Protecting SBA Business Loans from Fraud

Protecting SBA Business Loans from Fraud

The SBA, a lifeline for many small businesses, is under siege from fraudsters. The urgency of the situation is clear when we see them pouncing on new programs and even disaster funds. A quick scan of Telegram reveals half a million in likely illegal disbursements, just the tip of the iceberg. These fraudsters are adept at bypassing existing systems, a sign that the SBA and lenders security controls need immediate reinforcement to stem the tide of fraud.

Many articles, reports, and posts about past and ongoing fraud exist. It was a colossal failure to allow this much fraud, but one with multiple parties participating. For a review or deeper dive, you can view one of the many studies and reports about SBA fraud:

Instead of delving into all these cases, we will look at actionable recommendations and actual solutions to prevent fraud. If you are interested, there are some fun reads, but many bad actors will never face the consequences since they are out of reach of the U.S. legal system. (PPP Loan Fraud Episode 213 - Kabbage Gets Taken Down: Who's Next? And Uncovering a Scam During a Site Visit | Ep. #9)  Lawmakers and officials are usually at a higher level and unable to see the granular details of fraud committed and unable to think of solutions that should solve it. It has been almost 5 years since the initial fraud wave, and it is time to look at answers instead of exploring the past. Fraud evolves quickly, and bad actors constantly adapt to plan their subsequent money-making schemes.

Education and alerts are not just resources, they are our best defense against fraud. For instance, using wholly fabricated and stolen identities for SBA applications is no longer a straightforward tactic. Many fraud cases now use social engineering and cons to deceive real people into participating in fraud. They know they need to use real identities to submit applications for funds. Sending educational material to the applicant's email, phone, and address can inform them of why they are receiving funds. For the FEMA disaster funds, rigorous identity proofing is done to ensure the right person is applying. However, the government needs to remind the applicant of the purposes of the funds and the consequences of illegal behavior. Simple reminders throughout the process can be a lifeline to previously fooled individuals. For example, many Facebook groups and other social media sources lure people into scams with individuals applying for loans who will default or use their information. (SBA Loan Grant | Facebook) Education and alerts are not just critical, they are our best defense with the highest ROI versus adding more technology tools and processes.

Now, going into some specific actions lenders and the SBA should consider when providing business funds. A few of the below are novel pieces of advice, but they can be cherry-picked across industries to apply best practices to the SBA process. Friction is always deemed a scourge to the process. Still, when dealing with hundreds of thousands to millions of dollars, the individual/business should be able to sacrifice a few hours of their time to deal with additional fraud checks. At the end of the day, taxpayers are fronting most of these services, so it should not take less time to receive large sums of money than it takes to file taxes with the IRS.

First, using some fraud AI models is necessary for an overall risk score. Looking at NIST's latest identity proofing guidelines (https://pages.nist.gov/800-63-4/sp800-63a.html) they finally incorporate that as a best practice. Several other government agencies (DEA / IRS) are following NIST guidelines that should provide a playbook for the SBA, i.e., IAL2 and IAL3, depending on the risk. The SBA can then tailor the requirements and make exceptions to make the process equitable across demographics. The receiving bank is a top signal of fraud. Banks like Chime and Cash App have lower KYC requirements and are associated with higher fraud rates. Many SBA processes rely too much on credit scores and other 3rd party credit data sources. Those can be gamed too easily, and patient fraudsters build up their credit until they can get loans and bust out default. Lenders should collect banking information earlier as more data about an applicant will discover signs of fraud sooner. A vital mindset to change about underwriting and risk reviews is to take a massive data approach and focus on every single bit of data about the business. Look at the employees, website, news, web presence, reviews, social media, locations, email, IPs, phones, device networks, and more to gather if there are any outlier signals. Not all businesses will have the same data, but different profiles can be generated depending on the industry.

Going into detail, the business category has a high factor in fraud rates. For example, default rates of limousine services, electronics, and appliances are extremely high, which should put that business in high-risk categories to review. Fraudsters are attracted to enterprises where laundering and other illegal activity can be masqueraded as legitimate businesses. This is why these specific industries result in high default rates, as they allow for more methods to extract unclawable funds. The SBA fraud also fuels more illegal activities that affect the entire country. Tracking the movement of money and loan funds should also be a high indicator of fraud. If a bank pays a loan and then immediately the business sends it elsewhere that does not look like regular business activity, there needs to be an alert or freeze of transfers.

Next, all identity information should be thoroughly vetted by multiple data sources and even checked against government databases. Hopefully, the SBA will verify data with DMVs and passports with the State Department to verify authenticity. Liveness checks on selfies compared to authoritative sources are critical, too, as we are already at the point where deepfakes can be easily spoofed. Site visits are also not scalable for loans less than $500k, but physical address verification may be required, such as USPS mailings or USPS notary. Also, a cryptographic verification such as an NFC check should be employed for high-value and risk loans for further assurance. The government shies away from doing too many checks for equity purposes, but a dynamic risk system must be protected against multiple fraud attempts. A starting point should be around funding amounts and industry, as those are quick indicators that should not lead to an uprising because of discrimination. Even looking at the top fraud indicators, such as IP and EIN issues, those are trivial methods that could have been investigated and stopped. Duplicate accounts and network graphs of related applicants can find the basic fraud. However, the professionals know how to keep everything separate, and that is where new security techniques should be applied.

Underwriting in the merchant processor space is one industry that has taken advantage of many security tools and technologies. They incorporate people, processes, and technology to keep fraud low while dealing with many businesses with little information. Picking up a phone and calling an applicant is one method, and these days, it could easily be automated with AI agents that can discuss a portion of a loan. Getting a voice recording for identification would likely slash many fraud cases originating internationally. The international schemes are the ones that should be in focus, too, as they are perpetuating fraud with little consequences. Task forces and lawyers can clean up the messes later domestically, but the funnel of new fraud needs to be slowed so that more attention can be put on more prominent cases.

The SBA also must provide better guidance to lenders on the verification requirements. It doesn't make sense that fraudsters on Telegram have more PDFs and guides on how to commit fraud than the SBA has for ID proofing requirements. If defaults keep increasing, there should be a way to clamp down on some fraud. Opening the spigots to smaller loans also increases the risk for the entire system. Identity verification with multiple rules can discover existing fraud and prevent future ones. For example, it is doubtful that lenders and the SBA are going through all past applicants with any common traits of a confirmed fraudster. Multiple strategies should be in place, one at the front door and another at a bouncer that seeks out any common exiting fraud. One ant often leads you back to an entire colony of fraud. If you search the SBA SOPs, there is little guidance, Document search | U.S. Small Business Administration to discover and remediate fraud. The SBA has the opportunity to integrate with other government services for SSN (eCBSV Home | Data Exchange | SSA), IRS Taxes, Login.gov, and more, which could help identify stolen and fake applications. Fraud does not happen with solely one agency, and many fraudsters attack multiple, so network intelligence should be shared by an overseer.

Another gap is why the SBA only sends letters for defaults but should also send them out before or during the funding. (Veteran on the hook for $20,000 SBA loan he never borrowed) They should do everything possible to notify people about loans using automated phone, mail, and email messaging. (IRS asks for taxpayer identity data to corroborate that and make sure the correct person is being notified. Work with telecom carriers to notify subscribers if their name and DOB match a loan.) The lender should also be responsible for this and verify with a 3rd party data source that the applicant is receiving notifications. Countless ways exist for the government to identify people and contact them when they owe taxes, so solutions exist to do the same when the government provides funds. There should also be high-risk trait lists that require high screening, similar to how the TSA has its security procedures for watch lists. The SBA already employs blocklists, but they are prone to being outdated when fraudsters change all the identity data. Even basic KYC would have caught many fraudulent payouts. It doesn't help, though, when insiders are also assisting the scams to proliferate (Former SBA Employee Convicted Of Conspiracy, Bribery, Wire Fraud); likely, these are outliers and similar insider fraud already happens at banks. The entire ecosystem needs a refresher to find the gaps and implement measures to make it more challenging to continue fraud. If Amazon can solve its refunding fraud problem, which is more straightforward than the SBA, it can implement similar controls to clamp down on these practices. Audit trails and continuous performance monitoring of loan defaults traced back to specific employees can help with training opportunities and identify insider threats.

Lastly, no one solution will work for all and be a magical cure. However, different ideas and technologies must be experimented with to determine what works and what doesn't. With AI making fraud easier and quicker to commit, banks and the SBA need a plan to respond with their defense. Waiting until a deposit is sent is too late, as fraudsters have countless ways to extract the funds through untraceable methods. There will always be new methods to bypass underwriting processes, but as seen in the numbers, the banks and government have failed to contain the issue. Rapid solutions should be deployed in different stages of the SBA's loan process, and identity verification is a critical backbone of the entire process that desperately needs a revamp.

Appendix: Research Screenshots of Fraud Groups

Share:
Facebook Twitter LinkedIn

Related posts

Face Search and Dupe Fraud Detection for ID Verification
December 2nd, 2024

NIST IAL3 An Exploratory Solution Using Kiosks to Verify
November 19th, 2024

NIST IAL2 Identity Verification An Updated Review of Requirements
November 15th, 2024

Recent posts

Face Search and Dupe Fraud Detection for ID Verification
December 02, 2024

NIST IAL3 An Exploratory Solution Using Kiosks to Verify
November 19, 2024

NIST IAL2 Identity Verification An Updated Review of Requirements
November 15, 2024

Fortifying Gaps in KYC Defenses
November 08, 2024

How to identify fake employees and candidates?
October 29, 2024

View all