Before we forget, compliance professionals should take a look at the enforcement action banking regulators imposed on USAA last week. It’s a fascinating look at how regulators are trying to pressure corporate boards and senior executives to take compliance risks more seriously.
What happened? The Office of the Comptroller of the Currency and FinCEN hit USAA (which offers banking and other financial services to U.S. military members and their families) with a $140 million fine on March 17 for persistent problems with its anti-money laundering controls. Specifically, the regulators had warned USAA as far back as 2017 that its AML compliance program had issues, and USAA promised to fix those weaknesses promptly — except it didn’t, and last week’s enforcement action was a kick in the corporate rear for USAA to do better.
USAA “received ample notice and opportunity to remediate its inadequate AML program, but repeatedly failed to do so,” FinCEN acting director Himamauli Das said in a statement. “Today’s action signals that growth and compliance must be paired, and AML program deficiencies, especially deficiencies identified by federal regulators, must be promptly and effectively addressed.”
If you want a complete chronology of USAA’s compliance shortcomings, the consent order with FinCEN goes into painful detail about USAA’s mistakes over the years. (USAA admitted to the facts and violations as part of the FinCEN settlement.)
I was more interested in USAA’s settlement order with the OCC. It imposed a raft of compliance program improvements that USAA needs to make from here forward, on everything from boardroom governance and risk assessment to customer due diligence programs, training, oversight of third parties, and much more.
That’s the instructive part for compliance professionals at large; by giving this settlement a close read, we can better understand what regulators want to see in a strong compliance program. So let’s get to it.
Beginning With the Board
First, OCC directed USAA’s board of directors to establish a compliance committee of at least three members, the majority of them independent. That compliance committee will be responsible for assuring that USAA implements all the other specific compliance program improvements that OCC and FinCEN told USAA to make, and that those improvements happen in a timely manner.
The compliance committee must meet at least once every 60 days to review the bank’s progress on its compliance improvements. Within 15 days of those meetings, the committee will need to provide a written progress report to USAA’s full board. Then the full board will need to review those progress reports, add extra commentary and feedback as warranted, and pass along the marked-up reports to OCC examiners within 10 days of each board meeting.
The USAA board already does have a risk and compliance committee whose charter includes regulatory compliance and AML compliance specifically. That said, the risk and compliance committee has seven members, and the full board has 18 members. That’s a lot, so I assume the USAA board will establish a smaller, dedicated compliance committee. The list of compliance program improvements that OCC wants to see is certainly long enough to warrant its own board committee.
That might be the most important point in this whole saga. USAA grew at a brisk speed in the 2010s, but the resources and capabilities of its compliance program did not — and there wasn’t enough direction and oversight from the board to rectify that compliance capability gap. So now OCC is going to breathe down the board’s collective neck until those directors get their priorities right.
Indeed, as I read the OCC’s governance requirements, I kept thinking of that Blue Bell Creameries decision from the Delaware Supreme Court in 2019. In that case, the court found that Blue Bell’s board didn’t take an active, engaged interest in food safety risks, even though food safety is a primary concern for a food business.
OCC is making pretty much the same point here: that anti-money laundering and regulatory compliance are the primary concerns of a bank, so the bank’s board should be fully engaged in assuring that those risks are addressed. OCC also sent that same message in 2020, when it hit Citigroup with a $400 million penalty and ordered Citi’s board to do better with compliance issues.
Is This Enforcement Strategy Scalable?
My next question is whether OCC’s approach might scale up to other regulators and industries, for other compliance failures.
Take the Justice Department and FCPA enforcement as an example. Rather than impose a compliance monitor on a company, could prosecutors draft a laundry list of anti-corruption program improvements they want the company to make, and then impose stiff reporting requirements from the board to assure that those improvements get made? Would that work? We used to see that sometimes long ago in FCPA enforcement actions, but I don’t recall seeing it any time recently.
Perhaps the idea wouldn’t work here; regulatory compliance in banking is far more specific and onerous than what you might see for anti-corruption compliance. OCC can draft a laundry list of improvements for customer due diligence and suspicious activity reporting because the rules for those tasks are so structured. In the FCPA world, companies have much more discretion about precisely how they’d develop anti-corruption policies and procedures. If prosecutors started taking away that flexibility, corporate legal departments would probably howl in protest.
Still, if regulators want to see fundamental, permanent change in how organizations approach ethics and compliance, they need to embed that idea into the board somehow. It might not be enough for boards to hear from the CEO, “Yep, we’re doing what we need for ethics and compliance capability as our business expands.” Somehow, we need to flip the dynamic so that boards themselves probe the issue more directly: “We have these expectations for compliance capability; show us how the business is delivering on that while the operations side is growing like weeds.”
Food for thought. Next week we’ll look at other parts of the USAA settlement that get into more detail about staffing levels, training, compliance processes, and more.