On March 17, 2022, the Office of the Comptroller of the Currency announced a $60 million civil money penalty and a cease and desist order issued in the matter of USAA, Federal Savings Bank of San Antonio, Texas for Bank Secrecy Act violations. On the same day, the Financial Crimes Enforcement Network announced the resolution of its investigation of USAA FSB’s failure to comply with the Bank Secrecy Act.
As the federal banking agency responsible for overseeing federal savings associations, the OCC found that USAA FSB had failed to implement and maintain a Bank Secrecy Act/Anti-Money Laundering compliance program with the components required by the law. In particular, the bank’s BSA/AML compliance program did not include adequate internal controls, did not adequately provide for the identification, evaluation or reporting of suspicious activity, had deficient risk management practices, and inadequate staffing and training. In addition, the OCC found that USAA FSB had failed to file timely suspicious activity reports, and had failed to correct BSA/AML compliance issues identified by the OCC previously. The OCC found the bank’s conduct to be in violation of 12 USC §§ 1818(s)(3)(A) and (B) and implementing regulations 12 CFR §§ 21.21 and 163.180(d).
In addition to the $60 million monetary penalty, the OCC issued a second consent order imposing specific compliance obligations on the bank. Pursuant to the order, the USAA FSB Board must appoint a compliance committee composed primarily of directors — not employees or officers of the bank – who will monitor and oversee the bank’s compliance with the consent order. At the same time, the board must ensure that the bank have a qualified BSA officer who has the independence, authority and resources necessary to ensure compliance with the provisions of the Bank Secrecy Act and the action plan described below.
The consent order requires USAA FSB to develop and implement a BSA/AML action plan that specifies the corrective action needed to bring the bank into compliance with the Bank Secrecy Act, the regulations promulgated thereunder, and the rules and regulations of the Office of Foreign Assets Control and relevant Executive Orders. The action plan must include a timeline for achieving compliance. Other required components include:
- The development and implementation of a suspicious activity monitoring and reporting program;
- The establishment of programs to ensure that suspicious activity alerts are resolved in a timely fashion;
- The maintenance and regular updating of an institution-wide assessment of the bank’s money laundering and terrorist financing activity risks, and the incorporation of the risk assessment into the BSA/AML program;
- The revision and adoption of a system of internal controls reasonably designed guide BSA compliance that includes effective management information systems, risk-based transaction limits, risk-based quality assurance;
- The implementation of a written customer identification program that incorporates risk-based policies and procedures for collecting customer due diligence information for new accounts and periodically for some existing accounts.
The consent order further requires the adoption of a BSA/AML training program for bank employees and board members, and an independent testing program commensurate with the money laundering, terrorist financing risk profile of the bank. An OFAC compliance program is also required by the consent order, one that includes written OFAC risk assessment methodology and process, as well as a system of internal controls commensurate with the bank’s level of risk.
In a parallel action, the Financial Crimes Enforcement Network announced the assessment of a $140 million civil money penalty against USAA FSB for willfully violating the provisions of the Bank Secrecy Act and its implementing regulations. In its settlement with FinCEN, the bank admitted to willfully failing to implement an adequate AML program from January 2016 through April 2021. The consent order details the warnings given to USAA FSB beginning in 2017, and bank’s failure to fulfil commitments made in 2018 and 2020 to overhaul its AML programs. FinCEN credited the $60 million OCC penalty, and will collect $80 million from the bank.