Compliance Blog

Last week, the Financial Crimes Enforcement Network (FinCEN) announced it completed an investigation, which led to a consent order and a $140 million civil money penalty against USAA Federal Savings Bank (USAA) for violations of the Bank Secrecy Act (BSA) and its implementing regulations. This enforcement action can serve as an example of growing pains and the importance of updating the BSA/AML compliance program as membership and product types expand.

In the consent order, FinCEN explained that USAA had grown substantially in the years 2016 to 2021, yet failed to update its BSA/AML compliance program to match the size and risks associated with the increased bank activities. Specifically, FinCEN describes a list of updates USAA agreed to make in 2018 after its examiners found it to have a deficient compliance program. These improvements were to include:

• Expand internal controls and testing
• Establish a compliance committee
• Complete an enterprise-wide risk assessment
• Update customer due diligence, enhanced due diligence and customer identification programs
• Write policies and procedures for handling suspicious activities
• Create plans for independent testing and auditing of the compliance program
• Lookback review of remote deposit capture transactions and file any necessary SARs

However, during this investigation, it was found that USAA failed to make adequate improvements.

The order includes a detailed discussion of some of the major requirements of the BSA that USAA failed to comply with. Generally, the BSA and FinCEN’s regulations require banks and credit unions to maintain a program that includes: a system of internal controls to assure ongoing compliance; Independent testing for compliance to be conducted by bank personnel or by an outside party; designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance; training for appropriate personnel; and appropriate risk-based procedures for conducting ongoing customer due diligence. Despite these being the minimum requirements for a BSA/AML program, it was found that USAA’s BSA department was understaffed and heavily relied on third-party contractors in completing compliance functions, using these contractors for about 76% of its compliance staffing needs. It was also found that USAA did not have appropriate training or other processes in place to ensure the staff were knowledgeable or had the expertise to handle BSA compliance.

Additionally, the consent order details issues with the bank’s internal monitoring systems and explains that USAA failed to maintain systems to accurately identify suspicious activity, causing a backlog of around 90,000 alerts that have not been reviewed. These un-reviewed alerts may have contributed to the failure to file thousands of SARs. During the investigation, it was discovered that one member, a physician, received 76 deposits from a virtual currency exchange totaling nearly $1.5 million and made over 2,800 ATM cash withdrawals totaling approximately $1.6 million from ATMs in Colombia. Despite these transactions being vastly different from the expected use of this account, it took months for an alert to be escalated and a SAR to be filed. Eventually, USAA closed this account.

FinCEN explained that the shortcomings in the systems built to recognize suspicious activities were directly related to the shortcomings in the customer due diligence policies. For example, it was determined that USAA often opened accounts without collecting sufficient information to assess a member’s risk profile or implement programs to flag suspicious activity on their accounts. Additionally, FinCEN found that managers and employees would assign low risk scores in relation to unknown or missing information for an account, causing the overall BSA/AML risks to be significantly understated. Without adequate CDD processes at account opening, employees were left with limited information to use for monitoring accounts and flagging suspicious transactions.

The consent order contains more interesting examples of the bank’s failures to comply with the BSA and FinCEN’s rules. Compliance professionals can look to these examples as guidance as to what regulators may expect in times of growth and expansion. We often remind members that FinCEN requires a credit union’s BSA/AML compliance program to grow and adapt to the size, complexity, and risk factors faced by the credit union. This is why all compliance programs are not the same and a credit union should determine whether its risks are adequately addressed by its compliance program and internal controls.