On March 18th, the ACAMS Carolinas Chapter hosted a virtual meeting to discuss trends and strategies for investigating COVID-19 fraud. The panel provided industry insights and discussed the rise of various frauds associated with the Payment Protection Plan (PPP), Economic Injury Disaster Loans (EIDL), unemployment claims, money mules and other fraud typologies tied to the pandemic. The meeting was moderated by Megan Hodge, Executive Compliance Director and BSA Officer for Ally Financial. Megan was joined by a panel of industry leaders including Anne Archer, FIU Fraud Risk Manager at Atlantic Union Bank, Evan Campanella, Supervisory Special Agent with the Transnational Cyber Crimes team within Homeland Security Investigations (HSI), Jim Dinkins, President of Thomson Reuters Special Services, LLC (TRSS) and Tyler Reynolds, Senior Director of Enterprise Financial Crimes at US Bank. The meeting was sponsored by Thomson Reuters Special Services, LLC.
Scope, Intelligence Insights
Jim Dinkins opened the meeting with insights into some of the early analysis TRSS performed in collaboration with HSI shortly after the passage of the CARES Act on March 27th 2020. As the pandemic began to rage across the globe, The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law and provides $2.2 trillion dollars to support businesses, individuals and certain government organizations negatively impacted by the virus. The $953 billion dollar Paycheck Protection Program was created through the CARES Act and establishes a forgivable loan program to help certain businesses maintain its operations during the economic shutdown.
Realizing fraudsters never sleep, TRSS began researching newly formed companies and quickly found 80 companies with ‘COVID’ in the name. These companies were associated with 120 beneficial owners (BOs). TRSS conducted negative news searches on the BOs and found 17 with criminal arrests or healthcare sanctions for committing fraud. Following the trail, TRSS proactively combed new corporate filings and found over 228,000 newly formed companies. TRSS conducted negative news searches and compiled these findings plus specific data points (company addresses, unique phone numbers, and URLs) and provided this data to Evan Campanella at HSI.
HSI combined bulk data (4.7 million records) provided by the Small Business Administration (SBA) with TRSS’s data and shipped it off to HSI’s Innovation Lab for analysis. HSI describes The Innovation Lab as “a centralized hub for the development of new advanced analytics capabilities, tools and enhanced business processes for HSI.” A two-week analysis of the data uncovered the following:
· 40 PPP applicants were name matches
· 86 PPP applicants were address matches
· 77 EIDL applicants were name matches
· 169 EIDL applicants were address matches
Evan went on to describe a $16 million dollar fraud case involving seven (7) individuals and 45 fraudulently funded PPP loan applications (80 total applications). Red flags included a lack of business presence (website, residential business address, lack of customers), falsified payroll documents and unsigned IRS forms. HSI agents seized over $3 million in PPP funds, a home, and several exotic vehicles.
PPP/EIDL Fraud
Megan then turned the conversation to PPP and EIDL fraud. Recognizing banks now have extended experience with these loans as well as an understanding of the loan risks and monies flowing through our institutions, Megan asked the panel where banks should focus their attention. Anne Archer acknowledged that banks are being forced to learn as they go, reiterated many of the risks Evan and Jim noted, and indicated Atlantic Union Bank focused its efforts on training employees to recognize red flags and altered documents during loan applications. The panel noted that customers are experiencing higher levels of identity theft and spoke to examples of customers seeking PPP loan forgiveness only to find out they have other non-client initiated EIDL loans. The panel discussed the importance of keeping up with changes to the SBA PPP rules and establishing/focusing on relationships with peer banks, industry groups, and law enforcement. Tyler Reynolds reiterated that the cornerstone of a good AML program is constant communication and a feedback loop with law enforcement which allows banks to focus their limited resources. Following the right channels to share information with law enforcement can lead to faster seizure warrants and often save the financial institutions and the taxpayer significant money. Several red flags were identified by the panel following a PPP fraud example including:
· A sense of urgency by a client to fund a loan;
· Inactive corporate status;
· No observed payroll expenses;
· Low balances with little to no activity pre and post-funding;
· Quickly pulling funds out at ATMs or moving money via payment apps like Zelle or CashApp.
· Funds transferred into personal accounts followed by travel or luxury purchases
The panel discussed the early challenges banks faced when returning fraudulent funds to the SBA but noted the SBA has since provided clear return instructions.
Unemployment Fraud
Evan started this segment by noting the Document and Benefits fraud section of HSI investigates Unemployment Insurance (UI) fraud and that during the pandemic UI claims skyrocketed. Between March 21st, 2020, and August 1st, 2020, 51.2 million new initial claims were filed across the states compared to 4.3 million over the same time frame in 2019. Jim Dinkins acknowledged that historically, unemployment fraud is low. However, given the additional benefits provided under the stimulus package ($300/week), organized, global fraud organizations sought to defraud states of these funds. Monitoring teams at TRSS uncovered published schemes on the dark web outlining how to defraud states (state by state) of unemployment funds. Common red flags include multiple UI claims tied to one client or address, accounts receiving out-of-state UI funds, and claims initiated from foreign IP addresses across various countries. Typically, the fraudulent funds are quickly followed by high-velocity transactions to move the money outside the financial institution which creates difficulties getting the money back to the government.
Money Mule Activity
The conversation then switched to Money mule activity and Anne noted it is on the rise based on a convergence of multiple fraud schemes and a highly vulnerable population due to the current environment. As a reminder, a money mule is someone, witting or unwitting, who transfers illicit funds on behalf of someone else. Money mule activity is commonly linked to work from home and romance schemes. During the pandemic, fraudsters are engaging customers that may be isolated and in need of additional income in get-rich-quick schemes. For example, fraudsters ask clients to receive out-of-state cash deposits, UI or EIDL funds into their accounts (not in their name) with instructions to quickly move the money out of the bank via wires, cash, etc. for a fee. It is the same targeted approach but now tied to government monies.
Other Fraudulent Activity
From a law enforcement perspective, Evan notes that HSI is seeing a rise in COVID-related fraud associated with personal protective equipment (PPE) and fake vaccine purchases. Evan notes that criminals are creating fake websites intended to outright defraud customers and governments seeking to purchase PPE and vaccines or in an effort to steal identities by using fake links and malware. Evan notes the same criminals conducting COVID fraud are also engaged in other frauds too (lottery, work from home, romance, etc.).
In April of 2020, HSI launched Operation Stolen Promise to investigate COVID-19 related fraud and criminal activity. Within the website (https://www.ice.gov/topics/operation-stolen-promise), there is downloadable documentation tied to COVID-19 red flags and related documents.
The session ended with the panelist sharing key takeaways that will aid in identifying and dealing with COVID fraud such as establishing partnerships with law enforcement and other financial institutions as well as educating your staff and sharing available government resources with clients so they make better decisions in this period of increased fraudulent activity.