Takeaways

Legal and compliance teams should be alert for the obligations organizations will assume through their acceptance of CARES Act relief.
Failure to have adequate controls may expose the company to investigations, public scrutiny, fines, and both civil and criminal penalties.

On March 27, 2020, Congress enacted the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), a $2.2 trillion stimulus package designed to address the widespread economic disruptions caused by the COVID-19 pandemic by establishing lending programs: (i) Paycheck Protection Program, (ii) an expanded version of the Economic Injury Disaster Loan Program, and (iii) the Main Street Lending Program (collectively, the “SBA and Treasury Loan Programs”). Businesses taking advantage of the financial relief being distributed should do so thoughtfully and set up systems to address the commitments being made and avoid unintended consequences.

Legal and compliance teams should be alert for the obligations organizations will assume through their acceptance of CARES Act relief, including documented proper use of loan proceeds in accordance with the applicable regulations. A chart outlining some of these obligations is included in this alert. Anticipating the heightened risk of fraud and abuse due to government funds being distributed quickly, the CARES Act established several oversight bodies including the Special Inspector General for Pandemic Recovery, the Pandemic Response Accountability Committee and a Congressional Oversight Commission. In addition, normal oversight bodies, including the U.S. Department of Justice and the Government Accountability Office, have indicated that they will prioritize investigation and oversight of federally backed loans.

The SBA and Treasury loans come with a variety of specific obligations and use restrictions outlined below for which existing compliance programs should be updated to address. Companies should assess their program and compliance controls in anticipation of questions and reporting obligations regarding their use of federal funds to document their compliance with these obligations as well as the company’s compliance with other legal and regulatory requirements. Borrowers should review their overall compliance programs to establish or confirm documented controls adequate to ensure overall good corporate stewardship to prevent fraud and abuse throughout the organization.

Following the 2008 financial crisis, government distributed stimulus funds under the Troubled Asset Relief Program (TARP) were subject to similar oversight overseen by Neil M. Barofsky, the Special Inspector General for TARP (SIGTARP), and Elizabeth Warren, Chair of the Congressional Oversight Program, both of whom conducted thorough investigations that were the subject of significant public attention. As will be true with respect to CARES relief, companies were subject to reporting, audit and numerous DOJ and Congressional Investigations. Corporate missteps for violating the terms and limitations of TARP or other transgressions were publicly reported and investigated. From its establishment in 2008 through September 2019, SIGTARP investigations for fraud and misconduct relating to TARP payments resulted in the government recovering $11 billion from recipients and bringing over 400 criminal charges against individuals. The investigations (and in many cases criminal convictions) have ranged widely from expected mortgage fraud cases, corruption investigations relating to the distribution of stimulus money and investigations into company’s executive compensation to money laundering investigations and securities violations and even investigations into decisions by General Motors and Chrysler to eliminate dealerships. These investigations have also been subject to numerous Congressional reports, hearings and investigations. Failure to have adequate controls may expose the company to investigations, public scrutiny, fines and penalties

Corporations can avoid missteps that will result in these types of pitfalls by taking steps now. All corporate actions and decision making could be subject to examination and scrutiny for companies that receive a public “bailout,” and businesses should implement internal compliance and fiscal controls to prevent fraud, abuse and improper activities. Companies must also take steps to understand and incorporate the limitations and obligations arising from the CARES Act stimulus into these controls.

A compliance program to establish these important controls should meet the standards established by the U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs. This would include:

  • A code of conduct and policies and procedures to document the company’s requirements and expectations. It is important to document policies and expectations to ensure compliance with the terms and requirements of the SBA and Treasury Loan Programs and the company’s overall standards and commitment to good public stewardship. Newly documented policies should encompass policies relating to the impact of COVID-19, the need for the loan, and controls to implement the use of proceeds and corporate obligations and commitments.
  • Risk assessment processes that fulsomely identify and evaluate the legal and compliance risks that the company faces, including the design and effectiveness of the company’s controls to confirm their sufficiency to mitigate the legal and compliance risks the company faces, including all the new risks raised by the COVID-19 pandemic, SBA commitments and any reopening conditions that the company faces.
  • Training and communication to integrate company policies and procedures into the organization, including through periodic training and certification for all directors, officers, relevant employees and, where appropriate, agents and business partners. Training and communications should address all new commitments and policies.
  • Confidential reporting and investigation process by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies or suspected or actual misconduct. Government whistleblowers often attempt to address their complaints though internal compliance processes, and it is important to have strong internal processes to properly identify, investigate and address any internal allegations of misconduct.
  • Third-party vendor compliance programs, including due diligence and contractual protections to prevent third-party partners, including the agents, consultants and distributors being used to conceal misconduct, such as the payment of bribes or other fraud and abuse.
  • Documented commitment from senior management. Starting with a strong tone from the top, messaging to employees is vital to demonstrate a company’s commitment to preventing fraud and abuse.
  • Adequately resourced legal and compliance team with sufficient autonomy to run an effective compliance program.
  • Incentives and discipline to enforce the compliance program consistently across the organization.
  • Monitoring and testing to review the effectiveness of the compliance program.
  • Investigations of any allegations or suspicions of misconduct by the company, its employees or agent.
  • Analysis and remediation of issues identified.

Companies that have or are considering CARES Act funding should ask themselves a couple key questions:

  • Do you have an adequately resourced and fulsome compliance program addressing your company’s current legal and compliance risks, including fiscal controls, anti-corruption risks, vendor management, etc.?
  • Is that program subject to regular updating and testing to regularly integrate new requirements and test its effectiveness to address new challenges?
  • How do you establish, within that program or a new program, adequate controls, policies and procedures for the new requirements your organization faces for both CARES Act loan obligations and reopening conditions imposed by the government? Have you discussed and documented the need for the loan and put in place controls to ensure loan proceeds are used on permitted uses, loan obligations are met and adequate records are maintained for required certifications and reporting?
  • Do all relevant stakeholders, including the Board, employees and third-party business partners, understand their legal and compliance obligations and know to whom they should report issues that may arise?
  • How should you plan to communicate and train relevant stakeholders regarding the company’s new and existing legal and compliance obligations to emphasize the need for compliance with new requirements and the vital nature of preserving the company’s corporate culture and good image in these challenging times?

Asking these questions can help to define the work you have ahead. Consider an assessment of your program and the current risks. Creation of an effective compliance program that addresses all legal and regulatory risks can help avoid some of the missteps that companies made after receiving TARP relief and help preserve your company legally and reputationally through this crisis and beyond, reducing the possibility of resulting liabilities.

For more information, please reach out to your regular Pillsbury contact or the authors of this client alert.


Pillsbury’s experienced multidisciplinary COVID-19 Task Force is closely monitoring the global threat of COVID-19 and providing real-time advice across industry sectors, drawing on the firm’s capabilities in crisis management, employment law, insurance recovery, real estate, supply chain management, cybersecurity, corporate and contracts law and other areas to provide critical guidance to clients in an urgent and quickly evolving situation. For more thought leadership on this rapidly developing topic, please visit our COVID-19 (Coronavirus) Resource Center.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.