Dive Brief:
- The Office of the Comptroller of the Currency has hit USAA Federal Savings Bank with a “comprehensive” cease-and-desist order, calling out the bank for its “noncompliance” with elements of previously issued orders and OCC requirements.
- The order against USAA, made public Wednesday, directs the bank to fix “a range of deficiencies,” after the regulator found unsafe or unsound practices related to management, earnings, information technology, consumer compliance and internal audit, as well as suspicious activity reporting violations. The order also limits the addition of some new products or services and puts restrictions around USAA’s ability to expand its membership criteria.
- The OCC’s order “outlines requirements to advance the Bank’s risk and compliance management to the level we and our regulators expect,” a USAA spokesperson said in a statement Thursday. “Although our progress has not been consistent or swift enough, the Bank is well-positioned to complete this work.”
Dive Insight:
USAA provides banking and insurance products to military members, veterans and their families.
The enforcement action is the latest hit for USAA’s bank, which has run into a number of regulatory issues in recent years. The OCC issued a consent order in January 2019 that called out unsafe or unsound banking practices related to the bank’s IT program, compliance management system and risk governance framework. The regulator levied an $85 million penalty against the bank in 2020 related to those issues.
Then, in March 2022, the OCC issued another order identifying flaws in the bank’s anti-money laundering/Bank Secrecy Act compliance program. The bank was hit with another $140 million in penalties, by the OCC and the Financial Crimes Enforcement Network, stemming from the AML issues.
In the newest order, which replaces the 2019 and 2022 actions against the bank, the OCC said the bank is not complying with certain elements of either prior order. USAA also was not in compliance with the OCC’s heightened standards requirements for large banks, which outline minimum standards for risk governance frameworks.
In the wide-ranging order, the OCC directed the bank to take “comprehensive corrective actions” to improve its risk governance and risk management related to compliance, information technology, fraud, and third-party, affiliate and shared services.
The bank’s board was directed to appoint a compliance committee to oversee the bank’s corrective actions, and the bank must draft an action plan outlining remedial actions and reasonable timelines to complete necessary fixes. The regulator wants to see the bank report suspicious activity in a more timely manner, bolster its compliance with consumer protection laws, and enhance training for risk management and audit staff.
The order “confirms progress” the bank has made on its BSA/AML program, with the closure of the 2022 consent order, the spokesperson noted. “With a stronger foundation in place to prevent and mitigate risk, we will continue to enhance our capabilities and processes to ensure we consistently serve our members with excellence,” the USAA spokesperson said.
Given it’s the third regulatory order in five years, “this has to be the top priority for the bank’s board and management,” risk management consultant James Lam said. After repeated orders, “there might be some underlying opportunities to really improve the relationship and communication with the lead examiners.”
The order specifically addresses compensation, stipulating that the bank “shall not make any incentive-based compensation payment to any covered individual,” effective April 1, 2025. Within 90 days, the bank must submit to its examiner an annual plan that details “a proposed payment review process to ensure that any incentive-based compensation payments to any covered individual reflect any adverse risk outcomes,” the order said.
Carl Goss, a partner at law firm Hunton Andrews Kurth, called that “harsh.”
“I have not seen compensation hit so hard before,” he said in an email. “This is kind of like a civil money penalty.”
USAA CEO Wayne Peacock, who’s been chief executive since 2020, is stepping away from his post in the first half of 2025, once a new CEO is chosen.
The bank can’t add new products or services or expand its membership criteria “without evaluating and documenting the compliance and operational risks” posed by those moves, “ensuring the Bank has adequate controls to mitigate such risks, and providing 90 days prior written notification to the Examiner-in-Charge,” the OCC said.
The timing of that limitation is “unfortunate,” Lam said, given that such a restriction on growth and innovation comes “during a very critical time for disruptive technology” in banking.
The OCC also ordered the bank to implement a fraud risk management program that is commensurate with the bank’s risk profile and appetite and that addresses internal and external fraud.
“I don’t think I have seen a specific fraud risk management article in an enforcement action before,” Goss said. “These will probably become increasingly common,” as losses associated with fraud outpace credit losses for some banks, he added.
Wednesday’s order indicates USAA wasn’t making sufficient progress on some prior regulatory sticking points while new concerns arose, too, including fraud risk management, said Patrick Haggerty, a senior director with financial services advisory and investing firm Klaros Group.
“What’s unusual to me is just how comprehensive the new order is given that the bank has been under an order for more than five years at this point,” Haggerty said in an email. “It’s not unusual for it to take a long time to get out from under an enforcement order, but it’s unusual to hit the five-year mark only to be hit with a new order covering much of the same ground … and not incur civil money penalties.”
The OCC noted in the order that it reserves the right to assess penalties or take other enforcement actions if it determines the bank has failed to address the issues identified in the most recent order.
The USAA spokesperson said the bank continues “to identify and resolve issues while strengthening the rigor of our programs and processes.” The bank is also investing in additional systems and training, and reinforcing strong risk management culture behaviors, the spokesperson said.
With the OCC requiring the bank to implement different frameworks related to IT, fraud, third-party risk and compliance risk management, “there should be a unifying enterprise risk management framework that encompasses and integrates all of these requirements,” Lam said, rather than a fragmented or siloed approach.
“You can’t play whack-a-mole,” Lam said.
Lam noted that USAA’s chief risk officer, Neeraj Singh, is not part of the firm’s executive council, according to its website.
“It is important that the CRO has appropriate authority and independence,” Lam said.