There’s no denying the need for federal relief in the midst of COVID-19, but companies that have never before been exposed to False Claims Act liability may not have compliance programs designed to prevent these risks. Hughes Hubbard’s Michael DeBernardis and Philip Giordano stress that now is the time to prepare.
On December 27, 2020, President Trump signed the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSA Act), a $900 billion economic relief and stimulus package to counter the harm to America’s economy caused by the coronavirus pandemic. Together with the $2.6 trillion in federal relief established by the Coronavirus Aid, Relief and Economic Security Act (CARES Act) of 2020 and related expansions, the U.S. government has authorized more than $3.5 trillion in economic stimulus in response to the pandemic. The stimulus comes at the same time as various government agencies are making other emergency expenditures in response to the pandemic, including spending on critical supplies such as ventilators, medical supplies and personal protective equipment.
In the midst of this spending, an unprecedented number of companies are accepting government funds or otherwise doing business with the government. If oversight of coronavirus stimulus and spending is anything like that instituted as part of the last major government stimulus, the 2008 Troubled Asset Relief Program (TARP) or recent large-scale disaster relief efforts, we will likely see investigations into fraud and misuse of funds that will continue for years after the funds are disbursed and the spending occurs. Moreover, because program application and performance requirements can sometimes be complicated and vague, even well-intentioned companies could face enforcement actions related to their participation.
As in the past, the Department of Justice (DOJ) is likely to lean heavily on the False Claims Act (FCA), a Civil War-era law that in recent decades has become a primary weapon to combat fraud and misrepresentations in government programs. Since 2010, the DOJ has successfully recovered an average of about $3 billion per year from FCA judgments and settlements, many in connection with TARP-related misrepresentations. For companies familiar with government contracting, FCA compliance and compliance programs have become a common means of managing associated risks. But for companies inexperienced in government contracting, economic stimulus and emergency spending presents a slew of new risks.
FCA Risks in Coronavirus Economic Stimulus and Emergency Spending
The FCA imposes liability for knowingly or recklessly submitting a false claim for payment to the government, causing another to submit a false claim to the government or knowingly providing false information material to a claim for payment. The FCA also penalizes “reverse false claims” (i.e., false claims to avoid paying money owed to the government).
Defense contractors, many health care providers and other companies that regularly conduct business with the government are, or should be, well aware of the FCA risks posed by their business activities. Emergency government economic stimulus programs, such as TARP, the CARES Act and the CRRSA Act (along with other emergency relief spending), expose a much broader group of companies to FCA risks. Not only are inexperienced companies dealing with often opaque rules and regulations, but the volume of the funds and the expedient nature of the spending creates an environment in which fraud and negligence become practically inevitable.
Following the 2008 stimulus bills, including TARP, the DOJ targeted recipients for, among other things:
- misrepresentation in the application for stimulus program funds,
- failure to comply with the stimulus program terms and obligations and
- inappropriate billing by vendors utilizing TARP funds.
The coronavirus economic stimulus programs and emergency spending present similar risks. While the CRRSA Act garnered headlines for its $600 direct payments to individuals, the law provides for billions of dollars for struggling industries, such as $45 billion to transportation industries, including $15 billion to help commercial airlines maintain their payrolls, $14 billion for mass transit and another $13 billion for infrastructure projects. This spending and the resulting procurements are likely to attract companies that are entirely unfamiliar with the nuances of government contracting, exposing companies to risks associated with improper billing, time-charging and other common pitfalls.
Moreover, according to U.S. government data, through June 2020, approximately 80,000 businesses had received at least $1 million in loans through the CARES Act’s Paycheck Protection Program, which is just one of the stimulus programs that provide funds directly to eligible businesses. To obtain these funds, businesses were required to certify that they were entitled to the funds and that they would use the funds as required. If those certifications prove false, the FCA allows the government to prosecute the recipient. Even companies that are careful to comply with application requirements face the risk that employees misuse the funds, either through lack of care, lack of control or other pressures, which presents another avenue for FCA exposure.
It is no secret or surprise that the U.S. government has made investigating coronavirus fraud a priority. In a memorandum to U.S. Attorneys in March 2020, then-Attorney General William Barr also directed every U.S. Attorney’s Office to prioritize the detection, investigation and prosecution of crimes related to the coronavirus pandemic. Other agencies and bodies will be involved in monitoring and auditing the spending as well. For example, the Small Business Administration has announced that it will review the eligibility of all Paycheck Protection Program loan recipients who received more than $2 million. Misrepresentations discovered during this review could be referred to the DOJ for further action.
So far, enforcement efforts have focused on egregious examples of fraud. In December 2020, the DOJ initiated at least 27 criminal prosecutions related to consumer fraud, unemployment fraud and Paycheck Protection Program fraud. Civil enforcement to date has been limited and driven by state attorneys general and, to a lesser extent, the SEC. Although the FCA has not played a role yet, it is clear that the government is determined to ensure that funds disbursed under these programs were obtained and used properly, and history suggests that the FCA will be a major weapon in that effort.
Why Right-Sized Compliance Programs are Key to Risk Mitigation
As companies engaged in government contracting know well, compliance programs are key to reducing FCA exposure and mitigating potential penalties.
For companies that are new to government contracting or that are contracting with the government increasingly in relation to the coronavirus pandemic, establishing a right-sized compliance program is critical for addressing FCA exposure. Government contracting involves complex regulations and often complicated requirements. Companies should understand the regulations that apply to their particular contracts and put a process in place to monitor agency guidance and potential changes to program requirements. Measures should also target high-risk functions, such as billing, time charging and staffing contracts.
Recipients of coronavirus economic stimulus funds must be conscientious both in the application process and in the use of the funds. As noted above, even if a company has already received stimulus funds (and made certain certifications in the process) appropriate compliance controls can help the company ensure that employees act in accordance with those representations. At a minimum, in proportion to their size and complexity, companies should:
Exercise Diligence in the Applications Process
False statements made in the loan application process are likely to be the source of significant enforcement related to the coronavirus economic stimulus programs. So far, enforcement is this area has focused on individuals who have fraudulently obtained loans under the Paycheck Protection Program, such as by falsifying the number of their employees and their payroll expenses. Enforcement bodies have not shown much interest in targeting companies for honest or apparently minor mistakes, probably because of the difficulty of following vague statutory mandates and confusing regulatory guidance. However, in coming years, enforcement bodies may be less lenient when scrutinizing a company’s loan application. As such, companies must exercise diligence to ensure that all statements made in the application process are accurate and supported by documentation, and that the documentation is retained. Among other things, large companies with multi-tiered reporting structures should consider requiring the employees involved in the process to acknowledge that the information is true and accurate to the best of their knowledge. Or such companies might utilize a cascading certification process similar to that used by public companies pursuant to the Sarbanes-Oxley Act.
Establish Controls Regarding Obligations
It is critical that companies establish policies and controls to meet obligations regarding how government funds will be spent, document how the funds are actually spent and clearly establish who will be responsible for making the spending decisions. A company that ultimately faces an audit or an investigation will fare significantly better if it has created and maintained a clear document trail regarding how it allocated the funds.
Provide Appropriate Training
This is new ground for everyone. Small business owners need to be familiar with the program’s statutory and regulatory requirements. Larger and more complex organizations should provide formal training on these topics to individuals tasked with applying for funds or making spending decisions. A company that fails to take proactive measures to provide necessary training runs a significant risk that an ill-informed and untrained employee will make a critical mistake.
Keep Proper Records
Audits and investigations may continue for years after the coronavirus is behind us. With the passage of time, it will become increasingly difficult for employees to recall how and why decisions were made. Therefore, companies should retain documents for all aspects of securing and spending stimulus funds, including documents that:
- substantiate representations made to obtain the funds;
- record how the funds were spent;
- memorialize how decisions were made, including decisions regarding complex issues of regulatory interpretation; and
- describe steps taken to assure compliance with all legal requirements.
Finally, the DOJ has made it clear that taking steps to implement or enhance a compliance program after identifying potential misconduct can qualify for “cooperation credit,” potentially reducing applicable criminal and civil penalties. Thus, as part of a fully functioning compliance program, if a company learns of a potential violation, it should respond swiftly by conducting an internal investigation appropriate to the company’s size to determine exactly what happened, who was involved and what evidence must be preserved. Only after obtaining this information can the company engage in a thoughtful analysis of whether to self-report a violation to the appropriate government authorities. In any event, the company should take remedial measures in response to its investigatory findings, including by correcting any identified process failures.