If you haven’t already, you could soon be hearing from your commercial borrowers complaining about the large number of calls from the Inspector General inquiring about their PPP and EIDL loans. Even if you didn’t originate these loans, it would be a good idea to notify your borrowers that the statute of limitations on fraud-related PPP and EIDL originations has been extended.

And importantly, a Special Prosecutor has been appointed to punish pandemic-related fraud, including PPP fraud, as the President promised in his State of the Union address last March.

Because of all this, your borrowers should retain their COVID-related files for at least 10 years now. Here’s why:

The recently enacted PPP and Bank Fraud Enforcement and Harmonization Act of 2022 and the COVID-19 EIDL Fraud Statute of Limitations Act of 2022, * together have extended the statute of limitations on fraud enforcement related to PPP and EIDL to 10 years. SBA had been advising borrowers to retain their files for six years because that was the previous term of the statute of limitations.

We all remember why the PPP was established in the first place: loans intended to assist small businesses with meeting payroll costs and other business expenses, offering full loan forgiveness if loan proceeds were spent for these purposes.

Keep this not-so-little factoid in your memory bank: During its relatively short life, the PPP made as many loans as SBA normally makes in three decades! To meet the demand, SBA recruited thousands of new lenders, including non-bank fintech lenders. The Agency’s controls were insufficient to meet the challenge of handling that many loans and it provided no checks on businesses that spent too much of their PPP loan proceeds on non-PPP-eligible costs. This raised the possibility of fraud in the PPP origination process.

So far, the Inspector General has identified nearly 71,000 potentially fraudulent loans. Of these, 75% involved fintech lenders although they accounted for only 15% of all PPP loans. Bank fraud has a 10-year statute of limitations but since fintechs are not banks, they aren’t governed by the bank fraud statute. Instead, fintech-originated frauds have been prosecuted as wire fraud, which has only a 5-year statute of limitations. The new law provides for a 10-year statute of limitations for all COVID-related fraud, whether bank-originated or fintech-originated. That’s the “harmonization” part of the Act.

The volume of cases is what led to the appointment of a Special Prosecutor. Armed with a longer statute of limitations and additional prosecutorial authority, it makes sense that your borrowers are receiving more requests for information on their PPP loans than ever before.

So, yes, your borrowers should keep their COVID-related records for at least 10 years. That way they will be able to respond to the government’s requests for information expeditiously. And importantly, they’ll be better able to focus on their businesses.

 We’re headed to NAGGL, October 24-26. At JRB, we’ll soon be off to Colorado Springs, Colorado for NAGGL’s Annual Conference. This always cutting edge conference gives all of us an opportunity to get the latest information in issues affecting our industry from congressional, SBA, and industry leaders. Not to mention the great networking. If you’re attending NAGGL in person, stop by our booth. We’re looking forward to seeing you!

Richard Jeffrey
Senior Associate
Head Underwriter

*On August 5, 2022 President Joe Biden signed into law the PPP and Bank Fraud Enforcement Harmonization Act and the COVID-19 EIDL Fraud Statute of Limitations Act of 2022. These two[bipartisan] bills would extend the statute of limitations for certain fraud cases involving the Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (EIDL) program. Ref. U.S. House Committee on Small Business.

Ref. U.S. House Committee on Small Business; PPP and Bank Fraud Enforcement Harmonization Act of 2022, H. Rpt. 117-328; Washington: Government Printing Office, 2022.