Regulators Tell USAA: Do Better, Faster

Heads up, compliance and IT executives in the banking sector! We have another bank sanctioned by regulators for taking too long to get its regulatory compliance act together. This time it’s USAA taken to the woodshed, for failing to implement reforms promised in previous consent orders from 2019 and 2022.

The Office of the Comptroller of the Currency (OCC) announced this latest enforcement action on Wednesday. USAA wasn’t hit with any monetary penalties, but OCC did limit USAA’s ability to add certain new products and services and to expand its membership criteria until the bank takes “comprehensive corrective actions” to improve its risk governance, compliance risk management, IT management, fraud risk management, and third-party risk management systems. 

Those long-standing issues are no secret. The San Antonio-based USAA, which provides a range of financial services to U.S. military members and their families, has been faulted for weak anti-money laundering controls, charging military members higher interest rates than allowed under federal law, poor customer service, and more. (Radical Compliance last took a deep dive into USAA’s regulatory issues in 2022.)

The San Antonio Current had a fascinating article in November about USAA’s woes. The fundamental problem: USAA experienced rapid growth on the business side, as it expanded the criteria for whom it serves; but failed to develop compliance and risk management capabilities sufficient to keep pace with that business expansion. Which is a problem that resonates with compliance officers far beyond the banking sector.

This is the third time OCC has sanctioned a large bank in recent months for failing to fulfill previous consent orders in a timely manner. The agency first slapped Citibank in July for failing to live up to the terms of a 2020 settlement, and fined Citi $136.5 million along the way (on top of a $400 million penalty from that 2020 order). Then OCC took Wells Fargo to task in September for failing to develop strong anti-money laundering controls; no monetary penalties in that instance, but OCC did prohibit Wells from launching any new lines of business in risky markets until it resolves its issues.

Now we have this enforcement action against USAA. Clearly OCC is sending a message that banks must do better at maintaining robust compliance capabilities. That raises questions about board oversight, budgets, staffing, technology, and overall program design; so let’s take a deep dive into the OCC order against USAA to see what USAA must now do to resolve its issues.

Starting With the Board

First, the board of USAA Federal Savings Bank (the banking subsidiary within the larger USAA empire) must establish a compliance committee to oversee implementation of the rest of OCC’s consent order. That committee will then review management’s action plan for the OCC order and provide progress reports to the full board (also forwarded along to OCC) every quarter. 

The OCC settlement also includes a section on “general board responsibilities” that hits all the usual tones. Whether done through the compliance committee, the audit committee, the whole board, or any other committee, USAA’s board shall:

  • Require that bank management and personnel have sufficient training and authority to execute their duties and responsibilities here;
  • Hold bank management and personnel accountable for executing those duties and responsibilities;
  • Authorize, direct, and adopt corrective actions as may be necessary; and
  • Address any noncompliance with corrective actions in a timely and appropriate manner.

This is the same language we saw in OCC’s consent order with Wells Fargo a few months ago. The agency is sending a message that it wants the board to be involved directly with compliance program improvements. As I’ve said before, the proof will be whether the board leans on management with sufficient force to address those instances of noncompliance in a timely manner, because nothing demonstrates a poor tone at the top better than known problems going unaddressed. 

Whole Lotta Frameworks

USAA’s management team must also draft an action plan within 90 days to address a host of issues at the bank. Some of the main points are… 

A risk governance framework, to serve as the blueprint for independent assessments of USAA’s compliance posture and to validate that all corrective actions have been taken in a timely manner. This framework would also define the roles and responsibilities for risk management across all three Lines of Defense, and include mechanisms to hold management accountable for following the framework.

But wait, there’s more! The framework must also include compensation plans that both encourage risk management and discourage reckless risk-taking; identify the skills and expertise needed to adhere to the framework; and address “relevant and periodic training” on the framework for the board and all relevant USAA employees. So, lots of specifics to be sure the right people are trained and motivated in the right ways to keep USAA’s collective head in the risk management game.

Numerous risk management programs. USAA is supposed to draw up formal programs for compliance risk management, fraud risk management, IT risk management, third-party risk management, and shared services risk management. Each one of those programs should follow its own framework, although overall those frameworks must address basic capabilities such as assessing risk, holding managers accountable, performing root cause analysis, and the like.

If we took each of those frameworks in turn, this post would run the length of a Russian novel. So for now, let’s focus on some of the more interesting specifics. 

The framework for IT risk management, for example, must include an assessment “to determine the extent the bank’s IT systems have contributed to or are a root cause of operational and compliance deficiencies.” That’s interesting because IT systems, and the inability to streamline them for compliance management and reporting, seem to be a pervasive and chronic problem across the whole banking sector. It’s the same issue that put Citibank into such hot water with OCC. (Citi hired Tim Ryan, former boss of PwC, to be head of “technology and business enablement” to solve its problems.) 

Meanwhile, the fraud risk management program must develop mechanisms to hold First Line management accountable for identifying fraud risks, assessing the control environment, and resolving control problems that prevent the anti-fraud program from working properly. In other words, the fraud risk program must develop ways to have First Line managers own the risk, which of course should be the case all the time. 

This is interesting because USAA saw significant business growth over the last decade, expanding into new products and new types of customers — which, of course, brings new types of fraud risk. So USAA must figure out a way to get ahead of those fraud risks, rather than play catch-up to them later. Again, that should be the case everywhere all the time, but seldom is.

We’ll stop there for now, but the OCC order offers plenty of food for thought for compliance officers both inside and outside the banking sector. It touches on a lot of fundamental questions of governance and risk management; and on those issues, we need all the food for thought we can get.
