USAA fined $140M for AML compliance failures

The orders, announced Thursday, include a $140 million civil penalty imposed against USAA FSB by FinCEN and $60 million penalty levied by the OCC. FinCEN credited the OCC’s fine based on the regulators’ similar findings. Both agencies are divisions of the Department of the Treasury.

The OCC also issued a cease-and-desist order against the bank, which requires it “to take broad and comprehensive corrective actions to improve internal controls, training, staffing, and third-party risk management of its BSA/AML program,” the agency stated.

The details: From at least January 2016 through April 2021, USAA FSB admitted it willfully failed to implement and maintain an AML program that met the minimum requirements of the BSA. Deficiencies included “inadequate internal controls and risk management practices; suspicious activity identification, evaluation, and reporting; staffing; training; and third-party risk management, among others,” according to the OCC’s consent order.

FinCEN added in its consent order that USAA FSB’s BSA/AML compliance department was “significantly understaffed.” Instead, the bank “supplemented approximately 76 percent of its compliance staffing needs with third-party contractors.”

“However, the bank failed to properly train or otherwise ensure these contractors possessed satisfactory qualifications and expertise,” FinCEN added. “These staffing deficits exacerbated management’s inability to assure compliance with the BSA.”

Suspicious activity report (SAR) failures: The bank’s compliance deficiencies resulted in its failure to file “at least 3,873 SARs,” including for customers using personal accounts for apparent criminal activity, according to FinCEN’s consent order.

A new transaction monitoring system implemented by USAA FSB in the first quarter of 2021 has continued to prove problematic, according to FinCEN. Even today, the new system is said to be “too sensitive and creates an unmanageable number of alerts and cases,” the regulator explained. “As of the end of 2021, this resulted in a total backlog of around 90,000 unreviewed alerts and 6,900 unreviewed cases.”

These backlogs are expected to grow to 120,000 alerts and 24,000 cases before the bank can begin reducing the numbers, according to FinCEN. The backlogs “lead to unreasonable delays in the detection and reporting of potentially suspicious activity and further highlight the negative consequences of the bank’s failure to hire adequate staff,” the consent order stated.

Repeated AML failures: USAA FSB “failed to correct BSA/AML internal control problems that the OCC had previously identified and reported to it,” the OCC stated.

In 2017, the OCC informed the bank of “significant problems” with its AML program, according to FinCEN. While USAA FSB committed to overhaul its AML program by the end of March 2020, the bank still has not met all the terms of commitments it pledged to make back in 2018, FinCEN stated. Commitments included:

• Fully addressing the scope of internal controls and independent testing deficiencies;
• Establishing a compliance committee to monitor implementation of the 2018 commitments;
• Conducting a comprehensive, enterprise-wide risk assessment;
• Developing and implementing adequate customer due diligence (CDD), enhanced due diligence (EDD), and customer risk identification processes;
• Developing and implementing written policies for timely review and disposition of suspicious activity alerts and improving suspicious activity identification processes;
• Providing thorough and effective independent testing of the AML program; and
• Conducting a lookback review of remote deposit capture transaction activity and filing SARs, as needed.

“Since the 2018 commitments, the OCC informed the bank of additional BSA deficiencies—some as recent as 2021,” FinCEN stated. “Collectively, these facts describe a bank that willfully failed to comply with the BSA over many years.”

Other compliance failings: FinCEN also described deficiencies in testing by USAA FSB’s internal audit team, in third-party training, and in the bank’s CDD policies. Specific compliance failures cited included:

• Management not tailoring the bank’s training program for financial intelligent unit investigators, including third-party contractors, and know your customer (KYC) analysts to the bank’s risk profile and suspicious activity typologies.
• Management failing to properly oversee, train, and test third-party contractors.
• Deficient CDD policies and procedures, resulting in the development and use of a critically flawed customer risk score model the bank employed to assess customer risk and identify high-risk accounts requiring EDD.

“In sum, the bank’s poor CDD practices further undermined the bank’s ability to properly monitor high-risk accounts and its analysts’ abilities to perform quality investigations into alerted activity and arrive at rational and informed conclusions to close or escalate cases,” FinCEN stated in its consent order.

Noted FinCEN Acting Director Himamauli Das, the enforcement action “signals that growth and compliance must be paired, and AML program deficiencies, especially deficiencies identified by federal regulators, must be promptly and effectively addressed.”

USAA response: The company acknowledged in an emailed statement the deficiencies occurred “because we did not sufficiently strengthen the capabilities and expertise necessary to meet BSA/AML requirements.” USAA said it is working cooperatively with the OCC and will continue to do so.

“While the issues identified in these orders did not result in any individual member harm, we understand the importance of these requirements. Compliance is a top and urgent priority that is fundamental to providing our members with the highest level of service,” USAA Chief Executive Wayne Peacock stated. “USAA has already made progress in many critical areas by investing in new systems and training, enhancing staffing and expertise, and improving our processes. And we have an unwavering commitment to the military community.”