USAA, Part III: Better Risk Assessments 

Today we have one more look at that enforcement action banking regulators took against USAA last month, over the bank’s slow pace of compliance improvements. We’ve already reviewed changes to board oversight and compliance staffing levels that USAA needs to make. Next up: risk assessments. 

Again, a quick recap. FinCEN and the Office of the Comptroller of the Currency jointly sanctioned USAA in March for its failure to address long-standing problems with its anti-money laundering controls. The regulators had warned USAA as far back as 2017 that its AML compliance program had issues, and USAA promised to fix those weaknesses promptly — and then it didn’t, all the way into early 2021. Now USAA needs to implement a raft of compliance program improvements, with extensive oversight from the board and detailed reporting to OCC. 

OCC’s demands for better risk assessment caught my eye because risk assessments are so important for any compliance program’s success, yet they’re still so difficult to do well. So what do those required improvements tell us about how corporate compliance programs should operate?

First, OCC wants to see USAA identify categories of risk across four dimensions: 

  • products 
  • services 
  • customers 
  • geographic locations 

For each risk that USAA identifies, it will then need to analyze the relevant data, including volume and types of transactions and services by geographic location; and by the numbers of customers that typically pose higher risk, both by type of risk and by geographic location. Those are some complex risk matrices a compliance team would need to establish, but they cover the bases for any organization, in banking or otherwise.

OCC also wants USAA to assess risk both individually, within the bank’s lines of business; and on a consolidated basis across all bank activities and product lines. That caught my eye because it’s essentially the same demand OCC made to Citigroup in 2020, which also had to implement extensive compliance reforms. OCC wants each operating unit with a bank’s First Line to have senior executives responsible for compliance; and also a chief compliance officer who can oversee enterprise-wide compliance — including oversight of those First Line compliance leaders, to assure that they’re doing the job right. 

As I said about Citigroup two years ago: the message is that for effective compliance programs, you first need to define the relationship between the First and Second lines of defense. That’s true whether you’re a bank worried about regulatory compliance, or a global corporation worried about operating units overseas and anti-corruption issues. 

Other Components of a Risk Assessment

OCC had a few other stipulations for USAA’s risk assessments, too:

  • An assessment of affiliate relationships to identify and analyze their effect on the USAA’s AML risk profile; 
  • A provision requiring maintenance of appropriate data and information used to support the risk assessment’s conclusions; and 
  • An inventory of internal controls designed to address the risks identified through the risk assessment, and an assessment of the adequacy of those controls.

Again, those are points any compliance or audit team should consider while building up your own risk assessment capabilities. I especially like the point about maintenance of data and information used to support the risk assessment. Too often, we see sophisticated risk assessment models, with plenty of attention paid to them — but not enough attention paid to the quality and accuracy of the  underlying data (especially if that data comes from an outside party). 

Also note the inventory of internal controls; you should, ideally, be able to map those internal controls to the risks you’ve identified. If you can’t, consider whether your GRC technology is up to the task. If you can’t because you still use spreadsheets, you have even bigger problems. 

Let’s say you’ve worked your way through all of the above. You identified your risks across all those dimensions; you have clear lines of communication between compliance leaders in the First Line of Defense and the formal compliance function in the Second Line; your data is solid and your internal controls are inventoried and mapped. 

That’s an effective risk assessment at one point in time. You still need to assure that your risk assessment capabilities evolve with your risk landscape. 

To that end, OCC imposed a few more requirements on USAA worth noting. 

First, USAA must update its AML risk assessment “as needed, when changes in risk factors, events, or operations occur that result in the existing risk assessment no longer accurately reflecting the bank’s risk profile.” The lesson for others is to have some mechanism in place to understand when such changes have occurred.

At the least, the compliance team could revisit your risk assessment annually. You could also have the internal audit team (or some outside firm) examine your risk assessment every several years. But the above point also reminds us why organizations should have in-house risk committees that meet, say, quarterly or monthly: so you can pick up on changes in operations or events even more quickly.

Second, USAA must conduct annual independent testing of its AML risk assessment and methodology, to confirm the accuracy and completeness of the risk assessment and the reasonableness of its methodology and approach. This point is quite similar to our previous one about updating the risk assessment as necessary, since testing drives toward the same point: whether your controls and procedures are adequately designed

So it’s another best practice to contemplate, and consider how you could do something similar for your own company and its own risks. 

Really, you could read the OCC demands for risk assessment and swap “FCPA” wherever you see “AML.” The risks are different, but the principles to manage them are basically the same. 

Leave a Comment

You must be logged in to post a comment.