On March 17, 2022, FinCEN announced that it has assessed a $140 million civil money penalty against USAA Federal Savings Bank (USAA FSB) for willful violations of the Bank Secrecy Act (BSA) and its implementing regulations. This is after FinCEN conducted a civil enforcement investigation and determined that grounds exist to impose a Civil Money Penalty against USAA FSB for violations of the BSA. According to the FinCEN’s press release, USAA FSB admitted that it willfully failed to implement and maintain an anti‑money laundering (AML) program that met the minimum requirements of the BSA from at least January 2016 through April 2021.

USA FSB was a federally chartered savings bank headquartered in San Antonio, Texas that provided retail deposit and consumer loan products to approximately 13 million members throughout the United States and at military installations around the world. While USAA FSB’s membership eligibility expanded, it failed to match that growth with effective AML compliance capabilities. In response to the OCC’s notification about the banks insufficient AML program, the USAA FSB made commitments in 2018 to overhaul its AML program by March 31, 2020, which was then adjusted to June 30, 2021 due to failure to make adequate progress. To date, the Bank has not met all of the terms of the commitments.

In the consent order issued by FinCEN, USAA FSB’s deficiencies include:

• In 2017, USAA FSB’s AML program was rudimentary, lacking comprehensive risk-based policies and procedures and the operational rigor needed to successfully address the risks associated with its customer base, products and services, and geographies

• USAA FSB’s BSA/AML compliance department was significantly understaffed and the bank relied on third-party contractors to augment staffing levels. However, it failed to properly train or otherwise ensure these contractors possessed satisfactory qualifications and expertise.

• USAA FSB’s case alert and investigation system was chronically deficient. This resulted in a total backlog of around 90,000 un-reviewed alerts and 6,900 un-reviewed cases as of the end of 2021.

• As of 2021, USAA FSB suffered from numerous control gaps within operations, including excessive limits for electronic activity (RDC, wires, bill pay), ATM deposit and withdrawal, and ATM PIN attempts. Further, even when potentially suspicious activity was properly alerted and a case was generated, a sampling of instances in which USAA FSB decided not to file SARs in 2021 revealed shortcomings.

• ·USAA FSB’s 2016 internal audit report failed to recognize the numerous weaknesses with key internal controls, such as risk assessment processes, CDD, EDD, customer risk identification, and suspicious activity monitoring processes.

• Management did not tailor USAA FSB’s training program for the FIU investigators (including third-party contractors) and KYC analysts to the Bank’s risk profile and suspicious activity typologies.

• USAA FSB’s Customer Due Diligence policies and procedures were deficient.

Concurrently, the OCC issued a Consent Order to USAA FSB for failure to file at least 3,873 SARs.

The OCC assessed a civil penalty of $60 million for related violations.  Taken together, USAA FSB will pay a total of $140 million to the U.S. Treasury for its violations, with $80 million representing FinCEN’s penalty and $60 million representing the OCC’s penalty.

 Read FinCEN’s press release here.

The Consent Order against USAA FSB can be found here.