Diving certificate:

• The Office of the Comptroller of the Currency has issued a “comprehensive” cease-and-desist order to USAA Federal Savings Bank, reprimanding the bank for its “failure to comply” with elements of previously issued orders and OCC requirements.
• The order against USAA, published on Wednesdayinstructs the bank to correct the problem “a series of deficiencies” after the regulator found unsafe or unsound practices in management, revenue, information technology, consumer compliance and internal audit, as well as violations in reporting suspicious activity. The order too limits the addition of some new products or services and limits USAA’s ability to expand its membership criteria.
• The OCC’s order “outlines requirements to bring the bank’s risk and compliance management to the level that we and our regulators expect,” a USAA spokesman said in a statement Thursday. “Although our progress has not been consistent or rapid enough, the Bank is well positioned to complete this work.”

Insight into the dive:

USAA offers banking and insurance products for military members, veterans and their families.

The enforcement action is the latest blow to USAA’s bank, which has faced a series of regulatory problems in recent years. The OCC issued a consent order in January 2019 addressing unsafe or unsound Banking practices related to the Bank’s IT program, compliance management system and risk governance framework. The regulator imposed a penalty of $85 million against the bank in 2020 related to these issues.

Then, in March 2022, the OCC issued another order finding deficiencies in the bank’s anti-money laundering/Bank Secrecy Act compliance program. The bank was hit again $140 million finefrom the OCC and the Financial Crimes Enforcement Network, related to AML issues.

In the latest order, which replaces the lawsuits against the bank from 2019 and 2022, The OCC said the bank was not complying with certain elements of any of the previous orders. USAA also did not comply with the OCC’s enhanced standard requirements for major banks, which set minimum standards for risk governance frameworks.

In the wide-ranging order, the OCC directed the bank to take “comprehensive corrective actions” to improve its risk governance and risk management related to compliance, information technology, fraud, and third-party, affiliate and shared services.

The bank’s board of directors has been directed to appoint a compliance committee to oversee the bank’s corrective actions, and the bank must draft an action plan outlining remedial actions and appropriate timelines for making necessary corrections. The regulator wants the bank to report suspicious activity more quickly, improve compliance with consumer protection laws and improve training for risk management and audit staff.

The order “confirms the progress” the bank has made on its BSA/AML program, with the completion of the 2022 consent order, the spokesperson noted. “With a stronger foundation for risk prevention and mitigation, we will continue to improve our capabilities and processes to ensure we consistently provide superior service to our members,” the USAA spokesperson said.

Given that this is the third regulatory order in five years, “this must be a top priority for the bank’s board and management.” Risk management consultant James Lam said. After repeated orders, “there may be some fundamental opportunities to really improve the relationship and communication with principal investigators.”

The order specifically addresses compensation and states that effective April 1, 2025, the bank “shall not make any incentive-based compensation payment to insured persons.” Within 90 days, the bank must submit to its auditor an annual plan that includes: “a We have proposed a payment review process to ensure that any incentive-based compensation payments to an insured person reflect any adverse risk outcomes,” the order says.

Carl Goss, a partner at law firm Hunton Andrews Kurth, called it “tough.”

“I have never seen compensation hit so hard,” he said in an email. “It’s kind of like a civil penalty.”

USAA CEO Wayne Peacock, who has been CEO since 2020, is stepping down from his position at USAA first half of 2025as soon as a new CEO is elected.

The bank cannot add new products or services or expand its membership criteria “without assessing and documenting the compliance and operational risks associated with these steps,” “ensuring that the bank has adequate controls in place to mitigate those risks, and 90 days provide written notice in advance.” to the responsible auditor,” the OCC said.

The timing of this restriction is “unfortunate,” Lam said, as such a restriction on growth and innovation comes “at a very critical time for disruptive technologies” in banking.

The OCC also required the bank to implement a fraud risk management program that is consistent with the bank’s risk profile and risk appetite and combats internal and external fraud.

“I don’t think I’ve seen a dedicated fraud risk management article in an enforcement action before,” Goss said. “These are likely to become more common” as fraud-related losses at some banks exceed loan losses, he added.

Wednesday’s order suggests that USAA has not made sufficient progress on some previous regulatory sticking points, while new concerns also emerged, including fraud risk management, said Patrick Haggerty, senior director at financial services advisory and investment firm Klaros Group.

“What is unusual to me is how comprehensive the new order is, considering the bank has been under an order for more than five years at this point,” Haggerty said in an email. “It is not unusual to take a long time to get out of an enforcement order, but it is unusual to reach the five-year deadline only to be slapped with a new order covering much of the same ground… and without any civil liability “Funds will be incurred.” Penalties.”

The OCC noted in the order that it reserves the right to impose penalties or take other enforcement actions if it concludes that the bank has failed to address the issues identified in the recent order.

The USAA spokesman said the bank continues to “identify and resolve issues while strengthening the rigor of our programs and processes.” The bank is also investing in additional systems and training and strengthening a strong risk management culture, the spokesman said.

Since the OCC requires the bank to implement various frameworks related to IT, fraud, third-party risk and compliance risk management, “there should be a unified enterprise risk management framework that encompasses and integrates all of these requirements,” said Lam, a fragmented one or isolated approach.

“You can’t play whack-a-mole,” Lam said.

Correction: An earlier version of this article contained incorrect information about USAA’s chief risk officer. USAA Interim Chief Risk Officer, George Stamatelatos is a member of the Company’s Board of Directors.