Delay, Thomas Jefferson once wrote, “is preferable to error.”[1] When it comes to corporate compliance, however, significant and unjustified delay in implementing compliance programs can lead not merely to error, but to substantial business costs that can include business disruption, revenue losses, fines, penalties, and settlement costs.[2]
On March 17, the Financial Crimes Enforcement Network (FinCEN) announced that it had imposed a $140 million civil penalty against USAA Federal Savings Bank (USAA FSB) for willful violations of the Bank Secrecy Act (BSA) and its implementing regulations. In particular, USAA FSB admitted “that it willfully failed to implement and maintain an anti‑money laundering (AML) program that met the minimum requirements of the BSA from at least January 2016 through April 2021”, and “that it willfully failed to accurately and timely report thousands of suspicious transactions to FinCEN involving suspicious financial activity by its customers, including customers using personal accounts for apparent criminal activity.”[3]
In a separate but coordinated action, the Office of the Comptroller of the Currency (OCC) announced that it had assessed a $60 million civil money penalty against USAA FSB — credited against the FinCEN $140 million civil penalty — for violations of the OCC’s BSA regulations, and had issued a Cease and Desist (C&D) Order against USAA FSB based on its failure to establish and maintain an effective BSA/AML program.[4]
This post will summarize FinCEN’s and the OCC’s principal findings and conclusions and offer several lessons that other financial institutions can learn from these enforcement actions.
FinCEN Findings and Conclusions
In the consent order that it entered against USAA FSB, FinCEN stated that during the relevant time period (i.e., January 1, 2016 – April 30, 2021), the bank “experienced tremendous growth as a financial institution. While USAA FSB’s membership eligibility expanded, it failed to match that growth with effective AML compliance capabilities.”[5]
FinCEN also stated that beginning by at least 2017, “the OCC informed USAA FSB that there were significant problems with its AML program, including that it failed to develop a compliance program that met all of the requirements of the OCC’s regulations.” In response to that OCC notification, in 2018 USAA FSB made seven specific commitments (“2018 Commitments”) to overhaul its AML program by March 31, 2020:
- “Fully address the scope of the internal controls and independent testing deficiencies”;
- “Establish a compliance committee to monitor the implementation of the 2018 Commitments”;
- “Conduct a comprehensive, enterprise-wide risk assessment”;
- “Develop and implement adequate customer due diligence (CDD), enhanced due diligence (EDD), and customer risk identification processes”;
- “Develop and implement written policies for timely review and disposition of suspicious activity alerts and improve suspicious activity identification processes”;
- “Provide for thorough and effective independent testing of the AML program”; and
- “Conduct a lookback review of Remote Deposit Capture (RDC) transaction activity and file suspicious activity reports (SARs) as needed.”
USAA FSB, however, “failed to make adequate progress to meet the March 31, 2020 deadline and instead amended its completion date to June 30, 2021.” As of the date of the FinCEN Consent Order, the bank, even after missing two completion deadlines over four years, still remained out of compliance with its 2018 Commitments.[6]
FinCEN further determined that the facts “describe a bank that willfully failed to comply with the BSA over many years.” In particular, FinCEN concluded that USAA FSB failed to implement an adequate AML program in multiple respects:
- Failure to Develop Internal Policies, Procedures, and Controls: As one example, during the relevant time period, the bank’s BSA/AML compliance department was significantly understaffed. Even though the bank determined in 2018 “that it needed 178 permanent, full-time positions to fully staff its compliance functions”, as of early 2021 it still had 62 vacant positions, including the head of its Financial Intelligence Unit (FIU). While it supplemented approximately 76 percent of its compliance staffing needs with third-party contractors, the bank “failed to properly train or otherwise ensure these contractors possessed satisfactory qualifications and expertise.” In addition, FinCEN found that USAA FSB’s case alert and investigation system was “chronically deficient”, in both its legacy and replacement systems for transaction monitoring, and led to “an unmanageable number of alerts and cases” that resulted in tremendous backlogs of unreviewed alerts and cases.[7]
- Deficiencies in Independent Testing of the AML Program: This included failure to recognize numerous weaknesses identified during the relevant time period, “including weaknesses with key internal controls, such as risk assessment processes, [Customer Due Diligence], [Enhanced Due Diligence], customer risk identification, and suspicious activity monitoring processes.”[8]
- Training Failures: These included failure to tailor training to FIU investigators (including third-party contractors) and Know Your Customer analysts, and to properly oversee, train, and test third-party contractors.[9]
- Deficiencies in CDD Policies and Procedures: These included the development and use of a critically flawed customer risk score model and severe and material underestimation of customer-specific and overall BSA/AML risks.[10]
- Failure to Meet Requirement of the Bank’s Federal Functional Regulator Governing AML Programs: FinCEN found that USAA FSB knew that it was failing to meet the regulatory requirements of its federal functional regulator (i.e., the OCC) concerning its AML program, “but failed to bring itself into compliance with those requirements for over five years.”[11]
- Failure to File SARs: FinCEN finally noted that the bank’s AML failures resulted in “willful failures to timely and accurately file at least 3,873 SARs.”[12]
Basis for FinCEN Penalty
In deciding whether to impose a penalty and the size of the penalty, FinCEN took into account the following factors as particularly relevant:
- The nature and seriousness of the violations, including the extent of possible harm to the public and the amounts involved;
- The impact or harm of the violations on FinCEN’s mission to safeguard the financial system from illicit use, combat money laundering, and promote national security;
- The pervasiveness of wrongdoing within the institution, including management’s complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations;
- The bank’s history of similar violations, or misconduct in general, including prior criminal, civil, and regulatory enforcement actions;
- The bank’s obtaining of competitive advantage and financial benefit resulting from, or attributable to, the violations;
- The absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures;
- The bank’s lack of timely and voluntary disclosure of the violations to FinCEN;
- The bank’s cooperation and responsiveness to requests from the OCC and FinCEN;
- The systemic nature of the violations; and
- The OCC’s imposition of a civil penalty for the same pattern or practice of conduct associated with the violations covered in the FinCEN order.[13]
OCC Findings and Conclusions
The OCC’s Cease and Desist (C&D) Order in the case essentially tracked FinCEN’s principal findings and conclusions with regard to USAA FSB’s failures to implement and maintain a BSA/AML compliance program, to correct BSA/AML internal controls problems, and to file timely SARs. It also directed the bank to establish a Compliance Committee to monitor and oversee the Bank’s compliance with the provisions of the C&D Order, and to provide the bank’s Board with periodic progress reports on corrective actions needed to comply with the C&D Order.[14]
Significantly, the Order requires the Board of Directors to “authorize, direct and adopt corrective actions on behalf of the Bank as may be necessary to perform the obligations and undertakings imposed on the Board by this Order.” These requirements of the Board are more typical of what regulators normally demand of management rather than of the Board. The board of a financial institution is not generally required to “direct” remediation measures.
The C&D Order further required the bank to develop and implement measures such as (1) a written action plan for BSA/AML compliance, (2) a written suspicious activity monitoring and reporting program, (3) an institution-wide AML/counter-terrorism financing risk assessment, and (4) internal controls. It also required the bank’s Board to revise, adopt, and promptly implement and adhere to an appropriate written Customer Identification Program (“CIP”).[15] A separate OCC Consent Order directed USAA FSB to “expeditiously undertake all necessary and appropriate actions to achieve compliance with” the C&D Order.[16]
Lessons To Be Learned
These enforcement actions provide a critical lesson for other financial institutions: that federal financial regulators will not tolerate lengthy and unjustified delays in implementing fundamental elements of an AML/BSA compliance program. Moreover, the language in the OCC Order regarding the Board may presage a broader expansion of how regulators see a board’s responsibilities. Effective regulatory oversight requires that someone must be held accountable for ensuring a bank complies with regulatory requirements. In this case, the OCC Order makes clear that if management fails to do its job, the OCC will impose that accountability directly on the Board.
Because this post cannot adequately address all of the compliance failures that FinCEN and the OCC identified, financial institution Chief Compliance Officers and their teams should peruse the orders in this case with a view to benchmarking their own firms’ AML compliance programs, and incorporate pertinent findings from the FinCEN and OCC orders into training materials and internal guidance. No development and implementation of an effective AML compliance program, of course, can be accomplished without substantial investments of time and expertise. Nonetheless, senior executives and board members of financial firms would do well to remember Cervantes’s admonition that “in delay there’s danger.”[17]
Footnotes
[1] Letter from Thomas Jefferson to George Washington (May 16, 1792), Founders Online, National Archives, https://founders.archives.gov/documents/Washington/05-10-02-0253.
[2] Peter Merkulov, The True Cost of Compliance, Corporate Compliance Insights, March 26, 2018, https://www.corporatecomplianceinsights.com/true-cost-compliance/.
[3] Financial Crimes Enforcement Network, FinCEN Announces $140 Million Civil Money Penalty against USAA Federal Savings Bank for Violations of the Bank Secrecy Act, March 17, 2022, https://www.fincen.gov/news/news-releases/fincen-announces-140-million-civil-money-penalty-against-usaa-federal-savings.
[4] Office of the Comptroller of the Currency, OCC Assesses $60 Million Civil Money Penalty, Issues Cease and Desist Order Against USAA, March 17, 2022, https://www.occ.gov/news-issuances/news-releases/2022/nr-occ-2022-25.html.
[5] Financial Crimes Enforcement Network, U.S. Dep’t of the Treasury, Consent Order, In the Matter of USAA Federal Savings Bank, No. 2022-01 at 2 (March 17, 2022), https://www.fincen.gov/sites/default/files/enforcement_action/2022-03-18/USAA%20Consent%20Order_Final%20508%20(2).pdf.
[6] Id. 4-5.
[7] Id. 6-7.
[8] Id. 8.
[9] Id.
[10] Id. 9.
[11] Id. 10.
[12] Id. 11.
[13] Id. 15-19.
[14] Office of the Comptroller of the Currency, U.S. Dep’t of the Treasury, Consent Order, In the Matter of USAA, Federal Savings Bank, No. AA-EC-2022-2 (March 17, 2022), https://www.occ.gov/static/enforcement-actions/ea2022-008.pdf.
[15] Id. 4-13.
[16] Office of the Comptroller of the Currency, U.S. Dep’t of the Treasury, Consent Order, In the Matter of USAA, Federal Savings Bank, No. AA-EC-2022-3 at 4 (March 17, 2022), https://www.occ.gov/static/enforcement-actions/ea2022-009.pdf.
[17] Miguel de Cervantes, The History of Don Quixote (John Ormsby trans.), Project Gutenberg (updated February 28, 2022), https://www.gutenberg.org/files/996/996-h/996-h.htm.
Jonathan J. Rusch is a Senior Fellow at New York University School of Law’s Program on Corporate Compliance and Enforcement; Adjunct Professor at Georgetown University Law Center, American University Washington College of Law, and Washington and Lee Law School; and Principal of DTG Risk & Compliance LLC. He is a former Deputy Chief in the U.S. Department of Justice’s Fraud Section, and former Senior Vice President and Head of Anti-Bribery & Corruption Governance at Wells Fargo.