As all lenders know by now, the Coronavirus Aid, Relief, and Economic Security Act’s (“CARES Act”) guaranteed Paycheck Protection Program (“PPP”) loans are the key piece of economic relief for small businesses during the COVID-19 crisis. Yet, in the rush to get those loans flowing into the economy, the Small Business Administration (“SBA”) issued an interim regulation that raises substantial unanswered questions about participating lenders’ compliance policies. Business Loan Program Temporary Changes; Paycheck Protection Program (proposed Apr. 2, 2010) (to be codified at 13 C.F.R. pt. 120). Those questions are starkly different yet similarly important for banks and other traditional lending institutions accustomed to operating under the Bank Secrecy Act (“BSA”) and those nonbank lenders who have never been under the BSA’s purview.

Banks and other traditional lending institutions already have AML (Anti-Money Laundering) and KYC (Know Your Customer) policies in place. For them, the SBA’s interim regulation seems, at first glance, like nothing earthshattering; it simply requires these lenders “to follow their existing BSA protocols.” In this crisis, though, nothing is as it always was. The urgency of getting these loans approved plus the importance of social distancing makes verifying the applicant’s information no easy task. Although the SBA’s regulation says that “PPP loans for existing customers will not require re-verification under applicable BSA requirements, unless otherwise indicated by the institution’s risk-based approach to BSA compliance,” the question arises whether a PPP loan application for an existing customer is considered a new account for FinCEN Customer Due Diligence (“CDD”) Rule purposes. Fortunately, the SBA and the Treasury Department issued revised FAQs addressing that question and explaining that, for PPP loans to existing customers, lenders do not have to re-verify information that had been previously provided and verified and do not even have to collect and verify missing information in the first instance “unless otherwise indicated by the lender’s risk-based approach to BSA compliance.” Paycheck Protection Program Loans Frequently Asked Questions (FAQs) (Apr. 8, 2010). We expect the final SBA regulation to be updated to reflect this important clarification.

For nonbank lenders that have not been subject to the BSA, the interim regulation requires these lenders to “establish an anti-money laundering (AML) compliance program equivalent to that of a comparable federally regulated institution,” which “[d]epending upon the comparable federally regulated institution,… may include a customer identification program.” What is clear is that these nonbank lenders will have to establish some sort of AML and (probably) KYC policy in order to participate in PPP loans. What is unclear is how elaborate those policies need to be, especially given how quickly they would have to be designed and implemented in order to join this emergency program. That problem is compounded by the BSA’s broad definition of “financial institution,” which includes a wide variety of different financial entities, making it difficult for nonbank lenders to determine which type of “financial institution” they should be modeling their new policies after. Unless the SBA provides additional guidance on how to determine the appropriate comparable institution, crafting the best AML and KYC policy for each nonbank lender might turn more on its already existing procedures and what is reasonably possible to implement on an expedited timeline.