AREAS TO WATCH IN 2022
CYBERSECURITY
In October 2021, the DOJ announced the formation of the Civil Cyber-Fraud Initiative to utilize the FCA to pursue cybersecurity-related fraud by government contractors and grant recipients. DOJ plans to focus on entities that knowingly misrepresent their cybersecurity practices or protocols, knowingly violate obligations to monitor and report cybersecurity incidents and breaches, or knowingly provide deficient cybersecurity products or services. Such deficiencies could include failure to meet specific contract terms such as requirements to take measures to protect government data, to restrict non-U.S. citizen employees from accessing systems, or to avoid using components from certain foreign countries. DOJ has already begun encouraging whistleblowers to bring cybersecurity-related FCA cases. Contractors and grant recipients would be wise to review the cybersecurity requirements in their contracts, grants, and licenses to ensure compliance and avoid being the subject of action by this new DOJ initiative.
CARES ACT
The United States has been actively involved in CARES Act enforcement matters. To date, the vast majority of cases have involved criminal prosecutions as opposed to civil enforcement through the False Claims Act and other civil enforcement tools. FCA practitioners generally expect significant civil enforcement activity in the near future. The United States has made CARES Act enforcement a priority at DOJ and the many federal agencies that are stewards of CARES Act funds. On May 17, 2021, Attorney General Merrick Garland directed the establishment of the COVID-19 Fraud Enforcement Task Force stating “[t]he Department of Justice will use every available tool – including criminal, civil, and administrative actions – to combat and prevent COVID-19 related fraud.” Similarly, on February 17, 2021, Assistant Attorney General Brian Boynton listed pandemic-related fraud as the first of the Civil Division’s enforcement priorities stating “It is clear to me and my colleagues in the Civil Division…that the False Claims Act will play a significant role in the coming years as the government grapples with the consequences of this pandemic.” Boynton added that the “Civil Division is working closely with various Inspector General and other agency stakeholders to identify, monitor, and investigate the misuse of critical pandemic relief monies, and we expect this collaborative effort to translate into significant cases and recoveries.”
We expect two key programs to be the subject of FCA activity in 2022 and beyond. First, the Small Business Administration’s Paycheck Protection Program, which provided over 11.45 million loans in the aggregate amount of over $791 billion, is at the top of most enforcement priority lists. The SBA Office of Inspector General (OIG) listed fraud in the PPP and other SBA programs as its No. 1 challenge in its “Top Management and Performance Challenges Facing the SBA in Fiscal Year 2022” report. Released on October 15, 2021, the report notes several key indicators of the scope of future enforcement activity in the PPP:
• There were 40,000 hotline tips on fraudulent activity.
• Through its own analysis the SBA identified over 70,000 loans that were potentially fraudulent based on certain indicators, including duplicative loans; businesses created after February 2015; and entities receiving loans that are on the Department of Treasury’s “Do Not Pay” list.
• There were thousands of loans to potentially ineligible borrowers.
The PPP is well suited to FCA enforcement for a variety of reasons. It is subject to extensive rules and regulations regarding a borrower’s eligibility. Companies were also required to submit documents supporting their loan applications. Additionally, the PPP has a separate application for forgiveness of the loan. Borrowers must submit additional representations about the use of the loan proceeds in supporting documentation related to those applications. Misstatements, whether intentional or mistaken, on any of these documents can result in investigation and potential FCA liability.
Currently, DOJ has pursued hundreds of criminal PPP cases dealing with egregious fraud, including the establishment of fake companies and ghost employees, misuse of proceeds to purchase luxury automobiles and other personal items, and grossly misstating payroll costs. As a general matter, it appears that enforcement authorities have focused their efforts on the most egregious cases. To date only a handful of FCA cases have been publicly reported with respect to the PPP program, and only one involved a qui tam complaint by a whistleblower. We expect, however, that whistleblower activity in these matters will increase as businesses obtain the loans and employees — sometime disgruntled employees — witness the use of the funds by their employers. As enforcement authorities investigate the many thousands of potentially fraudulent loans already identified by OIG, and those that are later reported by whistleblowers, we expect the “reckless disregard” scienter standard and preponderance of the evidence burden of proof applicable in civil cases will make the FCA an extremely attractive enforcement tool.
The second CARES Act program where we expect to see additional enforcement activity is the Department of Health and Human Services (HHS) Provider Relief Fund (PRF). The PRF allocated $178 billion to HHS to assist healthcare providers during the pandemic. Funds have been distributed in four phases, beginning with Phase One in late March 2021 when many of the nation’s healthcare providers found vast sums of money directly deposited into their bank accounts by HHS without notice. Multiple other general and targeted distributions of funds have occurred up until the present. Acceptance and use of the PRF funds by healthcare providers are subject to numerous rules and regulations, including shifting guidance from HHS distributed in the form of Frequently Asked Questions (FAQs) posted to HHS’s website. Recipients of PRF funds are also subject to detailed reporting requirements to validate the amount of funds they received and account for the use of the funds.
In addition to previously described enforcement priorities for pandemic-related fraud at the DOJ, the importance of PRF compliance and enforcement is underscored by HHS-OIG’s inclusion of the audit of the PRF in its 2022 work plan. In late 2021, OIG began reaching out to recipients in preparation for upcoming audits of PRF funds.
To date, there have been only a handful of PRF enforcement cases, all of which are criminal in nature. Each generally deals with the flagrant misappropriation of PRF funds for personal use. The FCA, however, is very likely to be a more potent weapon in PRF enforcement in future cases. First, PRF funds are subject to an intricate web of rules for how the money can be used and how it can be accounted for. Violation of such rules is often the grist of whistleblower complaints and government FCA enforcement. Additionally, billions of dollars are at issue, with many sophisticated companies as recipients of many millions of dollars. Use of the PRF funds will in many cases involve complex accounting and regulatory interpretation. Under such circumstances, it is very likely that criminal intent will be lacking in all but the most egregious cases. FCA cases for PRF funds may be based on false statements in multiple different reports that recipients of PRF funds must file. Given the sophistication of many of the players in this area, the United States will expect a high degree of diligence in following the rules and accurately reporting information. Thus, the FCA’s reckless disregard scienter standard and preponderance of evidence burden of proof are likely to make it the preferred enforcement tool in large PRF enforcement actions. With PRF reporting deadlines coming up only recently and extending as far forward as late 2023, we can expect FCA cases in this area for years to come