The Coronavirus Business Interruption Loan Scheme (CBILS) and Bounce Back Loan Scheme (BBLS) have proven to be critical in helping many businesses stay afloat, and have seen c.£38 billion provided to 1.3 million businesses to date.

Yet, in recent weeks, there has been increasing press coverage concerning the rise in fraud committed by people abusing these schemes. As loan applications are largely reliant on self-certification and processed in an emergency, individuals and participants in organised crime have seized the opportunity to access funds with ease, on the basis that normal lending checks were loosened. The specific risks that amount from this include synthetic identity fraud, first party fraud and mule and money laundering activities. The full scale of the fraud may not be known for some time, however, losses are estimated to exceed averages between 0.5% and 5% - and the UK National Audit Office has recently said that the Government face a potential loss somewhere between £15 and £26 billion.

As banks begin considering the collection and recovery of these loans, many are now dealing with the ramifications of having applied less stringent Know Your Customer (KYC) checks to meet compressed government timelines and pressure to get funds to desperate businesses. In order to recoup the money from the government, banks need to have a proper system to avoid fraud in the first place. As the BBLS have recently been extended, it is prudent to consider whether:

• A robust application process is in place to identify potential fraud early on and subsequently throughout the lifecycle, or
• Remedial activity is required, checking for fraud and ensuring the right people have received the funds.

Fraud risks related to BBLs are not new risks per se (application fraud and identity theft, for example, are well known threats to the industry). However, due to the emergency of the scheme, and the fact that fraud and financial crime teams may be been under more operational pressure due to the pandemic, these risks are more likely to materialise.

The Financial Conduct Authority stated that they expected banks to maintain compliance with money laundering regulations. For existing customers, where a bank has already carried appropriate due diligence before an application has been received, they may not need to do further checks. However, if the bank has received flags or alerts suggesting that the customer poses a higher risk, further checks will be required. The decision makers will need to focus on three key areas; technology and automation, process and quality control, and people.

From the outset, banks have been unable to prevent duplicate applications. However, technology can be used to undertake a retrospective due diligence process. Technology can be used to automate the process of scanning, and it can cross reference documentation to flag duplicates, triggering when further intervention is required. This detects those who are committing fraud by recruiting multiple people to set up fake companies and bank accounts to launder the cash. This technology can be implemented for ongoing onboarding activities, by using analytics and commercial datasets to complete a remote ID verification using machine learning, thereby reducing the need for the physical transfer of documents.

Setting up the right end-to-end processes at scale is a challenge that a lot of businesses have had to deal with. This has been made difficult by a remote working environment with the inherent data security threats. Banks must ensure that their teams are connected and not working in siloes, so that onboarding teams have the correct insights and training in order to swiftly identify attempted fraud from further down the line.

Banks can strengthen their governance processes by putting quality control checks in place within key interactions with their customers, ensuring that the customer contact strategy includes verification that the funds have been delivered to the correct parties.

There have been several instances of misuse of funds reported in the press. Mortgage lenders have seen BBLs being used to purchase properties and motor lenders have reported examples of company directors using the schemes to upgrade their cars. In these circumstances, there are several indicators to use to identify these potential fraud risk early on; such as misstatement of business performance at the date of application, misstatement of turnover to falsely inflate value of the loan and/or receipt of more than one loan per permissible business group.

It is currently unclear if the detection of self-declaration fraud forms part of normal fraud checks and would invalidate government indemnification. However, recovery of funds from the Government following the default of BBLs and CIBLs could rely on evidence that lending was made in accordance with the schemes’ guidelines, and that the lenders had controls in place to prevent fraud from occurring. 

Operations are already stretched beyond capacity due to processing extended payment holidays, additional product requirements and the collections process. There is limited resource available to conduct remedial and ongoing fraud, cyber security, Customer Due Diligence (CDD) and KYC checks at scale in this current climate.

Through a managed service approach, adding teams with specific expertise can help deliver consistent service. Leveraging experienced, quality-focused third parties means enabling banks to overcome these demand challenges. KPMG Managed Services has been supporting clients throughout COVID-19 across onboarding, KYC and CDD and fraud-related activities at scale. With over 2,500 analysts at our disposal, we’ve been able to scale rapidly and execute alongside our technology accelerators and our fraud and forensic subject matter experts. 

With increased media and regulatory scrutiny, there is no room for lapses. With the right expertise, external support can play a very important role. To discuss how KPMG can help your business tackle this challenge, please contact Richard Parsons, Director KPMG Managed Services.