- USAA Federal Savings Bank will pay $140 million in penalties after admitting it failed to maintain sufficient anti-money laundering (AML) safeguards from at least January 2016 until April 2021, the Financial Crimes Enforcement Network (FinCEN) said Thursday.
- The Office of the Comptroller of the Currency (OCC) notified USAA of deficiencies in its anti-money laundering program in 2017, and the bank committed the following year to revamping its customer due diligence and risk identification processes but consistently failed to meet deadlines and lacked adequate staffing, FinCEN said.
- Between August 2017 and August 2021, USAA failed to timely file at least 3,873 suspicious activity reports (SARs), some of which flagged apparent criminal activity by customers using their personal accounts, FinCEN said. During that span, the bank filed SARs an average of 226 days after the suspicious activity ended — nearly four times the 60-day limit under the Bank Secrecy Act (BSA).
Thursday’s penalties break down to $80 million from FinCEN and $60 million from the OCC — each of which filed consent orders against USAA. The OCC ordered the bank to appoint a compliance committee within 15 days and to develop and implement a written plan to align with the BSA within 30 days.
"As its customer base and revenue grew in recent years, USAA FSB willfully failed to ensure that its compliance program kept pace, resulting in millions of dollars in suspicious transactions flowing through the U.S. financial system without appropriate reporting," FinCEN Acting Director Himamauli Das said in a statement Thursday, adding the bank "received ample notice and opportunity to remediate its inadequate AML program, but repeatedly failed to do so."
USAA said it was cooperating with regulators. The bank’s CEO, Wayne Peacock, called compliance "a top and urgent priority," according to a statement seen by The Wall Street Journal and The New York Times.
"While the issues identified in these orders did not result in any individual member harm, we understand the importance of these requirements," Peacock said. "USAA has already made progress in many critical areas by investing in new systems and training, enhancing staffing and expertise, and improving our processes."
Yet USAA’s staffing represented a major sticking point for regulators. A 2018 assessment by the bank found it needed 178 permanent full-time positions to staff its compliance function. But the bank had 62 vacant positions as of 2021, including the chief of the bank’s financial intelligence unit, FinCEN said. Additionally, third-party contractors met roughly three-quarters of the bank’s compliance staff needs, the regulator said.
FinCEN also found issues with the bank’s old and new transaction monitoring systems. The regulator labeled the legacy system as "chronically deficient." But USAA reported its replacement, installed in the first quarter of 2021, was overly sensitive — creating a backlog of around 90,000 alerts and 6,900 cases yet to be reviewed.
USAA failed to adequately test the new system before launching it, FinCEN found. In the two months the bank used both systems in parallel testing, the new system failed to flag more than 1,300 cases the legacy system caught, meaning the bank would have filed at least 160 fewer SARs with the newer technology, the regulator said.
USAA’s woes, in the eyes of regulators, encompassed suspicious activity tied to customers, too.
In its consent order, FinCEN highlighted three cases in which USAA allowed suspicious activity to continue for seven, 12 and 15 months. One involved a doctor who made more than 2,800 withdrawals over six months from ATMs in Colombia, connected to a virtual currency side business. A second case involved a 22-year-old customer whose account received high-value wire deposits from a person overseas connected to an offshore entity named in the Panama Papers. A third involved two people, including a self-employed construction worker, who deposited 3,457 small-dollar checks intended as rebate coupons to be cashed by companies that deal in baby formula and baby products.
Thursday’s penalty is not the first recent instance in which USAA has run afoul of regulators. The OCC fined the bank $85 million in October 2020 for risk management and information security failures. The regulator’s report cited 546 violations of the Servicemembers Civil Relief Act, including wrongful repossessions of vehicles and the filing of inaccurate affidavits in default judgment cases. The OCC also found evidence of 54 violations of the Military Lending Act for using remotely created checks to collect past-due amounts from members who were covered borrowers.