USAA FSB Bank Fined $140m for ‘Willful’ AML Violations

The USAA Federal Savings Bank (USAA FSB) has been fined $140m after admitting that despite repeated warnings, it willfully failed to implement and maintain an anti‑money laundering (AML) program that met the minimum requirements of the US Bank Secrecy Act (BSA).

From January 2016 through to April 2021, USAA FSB also willfully failed to accurately and timely report thousands of suspicious transactions to FinCEN. These included customers using personal accounts for apparent criminal activity.

And despite receiving ample notice and opportunity to remediate its inadequate AML program – and spending $500m since 2019 overhauling it – the bank failed to make “adequate progress” by its extended 2021 deadline.  

The ‘willful’ element to USAA FSB’s response is key to the $80m fine imposed by the Financial Crimes Enforcement Network (FinCEN) and $60m by the Office of the Comptroller of the Currency (OCC).

Regulators assess the extent to which firms did, could, or should have known their actions were in violation of regulations and – when a problem is identified – whether they disclose it proactively, and what steps they take to remediate issues. Subsequent fines or actions reflect this assessment. 

In 2017, the OCC informed USAA that there were significant problems with its AML program, including the lack of a suitable compliance program that met OCC regulations. The bank, headquartered in Texas, provides retail deposit and consumer loan products to around 13 million customers, mainly US military personnel and their families.

“As its customer base and revenue grew in recent years, USAA FSB willfully failed to ensure that its compliance program kept pace, resulting in millions of dollars in suspicious transactions flowing through the US financial system without appropriate reporting,” said FinCEN’s Acting Director, Himamauli Das. 

FinCEN notes USAA FBB missed two completion deadlines over four years and remains out of compliance with them. 

FinCEN highlights some of the key problems in a 29-page report about the case. The top 10 errors include: 

1. Understaffing – In 2018, the bank identified it needed 178 permanent full-time positions, but as of 2021 it still had 62 vacancies. 
2. An over-reliance on contractors – 76% of its compliance staffing needs were met by third-party contractors. 
3. The bank developed a transaction monitoring system internally that failed to capture critical information for its AML program. 
4. By 2021, the bank had implemented a new transaction monitoring system but hadn’t performed adequate testing. The new system failed to flag over 1,300 cases flagged by the legacy system, resulting in at least 160 filed SARs that would not have been filed using the new system.
5. Changes to the system then made it “too sensitive”. USAA FSB reported that the new system creates an unmanageable number of alerts and cases. By the end of 2021, this resulted in a backlog of around 90,000 un-reviewed alerts and 6,900 un-reviewed cases. 
6. At its current rate of growth, backlogs are expected to grow to 120,000 alerts and 24,000 cases before USAA FSB is able to begin reducing these numbers.
7. Enterprise-wide independent testing of its AML program was done internally. 
8. Training was inadequate and not tailored for FIU investigators and KYC analysts. 
9. The bank didn’t collect sufficient information at account opening to “assess a customer’s risk and support effective suspicious activity monitoring.” 
10. The report notes that in total, AML failures resulted in a failure to timely and accurately file 3,873 SARs.

A key part of FinCEN’s statement on this case refers to the need to scale AML programs with a firm’s growth: “Today’s action signals that growth and compliance must be paired, and AML program deficiencies, especially deficiencies identified by federal regulators, must be promptly and effectively addressed.”

Firms should make sure that they plan for growth, with processes and technology that can be upscaled when needed. The ‘enforcement factors’ noted on pages 15-19 of the report should be reviewed by compliance teams, providing a helpful reminder to firms of the factors any violations will be assessed against. 

Compliance teams will also find pages 12-15 of the report useful, with examples of where the bank failed to file SARs initially, despite evidence of suspicious activity.