Door Opens to Non-Traditional SBA Lenders’ Participation in SBA’s Paycheck Protection Program

April 9, 2020

On March 27, 2020, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) into law. As we described in a previous alert, the law provides more than US$2 trillion in emergency economic relief to individuals and businesses affected by the coronavirus through numerous new stimulus and aid programs, including, among other things, an expansion of Small Business Administration (SBA) lending through the Paycheck Protection Program (PPP), described in our prior alert. The PPP allows approved lenders to make loans to small businesses, which will be 100% guaranteed by SBA in exchange for fees in the following amounts: 5% for loans up to US$350,000, 3% for loans between US$350,000 and US$2 million, and 1% for loans at or about US$2 million. Lenders are entitled to rely on the representations of the borrower in determining the eligibility for and amount of the loan, and SBA will hold lenders harmless for borrowers’ failure to comply with PPP criteria.

New Categories of SBA Lenders

SBA’s initial PPP Rules, effective April 3, 2020, open the door to lenders not previously eligible to participate in SBA’s loan programs. In an effort to increase the availability and processing speed for PPP loans, non-federally insured banks, credit unions, bank service providers, and loan and finance companies may now issue PPP loans, if eligible under these rules. This includes “[a]ny depository or non-depository financing provider that originates, maintains, and services business loans or other commercial financial receivables and participation interests” that:

  • maintains a formal compliance program;
  • has been operating since at least February 15, 2019 and either:
    • has originated, maintained, and serviced more than US$50 million in business loans or other commercial financial receivable during a consecutive 12 month period in the past 36 months, or
    • is a service provider to any depository institution that has a contract to support that institution’s lending services and is in good standing with the appropriate federal banking agency, if applicable; and
  • complies with the Bank Secrecy Act (BSA) requirements applicable to the company or an “equivalent federally regulated financial institution.”

The application for non-banks and non-insured depository institutions to become PPP lenders was issued by the Department of the Treasury on April 9, 2020. Beyond the BSA obligations, the application includes the following provisions:

  • Lenders will process and approve covered loans under delegated authority from SBA.
  • Lenders assume all obligations, responsibilities, and requirements associated with delegated processing of covered loans made under the PPP.
  • Lenders are responsible, to the extent set forth in the PPP Loan Program Requirements, for all decisions concerning the eligibility (including size) of a borrower for a covered loan.
  • Lenders may issue a covered loan approved under PPP procedures without prior SBA review and approval of the processing and underwriting of the loan by executing a PPP Authorization.

Lenders Must Meet BSA Obligations

For non-insured depository institutions not currently regulated by the federal government under the BSA, issuing PPP loans may require quick implementation of BSA programs that would apply to “equivalent federally regulated financial institution[s],” namely banks. The only loan and finance companies currently covered by the BSA are residential mortgage lenders and originators (“RMLOs”). Accordingly, non-bank loan and finance companies would likely have to apply the same BSA requirements as RMLOs.

To meet the BSA requirements of their bank and RMLO counterparts, these new SBA lenders will have to establish the following elements of a BSA program: an anti-money laundering (AML) program, suspicious transactions and large-dollar currency transactions reporting to the federal government, and procedures for maintaining records of transactions and borrowers.

AML Program

  • Adopt written policies, procedures, and internal controls related to lending activity, including to identify and monitor high-risk loan accounts.
    • PPP lenders should assess the risk of a loan based on the size of the loan, the type of entity (e.g., sole proprietorship, LLC, corporation, etc.), the borrower’s industry, in-person application vs. non-in-person application, and whether the lender has a pre-existing relationship with the borrower (i.e., an established or non-established customer).
    • Based on this assessment of risk, PPP lenders should apply enhanced scrutiny to those loans and borrowers that it determines are higher risk.
  • Designate a compliance officer to ensure the program is implemented effectively and updated as necessary. The compliance officer should have sufficient understanding of the BSA and the illicit finance risks associated with lending activity.
  • Provide for ongoing training of appropriate personnel, executives, and board members on their responsibilities under the program; training should commence immediately and then be updated on an annual basis going forward.
  • Implement independent testing of the program by a third party or employee of the company; annual testing will likely be sufficient for PPP lenders.

Suspicious Activity Reporting

These entities should also prepare to file Suspicious Activity Reports (SARs) and implement procedures to ensure that the filings are kept confidential:

  • SARs must be filed for “suspicious transactions” over US$5,000 in currency or other assets that the lender knows or has reason to suspect involve funds derived from illegal activity or intended to hide or conceal assets derived from illegal activity, are designed to evade BSA requirements, or have “no business or apparent lawful purpose” or are “not the sort in which the particular [borrower] would normally be expected to engage.”
  • SBA’s Interim Final Regulations require lenders to collect information from borrowers sufficient to establish their eligibility for PPP loans such as payroll processor records, payroll tax filings, Form 1099-MISC or income and expenses from a sole proprietorship, or, if such documents are not available, bank records sufficient to demonstrate the qualifying payroll amount.
  • Regarding this documentation, lenders should be alert for the following “red flags” that may indicate suspicious activity:
    • Borrower’s business clearly ineligible to receive PPP funding due to its size;
    • Borrower’s business has insufficient documentation to prove it was in operation prior to Feb. 15, 2020;
    • Borrower’s business appears to have been dormant for an unreasonable length of time before application;
    • Borrower is unable to provide necessary information regarding the business’s operations or its ownership structure;
    • Borrower’s document payroll information is unreasonable for a business of its size or industry;
    • Borrower’s supporting documents appear altered;
    • Borrower attempts to obtain funding for multiple related businesses; and
    • Borrower acts a representative of multiple persons as a financial agent and requests a “finder’s fee.”
  • In addition, the Financial Crimes Enforcement Network (FinCEN) has identified the following “red flags” that may indicate disaster relief funds are being used for suspicious activity: deposits of multiple emergency assistance checks into the same account, cashing of multiple emergency assistance checks by the same individual, payments from a business to an individual other than the accountholder, or opening of a new account with emergency assistance checks.

Additional Requirements for Non-Insured Depository Institutions

In addition to the above requirements, non-insured depository institutions will have to implement additional measures that apply to banks. Specifically, they will need to establish customer identification programs (CIP), apply risk-based procedures to conduct due diligence on borrowers, and identify the beneficial owners of legal entity borrowers.

Beneficial Ownership and Risk-Based Customer Due Diligence

Non-insured depository institutions will have to maintain written procedures designed to conduct customer due diligence (CDD) and identify and verify the beneficial owners of legal entity borrowers, such as corporations, limited liability companies, and general partnerships. While these procedures should be commensurate with the risk of the lender’s products, services, and customers, at a minimum the procedures should:

  • Provide the lender an understanding of the nature and purpose of the loan including the intended use of the loan funds, the borrower’s line of business, and the borrower’s intent to seek loan forgiveness;
  • Enable the lender to develop a borrower risk profile including by assessing the risk of the borrower’s line of business, the line of business of the borrower’s ownership, and the business’s historical financial and media profile;
  • Establish processes for conducting ongoing due diligence including events that would require updating due diligence and collecting additional information on the borrower. Lenders should consider whether additional due diligence is necessary when the borrower requests loan forgiveness.

Subject to certain exceptions, when a new account is opened by a legal entity (e.g., the lender enters into an enforceable agreement to provide a loan to the borrower), the lender must identify and verify the entity’s beneficial owners. While the BSA only requires institutions to identify beneficial owners of 25% or more, the PPP loan application requests information on owners of 20% or more of the borrower. Therefore, a lender should identify beneficial owners including any individual who directly or indirectly owns 20% or more of the borrower’s equity interests and individuals with significant responsibility to control manager or direct the borrower (e.g., a chief executive officer, chief financial officer, president, or managing member). The lender must also take certain steps to document this process and retain the identification records for five years after the account has been closed and retain verification records for five years after those records are made. Lenders may rely on a completed certification form from the individual authorized to sign on behalf of the borrower for purposes of identifying beneficial owners, provided that the lender has no knowledge of facts that would call into question the individual’s veracity.

Customer Identification Program

Non-insured depository institutions will need to establish a CIP. A CIP is intended to enable an institution to form a reasonable belief that it knows the identity of each customer that opens an account. The CIP should be appropriate for the entity’s size and business and include the following minimum requirements:

  • For individuals, lenders should collect: name, date of birth, address, and identification number.
  • For PPP loans to businesses, lenders should additionally consider the following additional information: articles of incorporation, identification of all authorized signers, business license, and state registration or certification of incorporation.
  • In the alternative, lenders can rely on identification and verification conducted by a federally-insured depository institution or federally-insured credit union with an established CIP as part of its AML program.


While the PPP provides excellent opportunities for lenders to support small and local businesses while taking advantage of government assistance, new and current lenders should ensure they have strong policies in place to guard against money laundering and comply with the BSA. Lenders should also be mindful of the potential enforcement risks from regulators and law enforcement discussed in our prior client alert.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Laurel Loomis Rimon, an O’Melveny partner licensed to practice law in California and the District of Columbia, Mary Pat Dwyer, an O’Melveny counsel licensed to practice law in the District of Columbia and Pennsylvania, and Braddock Stevenson, an O’Melveny counsel licensed to practice law in New Jersey and New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2020 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.