Today I want to circle back to that civil settlement that banking regulators struck with USAA last month, where they fined USAA a total of $140 million and imposed a raft of compliance program improvements that USAA needs to make double-quick. What do those demands tell us about how corporate compliance programs should operate?
First, the recap. FinCEN and the Office of the Comptroller of the Currency jointly sanctioned USAA three weeks ago for its failure to address long-standing problems with its anti-money laundering controls. The regulators had warned USAA as far back as 2017 that its AML compliance program had issues, and USAA promised to fix those weaknesses promptly — and then it didn’t, all the way into early 2021.
In a previous post about this enforcement action, we examined new requirements for board-level oversight of the compliance program that regulators imposed on USAA. For example, the board will need to establish a new compliance committee, which will need to meet at least once every 60 days to review program improvements. The board will then need to review that committee’s work, and send along progress reports to OCC examiners.
Now let’s examine what those specific, program-level improvements are. The OCC imposed a lot of them, and studying that list can help the rest of us understand what capabilities regulators want AML compliance programs to have.
Better AML Compliance Staffing
We can begin with the OCC’s demand for better staffing. First, the board must assure that USAA has a qualified Bank Secrecy Act compliance officer in place, “vested with sufficient independence, authority, and resources” to fulfill all Bank Secrecy Act compliance obligations. (We should note that USAA has hired several high-level compliance personnel in the last year, including Celie Niehaus as senior vice president and chief compliance officer; my guess is this BSA compliance officer would report to her.)
Should the BSA compliance job become vacant, the board will need to hire a replacement “promptly,” the OCC order says. Moreover, the board will need to submit a detailed explanation of its proposed new hire to OCC for approval, including a written statement of the board’s reasons for selecting the proposed officer, and a written description of the proposed officer’s duties and responsibilities.
Let’s pause here to say: these are good practices for any board to follow when hiring a senior-level compliance officer. They demonstrate that the board understands the importance of the compliance function to the company’s overall success; and they force the board to document its thoughts about roles and responsibilities in the compliance function. Such documentation could be mighty valuable in the future if regulators are trying to assess the company’s overall culture of, and commitment to, compliance.
The board will also need to review (within six months at first, annually thereafter) USAA’s larger efforts at AML compliance staffing. Those reviews must consider:
- The overall effectiveness of the AML compliance program;
- The leadership, knowledge, training, and skills of the BSA officer and staff;
- The oversight and governance structures for BSA/AML staff; and
- Appropriate staffing levels for the BSA/AML compliance function.
Even better: USAA cannot contract with any third parties to perform AML compliance services until bank executives review the training and expertise of those vendors and implement a quality control program to assure that the vendors meet predetermined performance standards.
Poor oversight of outsourced AML services was a big part of USAA’s troubles. As recently as 2021, USAA was meeting roughly 75 percent of its AML compliance staffing needs via outside contractors. But the bank didn’t properly train those contractors or otherwise assure that they had the necessary expertise, and “these staffing deficits exacerbated management’s inability to assure compliance with the BSA,” the OCC said.
One lesson here is about third-party oversight. If you want to outsource parts of your AML compliance program, that’s fine; but the company must have mechanisms in place to assess the competency of the vendor and to hold the vendor accountable for performance goals. Regulators want to see that.
Even more striking, however, is how USAA’s board must exercise close oversight of these operational issues. Why? Because the board didn’t assure progress on building a strong compliance program in the late 2010s, when regulators were raising their concerns about the compliance program. The board should have asked more probing questions at the time, to assure that management was making improvements in a timely manner (including more budgetary support for staffing needs).
None of that happened, so now OCC is intervening with the board directly.
Suspicious Activity Reporting
OCC’s settlement order also had lots to say about suspicious activity reporting. This section of the settlement caught my eye because banking regulators cite weak SAR programs in enforcement actions all the time. Clearly many financial firms are not good at it — so what improvements are regulators requiring from USAA?
First, USAA must develop a written suspicious activity reporting plan; and then follow that plan rigorously so the bank can review and resolve suspicious activity reports (SARs) in a timely manner. That written plan must include:
- Procedures for identifying, evaluating, and reporting suspicious activity that happens across all lines of business, including the opening of new accounts, monitoring of new accounts, and transfers of funds (including remote deposits and electronic payments).
- Standards to assure that accounts with high volumes of unusual or potentially suspicious activity are identified, elevated, and categorized.
- Instructions for compliance staff to use appropriate customer due diligence information when reviewing SARs or conducting investigations.
- Procedures to assure that USAA has an effective SAR decision-making process and that it documents individual decisions on whether to file SARs, and the key facts and circumstances supporting each decision to not file a SAR.
Beyond the written policy, USAA must also implement automated monitoring systems according to specific performance criteria. For example…
- The systems must apply appropriate rules, thresholds, and filters for monitoring transactions, products, and geographic areas according to the bank’s risk profile. That risk profile must include volumes and types of transactions by country or geographic location; and the number of customers that typically pose higher risk, both by type of risk and by geographic location.
- USAA must identify areas outside the automated monitoring systems and then implement manual processes so the bank can still find suspicious activity not reviewed by the automated systems.
- The AML program must include a way to validate all the data inputs for the automated systems, including inputs from all products, services, and transactions.
- USAA must also have management systems and metrics to validate automated system settings and thresholds, and to measure the effectiveness of the automated system and individual scenarios and adjust the system.
More simply: the automated monitoring system needs to be comprehensive (it can collect and process all necessary data), robust (system performance can be tested and monitored, including the sources of data), and versatile (note that bit in the last bullet point about testing individual scenarios and adjusting them). Those are rigorous IT demands, and they could apply just as well to any large-scale transaction monitoring program — say, payments to third parties so you can find corruption payments.
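To make those four criteria concrete, here is a small scenario-based monitor written for this post as an added illustration; it is not code from USAA, the OCC, or any vendor system. The jurisdiction names, thresholds, sample transactions, and “confirmed” investigator feedback are all constructed placeholders; the point is to show data-input validation, a risk-profile-driven threshold, routing of uncovered activity to manual review, and a per-scenario effectiveness metric in one place.

```python
from collections import defaultdict

# Risk profile: cash threshold per jurisdiction (constructed placeholder names and values).
THRESHOLDS = {"US": 10_000, "COUNTRY_B": 3_000}  # COUNTRY_B stands in for a higher-risk geography
REQUIRED = ("id", "customer", "country", "amount", "type")

def valid(t):
    """Input validation: a record must carry every field the scenarios depend on."""
    return all(k in t for k in REQUIRED) and isinstance(t["amount"], (int, float)) and t["amount"] > 0

def cash_over_threshold(txns):
    """Single-transaction scenario: cash at or above the jurisdiction's threshold."""
    return [t["id"] for t in txns if t["type"] == "cash" and t["amount"] >= THRESHOLDS[t["country"]]]

def structuring(txns, floor=0.5):
    """Aggregate scenario: 2+ sub-threshold cash deposits (each >= floor*limit) by one customer summing past the limit."""
    by_customer = defaultdict(list)
    for t in txns:
        limit = THRESHOLDS[t["country"]]
        if t["type"] == "cash" and floor * limit <= t["amount"] < limit:
            by_customer[t["customer"]].append(t)
    hits = []
    for group in by_customer.values():
        if len(group) >= 2 and sum(t["amount"] for t in group) >= THRESHOLDS[group[0]["country"]]:
            hits.extend(t["id"] for t in group)
    return hits

def monitor(txns, confirmed):
    """Validate inputs, route uncovered geographies to manual review, run scenarios, score them against `confirmed`."""
    rejected = [t.get("id") for t in txns if not valid(t)]
    clean = [t for t in txns if valid(t)]
    manual = [t["id"] for t in clean if t["country"] not in THRESHOLDS]  # outside automated coverage
    covered = [t for t in clean if t["country"] in THRESHOLDS]
    alerts = {"cash_over_threshold": cash_over_threshold(covered), "structuring": structuring(covered)}
    metrics = {}
    for name, ids in alerts.items():
        hits = len(set(ids) & confirmed)
        metrics[name] = {"alerts": len(ids), "confirmed": hits, "hit_rate": hits / len(ids) if ids else 0.0}
    return {"rejected": rejected, "manual_review": manual, "alerts": alerts, "metrics": metrics}

# Constructed sample transactions and constructed investigator feedback (ids later confirmed suspicious).
TXNS = [
    {"id": "t1", "customer": "c1", "country": "US", "amount": 12_000, "type": "cash"},
    {"id": "t2", "customer": "c2", "country": "US", "amount": 6_000, "type": "cash"},
    {"id": "t3", "customer": "c2", "country": "US", "amount": 5_500, "type": "cash"},
    {"id": "t4", "customer": "c3", "country": "COUNTRY_B", "amount": 3_500, "type": "cash"},
    {"id": "t5", "customer": "c4", "country": "COUNTRY_C", "amount": 500, "type": "wire"},
    {"id": "t6", "customer": "c5", "country": "US", "amount": -20, "type": "cash"},
]
CONFIRMED = {"t1", "t2", "t3"}
```

The `metrics` dictionary is the piece the last OCC bullet asks for: a hit rate per scenario is what lets a program tune thresholds and retire scenarios that only generate noise, and the `rejected` and `manual_review` lists make visible what the automated system did not cover.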
The demands here are also a good reminder for internal audit people: if you want to audit the AML compliance program, you might start by testing the program according to all the criteria OCC listed in its settlement order. I’ve flagged only about half of them here; there are more in the text.
That’s all for now. Next week we’ll take a look at what OCC had to say about risk assessments and internal controls.