When Congress created the Troubled Asset Relief Program to help rescue financial institutions during the 2008 financial crisis, it also established the office of the Special Inspector General for the TARP to make sure the $700 billion initially committed to the program was being disbursed and used properly.
In the years that followed, SIGTARP became one of the most dogged oversight agencies in Washington, landing criminal convictions of 381 people and recovering $11 billion as a result of its investigations, including those arising from fraud, insider trading, obstruction of justice and more. Its enforcement work continues today, more than a decade later.
If history is any guide, the passage of the multi-trillion dollar CARES Act will trigger a wave of audits and investigations focused on businesses and individuals who may have inappropriately tapped into these stimulus funds.
Like SIGTARP, the CARES Act created an office of the Special Inspector General for Pandemic Recovery. The substantial amount of taxpayer money already appropriated for the pandemic response with more likely to follow, together with the processes in place to disburse these funds, creates an attractive environment in which fraud and other financial crimes can flourish. As a result, any business seeking or receiving CARES funding should be prepared for government scrutiny.
The CARES Act grants SIGPR the authority to “conduct, supervise, and coordinate audits and investigations of the making, purchase, management, and sale of loans, loan guarantees, and other investments made by the Secretary of the Treasury” under Title IV of the act. This will include not only direct loans and grants made by the Secretary of the Treasury, but also programs in which the Department of the Treasury has made investments, such as Main Street Lending Programs and other capital markets programs, administered by the Federal Reserve.
The president has nominated Brian Miller, a former inspector general for the General Services Administration, to head SIGPR, which will have the same authority as any other inspector general, including the power to issue subpoenas and make referrals for prosecution to the Department of Justice.
The SIGPR will not be the only oversight body looking after the use of taxpayer funds. Traditional government investigators, such as the FBI and dozens of inspectors general across the federal government, will continue to be vigilant for this kind of fraud. In addition, the newly formed Pandemic Response Accountability Committee, which is made up of 21 inspectors general from a variety of government bodies, will most certainly use its authority and $80 million budget to aggressively audit and investigate the disbursement, receipt and use of funds under the act.
The Executive Branch will be joined by Congress in exercising oversight, with the newly established Congressional Oversight Commission, which will oversee the US Treasury and the Federal Reserve in their implementation of the CARES Act, as well as traditional oversight committees in both the House of Representatives and the Senate. In fact, Congressional investigations into businesses’ pandemic response have already begun in earnest, including, for example, the scrutiny of certain businesses that have received SBA Paycheck Protection Program payments.
While any company doing business with or receiving funds from the government should ensure robust compliance with applicable laws and regulations, the flood of stimulus money in response to the coronavirus pandemic, along with the new oversight authorities and funding, demands an even stricter compliance focus and framework from businesses. Here are a few key measures of diligence for businesses to keep in mind:
Ensure representations are accurate and supported. While the initial tranche of some loans has been exhausted, last week the president signed a bill providing nearly $500 billion more in federal stimulus, including for the Small Business Loan program. One of the more common charges resulting from oversight of such programs is making a false statement to the government, which is a felony. Whoever signs or submits a business’ application for CARES Act assistance is certifying to its accuracy. Neither the signer nor the business should simply rely on data provided by others. Demand the underlying documents and test the accuracy of the data as a basic measure of due diligence in verifying information and of whether the business satisfies the act’s statutory and regulatory requirements. For example, have you confirmed the size of the monthly payroll or number of employees, and the names of all business owners, individual or corporate, with a 20 percent or more equity interest?
Create policies and controls. When the money arrives in a company’s bank account, what happens next? How will the money be spent, who will make those decisions, and what are the controls and oversight in place to verify and document those decisions? The administration of any spending program needs policies and active controls to ensure a business is clear about what kind of spending is permissible and what is not. The CARES Act has very specific requirements for how stimulus dollars can be used, and sloppiness – or worse – could result in civil or criminal penalties. Building policies and active internal controls around these requirements is critical, as is making sure there is one person or small group responsible and accountable for these important compliance activities.
Conduct training. Policies are only effective if employees and managers know what is expected of them. Develop a comprehensive training program so those responsible for CARES Act-related activities know the rules of the road and abide by them.
Keep good records. Acting appropriately is only one part of a strong compliance program. Businesses should centrally and safely maintain records demonstrating appropriate due diligence and compliance, including in filling out applications and in spending stimulus dollars. Such records should include underlying support for representations made to the government, any interpretations or analysis by counsel (appropriately marked as privileged), and an audit trail of how funds were spent. As part of its record-keeping, a business should create a list of CARES Act requirements and obligations, specifically demonstrating how it has complied with each of those obligations. It is always good practice to retain a backup of the documentation and to place such documentation in your records retention program.
Identify issues and act on them. CARES Act implementation, updated regulations, loan processing, disbursements and spending are all moving at breakneck speed. Businesses may discover issues or problems in connection with their application, receipt or spending of stimulus dollars after the fact. This is not something to be ignored or glossed over. Conduct an internal review of what happened, what the breakdown was, correct any internal process failures, and consider self-disclosure and other remedial measures as appropriate. These are often complex, fact-intensive inquiries that require careful consideration with experienced advisors.
Monitor enforcement trends and guidance. Enforcement of CARES Act-related activities will be fast-moving. Monitoring these trends will help businesses refine and adjust their compliance programs to ensure they are abiding by the letter of the law and making adjustments as the regulatory landscape continues to evolve.
The country and the world will persevere through this crisis. But the impact of the government’s oversight of the extraordinary economic steps taken will continue to be felt for years—and investigations and enforcement actions by the SIGPR will be front and center.