While the Small Business Administration (SBA) implemented several layers of controls to prevent foreign entities from perpetrating fraud within the agency’s COVID-19 Economic Injury Disaster Loan (EIDL) application system, some individuals with foreign-based IP addresses were still able to access the system.
That’s the top-line news from a September 12 report from the SBA Office of Inspector General (OIG) which looks at possible sources of fraud in the EIDL program.
The OIG found that SBA received millions of attempts to submit COVID-19 EIDL applications from foreign IP addresses and stopped most of them.
But between March 2020 and November 2021, the agency processed more than 233,000 of these applications from foreign IP addresses, and SBA approved and disbursed 41,638 COVID-19 EIDLs, advances, and grants to those applicants amounting to $1.3 billion
“Although foreign applicants may qualify for this assistance, transnational crime entities in foreign countries have fraudulently obtained funding from this and other U.S. programs in the past,” the report says.
The OIG did not provide any estimate of fraudulent transactions, but did emphasize that “the numerous applications submitted from foreign IP addresses are an indication of potential fraud that may involve international criminal organizations.”
“OIG has ongoing investigations into international organized crime operations that applied for and stole pandemic relief funds,” the watchdog said.
SBA officials were aware and concerned about the potential fraud from foreign entities, and took numerous steps to prevent it, the OIG report says.
To prevent or reduce the possibility of fraud, SBA and contractor officials designed a system of four layers of internal controls to prevent loan applications from foreign IP addresses, and implemented a “geo-fence” for loan portals to protect against spam and distributed denial-of-service attacks.
“We geo-fenced that to only allow IP addresses from the U.S. and its territories to use the site, and we were able to cut off traffic that wasn’t supposed to be there,” Maria Roat, former chief information officer for SBA, told MeriTalk in a 2020 interview.
“Before we implemented the geo-fence, we saw a lot of loan requests starting to come from the Middle East and other parts of the world. Once we saw that as a problem, we fenced it off to eliminate non-U.S. traffic to the loan portals. But the rest of the world can see everything else on the site,” she added.
Specifically, SBA implemented two control layers to block the submission of applications from foreign IP addresses in six countries deemed high risk, and the completion of applications from foreign IP addresses in all foreign countries.
OIG found that both controls did not always block these applications, but it did acknowledge that SBA implemented two other controls to flag these applications.
“If a loan application from a foreign IP address made it past the first two controls, control layer three was for the system to flag the application. Control layer four was to have a loan officer thoroughly review the flagged application to determine if the applicant was eligible,” the report says.
Yet, OIG found that 16 applications were not flagged by the system and another 15 applications were flagged by the system but were not properly reviewed by loan officers before loans were approved and disbursed.
OIG recommended that SBA thoroughly review several loans and the $1.3 billion disbursed to applicants from foreign IP addresses. OIG also recommended that SBA stop any further or future disbursements to any applicants deemed to be ineligible or fraudulent.
SBA said it would conduct a proactive review of COVID-19 EIDL applications that received funds for potentially ineligible or fraudulent businesses and will attempt to recover and continue to refer suspected fraud to the OIG. However, the agency emphasized that the applications approved from foreign IP addresses were a small proportion of all applications.
OIG also recommended SBA recover any disbursed loans and advances determined to be ineligible or fraudulent. Additionally, it recommended that the agency examine controls related to foreign IP addresses and ensure these controls are more effective in future disaster processing systems.
SBA also acknowledged that the controls did not perform as intended and will not be used in future or current application systems.