What credit unions should consider regarding vendors that took PPP loans

Plenty of noise has been made around the Small Business Administration’s Payroll Protection Program. The mainstream news has covered the government and businesses’ missteps with the program, as well as financial institutions’ execution of it. 

The program was intended to save jobs at small businesses that were struggling due to the coronavirus and subsequent government lockdowns. As a refresher, the PPP loans were intended to cover eight weeks of payroll (75% of funds are required to go to payroll within 8 weeks to qualify for the loan forgiveness), mortgage interest, utilities and rent that would be forgiven if it met SBA’s thresholds for the funds. The first round of funding ($349 billion) was gone in less than two weeks, but then as everyone started realizing the flaws in the rushed program, the second round of $310 billion went out much slower because of all the confusion over the forgiveness aspects. Not to mention not receiving any assistance upon application, because “small” companies like the L.A. Lakers and Shake Shack received PPP funding before others.

When the financial services industry, the nation and the world are in crisis, we tend to come together as humans. I like to think we rally around each other. We are a global society. Yes, there have been scams related to coronavirus; there will always be those nefarious actors, but as humans, we care about all of our futures. As a seasoned risk management professional, I know that’s not always the case.

I work with several banks and credit unions to assess all types of risk in a variety of ways, and I felt it prudent to share some of the research I’ve done on SBA PPP loans regarding companies to which financial institutions outsource critical operations. I will emphasize there are many reasons one of the critical financial institution vendors might want to take advantage of the program, like a short-term funding solution to support its staff while it figured out the machinations of adapting to a coronavirus-ridden world, but just read this opinion piece on SBA PPP usage from USA Today to understand some of the risk (my emphasis added): The PPP isn’t meant for businesses and wealthy owners that are not facing a manifest threat due to COVID-19. Nor is it meant for well-capitalized and financed businesses, as Senate Small Business Committee chairman Marco Rubio pointed out. Applicants for the PPP loans must attest that the “current economic uncertainty makes this loan request necessary to support the ongoing operations.”

A couple of red flags regarding critical vendor risk go up after reading this piece. First, if a company finds it “necessary” to take the funds to survive, its financial footing can be called into question. If your credit union is using that company and that business falters, it will have a direct impact on your members. Second, how do you feel about your credit union working with critical vendors that felt entitled to take government-backed, low-interest PPP loans that were not “necessary” for their survival? 

CNN published a great sortable, searchable listing of all the companies that took PPP loans here, if you’d like to do some digging, too, but here are some of the critical financial services vendors I discovered in my research as taking PPP loans:

Loffler Companies, Inc. of Minneapolis, Minn., received $5M to $10M in PPP loans through BMO Harris. Loffler offers IT solutions, including security and managed services, and office equipment ranging from printers to temperature scanner solutions.

Total Card, Inc. of Sioux Falls, SD, received between $2M and $5M through Plains Commerce Bank. As the name implies, it’s an end-to-end card solutions firm, as well as providing services for other types of loans.

LogicManager, Inc. received $1M-$2M through the PPP program from JP Morgan Chase. The company provides enterprise governance, risk and compliance software, among other things.

Venminder, Inc. of Elizabethtown, Ky., borrowed between $1M and $2M in PPP loans through Blue Ridge Bank. The company lists its services as third-party risk software, vendor risk assessments and managed services.

Access Softek, Inc. of Berkley, Calif., received a PPP loan of $1M to $2M dollars through Citibank. According to its website, this company provides online and mobile banking, account opening, lending, commercial banking, automated investment and real-time fraud control.

Continuity Engine, Inc. of New Haven, Conn., took out $350K-$1M in a PPP loan through Liberty Bank. The firm offers enterprise risk management and compliance management technology systems.

SBS Cybersecurity, LLC. of Madison, SD, received a $350K-$1M in a PPP loan through First Bank & Trust. SBS offers risk management software, network security, audits, business continuity planning and more.

I’m not suggesting any of these companies nor any of the others that have taken PPP loans have done anything wrong with regard to their PPP borrowings or that they’re in dire straits financially. However, I would advise my bank, credit union and fintech clients to ask some serious questions about the financial situations of any of the companies on the PPP loan list as part of their vendor due diligence. Financial risk is a critical element of vendor due diligence per the NCUA, OCC, FDIC and the Fed. Remember, the financial institution – regardless of outsourcing agreements – is ultimately responsible for the risk affecting its business. 

Coronavirus has clearly demonstrated financial institutions’ duty to monitor for third-party vendor risk. Credit Union Times reported that 80% of credit unions that assessed their business continuity plans during the coronavirus pandemic “were unable to conduct critical functions remotely.” Constant vendor risk management is crucial to identifying changes and adapting third-party risk exposure accordingly.

Leadership must be on top of the information and capable of asking the tough questions to ensure your credit union is comfortable with the stability and integrity of the partners with which it does business. And, of course, my firm and other third-party resources are here to help with the necessary expertise.

Radhika Dholakia-Lipton

Radhika Dholakia-Lipton

Radhika Dholakia-Lipton is one of the nation’s most esteemed authorities on internal auditing, compliance, operations and risk management for financial institutions. She’s a tenured banking executive, accomplished business ... Details