FinCEN’s enforcement actions for anti-money laundering violations often attract attention because of the scale of the violations and the heavy penalties imposed.
At most financial institutions, CCOs read these enforcement actions with an eye to distinguishing their own AML programs from that of the target of the enforcement action. I would recommend some caution here: it’s easy to breathe a sigh of relief and whisper to yourself that your company’s program is more robust and would never fall into the target company’s trap. However, be careful. A working program can turn into a deficient program in a short time, depending on the consistency and vigilance with which it is maintained.
In this context, consider the USAA Bank case. FinCEN announced last week that it had reached a settlement agreement for $140 million in civil penalties for violations of the Bank Secrecy Act. The settlement includes a separate settlement with the Office of the Comptroller of the Currency for a $60 million fine.
In 2019, USAA executed a consent order with the OCC identifying deficiencies in its compliance policies and procedures and ordering USAA Bank to remedy the identified deficiencies.
USAA Bank is a federally chartered savings bank based in San Antonio, Texas, and has provided deposit and consumer loans to approximately 13 million members, consisting of United States military personnel and their families in the United States and near military installations around the world.
Between 2016 and 2021, USAA Bank experienced phenomenal growth. Despite this growth, USAA Bank did not adapt its AML program in response. In 2017, the OCC notified USAA Bank that its AML program was flawed. In 2018, USAA Bank made a number of commitments that it then did not implement. It failed to: (1) address the scope of internal controls and independent testing deficiencies; (2) establish a compliance committee to monitor the implementation of the commitments; (3) develop and implement adequate customer due diligence (CDD), enhanced due diligence (EDD) and risk identification processes for customers; (4) develop and implement written policies for the timely review and disposition of suspicious activity alerts and improve processes for identifying suspicious activity; (5) provide thorough and effective independent testing of the AML program; and (6) conduct a post-mortem review of Remote Deposit Capture (RDC) transaction activity and file Suspicious Activity Reports (SARs) as required.
USAA Bank twice extended its time to complete its remediation, and as of the date of the enforcement action, it had not fulfilled all of its commitments. Taking these failures together, FinCEN noted that USAA Bank “deliberately” violated its anti-money laundering requirements.
FinCEN concluded that USAA Bank’s compliance failures resulted in millions of dollars in suspicious transactions flowing through the US financial system without proper reporting.
The long list of shortcomings is significant and demonstrates USAA Bank’s fundamental failure to implement an effective AML program. As a baseline requirement, USAA Bank never completed the implementation of risk-based policies, procedures, and controls to address its relevant risks and meet BSA minimum requirements.
USAA Bank’s compliance staffing was woefully inadequate. The bank relied on third-party contractors to supplement staff, but did not properly train the contractors or ensure that they were qualified. In 2018, the bank conducted an assessment and determined that it needed 178 additional permanent employees. In 2021, the bank had 62 vacancies, including that of head of the bank’s Financial Intelligence Unit.
USAA Bank’s alert and investigation system was chronically flawed. Its old transaction monitoring system failed to capture critical information it needed because of gaps in customer due diligence. Additionally, USAA Bank never properly validated and adjusted its old system.
In 2021, USAA Bank implemented a new transaction monitoring system. Unfortunately, the bank did not carry out adequate pilot tests before launching the new system. As a result, the new system failed to flag more than 1,300 cases, resulting in the failure to file at least 160 SARs. USAA Bank claimed the new system proved unmanageable because it was “too sensitive”, creating a backlog of 90,000 unexamined alerts and 6,900 unexamined cases. These numbers underscored USAA Bank’s inability to retain adequate staff for its compliance function.
USAA Bank’s internal controls were poorly designed, including excessive limits for electronic activity (RRDC, transfers, bill payments), ATM deposits and withdrawals, and ATM PIN attempts. Additionally, even when suspicious activity was properly alerted, in more than 20% of cases, USAA Bank decided not to file an SAR despite lacking information about the source or subject of the customer funds.
Finally, USAA Bank relied on its internal audit team to conduct independent company-wide testing of its AML program. A review of the previous test report revealed serious flaws in the team’s review and conclusions.