulations). These establish SBA’s loan programs (7(a) business loans, 504 loans, disaster loans, microloans, etc.) and typically include requirements aimed at preventing misuse. For example, SBA regulations require that 7(a) loan applicants be small business concerns as defined by SBA size standards, and that lenders certify borrower eligibility and creditworthiness. These rules create a framework where lenders must collect certain information and certifications from borrowers – a first line of defense against fraud. Program Standard Operating Procedures (SOPs) further detail the documentation and verification steps lenders should follow. Prior to the pandemic, these longstanding controls (like requiring proof of business operations, personal guarantees on certain loans, “credit elsewhere” tests to ensure SBA is lender of last resort) helped contain fraud in traditional programs. During the pandemic, some of these were statutorily waived for speed; now, SBA is largely returning to these baseline regulatory controls and reinforcing them to ensure only eligible, truthful borrowers benefit.
- CARES Act and Emergency Relief Legislation: In crisis situations, Congress itself dictated the balance between speed and verification. The CARES Act of 2020, which created the PPP and expanded disaster loans, explicitly instructed SBA to streamline aid delivery – for instance, by requiring lenders to accept borrower self-certifications for PPP loan eligibility and forgiveness. The law also waived the typical SBA requirement to check that a borrower couldn’t get credit elsewhere, and it relaxed verification of collateral and personal guarantees for EIDL. These legislative decisions were pivotal in accelerating aid, effectively trading off some fraud control in favor of speed. Subsequent relief bills (such as the Paycheck Protection Program and Health Care Enhancement Act, the Economic Aid Act of December 2020, and the American Rescue Plan Act of 2021) introduced tweaks – for example, adding a second-draw PPP with stricter eligibility criteria (requiring a documented revenue loss) and allocating funds for audit and fraud detection purposes. They also established oversight mechanisms, like the Special Inspector General for Pandemic Recovery (SIGPR) and the PRAC, to monitor fraud and misuse. In essence, Congress set the initial parameters of fraud tolerance in these programs, then later supported efforts to tighten controls as issues surfaced. For SBA, this meant initially following a legal mandate to push money out quickly (with limited vetting) and then pivoting to implement new measures once authorized and funded.
- Fraud Reduction & Data Analytics Act (FRDAA) and Payment Integrity Information Act (PIIA): Outside of specific programs, SBA is subject to government-wide integrity laws. The Fraud Reduction and Data Analytics Act of 2015 (subsequently built upon by the PIIA of 2019) requires agencies to adopt a fraud risk framework and develop controls to identify and combat fraud. OMB guidance under this act (and Circular A-123) compels agencies to perform fraud risk assessments, implement antifraud strategies, and report on fraud reduction progress. SBA has embraced the GAO’s Fraud Risk Framework as part of compliance – for example, standing up the Fraud Risk Management Board to oversee fraud risk assessments and strategies. Under PIIA, SBA must annually report on improper payments in its programs (improper payments include payments made due to fraud or error) and show it is working to reduce them. SBA’s large pandemic programs temporarily caused compliance challenges with PIIA, as estimating improper payment rates proved difficult amid evolving data. However, SBA has since been implementing corrective actions – such as quality assurance sampling and better tracking of program data – to meet these statutory requirements. The overarching effect of these laws is to formalize SBA’s fraud prevention efforts and ensure agency leadership prioritizes program integrity alongside program delivery.
- Inspector General Act and Oversight Bodies: The Inspector General Act of 1978 establishes an independent Office of Inspector General at SBA, which is a crucial component of the fraud prevention framework. The SBA OIG conducts audits, evaluations, and investigations, and makes recommendations to strengthen controls. By law, SBA must respond to OIG recommendations and often implement changes based on them. For instance, OIG audits of PPP and EIDL throughout 2020–2022 identified weaknesses (like insufficient eligibility verification, and lack of controls to track loan agents who might facilitate fraud). In response, SBA has had to tighten oversight of lenders and agents, and integrate verification steps such as using the Do Not Pay system more broadly. OIG’s annual report of Top Management Challenges also guides SBA’s priorities; in FY2025, OIG flagged fraud risk management and lender oversight as continuing challenges, pushing SBA to fully integrate fraud checks in all programs. Additionally, Congress has held oversight hearings – for example, reviewing SBA’s Office of Capital Access – reinforcing through public forums the expectation that SBA improve its fraud controls without unduly hampering lending. This external oversight framework effectively holds SBA accountable and often spurs legislative adjustments when needed (such as extending the statute of limitations for pandemic fraud to 10 years, via legislation in 2022, to give authorities more time to prosecute fraudsters).
- Interagency Task Forces and Enforcement Initiatives: From a regulatory perspective, SBA also participates in executive branch initiatives focused on fraud. In May 2021, the DOJ launched the COVID-19 Fraud Enforcement Task Force, bringing together agencies (including SBA) to enhance detection and prosecution of pandemic-related fraud. While not a law, this kind of initiative forms a collaborative framework that influences SBA’s internal protocols – for example, by encouraging data sharing with DOJ and joint investigative efforts. Similarly, SBA supports the DOJ’s Chief Pandemic Fraud Prosecutor and related enforcement drives, aligning its internal fraud referral processes to feed these efforts. Such collaboration is often underpinned by memoranda of understanding and aligns with broader regulatory goals like anti-money laundering compliance (banks administering SBA loans must file suspicious activity reports under Treasury/FinCEN regulations, which in turn assist SBA and law enforcement in identifying fraud patterns).