May 7, 2020 - On May 5, the Department of Justice announced its first criminal fraud charges related to funds obtained under the $2.2 trillion federal relief program established by the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).1 The DOJ charged two individuals in the District of Rhode Island, alleging that they had filed fraudulent bank loan applications for more than $500,000 in forgivable loans guaranteed by the Small Business Administration under the CARES Act Paycheck Protection Program (“PPP”). The DOJ alleged that in order to obtain the loans, the individuals falsely represented that they had dozens of wage-earning employees at four different companies, which they did not actually own or were defunct.

This action makes clear that the DOJ will prioritize the prosecution of such allegedly blatant acts of fraud by recipients of CARES Act funds. If CARES Act oversight is anything like that applied to the 2008 Troubled Asset Relief Program (“TARP”) or recent large-scale disaster relief efforts—and every indication suggests that it will be—we will likely see investigations into fraud and misuse of CARES Act funds continue for years after the funds are disbursed. Moreover, as discussed below, even well-intentioned companies could face enforcement actions related to their participation in the CARES Act stimulus program. A business applying for or utilizing CARES Act funds, either directly or indirectly, should exercise caution and take proactive measures appropriate to the organization’s size and complexity to mitigate the enforcement risks.

Potential Missteps

The 880-page CARES Act is a complicated piece of legislation.2  In addition to PPP loans for small businesses and non-profits, it offers loans to medium-sized businesses through its Main Street Lending Program, loans to large companies through the Treasury Department, and economic relief programs for specific industries, such as the commercial airline industry.3 Congress fast-tracked passage of the CARES Act, and federal agencies have attempted to implement many of its programs in less than a month. Some of its requirements are vague and susceptible to subjective judgments, and agency guidance provided to date has been inconsistent.  

Indeed, the first few weeks of the disbursement process for CARES Act loans were marked by confusion. As has been widely reported, when the CARES Act funds initially became available, hundreds of public companies, seemingly acting in good faith, obtained emergency PPP loans that Congress apparently intended for private small businesses.  Although these companies purportedly met the minimum requirements for obtaining the PPP loans, the disbursements to well-known, brand-name recipients caused a public outcry. The Treasury Department reacted with regulatory guidance advising that PPP loans were not intended for public companies that can raise money through the capital markets.4  The guidance also cautioned that some borrowers may have falsely certified that their loans were “necessary to support the ongoing operations of the Applicant.” The Treasury Department gave borrowers that might have made false certifications until May 7, since extended to May 14, to repay the funds in full or face potential penalties.5  It also announced that it would not forgive (per the forgiveness provisions of the CARES Act) any PPP loan over $2 million without first conducting a compliance audit.6   

Compounding these difficulties, companies have had to move quickly to secure CARES Act funds needed to continue operations or forestall unpaid furloughs. The intersection of these two factors creates circumstances ripe for mistakes. There are several scenarios in which a company attempting to navigate this difficult environment could find itself under investigation for fraud or misuse of CARES Act funds. These include, but are certainly not limited to:

  • applying for and receiving a loan or grant for which the company is, in fact, ineligible;
  • applying for and receiving more money than the company is eligible for;
  • making false statements or false certifications in its application for CARES Act funds; and
  • violating CARES Act restrictions on use of funds that were otherwise properly obtained.

Oversight Agencies

The federal government’s intention to monitor and enforce compliance with the requirements of the CARES Act is clear from the oversight bodies it has established specifically for this role.

  • The Special Inspector General for Pandemic Recovery (“SIGPR”):  The SIGPR is responsible for conducting, supervising, and coordinating audits and investigations of loans, grants, and other investments made by the Department of the Treasury under the CARES Act. The SIGPR has subpoena power and can refer matters to the DOJ for civil or criminal enforcement. On April 6, 2020, President Trump nominated Brian Miller, previously Inspector General of the General Services Administration, to serve as the SIGPR.
  • The Pandemic Response Accountability Committee (“PRAC”):  PRAC is empowered to detect fraud and abuse that “cut[s] across program and agency boundaries.”  PRAC is tasked with assisting and supporting inspectors general in the oversight of disbursements from all four phases of the federal coronavirus relief program.7   PRAC has authority to conduct investigations through both subpoenas and by holding public hearings. Like SIGPR, it can refer matters to the DOJ for criminal and civil investigation. PRAC is not a stand-alone organization, but rather a committee of the Council of the Inspectors General on Integrity and Efficiency, itself an independent entity comprising the 75 statutorily created federal Inspectors General. As of this writing, the Acting Chair of PRAC is Michael Horowitz, Inspector General of the Department of Justice.
  • The Congressional Oversight Commission:  COC has oversight authority for the implementation of stimulus packages by the Department of the Treasury and the Federal Reserve. It has authority to hold hearings, take testimony, receive evidence and issue reports. COC will expire at the end of fiscal year 2025. COC consists of five members selected by the majority and minority leadership from both houses of Congress. The current members of COC are Senator Pat Toomey (R-PA), Bharat Ramamurti (D),8  Rep. Donna Shalala (D-FL), and Rep. French Hill (R-AR); the chair of COC is currently empty.

In addition to these newly established enforcement bodies, other agencies, including the DOJ, the Securities and Exchange Commission, the Internal Revenue Service, and the traditional House and Senate oversight committees, will also likely pursue investigations of misconduct related to the CARES Act. As noted above, the DOJ has already begun prosecuting fraud in connection with the application for CARES Act funds.

Compliance Tips and Measures

Companies availing themselves of CARES Act funds should be conscientious in both the application process and the use of the funds. At a minimum, in proportion to their size and complexity, companies should:

  • Exercise diligence in the applications process:  False statements made in the loan application process are likely to be the source of significant enforcement related to the CARES Act.  Today, enforcement bodies might not target companies for honest or apparently minor mistakes due to the difficulty of following vague statutory mandates and confusing regulatory guidance.  However, in coming years, enforcement bodies may be less lenient when scrutinizing a company’s loan application. As such, companies must exercise diligence to ensure that all statements made in the application process are accurate, supported by documentation, and that the documentation is retained. Among other things, large companies with multi-tiered reporting structures should consider requiring the employees involved in the process to acknowledge that the information is true and accurate to the best of their knowledge. Or such companies might utilize a cascading certification process similar to that used by public companies pursuant to the Sarbanes-Oxley Act.  
  • Establish policies and controls regarding how all CARES Act funds are spent: It is critical that companies establish a policy regarding how funds received through the CARES Act will be spent, document how the funds are actually spent, and clearly establish who will be responsible for making the spending decisions. A company that ultimately faces audit or investigation will fare significantly better if it has created and maintained a clear document trail regarding how it apportioned the funds. 
  • Provide appropriate training: The CARES Act is new ground for everyone.  Small business owners need to be familiar with the program’s statutory and regulatory requirements. At larger and more complex organizations, formal training on these topics should be provided to individuals tasked with applying for funds or making spending decisions. A company that fails to take proactive measures to provide necessary training runs a significant risk that an ill-informed and untrained employee will make a critical mistake. 
  • Keep proper records: Audits and investigations may continue for years after all of the CARES Act funds have been disbursed, and with the passage of time it will become increasingly difficult for employees to recall how and why decisions were made. Therefore, companies should retain documents for all aspects of securing and spending CARES Act funds, including documents that: (i) substantiate representations made to obtain the funds; (ii) record how the funds were spent; (iii) memorialize how decisions were made, including decisions regarding complex issues of CARES Act interpretation; and (iv) document steps taken to assure compliance with all CARES Act requirements.
  • Respond appropriately if compliance issues arise:  If a company learns of a potential violation, it should respond swiftly by conducting an internal investigation appropriate to its size to determine exactly what happened, who was involved, and what evidence must be preserved. Only after obtaining this information can the company engage in a thoughtful analysis as to whether to self-report a violation. In any event, the company should take remedial measures in response to its findings, including by correcting any identified process failures. 


Congress is currently debating the merits of implementing a fifth phase of significant financial relief and economic stimulus. If anything is certain, it is that if a fifth phase is enacted, it will be as complicated as the CARES Act and as fraught with uncertainty as to its terms, requirements and procedures. That is all the more reason to have sound compliance procedures in place.

Click here to go to our COVID-19 Resource Center for more advisories, articles and other content related to the coronavirus pandemic.


1    “Two Charged in Rhode Island with Stimulus Fraud,” available at 

2  Coronavirus Aid, Relief, and Economic Security Act, Pub.L. 116–136 (2020).

3  Under the CARES Act, the PPP loans and Main Street Lending Program loans are submitted to and approved by private lenders, who in turn submit them to the Treasury Department.  Loans to large companies are arranged directly with the Treasury Department.

4  Department of Treasury, “Paycheck Protection Program Loans: Frequently Asked Questions,” FAQ 31 (published April 23, 2020), available at

5  Id., FAQ 43 (published May 5, 2020).

6  Id., FAQ 39 (published April 29, 2020).

7  Each phase was instituted by an act of Congress.  The first was the Coronavirus Preparedness and Response Supplemental Appropriations Act, Pub.L. 116–123 (2020).  The second was the Families First Coronavirus Response Act, Pub.L. 116–127 (2020).  The third was the CARES Act. The fourth was the Paycheck Protection Program and Health Care Enhancement Act, Pub.L. 116–139 (2020).

8  Mr. Ramamurti is an attorney and political advisor; he not a member of Congress. Committee members are not required to be members of Congress.