FinCEN Settles with USAA Federal Savings Bank for $140 Million for Willful AML Violations
FinCEN enforcement actions for anti-money laundering violations are often interesting because of the scope of violations and the large penalties imposed.
For most financial institutions, CCOs read these enforcement actions with an eye to distinguishing their own AML programs from the target involved in the enforcement action. I would urge some caution here – it is easy to breathe a sigh of relief and whisper to yourself that your company’s program is more robust and would never fall into the trap of the target company. However, be careful – it is easy for a functioning program to turn into a deficient program in short order, depending on the consistency and vigilance of an existing program.
With that background, let’s look at the USAA Bank case. FinCEN announced the settlement last week after reaching a settlement agreement for $140 million in civil fines for violations of the Bank Secrecy Act. The settlement includes a separate agreement with the Office of the Comptroller of the Currency for a $60 million fine.
In 2019, USAA executed a consent order with the OCC identifying deficiencies in its compliance policies and procedures and directing USAA Bank to remediate the identified deficiencies.
USAA Bank is a federally-chartered savings bank based in San Antonio, Texas, and provides deposit and consumer loans to approximately 13 million members, consisting of U.S. military personnel and their families in the United States and at military installations around the world.
Between 2016 and 2021, USAA Bank experienced tremendous growth. Despite this growth, USAA Bank failed to adjust its AML program in response. In 2017, the OCC informed USAA Bank that its AML program was deficient. By 2018, USAA Bank made a number of commitments, which it failed to implement, including failures to: (1) address the scope of internal controls and independent testing deficiencies; (2) establish a compliance committee to monitor the implementation of the commitments; (3) develop and implement adequate customer due diligence (CDD), enhanced due diligence (EDD), and customer risk identification processes; (4) develop and implement written policies for timely review and disposition of suspicious activity alerts and improve suspicious activity identification processes; (5) provide for thorough and effective independent testing of the AML program; and (6) conduct a lookback review of Remote Deposit Capture (RDC) transaction activity and file suspicious activity reports (SARs) as needed.
USAA Bank extended its deadline to complete its remediation on two occasions, and as of the date of the enforcement action had not completed all of its commitments. Collectively, FinCEN noted that USAA Bank “willfully” violated its AML requirements.
FinCEN concluded that USAA Bank’s compliance failures resulted in millions of dollars in suspicious transactions flowing through the U.S. financial system without appropriate reporting.
The laundry list of deficiencies is significant and demonstrates USAA Bank’s fundamental failure to implement an effective AML program. As a basic requirement, USAA Bank never completed implementation of risk-based policies and procedures and controls to address its relevant risks and meet minimum BSA requirements.
USAA Bank’s compliance staff was woefully inadequate. The bank relied on third-party contractors to supplement staffing but failed to properly train or ensure that the contractors were qualified. In 2018, the bank conducted an assessment and determined that it needed 178 additional permanent staff. As of 2021, the bank had 62 vacant positions, including the head of the bank’s Financial Intelligence Unit.
USAA Bank’s case alert and investigation system was chronically deficient. Its legacy transaction monitoring system failed to capture critical information needed because of customer due diligence deficiencies. Further, USAA Bank never conducted appropriate validation and adjustment of its legacy system.
In 2021, USAA Bank implemented a new transaction monitoring system. Unfortunately, the bank failed to perform adequate pilot testing before launching the new system. As a result, the new system failed to flag over 1300 cases, resulting in a failure to file at least 160 SARs. USAA Bank claimed that the new system turned out to be unmanageable because it was “too sensitive,” thereby creating a backlog of 90,000 un-reviewed alerts and 6,900 un-reviewed cases. These numbers underscored USAA Bank’s failure to retain adequate staff for its compliance function.
USAA Bank’s internal controls were poorly crafted, including excessive limits for electronic activity (RRDC, wires, bill pay), ATM deposit and withdrawal, and ATM PIN attempts. In addition, even when suspicious activity was properly alerted, in over 20 percent of the cases, USAA Bank decided not to file a SAR despite the fact that it lacked information on the customer’s source or purpose of funds.
Finally, USAA Bank relied on its internal audit team to conduct enterprise-wide independent testing of its AML program. A review of the prior testing report revealed serious deficiencies in the team’s review and conclusions.