Payroll Protection Program and the Bank Secrecy Act: Balancing Aid to Small Businesses with Financial Crime Risks

20 min read

For further information, please visit the White & Case Coronavirus Resource Center.

In implementing the Paycheck Protection Program, the Small Business Administration has issued instructions concerning compliance with the anti-money laundering requirements of the Bank Secrecy Act. While the SBA's goals may be laudable, its instructions have injected confusion into an already complex process and apparently led some lenders to balk at issuing loans to new, as opposed to preexisting, borrowers. As discussed below, swift action by the US Treasury Department could provide much needed clarity and relief.



On Friday, March 27, 2020, the President signed the Coronavirus Aid, Relief, and Economic Security Act ("CARES Act") into law. The Cares Act provides for $2.2 trillion in emergency aid to ease the financial impact of the COVID-19 pandemic, including $349 billion for new, partially forgivable small business loans to cover, among other things, certain payroll costs, mortgage interests, rent and utilities payments (the PPP). As the program's name implies, PPP loans are designed to provide cash to small businesses, including sole proprietors and independent contractors.

The Small Business Administration ("SBA"), which administers the PPP, published an interim final rule1 on April 2, 2020, outlining specific requirements for borrowers and lenders under the program. As part of its requirements for lenders, the SBA provided instructions regarding compliance with the Bank Secrecy Act ("BSA") in connection with PPP loans.

First, the SBA indicated that all PPP-approved lenders must comply with their existing BSA requirements, signalling that while expediting loans is absolutely critical, lenders must still be cognizant of and account for financial crime risks. Second, the SBA indicated that lenders need not re-verify existing customers under applicable BSA requirements. That this indication came from the SBA is unusual, as Congress granted the US Treasury Secretary the authority to administer the BSA, and the Secretary has delegated that authority to the Financial Crimes Enforcement Network ("FinCEN"). While it is clear that the US Treasury Department was deeply involved in the SBA's rulemaking and has taken a position that it will abide by the guidance provided by the SBA,2 typically, for lenders to rely on the type of relief identified in the SBA's interim final rule, the US Treasury Department must grant the relief itself. Third, the SBA requires lenders that are not otherwise subject to the BSA to adopt anti-money laundering ("AML") compliance programs equivalent to those of comparable, federally regulated financial institutions in order to participate in the PPP.

As noted below, FinCEN and the US Treasury Department have provided some additional guidance on the application of the BSA to PPP loans, but given concerns from the industry, they should consider additional guidance and relief.


Complying with Existing BSA Requirements

In discussing the BSA obligations of SBA-approved lenders for the PPP, the SBA first reminds federally insured depository institutions and federally insured credit unions that they should continue to follow their existing BSA policies and procedures when making PPP loans. This reminder serves as confirmation that, while the PPP encourages lenders to issue loans expeditiously, the SBA does not want them to do so at the expense of other policy interests, such as preventing fraud. PPP lenders should look to FinCEN's March 16, 2020 guidance,3 which warns financial institutions to remain alert to several scams that FinCEN had observed from public and BSA reporting, including Imposter Scams, Investment Scams, Product Scams, and Insider Trading.


Re-Verification of Existing Customers Not Required

SBA Relief

In an apparent attempt to streamline the process of originating PPP loans, the SBA's interim final rule provides that: "PPP loans for existing customers will not require reverification under applicable BSA requirements, unless otherwise indicated by the institution's risk-based approach to BSA compliance." However, "re-verification" is not a term commonly used with regards to BSA compliance, and the term "verification" only refers to two obligations: the duty to verify the identities of (1) a covered financial institution's customers (the Customer Identification Program ("CIP") requirement)4 and (2) the beneficial owners of a covered financial institution's legal entity customers (the beneficial ownership ("BO") requirement).5 The SBA does not indicate to which requirement this relief should be directed, referring simply to "applicable BSA requirements." Nevertheless, it appears more likely that the relief applies to the BO requirement because the CIP obligation only applies with regards to a "customer," and the regulations do not include persons with an existing account with the bank as "customers" for purposes of the CIP obligation.6

Assuming the relief applies only to the BO requirements, it does not achieve much. FinCEN has already provided some relief allowing financial institutions to rely on and not re-verify identifying information of the beneficial owners of their legal entity customers if they already have collected that information to fulfill either the CIP or BO requirements, provided the customer certifies that the previous information is up-to-date and accurate.7Although some financial institutions are wary of the re-certification requirement, this concern is not necessarily addressed in the SBA's interim final rule.

This attempt to streamline PPP loan origination by the SBA is laudable, but it is not particularly effective and, in any event, may not actually provide any relief to financial institutions. The SBA does not have any authority to administer the BSA, though it is clear that the SBA has been working closely with the US Treasury. That authority is reserved for the US Treasury Secretary, whom Congress tasked with promulgating the regulations implementing the BSA and who has the authority to grant exemptions from the requirements of the BSA.8

US Treasury Guidance

Subsequent to the SBA's interim final rule, the US Treasury Department put its imprimatur on the relief suggested by the SBA. On April 3, 2020, FinCEN published a notice9 that copies the SBA's proposed relief word-for-word, which at least makes the relief actionable by financial institutions, but does not resolve the concerns discussed above. However, a few days later, on April 6, 2020, the US Treasury Department amended its Frequently Asked Questions document regarding the PPP to clarify and expand upon the relief:10

Question: Are PPP loans for existing customers considered new accounts for FinCEN Rule CDD purposes? Are lenders required to collect, certify, or verify beneficial ownership information in accordance with the rule requirements for existing customers?

Answer: If the PPP loan is being made to an existing customer and the necessary information was previously verified, you do not need to re-verify the information.

Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender's risk-based approach to BSA compliance.

US Treasury's guidance expands on the proposed relief in a helpful way by expanding the relief from collecting and verifying BO information to those situations where a financial institution has not yet collected such information because the customer has not yet opened a new account, such that the new account opening triggers the collection requirement. While indeed helpful, it may also represent a missed opportunity to ease BSA requirements that may meaningfully interfere with the timely origination of PPP loans.11 As discussed below, US Treasury could frame more expansive relief.


Equivalent AML Compliance Programs

The SBA interim final rule also requires approved lenders not already covered by the BSA to implement AML compliance programs that are equivalent to that of a comparable federally regulated institution. Such lenders could include private banks, non-federally insured credit unions, certain trust companies, business development companies ("BDCs"), other direct lending funds, or on-line marketplace lenders, as examples.

Many of these institutions already have some sort of AML compliance program in place to comply with state banking or licensure requirements, but for those that do not, it may be difficult to identify the type of federally regulated institution to which it is most comparable. For some non-federally-regulated institutions, such as private banks, non-federally-insured credit unions, and certain trust companies, it seems clear that the most comparable institution would be a federally regulated bank. However, for BDCs and other direct lenders or online marketplace lenders, there may be other comparable institutions, including banks, brokers or dealers of securities, and even money transmitters. In fact, many BDCs are already affiliated with brokers or dealers of securities and may find those affiliates to be a comparable federally regulated institution that can serve as a template for appropriate AML programs.

Comparable Institutions

There are some significant differences between the AML compliance program requirements applicable to banks and brokers or dealers in securities as opposed to those applicable to money transmitters. For example, banks and brokers or dealers in securities are subject to customer CIP, BO, and specific customer due diligence obligations to which a money transmitter and other money services businesses are not subject.

In all cases, it appears that the SBA may expect approved lenders to identify and report certain suspicious activities to FinCEN. While most of the types of entities for PPP participation are identified as "financial institutions" for the purposes of the BSA12 and its Suspicious Activity Report ("SAR") requirement, there may be some lenders, possibly including certain on-line marketplace lenders, who are not defined as "financial institutions" and are therefore not subject to the SAR requirement. Such lenders could voluntarily file SARs, but it is an open question as to whether they would be protected from liability for disclosing such information to the government under the SAR safe harbor.13

Other Issues

The SBA also leaves open the question of whether non-federally-regulated lenders must comply with other aspects of the BSA to which comparable financial institutions may be subject, such as certain recordkeeping or registration requirements. It is also unclear how the SBA will enforce this requirement. A PPP lender is only required to self-certify that "it is in compliance and will maintain compliance with all applicable requirements" of the PPP.14 Moreover, the SBA does not appear to have the authority, capability, or capacity to supervise such lenders' compliance with the BSA.


Exceptive Relief from Beneficial Ownership Requirements

Because US Treasury did not provide any explanations when it granted the relief from BO requirements, we do not know the premise of this relief and whether it could be extended in any way. However, there are two likely mechanisms that US Treasury could use to justify this relief: (1) narrowly defining the term "account" to exclude PPP loans or (2) granting exceptive relief after balancing all of the relevant policy interests.

Definitional Exclusions

US Treasury may be defining the term "account" for the purposes of BSA obligations to exclude PPP loans. The relief US Treasury provides is consistent with current obligations under the BO requirements, if the PPP loan were not considered to be an account that would otherwise trigger a financial institution's responsibility to collect, verify, and certify information regarding the identities of a legal entity customer's beneficial owners. In general, the BO regulation does not require financial institutions to collect such BO information on legal entity customers who opened their accounts before the compliance date of the rule, but requires the financial institution to collect the information when the legal entity opens an account after the rule's compliance date. By not requiring a financial institution to update the BO information of an existing customer who has not otherwise opened a new account after the compliance date of the rule, US Treasury, effectively, does not treat a PPP loan as an "account" for the purposes of BSA obligations.

Exceptive Relief

If US Treasury does not treat a PPP loan as a new account for purposes of BSA obligations, then it would follow that a financial institution would not be required to collect BO information regarding entities receiving PPP loans, regardless of whether they are existing customers. Like BO requirements, CIP requirements are triggered by the opening of an account. If the definition of account is re-defined to exclude PPP relationships, then, by extension, CIP requirements would not apply to PPP loans.

Given that such an interpretation by US Treasury of the definition of "account" would be inconsistent with the black letter definition of the term in the BSA regulations,15 it is unlikely that US Treasury could practically redefine the term outside of a formal rulemaking by US Treasury. It would therefore make more sense that US Treasury's guidance is based on its exceptive relief authority.

The authority to make exceptions or exemptions from BSA requirements is broad. According to the rule authorizing such things: "Such exceptions or exemptions may be conditional or unconditional, may apply to particular persons or to classes of persons, and may apply to particular transactions or classes of transactions. They shall, however, be applicable only as expressly Stated [sic] in the order of authorization, and they shall be revocable in the sole discretion of the Secretary."16 The regulatory text provides little else in the way of explanation as to how such exceptions or exemptions should be made.

From a practical perspective, however, US Treasury—through FinCEN as the delegated administrator of the BSA—provides exceptions to BSA obligations by balancing various interests, including the extent of the money laundering risk, the information available to law enforcement, the costs to industry, and the public interest. In applying this analysis to the application of BO requirements to PPP loans, a compelling case could be made to completely exempt PPP loans from the BO requirements.

Money Laundering Risk

The rationale for transparency in BO is the prevention of bad actors who could otherwise use certain types of legal entities, such as shell companies, to move illicit proceeds without connecting the transaction to its ultimate beneficiary. The PPP, as designed, mitigates some of those concerns by17:

  1. Restricting funding to the payment of payroll expenses, which must be documented. This not only indicates that the borrower is an operating entity and not a shell company, but restricts the purposes for which funds can be used. Both limit the opportunity and desirability of this program to launder funds. On the other side of the transaction, there is clear transparency about the source of funds for these loans, which is through a program guaranteed by the government.
  2. Requiring entity borrowers to attest to any owners with a 20% or greater ownership interest in the entity borrower, which provides some level of transparency into who the beneficial owners are.

Moreover, the fraud risks associated with the PPP would likely lie with misrepresentations as to a borrower's eligibility for the program or the values of the borrower's eligible expenses, neither of which would be addressed by compliance with the BO requirement.

Additionally, even if we address the fraud risk described by FinCEN's March 16, 2020, alert discussed above, which would not appear to be mitigated by the collection of BO information, the PPP appears to represent only a modest AML risk.

Information to Law Enforcement

Currently, law enforcement agencies are able to request the identity and certain identifying information (name, date of birth, address, and tax ID number) from certain financial institutions regarding any individual with at least a 25% equity ownership in a legal entity customer of the financial institution, as well as the same information regarding an individual that exercises day to day control over the legal entity customer. Financial institutions are only required to verify that the identifying information about the beneficial owners is accurate by examining certain proofs of identity. Financial institutions, however, are not required to verify that an individual is actually a beneficial owner.

The SBA borrower application requires the borrower to identify 20% or greater equity owners of the borrower and include some information, including name, address, and tax ID number, regarding persons (not individuals) who own 20% or more of the equity of the borrower. Therefore, it would appear that law enforcement would lose some information about beneficial owners, particularly those individuals who beneficially own interests in a borrower through a complex corporate ownership structure, if the PPP requirements did not include BO obligations. Additionally, BO information about an individual that controls the day-to-day operations of the borrower may be lost, though at least some information about an "authorized representative" of the borrower will be contained on the PPP Borrower Application Form. Finally, the identifying information provided under the PPP loan application process will not be verified to the same extent it would under the BO obligations. However, the current BO requirement is already recognized to be imperfect and dependent on customer representation, so it is not clear to what extent that any information lost by not requiring the information collection under the BO obligation will substantially disrupt law enforcement activities.

Cost to Industry

As noted, many of the types of financial institutions that the SBA authorizes to originate PPP loans are already subject to an obligation to collect BO information of legal entity customers. The types of borrowers that are eligible for the PPP are not so unique that financial institutions systems would not be able to account for them. Therefore, financial institutions might not face additional costs to upgrade their systems to collect the BO information. However, the reverse may be true; the volume of applications for PPP loans, given the demand created by the COVID-19 pandemic, may create a challenge for many financial institutions that could significantly escalate the BO compliance costs associated with PPP loans. These costs would be on top of other BSA compliance costs, including due diligence to understand the nature and purpose of the accounts and ongoing monitoring for suspicious activity and potential changes the customer's beneficial ownership.

Other Policy Interests

It is clear that the government's interest in providing funds to distressed employers to ensure they are capable of weathering the current crisis without compromising the long-term prospects of the economy is substantial and immediate. It is also clear that the government is willing to act quickly to ensure that working Americans will have access to a paycheck during this unique and, hopefully, temporary economic disruption. It is equally clear that the government accepts that some of these funds will be lost to fraud or other criminality as a necessary cost of providing this type of funding on an emergency basis. The government is not ignoring the fraud risk, and as noted above, it has warned financial institutions to guard against fraudulent transactions, but the controlling policy objective for the PPP must be to streamline the loan origination process as much as possible to disburse funds to borrowers quickly, while maintaining risk conscious controls against money laundering.


While the US Treasury Department has created some relief from BO requirements for existing customers of a financial institution that are seeking a PPP loan, a balancing of the various interests that form the bases for BSA requirements suggests that broader relief, to exclude all PPP loans from the requirement to collect BO information regardless of whether a borrower is an existing customer, appears to be appropriate.

Other Considerations

Similar relief from CIP requirements does not necessarily follow the same analysis. The CIP requirements to identify and verify the identities of customers more clearly protect against some of the types of fraud previously identified by FinCEN, and consequently it may be less appropriate to loosen such requirements at this time. That said, the CIP regulations already contemplate that a bank may, on a risk basis, verify the identity of a customer within a reasonable amount of time after the account is open.18 If a bank does delay verification of a customer's identity on a risk basis, the bank should document its approach in its policies and procedures. Furthermore, in its April 3, 2020 notice, FinCEN appears to be open to some flexibility in a financial institution's reasonable approach to managing its risk, recognizing that "a risk-based approach taken by financial institutions may result in reasonable delays in compliance." Notably, the Office of the Comptroller of the Currency agreed with this approach: "When evaluating a bank's BSA compliance program, the OCC will consider the actions taken by banks to protect and assist employees, customers, and others in response to the COVID-19 pandemic, including any reasonable delays in BSA report filings, beneficial ownership verification or re-verification requirements, and other risk management processes. Banks are encouraged to contact their examiners if they anticipate delays."19



In rolling out its framework for PPP loans, the SBA attempted to balance its primary goal of getting funds to small businesses quickly against the need to maintain safeguards in the financial system against money laundering and other financial crimes. In so doing, the BSA has potentially become an unnecessary obstacle to the timely origination of these critical loans -- at least to new customers -- and may be frustrating the legislative purpose of the PPP, a source of consternation for the government, lenders and borrowers. US Treasury should act quickly to provide financial institutions relief from some BSA requirements to ensure that financial institutions can process the loans of all those that require them. This issue is not likely to dissipate as lending will necessarily continue to be used as a vital tool to support the economy, with Congress now discussing a subsequent round of appropriations to add additional funds for PPP lending.


This article was originally published on Bloomberg Law on April 16, 2020.

Click here to download 'Payroll Protection Program and the Bank Secrecy Act: Balancing Aid to Small Businesses with Financial Crime Risks' PDF.


1 "Business Loan Program Temporary Changes; Paycheck Protection Program," Interim Final Rule, Docket No. SBA-2020-0015, Small Business Administration, Apr. 2, 2020, at
2 "Paycheck Protection Program Frequently Asked Questions (FAQs)," Financial Crimes Enforcement Network, updated Apr. 13, 2020, at
3 "The Financial Crimes Enforcement Network (FinCEN) Encourages Financial Institutions to Communicate Concerns Related to the Coronavirus Disease 2019 (COVID-19) and to Remain Alert to Related Illicit Financial Activity," Financial Crimes Enforcement Network, Mar. 16, 2020, at
4 For example, the CIP requirement for banks is found at 31 CFR §1020.220.
5 31 CFR §1010.230.
6 31 CFR §1020.100(c)(2)(iii).
7 See, Questions 7 and 10, "Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions," FIN_2018-G001, Financial Crimes Enforcement Network, Apr. 3, 2018, at
8 See, 31 U.S.C. §5318(a)(7). The Secretary further delegated their authority to administer the BSA to the Director of FinCEN in Treasury Order 180-01, at
9 "The Financial Crimes Enforcement Network Provides Further Information to Financial Institutions in Response to the Coronavirus Disease 2019 (COVID-19) Pandemic," Financial Crimes Enforcement Network, Apr. 3, 2020, at
10 "Paycheck Protection Program Loans; Frequently Asked Questions (FAQs)," US Department of the Treasury, updated on Apr. 8, 2020, Question 18, at
11 Treasury provided further guidance on Apr. 13, 2020, by adding Question 25 to the FAQs, copied at FinCEN's FAQs, (supra note 2), but the additional guidance does not otherwise appear to meaningfully expand the relief previously granted.
12 See, 31 U.S.C. §5312(a)(2).
13 See, 31 U.S.C. §5318(g)(3)(A).
14 "1102 Lender Agreement," Small Business Administration, Apr. 3, 2020, at
15 See, 31 CFR §1020.100(a).
16 31 CFR §1010.970(a).
17 See, "Paycheck Protection Program; Borrower Application," Small Business Administration, Apr. 3, 2020, at
18 See, 31 CFR §1020.220(a)(2)(ii).
19 "Bank Secrecy Act/Anti-Money Laundering: OCC Supports FinCEN's Regulatory Relief and Risk-Based Approach for Financial Institution Compliance in Response to COVID-19," OCC Bulletin 2020-34, Office of the Comptroller of the Currency, Apr. 7, 2020, at


Find out more about business response to the Coronavirus outbreak:
Coronavirus: Managing business impact and legal risks


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP