UPDATE: This article includes additional details from the OCC's enforcement action.
Federal regulators on Wednesday issued a stinging enforcement action outlining "comprehensive" shortcomings at USAA Federal Savings Bank, marking the third attempt in five years to force an overhaul of the military-focused bank.
In a cease-and-desist order, the Office of the Comptroller of the Currency — USAA's primary federal banking regulator — said it's prohibiting the bank from adding "any new product or service" or loosening its membership criteria without evaluating the risks of getting bigger.
The order follows
Key USAA leaders, including CEO Wayne Peacock, have left the company in recent months or are set to leave next year. At least some of the exits appear to signal that regulators remain frustrated with USAA over its failure to complete required overhauls, experts have said.
The OCC made its dissatisfaction clear in Wednesday's announcement, saying the bank has failed to respond adequately to issues the agency has flagged going back to 2019.
In its most recent order, the OCC regulators flagged various specific "unsafe or unsound practices." The list includes the bank's lackluster earnings and its shortcomings in numerous areas, such as information technology systems, compliance with consumer protection laws, internal audit practices and reporting of suspicious activity.
In a statement Wednesday, USAA said that although its "progress has not been consistent or swift enough, the Bank is well-positioned to complete this work."
"With a stronger foundation in place to prevent and mitigate risk, we will continue to enhance our capabilities and processes to ensure we consistently serve our members with excellence," the company said.
The bank also pointed to signs of progress in meeting its regulators' demands. The OCC, for example, agreed Wednesday to terminate a 2022 consent order tied to the bank's anti-money-laundering practices after seeing needed improvements. One aspect of USAA's reporting of suspicious activity still needs improvement, the order says.
"Moving forward, our path is clear," USAA said in its statement.
USAA is continuing to "identify and resolve issues while strengthening the rigor of our programs and processes," investing in new systems and improving training for staff, the company said.
The company also said that USAA's financials are strong, with its holding company getting top marks from the ratings agencies Standard & Poor's, Moody's and AM Best.
The latest OCC order requires the bank to come up with an action plan that has "reasonable and well-supported timelines" for correcting the various issues the agency flagged. The OCC issued a broad order against the company in 2019, plus
The OCC did not announce any monetary penalties on Wednesday, though it said it reserves the right to do so if it finds USAA is continuing to violate its orders. In 2020, the OCC
The latest enforcement action places some restrictions on USAA's growth, saying that the bank can't add new products or start serving a wider swath of customers without evaluating any heightened compliance risks and taking steps to "mitigate such risks."
The company has loosened its membership criteria over the decades to add more customers. Its membership ranks now include noncommissioned officers, anyone who's served honorably in the military and family members of those who have served.
The enforcement action forces the bank's board to oversee compliance with the order. Those responsibilities include ensuring that the bank's management and employees "have sufficient training and authority" and are held "accountable" to fix the bank's problems.
The order also requires USAA's bank to adhere to a risk governance framework that's meant to ensure it is "operating within established risk appetites," and that it addresses deficiencies speedily. The risk framework must ensure that employee compensation programs "do not encourage inappropriate risk-taking behavior," the order said.
The bank is required to create an annual incentive compensation plan that is "consistent with safe and sound" practices, with bonuses that "reflect any adverse risk outcomes."
The order also mandates an assessment of whether the bank's risk appetite is the same as that of USAA's insurance company, plus an annual review of the holding company's risk profile and whether decisions stand to "jeopardize the bank's safety and soundness."
The OCC order lays out requirements meant to improve the bank's compliance with consumer protection laws. Past alleged consumer violations have resulted in two consecutive failures on the bank's Community Reinvestment Act exams. The order requires clearly delineated roles and accountability procedures for front-line compliance staff and internal audit teams.
The bank must create a program that will effectively "identify, report, and escalate customer complaints," including determining and resolving the "root causes" of those complaints, according to the order.
In addition, the order requires upgrades to the bank's IT systems and governance, calling on USAA to develop a program to attract and retain IT talent. The bank must also examine whether its IT shortcomings "have contributed to or are a root cause of operational and compliance deficiencies."
The order requires USAA to follow procedures for "reporting and escalating significant IT risks" to senior leadership and the board, and to implement a comprehensive training program for risk management staffers and internal auditors.
Though the OCC terminated its broad 2022 anti-money-laundering order against USAA, it also found that the bank wasn't complying with a provision that calls on staffers to report suspicious transactions. The latest OCC order requires USAA's bank to "ensure fraud-related suspicious activity" is flagged promptly and that reports are filed in time.
The company must run regular audits aimed at preventing and detecting fraud, along with reporting to leadership on its fraud risk, fraud audits, "backlogs" in fraud-related suspicious activity reports and fraud losses, the order said.
