UK’s COVID-19 Bounce Back Loan scheme undermined by poor data management

The UK’s Bounce Back Loan Scheme (BBLS) was a lifeline to many businesses during the early stages of the COVID-19 pandemic. The taxpayer-guaranteed BBLS, however, is likely to see “eye watering” levels of fraud - in part as a result of the government’s and British Business Bank’s poor data management and IT infrastructure. 

This is the latest conclusion drawn by MPs on the Public Accounts Committee, which in a new report out today state that the Department for Business, Energy and Industrial Strategy (BEIS) has been “complacent” in prevent fraud and that it is “unacceptable” that the government has no long-term plans for recovering overdue debt. 

The scheme was set up in May 2020 as the largest of three COVID-19 related business loan support schemes, targeting the smallest businesses and providing them with loans of up to £50,000, or a maximum of 25% of annual turnover, in an attempt to maintain their financial health during the pandemic. 

The Committee examined the Scheme in December 2020 and warned that the Department’s focus on the speed of delivery had exposed the taxpayer to potentially huge losses. In addition, it concluded in its previous report that the Government lacked data to assess the levels of fraud. 

To make the process as fast as possible, the Scheme did not require lenders to check the information on the loan application form or to perform credit and affordability checks. 

A continued lack of access to quality data and inadequate data sharing across government departments has meant that it is difficult to gain insight into fraudulent activity. It is estimated that out of the £48 billion paid out in Bounce Back Loans, £17 billion is already expected to be lost. 10% of the loans - £4.9 billion - is expected to be lost to fraud. 

Dame Meg Hillier MP, Chair of the Public Accounts Committee, said:

With weary inevitability we see a government department using the speed and scale of its response to the pandemic as an excuse for complacent disregard for the cost to the taxpayer. More than two years on BEIS has no long- term plans to chase overdue debt and is not focussed on lower-level fraudsters who may well just walk away with billions of taxpayers’ money.

The Committee was unpleasantly surprised to find how little Government learned from the 2008 banking crisis and even now are not at all confident that these hard lessons will be embedded for future emergencies. BEIS must commit now to identifying what anti-fraud measures are needed at the start of any new emergency scheme so the taxpayer is better protected in future. It also needs to set out the trade-offs and what level of fraud it will tolerate at the outset.

Lack of data to manage risks

It’s important to note that the British Business Bank manages the Scheme on behalf of the government, where loans are delivered through 24 commercial lenders, such as banks and building societies. The commercial lenders are also responsible for loan repayments and pursuing borrowers for missed repayments for up to 12 months after the issue of a formal demand. 

However, a lack of access to data is proving to be a considerable risk to the taxpayer. The Committee asked BEIS what data is uses to manage the risk of credit and fraud losses, to which the department said that its estimates have “real and meaningful uncertainty”. 

In addition, the data that the government and the Bank is receiving from the commercial lenders administering the loans is inconsistent, causing further problems. The Committee notes: 

The Bank began collecting Scheme loan data from the 24 Scheme lenders in July 2021, where lenders provide data to the Bank via a collections system. The Bank said that it holds loan data from lenders across 70 different data points, including the name and address of the borrower, term of the loan and size. 

It explained that it was aggregating this data from all of the Scheme lenders and interrogating it to spot trends and errors. Despite the Department and the Bank telling us that they had a “rich” and “comprehensive” loan dataset, the NAO found that lender data can be unreliable as the system depends on lenders submitting accurate and timely data, and each lender reports it on a different basis.

Some lenders might choose not to report suspected fraud, which makes comparisons subjective; while some lenders do not share their underlying data. The Bank wrote to us and told us that it was working with lenders to understand what was driving these differences, such as different business models, or that some lenders might not have had a pre-existing relationship with Scheme borrowers.

In addition, although the government knew from the start that it had limited fraud prevention measures in place, it was also slow to introduce detection and post-loan controls. It took eight months to bring in processes to verify borrowers’ self-declared turnover against existing HMRC data - by which time 93% of the loans by value had been issued. 

BEIS did introduce a check to identify and prevent multiple applications, but only did so a month after the scheme’s launch. By the time this had been made mandatory, 60% of loans had already been made. The Department said that the delay was because of the time needed to set up data sharing processes. The Bank said that it has identified 13,000 possible duplicate loan applications. 

Repeating past mistakes

The Committee had previously asked the government to use the lessons from this Scheme to inform future schemes, asking for examples of where this has been applied. BEIS said that one such lesson is that it has applied different data requirements on lenders for the new Recovery Loan Scheme and that it has made “big progress” on its capability on data and data sharing. 

The department said that such data capability would put it in a “stronger position” if it were to do something similar again. 

However, the Committee was displayed that BEIS had not identified and used lessons from when it supported businesses during the 2008 financial crisis - meaning that it essentially repeated past mistakes. The report notes: 

Neither the Department nor the Bank foresaw the desperate situation that the economy found itself in as a result of the pandemic, and they maintained that it was not something government would have planned for.

The Bank, however, recognized that it would have been in a better starting position for delivering loans if it had invested in data management and IT infrastructure earlier. The Department acknowledged that ‘corporate memory’ was a challenge, and we welcome the Department’s planned evaluation of the Scheme to draw lessons learnt. 

However, neither the Department nor the Bank provided any plans on how it intends to share the lessons-learned across government.

My take

We’ve been here before and I’m sure we will be here again. The government’s approach to data use and sharing of data needs significant improvement. There are of course challenges, but too often departments operate in silos, building what they perceive to be kingdoms. Yes, checks and balances and privacy needs to be at the core, but if governments want to protect taxpayers money, they need to figure out ways to safely use, understand and share their valuable data assets.