The OCC slams USAA for failing to correct errors in several areas

Diving card:

  • The Office of the Comptroller of the Currency has hit USAA Federal Savings Bank with a “sweeping” cease-and-desist order calling out the bank for its “non-compliance” with elements of previously issued orders and OCC requirements.
  • The order against USAA, published Wednesday, asks the bank to correct “a number of deficiencies,” after the regulator found unsafe or unsound practices related to management, earnings, information technology, consumer compliance and internal audit, and suspicious activity reporting violations. The order also limits the addition of any new products or services and places restrictions on USAA’s ability to expand its membership criteria.
  • The OCC’s order “outlines requirements to advance the bank’s risk and compliance management to the level we and our regulators expect,” a USAA spokesman said in a statement Thursday. “While our progress has not been consistent or rapid enough, the bank is well positioned to complete this work.”

Diving Insights:

USAA provides banking and insurance products to military members, veterans and their families.

The enforcement action is the latest hit for USAA’s bank, which has run into a series of regulatory problems in recent years. The OCC issued a consent order in January 2019 calling out unsafe or unsound banking practices related to the bank’s IT program, compliance management system and risk governance framework. The regulator imposed a fine of $85 million against the bank in 2020 related to these issues.

Then, in March 2022, the OCC issued another order identifying deficiencies in the bank’s anti-money laundering/Bank Secrecy Act compliance program. The bank was hit with another $140 million in fines by the OCC and the Financial Crimes Enforcement Network, stemming from the AML issues.

In the latest order, which replaces the 2019 and 2022 actions against the bank, the OCC said the bank is not complying with certain elements of either of the prior orders. USAA also did not comply with the OCC’s enhanced standards requirements for large banks, which outline minimum standards for risk management frameworks.

In the far-reaching order, the OCC ordered the bank to take “comprehensive corrective actions” to improve its risk management and risk management related to compliance, information technology, fraud and third-party, affiliated and shared services.

The bank’s board of directors was ordered to establish a compliance committee to oversee the bank’s corrective actions, and the bank must prepare an action plan outlining remedial measures and reasonable timeframes for implementing necessary corrections. The regulator wants to see the bank report suspicious activity in a more timely manner, strengthen its compliance with consumer protection laws and improve the training of risk management and audit staff.

The order “confirms progress” the bank has made on its BSA/AML program with the closing of the 2022 consent order, the spokesman noted. “With a stronger foundation in place to prevent and mitigate risk, we will continue to improve our capabilities and processes to ensure we consistently serve our members with excellence,” the USAA spokesperson said.

As it is the third regulatory order in five years, “this must be the top priority for the bank’s board and management,” risk management consultant James Lam said. After repeated orders, “there may be some underlying opportunities to really improve the relationship and communication with the lead examiners.”

The order specifically addresses compensation, providing that the bank “shall not make any incentive-based compensation payment to any covered person,” effective April 1, 2025. Within 90 days, the bank must submit an annual plan to its examiner that describes “a proposed payment review process to ensure that all incentive-based compensation payments to any covered individual reflect any adverse risk outcomes,” the order states.

Carl Goss, a partner at law firm Hunton Andrews Kurth, called it “harsh.”

“I haven’t seen compensation hit this hard before,” he said in an email. “This is kind of like a civil monetary penalty.”

USAA CEO Wayne Peacock, who has served as CEO since 2020, will step down from his post in the first half of 2025, when a new CEO is elected.

The bank cannot add new products or services or expand its membership criteria “without evaluating and documenting the compliance and operational risks” associated with those initiatives, “ensuring that the bank has adequate controls to mitigate such risks, and providing 90 days’ prior written notice to the responsible examiner,” the OCC said.

The timing of this restriction is “unfortunate,” Lam said, given that such a restriction on growth and innovation comes “at a very critical time for disruptive technology” in the banking sector.

The OCC also ordered the bank to implement a fraud risk management program commensurate with the bank’s risk profile and appetite, addressing internal and external fraud.

“I don’t think I’ve seen a specific article on fraud risk management in an enforcement action before,” Goss said. “These are likely to become more and more common,” as losses associated with fraud exceed credit losses for some banks, he added.

Wednesday’s order indicates that USAA did not make sufficient progress on some previous regulatory issues, while new concerns also emerged, including fraud risk management, said Patrick Haggerty, a senior director with financial advisory and investment firm Klaros Group.

“What is unusual to me is how extensive the new order is given that the bank has been under an order for more than five years at this point,” Haggerty said in an email. “It is not unusual for it to take a long time to get out of an enforcement order, but it is unusual to hit the five-year mark only to be hit with a new order covering much of the same ground … and incur no civil money fines.”

The OCC noted in the ruling that it reserves the right to assess fines or take other enforcement action if it determines that the bank has failed to address the issues identified in the latest ruling.

The USAA spokesman said the bank continues “to identify and address issues while strengthening the rigor of our programs and processes.” The bank is also investing in additional systems and training and strengthening a strong risk management culture, the spokesman said.

With the OCC requiring the bank to implement various frameworks related to IT, fraud, third-party risk management and compliance risk management, “there should be a unifying enterprise risk management framework that encompasses and integrates all of these requirements,” Lam said, rather than a fragmented or siloed approach.

“You can’t play a mole,” Lam said.

Correction: An earlier version of this article contained incorrect information about USAA’s chief risk officer. USAA’s Interim Chief Risk Officer, George Stamatelatos, is part of the company’s management.