UNITED STATES OF AMERICA
FINANCIAL CRIMES ENFORCEMENT NETWORK
DEPARTMENT OF THE TREASURY
IN THE MATTER OF: USAA Federal Savings Bank
Number 2022-01
CONSENT ORDER IMPOSING CIVIL MONEY PENALTY
The Financial Crimes Enforcement Network (FinCEN) conducted a civil enforcement investigation and determined that grounds exist to impose a Civil Money Penalty against USAA Federal Savings Bank (USAA FSB or the Bank) for violations of the Bank Secrecy Act (BSA) and its implementing regulations.1 USAA FSB admits to the Statement of Facts and Violations set forth below and consents to the issuance of this Consent Order.
I. JURISDICTION
Overall authority for enforcement and compliance with the BSA lies with the Director of FinCEN, and the Director may impose civil penalties for violations of the BSA and its implementing regulations.2
At all times relevant to this Consent Order, USAA FSB was a “bank” and a “domestic financial institution” as defined by the BSA and its implementing regulations.3 As such, USAA FSB was required to comply with applicable FinCEN regulations.
II. STATEMENT OF FACTS
The conduct described below took place beginning on or about January 1, 2016, and continuing until on or about April 30, 2021 (the Relevant Time Period), unless otherwise indicated.
Background
Bank Secrecy Act
The BSA requires banks to implement and maintain an effective anti-money laundering (AML) program in order to guard against money laundering through financial institutions.4 Additionally, the BSA imposes affirmative duties on banks such as USAA FSB, including the duty to identify and report suspicious transactions relevant to a possible violation of law or regulation in suspicious activity reports (SARs) filed with FinCEN.5 The reporting and transparency that financial institutions provide through these reports is essential financial intelligence that FinCEN, law enforcement, and others use to safeguard the U.S. financial system and combat serious threats, including money laundering, terrorist financing, organized crime, corruption, drug trafficking, and massive fraud schemes targeting the U.S. government, businesses, and individuals.6
FinCEN
FinCEN is a bureau within the U.S. Department of the Treasury and is the federal authority that enforces the BSA by investigating and imposing civil money penalties on financial institutions and individuals for willful violations of the BSA.7 As delegated by the Secretary of the Treasury, FinCEN has “authority for the imposition of civil penalties” and “[o]verall authority for enforcement and compliance, including coordination and direction of procedures and activities of all other agencies exercising delegated authority under this chapter,” including the Office of the Comptroller of the Currency (OCC).8
The OCC
The OCC is a federal banking agency within the U.S. Department of the Treasury that has both delegated authority from FinCEN for examinations and separate authority under Title 12 of the United States Code for compliance and enforcement.9 Under this authority, the OCC conducts regular examinations and issues reports assessing a bank’s AML and BSA compliance.
USAA Federal Savings Bank
Throughout the Relevant Time Period, USAA FSB was a federally chartered savings bank headquartered in San Antonio, Texas.10 The Bank provided retail deposit and consumer loan products to approximately 13 million members (customers)—consisting of U.S. military personnel and their families—throughout the United States and at military installations around the world. The Bank did not offer small business or commercial products. During the Relevant Time Period, the Bank was a “financial institution” and a “bank” within the meaning of the BSA and its implementing regulations11 and was subject to an annual examination performed by the OCC as its Federal functional regulator.
Factual Background
During the Relevant Time Period, USAA FSB experienced tremendous growth as a financial institution. While USAA FSB’s membership eligibility expanded, it failed to match that growth with effective AML compliance capabilities.
Beginning by at least 2017, the OCC informed USAA FSB that there were significant problems with its AML program, including that it failed to develop a compliance program that met all of the requirements of the OCC’s regulations.12 In response to the OCC’s notification, in 2018, USAA FSB made commitments to overhaul its AML program (2018 Commitments) by March 31, 2020. Specifically, USAA FSB committed to making the following improvements:
• Fully address the scope of the internal controls and independent testing deficiencies.
• Establish a compliance committee to monitor the implementation of the 2018 Commitments.
• Conduct a comprehensive, enterprise-wide risk assessment.
• Develop and implement adequate customer due diligence (CDD), enhanced due diligence (EDD), and customer risk identification processes.
• Develop and implement written policies for timely review and disposition of suspicious activity alerts and improve suspicious activity identification processes.
• Provide for thorough and effective independent testing of the AML program.
• Conduct a lookback review of Remote Deposit Capture (RDC) transaction activity and file suspicious activity reports (SARs) as needed.
However, USAA FSB failed to make adequate progress to meet the March 31, 2020 deadline and instead amended its completion date to June 30, 2021. To date, the Bank has not met all of the terms of the 2018 Commitments. Now, concurrent with FinCEN’s action, the OCC is undertaking a public enforcement action against USAA FSB for non-compliance with the OCC’s regulations. The OCC is assessing a $60 million civil money penalty against the Bank.
In sum, as early as 2017, USAA FSB was aware of significant problems that resulted in its failure to develop an adequate BSA/AML compliance program. USAA FSB authored the 2018 Commitments and pledged to make improvements, yet it missed two completion deadlines over four years and remains out of compliance with them. Since the 2018 Commitments, the OCC informed the Bank of additional BSA deficiencies—some as recent as 2021. Collectively, these facts describe a bank that willfully failed to comply with the BSA over many years.
The Bank Failed to Implement an Adequate Anti-Money Laundering Program
In order to guard against money laundering, the BSA and its implementing regulations require banks with a Federal functional regulator, such as the OCC, to establish an AML program that is reasonably designed to assure and monitor BSA compliance, and includes at a minimum: (a) the development of internal policies, procedures, and controls; (b) an independent audit function to test programs; (c) designation of a compliance officer; (d) an ongoing employee training program; and (e) appropriate risk-based procedures for conducting ongoing customer due diligence.13 Additionally, a bank is required to implement and maintain an AML program that “[c]omplies with the regulation of its Federal functional regulator governing such programs.”14 The Bank willfully failed to implement an AML program that met these BSA requirements during the Relevant Time Period.
Internal Policies, Procedures, and Controls
In 2017, USAA FSB’s AML program was rudimentary, lacking comprehensive risk-based policies and procedures and the operational rigor needed to successfully address the risks associated with its customer base, products and services, and geographies. While the Bank’s AML program improved over time, the Bank still failed to develop internal policies, procedures, and controls sufficient to meet the minimum requirements of the BSA.
During the Relevant Time Period, USAA FSB’s BSA/AML compliance department was significantly understaffed. As a result, the Bank relied on third-party contractors to augment staffing levels. In 2018, the Bank conducted an assessment and determined that it needed 178 permanent, full-time positions to fully staff its compliance functions. As of early 2021, the Bank had 62 vacant positions, including the head of the Bank’s Financial Intelligence Unit (FIU). Additionally, USAA FSB supplemented approximately 76% of its compliance staffing needs with third-party contractors. However, the Bank failed to properly train or otherwise ensure these contractors possessed satisfactory qualifications and expertise. These staffing deficits exacerbated management’s inability to assure compliance with the BSA.
USAA FSB’s case alert and investigation system was also chronically deficient. For example, beginning in 2014, USAA FSB implemented an internally developed system for its transaction monitoring (legacy system). As early as 2016, the Bank knew the legacy system failed to capture critical information needed for the Bank’s AML program, due to the CDD failures described below. Additionally, USAA FSB did not have distinct policies and procedures to govern the validation and adjustment of its legacy system, including the testing, updating and optimizing (tuning) of suspicious activity detection scenarios. As such, 40% of active scenarios had not been tuned in over two years, with only seven scenarios tuned in the second year and six scenarios that were never tuned since initial implementation of the legacy system. Further, USAA FSB’s legacy system had significant control gaps including inappropriately high limits for electronic activity such as RDC and Automated Teller Machine (ATM) deposits and withdrawals.
In the first quarter of 2021, USAA FSB implemented a new transaction monitoring system to replace the legacy system. However, the Bank failed to perform adequate pilot testing before launching the system, and deficiencies continued throughout implementation. The Bank elected to implement the system after only two months of parallel testing with the legacy system despite significant failures identified during that two-month period. Specifically, the new system failed to flag over 1,300 cases flagged by the legacy system, resulting in at least 160 filed SARs that would not have been filed using the new system.
USAA FSB now reports that the new system is too sensitive and creates an unmanageable number of alerts and cases. As of the end of 2021, this resulted in a total backlog of around 90,000 un-reviewed alerts and 6,900 un-reviewed cases. At its current rate of growth, these backlogs are expected to grow to 120,000 alerts and 24,000 cases before USAA FSB is able to begin reducing these numbers. These backlogs lead to unreasonable delays in the detection and reporting of potentially suspicious activity, and further highlight the negative consequences of the Bank’s failure to hire adequate staff.
Other issues with USAA FSB’s internal controls also persisted throughout the Relevant Time Period. As of 2021, USAA FSB suffered from numerous control gaps within operations, including excessive limits for electronic activity (RDC, wires, bill pay), ATM deposit and withdrawal, and ATM PIN attempts. Further, even when potentially suspicious activity was properly alerted and a case was generated, a sampling of instances in which USAA FSB decided not to file SARs in 2021 revealed shortcomings. Specifically, for 22% of its decisions, the Bank did not have sufficient information as to the customer’s source or purpose of funds to justify the decision not to file a SAR.
Independent Testing
USAA FSB relied on an internal audit team to conduct enterprise-wide independent testing of its AML program during the Relevant Time Period. The audit team concluded that the Bank’s BSA compliance was generally satisfactory in a 2016 report, but subsequent reviews demonstrate that this report was deficient. The 2016 report noted the Bank’s failure to act on account closure recommendations, for example, but failed to recognize the numerous weaknesses identified during the same time period, including weaknesses with key internal controls, such as risk assessment processes, CDD, EDD, customer risk identification, and suspicious activity monitoring processes.
Training
Management did not tailor USAA FSB’s training program for the FIU investigators (including third-party contractors) and KYC analysts to the Bank’s risk profile and suspicious activity typologies. For example, training in 2020 focused on changes in policies and procedures and the documentation of certain reviews in the Bank’s systems, but failed to address how to analyze accounts or to describe what constitutes potential suspicious activity. The 2021 training schedule purported to include more targeted training for the FIU and KYC analysts, but the training did not focus on the Bank’s products, services, or customers, and was inconsistent with USAA FSB’s business model as a retail bank with predominantly consumer accounts. Management also failed to properly oversee, train, and test third-party contractors.
Customer Due Diligence
The BSA and its implementing regulations require banks to have “[a]ppropriate risk-based procedures for conducting ongoing customer due diligence.”15 Under this requirement, a bank’s AML program must include procedures for understanding the nature and purpose of a customer’s financial relationships in order to develop a customer risk profile. A bank must also conduct ongoing monitoring to maintain and update customer information. FinCEN guidance clarifies that banks “must establish policies, procedures, and processes for determining whether and when, on the basis of risk, to update customer information to ensure that customer information is current and accurate.”16 It further states that a bank “should have an understanding of the money laundering, terrorist financing, and other financial crime risks of its customers to develop the customer risk profile.”17 The determination of customer risk profiles “should be sufficiently detailed to distinguish between significant variations in the risks of its customers.”18
USAA FSB’s CDD policies and procedures were deficient. For example, information obtained at account opening was insufficient to assess a customer’s risk and support effective suspicious activity monitoring. This resulted in the development and use of a critically flawed customer risk score model, which the Bank employed to assess customer risk and identify high-risk accounts requiring EDD. Due to insufficient customer information, model developers were unable to incorporate key risk factors—such as type and volume of expected account activity—into the model to augment its predictive power.
This critical absence of data created another problem. Management would arbitrarily assign risk sub-scores of 1 or 2 (on a 10-point maximum scale) for risk factors where member data was missing. This in turn caused customer-specific and overall BSA/AML risks to be severely and materially underestimated. An internal Bank report revealed that of approximately six million customer-risk scores, not a single customer received a high-risk score of 5.5 or higher, and only around 11,500 customers received a low-medium risk score between 4 and 5.4. The Bank ignored the report and took no corrective action. In sum, the Bank’s poor CDD practices further undermined the Bank’s ability to properly monitor high-risk accounts and its analysts’ abilities to perform quality investigations into alerted activity and arrive at rational and informed conclusions to close or escalate cases.
Requirements of USAA FSB’s Federal Functional Regulator
The OCC imposes parallel AML program requirements on national banks and savings associations, such as USAA FSB. Specifically, those regulations require that OCC-regulated banks “develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in [the BSA].”19 Further, this compliance program, “shall, at a minimum:
(1) Provide for a system of internal controls to assure ongoing compliance;
(2) Provide for independent testing for compliance to be conducted by national bank or savings association personnel or by an outside party;
(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and
(4) Provide training for appropriate personnel.”20
USAA FSB knew it was failing to meet the regulatory requirements of its Federal functional regulator concerning its AML program, but failed to bring itself into compliance with those requirements for over five years. The Bank knew of significant problems in its AML program and had an opportunity to bring its AML program into compliance with the law under its own terms, but the Bank failed to make adequate progress despite extending its commitment deadline multiple times and receiving repeated warnings over many years. As a result, the OCC, concurrent with this Consent Order, is issuing a Consent Order for violations of its regulations.
Unfiled SARs
In addition to the above AML program failures, the AML failures resulted in the below willful failures to timely and accurately file at least 3,873 SARs.
The Bank Failed to File Suspicious Activity Reports
The BSA and its implementing regulations require banks to report transactions that involve or aggregate to at least $5,000, are conducted by, at, or through the bank, and that the bank “knows, suspects, or has reason to suspect” are suspicious.21 A transaction is “suspicious” if a bank “knows, suspects, or has reason to suspect” the transaction: (a) involves funds derived from illegal activities, or is conducted to disguise funds derived from illegal activities; (b) is designed to evade the reporting or recordkeeping requirements of the BSA or regulations implementing it; or (c) has no business or apparent lawful purpose or is not the sort in which the customer normally would be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including background and possible purpose of the transaction.22 A bank is generally required to file a SAR no later than 30 calendar days after the initial detection by the bank of the facts that may constitute a basis for filing a SAR.23
To obtain the necessary transparency into potentially illicit activity, FinCEN, law enforcement, and other regulators rely on financial institutions’ accurate and timely filing of SARs. To accurately and completely prepare a SAR, known subjects involved in the suspicious activity should be identified in the appropriate fields on the SAR form.24 Investigators use these names and other identifiers to retrieve relevant records related to the subjects and targets of an investigation.
Failure to file a SAR can hamper an investigator’s ability to identify relevant records. Additionally, filing SARs without properly identifying the subjects (i.e., failing to identify all subjects connected to the conduct) can obfuscate the true nature of the activity and those involved.
As described above, during the Relevant Time Period USAA FSB willfully failed to implement and maintain its AML program, which included failing to maintain adequate staff to review alerts and investigate cases for possible reporting to FinCEN. This meant that AML analysts were unable to devote sufficient time and attention to alerts and cases generated by the Bank’s transaction monitoring system. At times, AML analysts inappropriately cleared suspicious activity. At other times, alerted activity went un-reviewed for months beyond the deadline for reporting suspicious activity. The following is a list of examples of the Bank’s willful failure to file SARs.
Customer A
Customer A was a Texas-based physician with an annual income of $250,000 to $500,000 and an approximate net worth between $500,000 and $1 million. Customer A held multiple accounts at USAA FSB. Customer A reported to USAA FSB that the accounts were for personal and household spending and that expected monthly activity would include cash withdrawals exceeding $5,000, and five to ten incoming/outgoing digital application-based transactions of between $1,000 and $5,000 each.
From October 2020 through March 2021, one of Customer A’s accounts received 76 deposits from a virtual currency exchange totaling nearly $1.5 million, activity inconsistent with the expected activity and stated purpose of the account. During that same six-month timeframe, Customer A made over 2,800 ATM cash withdrawals totaling approximately $1.6 million from ATMs in Colombia, a high-risk jurisdiction for money laundering.25 During this time, Customer A contacted USAA FSB several times to increase the daily ATM withdrawal limit. A conversation between the Bank and Customer A revealed that Customer A was temporarily but indefinitely residing in Colombia and that the cash withdrawals were to buy and sell virtual currency, which the customer was now relying on as an alternative source of cash flow. Customer A stated that using cash to purchase virtual currency ensured Customer A got the best price. Overall, Customer A’s accounts collectively facilitated approximately $3.3 million in deposits and withdrawals over a six-month period.
USAA FSB’s initial review of this activity resulted in no escalation or SAR filings. In April 2021, the Bank became aware of the activity’s gross incompatibility with Customer A’s profile. The Bank then re-evaluated the activity and, based on that review, filed a SAR and terminated the customer relationship. USAA FSB reported the activity to FinCEN on or about April 16, 2021, approximately seven months after the conduct began and only after re-evaluating the activity.
Customer B
Customer B was a 22-year-old individual residing in Los Angeles, California, who maintained checking and credit cards with USAA for four years. Customer B reported to USAA that she owned a “performance art company” that had a minimal virtual footprint. Customer B reported that her annual income was between $50,000 and $100,000, and that her account was for personal and household expenses.
In 2019, Customer B’s account alerted on indicators of possible suspicious activity, and the Bank reviewed the alert. The Bank closed initial reviews of alerted activity without escalation and without a thorough review of the customer’s reported source of income and the counterparties involved. However, the underlying activity within the account showed significant red flags, including receiving payments for what may have been unlawful internationally-based prostitution/escort ventures. Specifically, an analysis of Customer B’s financial activity revealed high value wire deposits from an individual located overseas with whom she had no known or established connection. It also showed expensive and unexplained international travel, and incoming and outgoing funds to accounts associated with online businesses involved in public allegations of misconduct. Over a one-month period, Customer B received three wire transfers from an individual located overseas totaling $44,500. These transfers referenced “art purchase,” but there was no discernable, legitimate connection between Customer B and the art industry. Additionally, further investigation connected the foreign-based individual to an offshore entity named in the Panama Papers. From May 10, 2019 through June 29, 2020, Customer B engaged in approximately $125,000 of suspicious activity. USAA FSB did not report this activity to FinCEN until July 22, 2020 – over one year later.
Customers C and D
For fifteen months, USAA FSB permitted two customers to engage in activity consistent with check fraud without reporting the activity as suspicious to FinCEN. Specifically, Customers C and D held two checking accounts at USAA FSB. Between March 1, 2019, and June 29, 2020, Customers C and D deposited 3,457 checks for which they were not the intended beneficiaries via RDC through USAA FSB’s mobile app. These checks listed the payee as one of several baby formula or baby product companies, and specifically stated on the check that they were intended as self-reimbursing rebate coupons for point of sale purchases, to be cashed only by the baby formula or baby product companies. These deposited checks ranged from $3 to $17 each, were deposited in a cyclical manner, and were inconsistent with Customer C’s occupation as a self-employed construction worker.
USAA FSB’s RDC controls failed to detect that these checks were actually made payable to the baby formula and baby product companies rather than to Customers C and D. Customers C and D utilized these funds for various purchases, including consumer spending, groceries, and bill payments. In the end, USAA FSB permitted this scheme to go on for 15 months without reporting the activity to FinCEN.
III. VIOLATIONS
FinCEN has determined that USAA FSB willfully violated the BSA and its implementing regulations during the Relevant Time Period. Specifically, FinCEN has determined that USAA FSB willfully failed to implement and maintain an AML program that met the minimum requirements of the BSA, in violation of 31 U.S.C. § 5318(h) and 31 C.F.R. § 1020.210. Additionally, FinCEN has determined that USAA FSB willfully failed to accurately and timely report suspicious transactions to FinCEN, in violation of 31 U.S.C. § 5318(g) and 31 C.F.R. § 1020.320.
IV. ENFORCEMENT FACTORS
FinCEN considered all of the factors outlined in the Statement on Enforcement of the BSA, issued August 18, 2020, when deciding whether to impose a civil money penalty in this matter.26 The following factors were particularly relevant to FinCEN’s evaluation of the appropriate disposition of this matter, including the decision to impose a civil money penalty and the size of the penalty.
• Nature and seriousness of the violations, including the extent of possible harm to the public and the amounts involved: USAA FSB’s violations of the BSA and its implementing regulations were serious and risked significant possible harm to the public. During the Relevant Time Period, USAA FSB’s compliance operations were insufficient to address the risks associated with its membership, geographic locations, and products and services. The Bank was fully aware of its AML program deficiencies since 2017. However, despite ample notice and opportunity to remediate, the Bank failed to demonstrate compliance throughout the Relevant Time Period leading to the possibility of public harm. USAA FSB’s willful failure to implement and maintain an effective AML program undermined its ability to properly monitor and review customer accounts and timely report potentially suspicious activity to FinCEN relating to thousands of transactions and millions of dollars over the Relevant Time Period.
• Impact or harm of the violations on FinCEN’s mission to safeguard the financial system from illicit use, combat money laundering, and promote national security: Although the OCC classifies USAA as a mid-size institution, the Bank plays a relatively large role in the U.S. financial system, serving over 13 million members. USAA FSB offers only individual, non-commercial services and products, which lowers its exposure to certain risks as compared to other banks that offer services to individuals and businesses. However, during the Relevant Time Period, the Bank failed to properly monitor for and detect personal accounts being used for business activities, which allowed millions in potentially suspicious funds to flow through its customers’ accounts without adequate scrutiny from the Bank’s compliance department. Given the Bank’s overall size and unique customer base, including members deployed to military installations around the world, the violations adversely impacted FinCEN’s mission to safeguard the financial system from illicit use and combat money laundering.
• Pervasiveness of wrongdoing within the institution, including management’s complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations: USAA FSB’s BSA/AML compliance failures were pervasive across the Bank’s business lines. Additionally, the violations eventually affected all layers of the Bank’s overall risk management during the Relevant Time Period, including the Bank’s first (business unit), second (compliance/operations risk), and third (independent testing) lines of defense. The Bank failed to correct problems with its AML program that the OCC previously reported to the Bank’s management and the Board of Directors. These managers therefore had knowledge of the violations, yet they failed to quickly and effectively remediate the identified deficiencies. For example, for some time, Bank management explicitly acknowledged a monitoring gap as to Bank members using personal accounts for business purposes, yet USAA FSB failed to act swiftly to implement appropriate detection scenarios and train staff to identify and escalate potential suspicious activity.
• History of similar violations, or misconduct in general, including prior criminal, civil, and regulatory enforcement actions: USAA FSB struggled to implement and demonstrate compliance with the BSA and its implementing regulations over the last five examination cycles. The Bank knew of its BSA violations as early as 2017 but failed to take satisfactory corrective actions. As a result, the Bank has not completed its 2018 Commitments.
• Financial gain or other benefit resulting from, or attributable to, the violations: USAA FSB began offering banking services to members of the military in 1983. Over the next decades, the Bank experienced substantial company and membership growth as it expanded eligibility, but the Bank did not match this growth with increased compliance capabilities. In 2017, the Bank’s AML program was rudimentary, lacking risk assessments and other fundamental policies and procedures. Since 2019, the Bank invested approximately $500 million into overhauling its AML program. Despite this, USAA FSB failed to fully satisfy the terms of the 2018 Commitments. Further, FinCEN has identified new and recurring AML program violations throughout the Relevant Time Period. Prior to 2017, the Bank’s compliance program was even more rudimentary due to a lack of financial investment and a reliance on an internally developed system to conduct transaction monitoring and assign customer risk ratings that was less reliable, but cheaper to implement, than readily-available, industry-standard transaction monitoring systems. Overall, USAA FSB’s inconsistent and ineffective allocation of resources to AML compliance operations during the Relevant Time Period delivered both a competitive advantage and a financial benefit to the Bank.
• Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures: Although USAA FSB undertook steps to remediate the problems with its AML program starting in 2017, it was unable to fully do so in a timely and effective manner. The Bank was unable to comply with the terms of the 2018 Commitments that it authored five years ago. As of early 2021, three separate corrective actions related to the Bank’s 2017 violations were still pending, along with newly-identified deficiencies related to internal controls and training. While the Bank made substantial investments to update its AML program, serious failures were apparent throughout the Relevant Time Period.
• Timely and voluntary disclosure of the violations to FinCEN: USAA FSB did not voluntarily disclose the violations described in this Consent Order to FinCEN.
• Quality and extent of cooperation with FinCEN and other relevant agencies, including as to potential wrongdoing by its directors, officers, employees, agents, and counterparties: USAA FSB has been cooperative and responsive to requests from the OCC and from FinCEN. It has provided documents in response to requests, conducted lookback reviews of previous activity, and provided timely compliance status updates.
• Systemic Nature of the Violations. Considerations include, but are not limited to, the number and extent of violations, failure rates (e.g., the number of violations out of total number of transactions), and duration of violations: From at least 2017 through 2021, USAA FSB had two to three AML program violations at any given time. FinCEN’s review revealed that from August 31, 2017 through August 31, 2021, a total of 3,873 SARs were filed late, with an average filing time of 226 days after the underlying suspicious activity ended, well beyond the 60 calendar day maximum permitted under the BSA. Late SARs constituted almost 10% of all of USAA FSB’s SAR filings for the same period.
• Whether another agency took enforcement action for related activity. FinCEN will consider the amount of any fine, penalty, forfeiture, and/or remedial action ordered: The OCC is imposing a civil money penalty under its own regulations for the same pattern or practice of conduct associated with the violations described in this Consent Order.
V. CIVIL PENALTY
FinCEN may impose a Civil Money Penalty of up to $62,689 per day for willful violations of the requirement to implement and maintain an effective AML program occurring after November 2, 2015.27
For each willful violation of a SAR reporting requirement occurring after November 2, 2015, FinCEN may impose a Civil Money Penalty not to exceed the greater of the amount involved in the transaction (capped at $250,759) or $62,689.28
After considering all the facts and circumstances, as well as the enforcement factors discussed above, FinCEN is imposing a Civil Money Penalty of $140,000,000 (one hundred forty million dollars) in this matter. As discussed above, FinCEN will credit the $60,000,000 (sixty million dollars) civil money penalty imposed by the OCC for the same conduct described in this Consent Order. Accordingly, USAA FSB shall make a payment of $80,000,000 (eighty million dollars) to the U.S. Department of the Treasury pursuant to the payment instructions that will be transmitted to USAA FSB upon execution of this Consent Order.
VI. CONSENT AND ADMISSIONS
To resolve this matter, and only for that purpose, USAA FSB admits to the Statement of Facts and Violations set forth in this Consent Order and admits that it willfully violated the BSA and its implementing regulations. USAA FSB consents to the use of the Statement of Facts, and any other findings, determinations, and conclusions of law set forth in this Consent Order in any other proceeding brought by or on behalf of FinCEN, or to which FinCEN is a party or claimant, and agrees they shall be taken as true and correct and be given preclusive effect without any further proof. USAA FSB understands and agrees that in any administrative or judicial proceeding brought by or on behalf of FinCEN against it, including any proceeding to enforce the Civil Money Penalty imposed by this Consent Order or for any equitable remedies under the BSA, USAA FSB shall be precluded from disputing any fact or contesting any determinations set forth in this Consent Order.
To resolve this matter, USAA FSB agrees to and consents to the issuance of this Consent Order and all terms herein and agrees to make a payment of $80,000,000 (eighty million dollars) to the U.S. Department of the Treasury within ten (10) days of the Effective Date of this Consent Order, as defined further below. If timely payment is not made, USAA FSB agrees that interest, penalties, and administrative costs will accrue.29 If USAA FSB fails to pay the $60,000,000 (sixty million dollars) penalty arising out of its OCC violations, it must pay the entire $140,000,000 (one hundred forty million dollars) penalty imposed by this Consent Order.
USAA FSB understands and agrees that it must treat the Civil Money Penalty paid under this Consent Order as a penalty paid to the government and may not claim, assert, or apply for a tax deduction, tax credit, or any other tax benefit for any payments made to satisfy the Civil Money Penalty. USAA FSB understands and agrees that any acceptance by or on behalf of FinCEN of any partial payment of the Civil Money Penalty obligation will not be deemed a waiver of USAA FSB’s obligation to make further payments pursuant to this Consent Order, or a waiver of FinCEN’s right to seek to compel payment of any amount assessed under the terms of this Consent Order, including any applicable interest, penalties, or other administrative costs.
USAA FSB affirms that it agrees to and approves this Consent Order and all terms herein freely and voluntarily and that no offers, promises, or inducements of any nature whatsoever have been made by FinCEN or any employee, agent, or representative of FinCEN to induce USAA FSB to agree to or approve this Consent Order, except as specified in this Consent Order.
USAA FSB understands and agrees that this Consent Order implements and embodies the entire agreement between USAA FSB and FinCEN, and its terms relate only to this enforcement matter and any related proceeding and the facts and determinations contained herein. USAA FSB further understands and agrees that there are no express or implied promises, representations, or agreements between USAA FSB and FinCEN other than those expressly set forth or referred to in this Consent Order and that nothing in this Consent Order is binding on any other law enforcement or regulatory agency or any other governmental authority, whether foreign, Federal, State, or local.
USAA FSB understands and agrees that nothing in this Consent Order may be construed as allowing USAA FSB, its holding company, subsidiaries, affiliates, Board, officers, employees, or agents to violate any law, rule, or regulation.
USAA FSB consents to the continued jurisdiction of the courts of the United States over it and waives any defense based on lack of personal jurisdiction or improper venue in any action to enforce the terms and conditions of this Consent Order or for any other purpose relevant to this enforcement action. Solely in connection with an action filed by or on behalf of FinCEN to enforce this Consent Order or for any other purpose relevant to this action, USAA FSB authorizes and agrees to accept all service of process and filings through the Notification procedures below and to waive formal service of process.
VII. COOPERATION
USAA FSB shall fully cooperate with FinCEN in any and all matters within the scope of or related to the Statement of Facts, including any investigation of its current or former directors, officers, employees, agents, consultants, or any other party. USAA FSB understands that its cooperation pursuant to this paragraph shall include, but is not limited to, truthfully disclosing all factual information with respect to its activities, and those of its present and former directors, officers, employees, agents, and consultants. This obligation includes providing to FinCEN, upon request, any document, record or other tangible evidence in its possession, custody, or control, about which FinCEN may inquire of USAA FSB. USAA FSB’s cooperation pursuant to this paragraph is subject to applicable laws and regulations, as well as valid and properly documented claims of attorney-client privilege or the attorney work-product doctrine.
VIII. RELEASE
Execution of this Consent Order and compliance with all of the terms of this Consent Order settles all claims that FinCEN may have against USAA FSB for the conduct described in this Consent Order during the Relevant Time Period. Execution of this Consent Order, and compliance with the terms of this Consent Order, does not release any claim that FinCEN may have for conduct by USAA FSB other than the conduct described in this Consent Order during the Relevant Time Period, or any claim that FinCEN may have against any current or former director, officer, owner, or employee of USAA FSB, or any other individual or entity other than those named in this Consent Order. In addition, this Consent Order does not release any claim or provide any other protection in any investigation, enforcement action, penalty assessment, or injunction relating to any conduct that occurs after the Relevant Time Period as described in this Consent Order.
IX. WAIVERS
Nothing in this Consent Order shall preclude any proceedings brought by, or on behalf of, FinCEN to enforce the terms of this Consent Order, nor shall it constitute a waiver of any right, power, or authority of any other representative of the United States or agencies thereof, including but not limited to the Department of Justice.
In consenting to and approving this Consent Order, USAA FSB stipulates to the terms of this Consent Order and waives:
A. Any and all defenses to this Consent Order, the Civil Money Penalty imposed by this Consent Order, and any action taken by or on behalf of FinCEN that can be waived, including any statute of limitations or other defense based on the passage of time;
B. Any and all claims that FinCEN lacks jurisdiction over all matters set forth in this Consent Order, lacks the authority to issue this Consent Order or to impose the Civil Money Penalty, or lacks authority for any other action or proceeding related to the matters set forth in this Consent Order;
C. Any and all claims that this Consent Order, any term of this Consent Order, the Civil Money Penalty, or compliance with this Consent Order, or the Civil Money Penalty, is in any way unlawful or violates the Constitution of the United States of America or any provision thereof;
D. Any and all rights to judicial review, appeal or reconsideration, or to seek in any way to contest the validity of this Consent Order, any term of this Consent Order, or the Civil Money Penalty arising from this Consent Order;
E. Any and all claims that this Consent Order does not have full force and effect, or cannot be enforced in any proceeding, due to changed circumstances, including any change in law;
F. Any and all claims for fees, costs, or expenses related in any way to this enforcement matter, Consent Order, or any related administrative action, whether arising under common law or under the terms of any statute, including, but not limited to, under the Equal Access to Justice Act. USAA FSB agrees to bear its own costs and attorneys’ fees.
X. VIOLATIONS OF THIS CONSENT ORDER
Determination of whether USAA FSB has failed to comply with this Consent Order, or any portion thereof, and whether to pursue any further action or relief against USAA FSB, shall be in FinCEN’s sole discretion. If FinCEN determines, in its sole discretion, that a failure to comply with this Consent Order, or any portion thereof, has occurred, or that USAA FSB has made any misrepresentations to FinCEN or any other government agency related to the underlying enforcement matter, FinCEN may void any and all releases or waivers contained in this Consent Order; reinstitute administrative proceedings; take any additional action that it deems appropriate; and pursue any and all violations, maximum penalties, injunctive relief, or other relief that FinCEN deems appropriate. FinCEN may take any such action even if it did not take such action against USAA FSB in this Consent Order and notwithstanding the releases and waivers herein. In the event FinCEN takes such action under this paragraph, USAA FSB expressly agrees to toll any applicable statute of limitations and to waive any defenses based on a statute of limitations or the passage of time that may be applicable to the Statement of Facts in this Consent Order, until a date 180 days following USAA FSB’s receipt of notice of FinCEN’s determination that a misrepresentation or breach of this agreement has occurred, except as to claims already time barred as of the Effective Date of this Consent Order.
In the event that FinCEN determines that USAA FSB has made a misrepresentation or failed to comply with this Consent Order, or any portion thereof, all statements made by or on behalf of USAA FSB to FinCEN, including the Statement of Facts, whether prior or subsequent to this Consent Order, will be admissible in evidence in any and all proceedings brought by or on behalf of FinCEN. USAA FSB agrees that it will not assert any claim under the Constitution of the United States of America, Rule 408 of the Federal Rules of Evidence, or any other law or federal rule that any such statements should be suppressed or are otherwise inadmissible. Such statements will be treated as binding admissions, and USAA FSB agrees that it will be precluded from disputing or contesting any such statements. FinCEN shall have sole discretion over the decision to impute conduct or statements of any director, officer, employee, agent, or any person or entity acting on behalf of, or at the direction of USAA FSB in determining whether USAA FSB has violated any provision of this Consent Order.
XI. PUBLIC STATEMENTS
USAA FSB expressly agrees that it shall not, nor shall its attorneys, agents, partners, directors, officers, employees, affiliates, or any other person authorized to speak on its behalf or within its authority or control, take any action or make any public statement, directly or indirectly, contradicting its admissions and acceptance of responsibility or any terms of this Consent Order, including any fact finding, determination, or conclusion of law in this Consent Order.
FinCEN shall have sole discretion to determine whether any action or statement made by USAA FSB, or by any person under the authority, control, or speaking on behalf of USAA FSB contradicts this Consent Order, and whether USAA FSB has repudiated such statement.
XII. RECORD RETENTION
In addition to any other record retention required under applicable law, USAA FSB agrees to retain all documents and records required to be prepared or recorded under this Consent Order or otherwise necessary to demonstrate full compliance with each provision of this Consent Order, including supporting data and documentation. USAA FSB agrees to retain these records for a period of six years after creation of the record, unless required to retain them for a longer period of time under applicable law.
XIII. SEVERABILITY
USAA FSB agrees that if a court of competent jurisdiction considers any of the provisions of this Consent Order unenforceable, such unenforceability does not render the entire Consent Order unenforceable. Rather, the entire Consent Order will be construed as if not containing the particular unenforceable provision(s), and the rights and obligations of FinCEN and USAA FSB shall be construed and enforced accordingly.
XIV. SUCCESSORS AND ASSIGNS
USAA FSB agrees that the provisions of this Consent Order are binding on its owners, officers, employees, agents, representatives, affiliates, successors, assigns, and transferees to whom USAA FSB agrees to provide a copy of the executed Consent Order. Should USAA FSB seek to sell, merge, transfer, or assign its operations, or any portion thereof, that are the subject of this Consent Order, USAA FSB must, as a condition of sale, merger, transfer, or assignment obtain the written agreement of the buyer, merging entity, transferee, or assignee to comply with this Consent Order.
XV. MODIFICATIONS AND HEADINGS
This Consent Order can only be modified with the express written consent of FinCEN and USAA FSB. The headings in this Consent Order are inserted for convenience only and are not intended to affect the meaning or interpretation of this Consent Order or its individual terms.
XVI. AUTHORIZED REPRESENTATIVE
USAA FSB’s representative, by consenting to and approving this Consent Order, hereby represents and warrants that the representative has full power and authority to consent to and approve this Consent Order for and on behalf of USAA FSB, and further represents and warrants that USAA FSB agrees to be bound by the terms and conditions of this Consent Order.
XVII. NOTIFICATION
Unless otherwise specified herein, whenever notifications, submissions, or communications are required by this Consent Order, they shall be made in writing and sent via first-class mail and simultaneous email, addressed as follows:
To FinCEN: Associate Director, Enforcement and Compliance Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, Virginia 22183
To USAA FSB: General Counsel, USAA Federal Savings Bank, 10750 McDermott Freeway, San Antonio, Texas 78288
Notices submitted pursuant to this paragraph will be deemed effective upon receipt unless otherwise provided in this Consent Order or approved by FinCEN in writing.
XVIII. COUNTERPARTS
This Consent Order may be signed in counterpart and electronically. Each counterpart, when executed and delivered, shall be an original, and all of the counterparts together shall constitute one and the same fully executed instrument.
XIX. EFFECTIVE DATE AND CALCULATION OF TIME
This Consent Order shall be effective upon the date signed by FinCEN. Calculation of deadlines and other time limitations set forth herein shall run from the effective date (excluding the effective date in the calculation) and be based on calendar days, unless otherwise noted, including intermediate Saturdays, Sundays, and legal holidays.
By Order of the Director of the Financial Crimes Enforcement Network.
/s/ Himamauli Das Date:
Acting Director
Consented to and Approved By:
/s/ USAA Federal Savings Bank
1 The BSA is codified at 31 U.S.C. §§ 5311-5314, 5316-5336 and 12 U.S.C. §§ 1829b, 1951-1960. Regulations implementing the BSA appear at 31 C.F.R. Chapter X.
2 31 U.S.C. § 5321(a); 31 C.F.R. §§ 1010.810(a), (d); Treasury Order 180-01 (July 1, 2014).
3 31 U.S.C. § 5312(b)(1); 31 C.F.R. § 1010.100(d).
4 31 U.S.C. § 5318(h); 31 C.F.R. § 1020.210.
5 31 U.S.C. § 5318(g); 31 C.F.R. § 1020.320.
6 FinCEN, FIN-2014-A007, FinCEN Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance (Aug. 11, 2014).
7 31 U.S.C. § 5321(a). In civil enforcement of the BSA under 31 U.S.C. § 5321(a)(1), to establish that a financial institution or individual acted willfully, the government need only show that the financial institution or individual acted with either reckless disregard or willful blindness. The government need not show that the entity or individual had knowledge that the conduct violated the BSA, or that the entity or individual otherwise acted with an improper motive or bad purpose. The Bank admits to “willfulness” only as the term is used in civil enforcement of the BSA under 31 U.S.C. § 5321(a)(1).
8 31 C.F.R. § 1010.810(a), (d).
9 Id.; 12 U.S.C. § 1818(s)(2); 12 C.F.R. § 21.21.
10 The Bank is an indirect subsidiary of United Services Automobile Association, a mutual inter-insurance exchange organization that wholly owns USAA Capital Corporation, which wholly owns the Bank.
11 31 U.S.C. § 5312(a)(2)(A); 31 C.F.R. §§ 1010.100(d)(5), 1010.100(t)(1).
12 12 C.F.R. § 21.21(d).
13 31 U.S.C. § 5318(h); 31 C.F.R. § 1020.210 (2016); 12 C.F.R. §§ 21.21(c)(1), 21.21(d).
14 31 C.F.R. § 1020.210(c) (2016) and 31 C.F.R. § 1020.210(a)(3) (2020).
15 31 C.F.R. § 1020.210(a)(5) (2016); 31 C.F.R. § 1020.210(a)(2)(v) (2020).
16 FinCEN, FIN-2020-G002, Frequently Asked Questions Regarding CDD Requirements for Covered Financial Institutions (Aug. 3, 2020).
17 Id.
18 Id.
19 12 C.F.R. § 21.21(c).
20 12 C.F.R. § 21.21(d).
21 31 U.S.C. § 5318(g); 31 C.F.R. § 1020.320.
22 31 C.F.R. § 1020.320(a)(2)(i)-(iii).
23 31 C.F.R. § 1020.320(b)(3).
24 FinCEN, FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Instructions, Version 1.2 (Oct. 2012).
25 See State Department, International Narcotics Control Strategy Report, Volume II, pp. 82–84 (Mar. 2020) available at INCSR VOLUME II (state.gov).
26 FinCEN, Statement on Enforcement of the BSA (Aug. 18, 2020).
FinCEN
FinCEN is a bureau within the U.S. Department of the Treasury and is the federal authority that enforces the BSA by investigating and imposing civil money penalties on financial institutions and individuals for willful violations of the BSA.7 As delegated by the Secretary of the Treasury, FinCEN has “authority for the imposition of civil penalties” and “[o]verall authority for enforcement and compliance, including coordination and direction of procedures and activities of all other agencies exercising delegated authority under this chapter,” including the Office of the Comptroller of the Currency (OCC).8
The OCC
The OCC is a federal banking agency within the U.S. Department of the Treasury that has both delegated authority from FinCEN for examinations and separate authority under Title 12 of the United States Code for compliance and enforcement.9 Under this authority, the OCC conducts regular examinations and issues reports assessing a bank’s AML and BSA compliance.
USAA Federal Savings Bank
Throughout the Relevant Time Period, USAA FSB was a federally chartered savings bank headquartered in San Antonio, Texas.10 The Bank provided retail deposit and consumer loan products to approximately 13 million members (customers)—consisting of U.S. military personnel and their families—throughout the United States and at military installations around the world. The Bank did not offer small business or commercial products. During the Relevant Time Period, the Bank was a “financial institution” and a “bank” within the meaning of the BSA and its implementing regulations11 and was subject to an annual examination performed by the OCC as its Federal functional regulator.
Factual Background
During the Relevant Time Period, USAA FSB experienced tremendous growth as a financial institution. While USAA FSB’s membership eligibility expanded, it failed to match that growth with effective AML compliance capabilities.
Beginning by at least 2017, the OCC informed USAA FSB that there were significant problems with its AML program, including that it failed to develop a compliance program that met all of the requirements of the OCC’s regulations.12 In response to the OCC’s notification, in 2018, USAA FSB made commitments to overhaul its AML program (2018 Commitments) by March 31, 2020. Specifically, USAA FSB committed to making the following improvements:
• Fully address the scope of the internal controls and independent testing deficiencies.
• Establish a compliance committee to monitor the implementation of the 2018 Commitments.
• Conduct a comprehensive, enterprise-wide risk assessment.
• Develop and implement adequate customer due diligence (CDD), enhanced due diligence (EDD), and customer risk identification processes.
• Develop and implement written policies for timely review and disposition of suspicious activity alerts and improve suspicious activity identification processes.
• Provide for thorough and effective independent testing of the AML program.
• Conduct a lookback review of Remote Deposit Capture (RDC) transaction activity and file suspicious activity reports (SARs) as needed.
However, USAA FSB failed to make adequate progress to meet the March 31, 2020 deadline and instead amended its completion date to June 30, 2021. To date, the Bank has not met all of the terms of the 2018 Commitments. Now, concurrent with FinCEN’s action, the OCC is undertaking a public enforcement action against USAA FSB for non-compliance with the OCC’s regulations. The OCC is assessing a $60 million civil money penalty against the Bank.
In sum, as early as 2017, USAA FSB was aware of significant problems that resulted in its failure to develop an adequate BSA/AML compliance program. USAA FSB authored the 2018 Commitments and pledged to make improvements, yet it missed two completion deadlines over four years and remains out of compliance with them. Since the 2018 Commitments, the OCC informed the Bank of additional BSA deficiencies—some as recent as 2021. Collectively, these facts describe a bank that willfully failed to comply with the BSA over many years.
The Bank Failed to Implement an Adequate Anti-Money Laundering Program
In order to guard against money laundering, the BSA and its implementing regulations require banks with a Federal functional regulator, such as the OCC, to establish an AML program that is reasonably designed to assure and monitor BSA compliance, and includes at a minimum: (a) the development of internal policies, procedures, and controls; (b) an independent audit function to test programs; (c) designation of a compliance officer; (d) an ongoing employee training program; and (e) appropriate risk-based procedures for conducting ongoing customer due diligence.13 Additionally, a bank is required to implement and maintain an AML program that “[c]omplies with the regulation of its Federal functional regulator governing such programs.”14 The Bank willfully failed to implement an AML program that met these BSA requirements during the Relevant Time Period.
Internal Policies, Procedures, and Controls
In 2017, USAA FSB’s AML program was rudimentary, lacking comprehensive risk-based policies and procedures and the operational rigor needed to successfully address the risks associated with its customer base, products and services, and geographies. While the Bank’s AML program improved over time, the Bank still failed to develop internal policies, procedures, and controls sufficient to meet the minimum requirements of the BSA.
During the Relevant Time Period, USAA FSB’s BSA/AML compliance department was significantly understaffed. As a result, the Bank relied on third-party contractors to augment staffing levels. In 2018, the Bank conducted an assessment and determined that it needed 178 permanent, full-time positions to fully staff its compliance functions. As of early 2021, the Bank had 62 vacant positions, including the head of the Bank’s Financial Intelligence Unit (FIU). Additionally, USAA FSB supplemented approximately 76% of its compliance staffing needs with third-party contractors. However, the Bank failed to properly train or otherwise ensure these contractors possessed satisfactory qualifications and expertise. These staffing deficits exacerbated management’s inability to assure compliance with the BSA.
USAA FSB’s case alert and investigation system was also chronically deficient. For example, beginning in 2014, USAA FSB implemented an internally developed system for its transaction monitoring (legacy system). As early as 2016, the Bank knew the legacy system failed to capture critical information needed for the Bank’s AML program, due to the CDD failures described below. Additionally, USAA FSB did not have distinct policies and procedures to govern the validation and adjustment of its legacy system, including the testing, updating and optimizing (tuning) of suspicious activity detection scenarios. As such, 40% of active scenarios had not been tuned in over two years, with only seven scenarios tuned in the second year and six scenarios that were never tuned since initial implementation of the legacy system. Further, USAA FSB’s legacy system had significant control gaps including inappropriately high limits for electronic activity such as RDC and Automated Teller Machine (ATM) deposits and withdrawals.
In the first quarter of 2021, USAA FSB implemented a new transaction monitoring system to replace the legacy system. However, the Bank failed to perform adequate pilot testing before launching the system, and deficiencies continued throughout implementation. The Bank elected to implement the system after only two months of parallel testing with the legacy system despite significant failures identified during that two-month period. Specifically, the new system failed to flag over 1,300 cases flagged by the legacy system, resulting in at least 160 filed SARs that would not have been filed using the new system.
USAA FSB now reports that the new system is too sensitive and creates an unmanageable number of alerts and cases. As of the end of 2021, this resulted in a total backlog of around 90,000 un-reviewed alerts and 6,900 un-reviewed cases. At its current rate of growth, these backlogs are expected to grow to 120,000 alerts and 24,000 cases before USAA FSB is able to begin reducing these numbers. These backlogs lead to unreasonable delays in the detection and reporting of potentially suspicious activity, and further highlight the negative consequences of the Bank’s failure to hire adequate staff.
Other issues with USAA FSB’s internal controls also persisted throughout the Relevant Time Period. As of 2021, USAA FSB suffered from numerous control gaps within operations, including excessive limits for electronic activity (RDC, wires, bill pay), ATM deposit and withdrawal, and ATM PIN attempts. Further, even when potentially suspicious activity was properly alerted and a case was generated, a sampling of instances in which USAA FSB decided not to file SARs in 2021 revealed shortcomings. Specifically, for 22% of its decisions, the Bank did not have sufficient information as to the customer’s source or purpose of funds to justify the decision not to file a SAR.
Independent Testing
USAA FSB relied on an internal audit team to conduct enterprise-wide independent testing of its AML program during the Relevant Time Period. The audit team concluded that the Bank’s BSA compliance was generally satisfactory in a 2016 report, but subsequent reviews demonstrate that this report was deficient. The 2016 report noted the Bank’s failure to act on account closure recommendations, for example, but failed to recognize the numerous weaknesses identified during the same time period, including weaknesses with key internal controls, such as risk assessment processes, CDD, EDD, customer risk identification, and suspicious activity monitoring processes.
Training
Management did not tailor USAA FSB’s training program for the FIU investigators (including third-party contractors) and KYC analysts to the Bank’s risk profile and suspicious activity typologies. For example, training in 2020 focused on changes in policies and procedures and the documentation of certain reviews in the Bank’s systems, but failed to address how to analyze accounts or to describe what constitutes potential suspicious activity. The 2021 training schedule purported to include more targeted training for the FIU and KYC analysts, but the training did not focus on the Bank’s products, services, or customers, and was inconsistent with USAA FSB’s business model as a retail bank with predominantly consumer accounts. Management also failed to properly oversee, train, and test third-party contractors.
Customer Due Diligence
The BSA and its implementing regulations require banks to have “[a]ppropriate risk-based procedures for conducting ongoing customer due diligence.”15 Under this requirement, a bank’s AML program must include procedures for understanding the nature and purpose of a customer’s financial relationships in order to develop a customer risk profile. A bank must also conduct ongoing monitoring to maintain and update customer information. FinCEN guidance clarifies that banks “must establish policies, procedures, and processes for determining whether and when, on the basis of risk, to update customer information to ensure that customer information is current and accurate.”16 It further states that a bank “should have an understanding of the money laundering, terrorist financing, and other financial crime risks of its customers to develop the customer risk profile.”17 The determination of customer risk profiles “should be sufficiently detailed to distinguish between significant variations in the risks of its customers.”18
USAA FSB’s CDD policies and procedures were deficient. For example, information obtained at account opening was insufficient to assess a customer’s risk and support effective suspicious activity monitoring. This resulted in the development and use of a critically flawed customer risk score model, which the Bank employed to assess customer risk and identify high-risk accounts requiring EDD. Due to insufficient customer information, model developers were unable to incorporate key risk factors—such as type and volume of expected account activity—into the model to augment its predictive power.
This critical absence of data created another problem. Management would arbitrarily assign risk sub-scores of 1 or 2 (on a 10-point maximum scale) for risk factors where member data was missing. This in turn caused customer-specific and overall BSA/AML risks to be severely and materially underestimated. An internal Bank report revealed that of approximately six million customer-risk scores, not a single customer received a high-risk score of 5.5 or higher, and only around 11,500 customers received a low-medium risk score between 4 and 5.4. The Bank ignored the report and took no corrective action. In sum, the Bank’s poor CDD practices further undermined the Bank’s ability to properly monitor high-risk accounts and its analysts’ abilities to perform quality investigations into alerted activity and arrive at rational and informed conclusions to close or escalate cases.
Requirements of USAA FSB’s Federal Functional Regulator
The OCC imposes parallel AML program requirements on national banks and savings associations, such as USAA FSB. Specifically, those regulations require that OCC-regulated banks “develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in [the BSA].”19 Further, this compliance program, “shall, at a minimum:
(1) Provide for a system of internal controls to assure ongoing compliance;
(2) Provide for independent testing for compliance to be conducted by national bank or savings association personnel or by an outside party;
(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and
(4) Provide training for appropriate personnel.”20
USAA FSB knew it was failing to meet the regulatory requirements of its Federal functional regulator concerning its AML program, but failed to bring itself into compliance with those requirements for over five years. The Bank knew of significant problems in its AML program and had an opportunity to bring its AML program into compliance with the law under its own terms, but the Bank failed to make adequate progress despite extending its commitment deadline multiple times and receiving repeated warnings over many years. As a result, the OCC, concurrent with this Consent Order, is issuing a Consent Order for violations of its regulations.
Unfiled SARs
In addition to the above AML program failures, the AML failures resulted in the below willful failures to timely and accurately file at least 3,873 SARs.
The Bank Failed to File Suspicious Activity Reports
The BSA and its implementing regulations require banks to report transactions that involve or aggregate to at least $5,000, are conducted by, at, or through the bank, and that the bank “knows, suspects, or has reason to suspect” are suspicious.21 A transaction is “suspicious” if a bank “knows, suspects, or has reason to suspect” the transaction: (a) involves funds derived from illegal activities, or is conducted to disguise funds derived from illegal activities; (b) is designed to evade the reporting or recordkeeping requirements of the BSA or regulations implementing it; or (c) has no business or apparent lawful purpose or is not the sort in which the customer normally would be expected to engage, and the bank knows of no reasonable explanation for the transaction after examining the available facts, including background and possible purpose of the transaction.22 A bank is generally required to file a SAR no later than 30 calendar days after the initial detection by the bank of the facts that may constitute a basis for filing a SAR.23
To obtain the necessary transparency into potentially illicit activity, FinCEN, law enforcement, and other regulators rely on financial institutions’ accurate and timely filing of SARs. To accurately and completely prepare a SAR, known subjects involved in the suspicious activity should be identified in the appropriate fields on the SAR form.24 Investigators use these names and other identifiers to retrieve relevant records related to the subjects and targets of an investigation.
Failure to file a SAR can hamper an investigator’s ability to identify relevant records. Additionally, filing SARs without properly identifying the subjects (i.e., failing to identify all subjects connected to the conduct) can obfuscate the true nature of the activity and those involved.
As described above, during the Relevant Time Period USAA FSB willfully failed to implement and maintain its AML program, which included failing to maintain adequate staff to review alerts and investigate cases for possible reporting to FinCEN. This meant that AML analysts were unable to devote sufficient time and attention to alerts and cases generated by the Bank’s transaction monitoring system. At times, AML analysts inappropriately cleared suspicious activity. At other times, alerted activity went un-reviewed for months beyond the deadline for reporting suspicious activity. The following is a list of examples of the Bank’s willful failure to file SARs.
Customer A
Customer A was a Texas-based physician with an annual income of $250,000 to $500,000 and an approximate net worth between $500,000 and $1 million. Customer A held multiple accounts at USAA FSB. Customer A reported to USAA FSB that the accounts were for personal and household spending and that expected monthly activity would include cash withdrawals exceeding $5,000, and five to ten incoming/outgoing digital application-based transactions of between $1,000 and $5,000 each.
From October 2020 through March 2021, one of Customer A’s accounts received 76 deposits from a virtual currency exchange totaling nearly $1.5 million, activity inconsistent with the expected activity and stated purpose of the account. During that same six-month timeframe, Customer A made over 2,800 ATM cash withdrawals totaling approximately $1.6 million from ATMs in Colombia, a high-risk jurisdiction for money laundering.25 During this time, Customer A contacted USAA FSB several times to increase the daily ATM withdrawal limit. A conversation between the Bank and Customer A revealed that Customer A was temporarily but indefinitely residing in Colombia and that the cash withdrawals were to buy and sell virtual currency, which the customer was now relying on as an alternative source of cash flow. Customer A stated that using cash to purchase virtual currency ensured Customer A got the best price. Overall, Customer A’s accounts collectively facilitated approximately $3.3 million in deposits and withdrawals over a six-month period.
USAA FSB’s initial review of this activity resulted in no escalation or SAR filings. In April 2021, the Bank became aware of the activity’s gross incompatibility with Customer A’s profile. The Bank then re-evaluated the activity and, based on that review, filed a SAR and terminated the customer relationship. USAA FSB reported the activity to FinCEN on or about April 16, 2021, approximately seven months after the conduct began and only after re-evaluating the activity.
Customer B
Customer B was a 22-year-old individual residing in Los Angeles, California, who maintained checking and credit cards with USAA for four years. Customer B reported to USAA that she owned a “performance art company” that had a minimal virtual footprint. Customer B reported that her annual income was between $50,000 and $100,000, and that her account was for personal and household expenses.
In 2019, Customer B’s account alerted on indicators of possible suspicious activity, and the Bank reviewed the alert. The Bank closed initial reviews of alerted activity without escalation and without a thorough review of the customer’s reported source of income and the counterparties involved. However, the underlying activity within the account showed significant red flags, including receiving payments for what may have been unlawful internationally-based prostitution/escort ventures. Specifically, an analysis of Customer B’s financial activity revealed high value wire deposits from an individual located overseas with whom she had no known or established connection. It also showed expensive and unexplained international travel, and incoming and outgoing funds to accounts associated with online businesses involved in public allegations of misconduct. Over a one-month period, Customer B received three wire transfers from an individual located overseas totaling $44,500. These transfers referenced “art purchase,” but there was no discernable, legitimate connection between Customer B and the art industry. Additionally, further investigation connected the foreign-based individual to an offshore entity named in the Panama Papers. From May 10, 2019 through June 29, 2020, Customer B engaged in approximately $125,000 of suspicious activity. USAA FSB did not report this activity to FinCEN until July 22, 2020 – over one year later.
Customers C and D
For fifteen months, USAA FSB permitted two customers to engage in activity consistent with check fraud without reporting the activity as suspicious to FinCEN. Specifically, Customers C and D held two checking accounts at USAA FSB. Between March 1, 2019, and June 29, 2020, Customers C and D deposited 3,457 checks for which they were not the intended beneficiaries via RDC through USAA FSB’s mobile app. These checks listed the payee as one of several baby formula or baby product companies, and specifically stated on the check that they were intended as self-reimbursing rebate coupons for point of sale purchases, to be cashed only by the baby formula or baby product companies. These deposited checks ranged from $3 to $17 each, were deposited in a cyclical manner, and were inconsistent with Customer C’s occupation as a self-employed construction worker.
USAA FSB’s RDC controls failed to detect that these checks were actually made payable to the baby formula and baby product companies rather than to Customers C and D. Customers C and D utilized these funds for various purchases, including consumer spending, groceries, and bill payments. In the end, USAA FSB permitted this scheme to go on for 15 months without reporting the activity to FinCEN.
III. VIOLATIONS
FinCEN has determined that USAA FSB willfully violated the BSA and its implementing regulations during the Relevant Time Period. Specifically, FinCEN has determined that USAA FSB willfully failed to implement and maintain an AML program that met the minimum requirements of the BSA, in violation of 31 U.S.C. § 5318(h) and 31 C.F.R. § 1020.210. Additionally, FinCEN has determined that USAA FSB willfully failed to accurately and timely report suspicious transactions to FinCEN, in violation of 31 U.S.C. § 5318(g) and 31 C.F.R. § 1020.320.
IV. ENFORCEMENT FACTORS
FinCEN considered all of the factors outlined in the Statement on Enforcement of the BSA, issued August 18, 2020, when deciding whether to impose a civil money penalty in this matter.26 The following factors were particularly relevant to FinCEN’s evaluation of the appropriate disposition of this matter, including the decision to impose a civil money penalty and the size of the penalty.
• Nature and seriousness of the violations, including the extent of possible harm to the public and the amounts involved: USAA FSB’s violations of the BSA and its implementing regulations were serious and risked significant possible harm to the public. During the Relevant Time Period, USAA FSB’s compliance operations were insufficient to address the risks associated with its membership, geographic locations, and products and services. The Bank was fully aware of its AML program deficiencies since 2017. However, despite ample notice and opportunity to remediate, the Bank failed to demonstrate compliance throughout the Relevant Time Period leading to the possibility of public harm. USAA FSB’s willful failure to implement and maintain an effective AML program undermined its ability to properly monitor and review customer accounts and timely report potentially suspicious activity to FinCEN relating to thousands of transactions and millions of dollars over the Relevant Time Period.
• Impact or harm of the violations on FinCEN’s mission to safeguard the financial system from illicit use, combat money laundering, and promote national security: Although the OCC classifies USAA as a mid-size institution, the Bank plays a relatively large role in the U.S. financial system, serving over 13 million members. USAA FSB offers only individual, non-commercial services and products, which lowers its exposure to certain risks as compared to other banks that offer services to individuals and businesses. However, during the Relevant Time Period, the Bank failed to properly monitor for and detect personal accounts being used for business activities, which allowed millions in potentially suspicious funds to flow through its customers’ accounts without adequate scrutiny from the Bank’s compliance department. Given the Bank’s overall size and unique customer base, including members deployed to military installations around the world, the violations adversely impacted FinCEN’s mission to safeguard the financial system from illicit use and combat money laundering.
• Pervasiveness of wrongdoing within the institution, including management’s complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations: USAA FSB’s BSA/AML compliance failures were pervasive across the Bank’s business lines. Additionally, the violations eventually affected all layers of the Bank’s overall risk management during the Relevant Time Period, including the Bank’s first (business unit), second (compliance/operations risk), and third (independent testing) lines of defense. The Bank failed to correct problems with its AML program that the OCC previously reported to the Bank’s management and the Board of Directors. These managers therefore had knowledge of the violations, yet they failed to quickly and effectively remediate the identified deficiencies. For example, for some time, Bank management explicitly acknowledged a monitoring gap as to Bank members using personal accounts for business purposes, yet USAA FSB failed to act swiftly to implement appropriate detection scenarios and train staff to identify and escalate potential suspicious activity.
• History of similar violations, or misconduct in general, including prior criminal, civil, and regulatory enforcement actions: USAA FSB struggled to implement and demonstrate compliance with the BSA and its implementing regulations over the last five examination cycles. The Bank knew of its BSA violations as early as 2017 but failed to take satisfactory corrective actions. As a result, the Bank has not completed its 2018 Commitments.
• Financial gain or other benefit resulting from, or attributable to, the violations: USAA FSB began offering banking services to members of the military in 1983. Over the next decades, the Bank experienced substantial company and membership growth as it expanded eligibility, but the Bank did not match this growth with increased compliance capabilities. In 2017, the Bank’s AML program was rudimentary, lacking risk assessments and other fundamental policies and procedures. Since 2019, the Bank invested approximately $500 million into overhauling its AML program. Despite this, USAA FSB failed to fully satisfy the terms of the 2018 Commitments. Further, FinCEN has identified new and recurring AML program violations throughout the Relevant Time Period. Prior to 2017, the Bank’s compliance program was even more rudimentary due to a lack of financial investment and a reliance on an internally developed system to conduct transaction monitoring and assign customer risk ratings that was less reliable, but cheaper to implement, than readily-available, industry-standard transaction monitoring systems. Overall, USAA FSB’s inconsistent and ineffective allocation of resources to AML compliance operations during the Relevant Time Period delivered both a competitive advantage and a financial benefit to the Bank.
• Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures: Although USAA FSB undertook steps to remediate the problems with its AML program starting in 2017, it was unable to fully do so in a timely and effective manner. The Bank was unable to comply with the terms of the 2018 Commitments that it authored five years ago. As of early 2021, three separate corrective actions related to the Bank’s 2017 violations were still pending, along with newly-identified deficiencies related to internal controls and training. While the Bank made substantial investments to update its AML program, serious failures were apparent throughout the Relevant Time Period.
• Timely and voluntary disclosure of the violations to FinCEN: USAA FSB did not voluntarily disclose the violations described in this Consent Order to FinCEN.
• Quality and extent of cooperation with FinCEN and other relevant agencies, including as to potential wrongdoing by its directors, officers, employees, agents, and counterparties: USAA FSB has been cooperative and responsive to requests from the OCC and from FinCEN. It has provided documents in response to requests, conducted lookback reviews of previous activity, and provided timely compliance status updates.
• Systemic Nature of the Violations. Considerations include, but are not limited to, the number and extent of violations, failure rates (e.g., the number of violations out of total number of transactions), and duration of violations: From at least 2017 through 2021, USAA FSB had two to three AML program violations at any given time. FinCEN’s review revealed that from August 31, 2017 through August 31, 2021, a total of 3,873 SARs were filed late, with an average filing time of 226 days after the underlying suspicious activity ended, well beyond the 60 calendar day maximum permitted under the BSA. Late SARs constituted almost 10% of all of USAA FSB’s SAR filings for the same period.
• Whether another agency took enforcement action for related activity. FinCEN will consider the amount of any fine, penalty, forfeiture, and/or remedial action ordered: The OCC is imposing a civil money penalty under its own regulations for the same pattern or practice of conduct associated with the violations described in this Consent Order.
V. CIVIL PENALTY
FinCEN may impose a Civil Money Penalty of up to $62,689 per day for willful violations of the requirement to implement and maintain an effective AML program occurring after November 2, 2015.27
For each willful violation of a SAR reporting requirement occurring after November 2, 2015, FinCEN may impose a Civil Money Penalty not to exceed the greater of the amount involved in the transaction (capped at $250,759) or $62,689.28
After considering all the facts and circumstances, as well as the enforcement factors discussed above, FinCEN is imposing a Civil Money Penalty of $140,000,000 (one hundred forty million dollars) in this matter. As discussed above, FinCEN will credit the $60,000,000 (sixty million dollars) civil money penalty imposed by the OCC for the same conduct described in this Consent Order. Accordingly, USAA FSB shall make a payment of $80,000,000 (eighty million dollars) to the U.S. Department of the Treasury pursuant to the payment instructions that will be transmitted to USAA FSB upon execution of this Consent Order.
VI. CONSENT AND ADMISSIONS
To resolve this matter, and only for that purpose, USAA FSB admits to the Statement of Facts and Violations set forth in this Consent Order and admits that it willfully violated the BSA and its implementing regulations. USAA FSB consents to the use of the Statement of Facts, and any other findings, determinations, and conclusions of law set forth in this Consent Order in any other proceeding brought by or on behalf of FinCEN, or to which FinCEN is a party or claimant, and agrees they shall be taken as true and correct and be given preclusive effect without any further proof. USAA FSB understands and agrees that in any administrative or judicial proceeding brought by or on behalf of FinCEN against it, including any proceeding to enforce the Civil Money Penalty imposed by this Consent Order or for any equitable remedies under the BSA, USAA FSB shall be precluded from disputing any fact or contesting any determinations set forth in this Consent Order.
To resolve this matter, USAA FSB agrees to and consents to the issuance of this Consent Order and all terms herein and agrees to make a payment of $80,000,000 (eighty million dollars) to the U.S. Department of the Treasury within ten (10) days of the Effective Date of this Consent Order, as defined further below. If timely payment is not made, USAA FSB agrees that interest, penalties, and administrative costs will accrue.29 If USAA FSB fails to pay the $60,000,000 (sixty million dollars) penalty arising out of its OCC violations, it must pay the entire $140,000,000 (one hundred forty million dollars) penalty imposed by this Consent Order.
USAA FSB understands and agrees that it must treat the Civil Money Penalty paid under this Consent Order as a penalty paid to the government and may not claim, assert, or apply for a tax deduction, tax credit, or any other tax benefit for any payments made to satisfy the Civil Money Penalty. USAA FSB understands and agrees that any acceptance by or on behalf of FinCEN of any partial payment of the Civil Money Penalty obligation will not be deemed a waiver of USAA FSB’s obligation to make further payments pursuant to this Consent Order, or a waiver of FinCEN’s right to seek to compel payment of any amount assessed under the terms of this Consent Order, including any applicable interest, penalties, or other administrative costs.
USAA FSB affirms that it agrees to and approves this Consent Order and all terms herein freely and voluntarily and that no offers, promises, or inducements of any nature whatsoever have been made by FinCEN or any employee, agent, or representative of FinCEN to induce USAA FSB to agree to or approve this Consent Order, except as specified in this Consent Order.
USAA FSB understands and agrees that this Consent Order implements and embodies the entire agreement between USAA FSB and FinCEN, and its terms relate only to this enforcement matter and any related proceeding and the facts and determinations contained herein. USAA FSB further understands and agrees that there are no express or implied promises, representations, or agreements between USAA FSB and FinCEN other than those expressly set forth or referred to in this Consent Order and that nothing in this Consent Order is binding on any other law enforcement or regulatory agency or any other governmental authority, whether foreign, Federal, State, or local.
USAA FSB understands and agrees that nothing in this Consent Order may be construed as allowing USAA FSB, its holding company, subsidiaries, affiliates, Board, officers, employees, or agents to violate any law, rule, or regulation.
USAA FSB consents to the continued jurisdiction of the courts of the United States over it and waives any defense based on lack of personal jurisdiction or improper venue in any action to enforce the terms and conditions of this Consent Order or for any other purpose relevant to this enforcement action. Solely in connection with an action filed by or on behalf of FinCEN to enforce this Consent Order or for any other purpose relevant to this action, USAA FSB authorizes and agrees to accept all service of process and filings through the Notification procedures below and to waive formal service of process.
VII. COOPERATION
USAA FSB shall fully cooperate with FinCEN in any and all matters within the scope of or related to the Statement of Facts, including any investigation of its current or former directors, officers, employees, agents, consultants, or any other party. USAA FSB understands that its cooperation pursuant to this paragraph shall include, but is not limited to, truthfully disclosing all factual information with respect to its activities, and those of its present and former directors, officers, employees, agents, and consultants. This obligation includes providing to FinCEN, upon request, any document, record or other tangible evidence in its possession, custody, or control, about which FinCEN may inquire of USAA FSB. USAA FSB’s cooperation pursuant to this paragraph is subject to applicable laws and regulations, as well as valid and properly documented claims of attorney-client privilege or the attorney work-product doctrine.
VIII. RELEASE
Execution of this Consent Order and compliance with all of the terms of this Consent Order settles all claims that FinCEN may have against USAA FSB for the conduct described in this Consent Order during the Relevant Time Period. Execution of this Consent Order, and compliance with the terms of this Consent Order, does not release any claim that FinCEN may have for conduct by USAA FSB other than the conduct described in this Consent Order during the Relevant Time Period, or any claim that FinCEN may have against any current or former director, officer, owner, or employee of USAA FSB, or any other individual or entity other than those named in this Consent Order. In addition, this Consent Order does not release any claim or provide any other protection in any investigation, enforcement action, penalty assessment, or injunction relating to any conduct that occurs after the Relevant Time Period as described in this Consent Order.
IX. WAIVERS
Nothing in this Consent Order shall preclude any proceedings brought by, or on behalf of, FinCEN to enforce the terms of this Consent Order, nor shall it constitute a waiver of any right, power, or authority of any other representative of the United States or agencies thereof, including but not limited to the Department of Justice.
In consenting to and approving this Consent Order, USAA FSB stipulates to the terms of this Consent Order and waives:
A. Any and all defenses to this Consent Order, the Civil Money Penalty imposed by this Consent Order, and any action taken by or on behalf of FinCEN that can be waived, including any statute of limitations or other defense based on the passage of time;
B. Any and all claims that FinCEN lacks jurisdiction over all matters set forth in this Consent Order, lacks the authority to issue this Consent Order or to impose the Civil Money Penalty, or lacks authority for any other action or proceeding related to the matters set forth in this Consent Order;
C. Any and all claims that this Consent Order, any term of this Consent Order, the Civil Money Penalty, or compliance with this Consent Order, or the Civil Money Penalty, is in any way unlawful or violates the Constitution of the United States of America or any provision thereof;
D. Any and all rights to judicial review, appeal or reconsideration, or to seek in any way to contest the validity of this Consent Order, any term of this Consent Order, or the Civil Money Penalty arising from this Consent Order;
E. Any and all claims that this Consent Order does not have full force and effect, or cannot be enforced in any proceeding, due to changed circumstances, including any change in law;
F. Any and all claims for fees, costs, or expenses related in any way to this enforcement matter, Consent Order, or any related administrative action, whether arising under common law or under the terms of any statute, including, but not limited to, under the Equal Access to Justice Act. USAA FSB agrees to bear its own costs and attorneys’ fees.
X. VIOLATIONS OF THIS CONSENT ORDER
Determination of whether USAA FSB has failed to comply with this Consent Order, or any portion thereof, and whether to pursue any further action or relief against USAA FSB, shall be in FinCEN’s sole discretion. If FinCEN determines, in its sole discretion, that a failure to comply with this Consent Order, or any portion thereof, has occurred, or that USAA FSB has made any misrepresentations to FinCEN or any other government agency related to the underlying enforcement matter, FinCEN may void any and all releases or waivers contained in this Consent Order; reinstitute administrative proceedings; take any additional action that it deems appropriate; and pursue any and all violations, maximum penalties, injunctive relief, or other relief that FinCEN deems appropriate. FinCEN may take any such action even if it did not take such action against USAA FSB in this Consent Order and notwithstanding the releases and waivers herein. In the event FinCEN takes such action under this paragraph, USAA FSB expressly agrees to toll any applicable statute of limitations and to waive any defenses based on a statute of limitations or the passage of time that may be applicable to the Statement of Facts in this Consent Order, until a date 180 days following USAA FSB’s receipt of notice of FinCEN’s determination that a misrepresentation or breach of this agreement has occurred, except as to claims already time barred as of the Effective Date of this Consent Order.
In the event that FinCEN determines that USAA FSB has made a misrepresentation or failed to comply with this Consent Order, or any portion thereof, all statements made by or on behalf of USAA FSB to FinCEN, including the Statement of Facts, whether prior or subsequent to this Consent Order, will be admissible in evidence in any and all proceedings brought by or on behalf of FinCEN. USAA FSB agrees that it will not assert any claim under the Constitution of the United States of America, Rule 408 of the Federal Rules of Evidence, or any other law or federal rule that any such statements should be suppressed or are otherwise inadmissible. Such statements will be treated as binding admissions, and USAA FSB agrees that it will be precluded from disputing or contesting any such statements. FinCEN shall have sole discretion over the decision to impute conduct or statements of any director, officer, employee, agent, or any person or entity acting on behalf of, or at the direction of USAA FSB in determining whether USAA FSB has violated any provision of this Consent Order.
XI. PUBLIC STATEMENTS
USAA FSB expressly agrees that it shall not, nor shall its attorneys, agents, partners, directors, officers, employees, affiliates, or any other person authorized to speak on its behalf or within its authority or control, take any action or make any public statement, directly or indirectly, contradicting its admissions and acceptance of responsibility or any terms of this Consent Order, including any fact finding, determination, or conclusion of law in this Consent Order.
FinCEN shall have sole discretion to determine whether any action or statement made by USAA FSB, or by any person under the authority, control, or speaking on behalf of USAA FSB contradicts this Consent Order, and whether USAA FSB has repudiated such statement.
XII. RECORD RETENTION
In addition to any other record retention required under applicable law, USAA FSB agrees to retain all documents and records required to be prepared or recorded under this Consent Order or otherwise necessary to demonstrate full compliance with each provision of this Consent Order, including supporting data and documentation. USAA FSB agrees to retain these records for a period of six years after creation of the record, unless required to retain them for a longer period of time under applicable law.
XIII. SEVERABILITY
USAA FSB agrees that if a court of competent jurisdiction considers any of the provisions of this Consent Order unenforceable, such unenforceability does not render the entire Consent Order unenforceable. Rather, the entire Consent Order will be construed as if not containing the particular unenforceable provision(s), and the rights and obligations of FinCEN and USAA FSB shall be construed and enforced accordingly.
XIV. SUCCESSORS AND ASSIGNS
USAA FSB agrees that the provisions of this Consent Order are binding on its owners, officers, employees, agents, representatives, affiliates, successors, assigns, and transferees to whom USAA FSB agrees to provide a copy of the executed Consent Order. Should USAA FSB seek to sell, merge, transfer, or assign its operations, or any portion thereof, that are the subject of this Consent Order, USAA FSB must, as a condition of sale, merger, transfer, or assignment obtain the written agreement of the buyer, merging entity, transferee, or assignee to comply with this Consent Order.
XV. MODIFICATIONS AND HEADINGS
This Consent Order can only be modified with the express written consent of FinCEN and USAA FSB. The headings in this Consent Order are inserted for convenience only and are not intended to affect the meaning or interpretation of this Consent Order or its individual terms.
XVI. AUTHORIZED REPRESENTATIVE
USAA FSB’s representative, by consenting to and approving this Consent Order, hereby represents and warrants that the representative has full power and authority to consent to and approve this Consent Order for and on behalf of USAA FSB, and further represents and warrants that USAA FSB agrees to be bound by the terms and conditions of this Consent Order.
XVII. NOTIFICATION
Unless otherwise specified herein, whenever notifications, submissions, or communications are required by this Consent Order, they shall be made in writing and sent via first-class mail and simultaneous email, addressed as follows:
To FinCEN: Associate Director, Enforcement and Compliance Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, Virginia 22183
To USAA FSB: General Counsel, USAA Federal Savings Bank, 10750 McDermott Freeway, San Antonio, Texas 78288
Notices submitted pursuant to this paragraph will be deemed effective upon receipt unless otherwise provided in this Consent Order or approved by FinCEN in writing.
XVIII. COUNTERPARTS
This Consent Order may be signed in counterpart and electronically. Each counterpart, when executed and delivered, shall be an original, and all of the counterparts together shall constitute one and the same fully executed instrument.
XIX. EFFECTIVE DATE AND CALCULATION OF TIME
This Consent Order shall be effective upon the date signed by FinCEN. Calculation of deadlines and other time limitations set forth herein shall run from the effective date (excluding the effective date in the calculation) and be based on calendar days, unless otherwise noted, including intermediate Saturdays, Sundays, and legal holidays.
By Order of the Director of the Financial Crimes Enforcement Network.
/s/ Himamauli Das Date:
Acting Director
Consented to and Approved By:
/s/ USAA Federal Savings Bank
1 The BSA is codified at 31 U.S.C. §§ 5311-5314, 5316-5336 and 12 U.S.C. §§ 1829b, 1951-1960. Regulations implementing the BSA appear at 31 C.F.R. Chapter X.
2 31 U.S.C. § 5321(a); 31 C.F.R. §§ 1010.810(a), (d); Treasury Order 180-01 (July 1, 2014).
3 31 U.S.C. § 5312(b)(1); 31 C.F.R. § 1010.100(d).
4 31 U.S.C. § 5318(h); 31 C.F.R. § 1020.210.
5 31 U.S.C. § 5318(g); 31 C.F.R. § 1020.320.
6 FinCEN, FIN-2014-A007, FinCEN Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance (Aug. 11, 2014).
7 31 U.S.C. § 5321(a). In civil enforcement of the BSA under 31 U.S.C. § 5321(a)(1), to establish that a financial institution or individual acted willfully, the government need only show that the financial institution or individual acted with either reckless disregard or willful blindness. The government need not show that the entity or individual had knowledge that the conduct violated the BSA, or that the entity or individual otherwise acted with an improper motive or bad purpose. The Bank admits to “willfulness” only as the term is used in civil enforcement of the BSA under 31 U.S.C. § 5321(a)(1).
8 31 C.F.R. § 1010.810(a), (d).
9 Id.; 12 U.S.C. § 1818(s)(2); 12 C.F.R. § 21.21.
10 The Bank is an indirect subsidiary of United Services Automobile Association, a mutual inter-insurance exchange organization that wholly owns USAA Capital Corporation, which wholly owns the Bank.
11 31 U.S.C. § 5312(a)(2)(A); 31 C.F.R. §§ 1010.100(d)(5), 1010.100(t)(1).
12 12 C.F.R. § 21.21(d).
13 31 U.S.C. § 5318(h); 31 C.F.R. § 1020.210 (2016); 12 C.F.R. §§ 21.21(c)(1), 21.21(d).
14 31 C.F.R. § 1020.210(c) (2016) and 31 C.F.R. § 1020.210(a)(3) (2020).
15 31 C.F.R. § 1020.210(a)(5) (2016); 31 C.F.R. § 1020.210(a)(2)(v) (2020).
16 FinCEN, FIN-2020-G002, Frequently Asked Questions Regarding CDD Requirements for Covered Financial Institutions (Aug. 3, 2020).
17 Id.
18 Id.
19 12 C.F.R. § 21.21(c).
20 12 C.F.R. § 21.21(d).
21 31 U.S.C. § 5318(g); 31 C.F.R. § 1020.320.
22 31 C.F.R. § 1020.320(a)(2)(i)-(iii).
23 31 C.F.R. § 1020.320(b)(3).
24 FinCEN, FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Instructions, Version 1.2 (Oct. 2012).
25 See State Department, International Narcotics Control Strategy Report, Volume II, pp. 82–84 (Mar. 2020) available at INCSR VOLUME II (state.gov).
26 FinCEN, Statement on Enforcement of the BSA (Aug. 18, 2020).