- The $140 million penalty levied by the U.S. Treasury’s Financial Crimes Enforcement Network and the Office of the Comptroller of the Currency for anti-money laundering failings at USAA holds a host of lessons for the compliance community, essentially serving as a roadmap for avoiding systems, technology and human training pitfalls.
- Some key takeaways: The importance of truthfulness and transparency with regulators and not rushing complex technology and systems upgrades. As well, if you can’t risk-rate customers accurately – and be able to delineate low, medium, high, and why – you are building a compliance program on a cracked and faulty foundation.
- A technology upgrade will also not always save the day – and could make things worse, at least in the interim. Banks also must never forget the vital importance of training for analysts, case-crafters and decision-makers – training that goes beyond technical policies and teaches how to think and act like an experienced, effective investigator.
By Dev Odedra
Independent AML expert, director, Minerva Stratagem Consulting
March 28, 2022
With editing and minor content contributions by ACFCS VP of Content, Brian Monroe
Over the years, more and more attention has been drawn to banks’ anti-money laundering failings, with news headlines hitting the mainstream and, over the last decade, penalties reaching historic figures in the billions of dollars against a single institution.
Banks often include in their responses that such issues were “historic,” with the caveat they have since moved on and corrected the identified deficiencies, but from time to time, the failings have been found to be more recent – case in point, USAA Federal Savings Bank (USAA FSB).
The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC) recently announced penalties of $80 million and $60 million (totaling $140 million) respectively, for Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program failings.
USAA FSB’s conduct in relation to the failings was as recent as up to around April 30, 2021. The penalty, while painful for the bank, can be helpful if you know how to read it, acting as a compliance roadmap, to not make the same mistakes.
As well, the overall penalty figure, while not a huge number – the highest single penalty against a bank is $9 billion – has important takeaways through nearly 70 pages of prescriptive, lengthy and detailed actions between the federal agencies, including the importance of truthfulness and transparency with regulators and not rushing complex technology and systems upgrades.
The penalty documents tell the story of a bank that grew too quickly for its outdated and under-resourced fincrime compliance program to keep up.
To remedy this, USAA committed to a host of improvements in anti-money laundering (AML) technology – spending roughly half a billion dollars – but never made them quickly or completely enough to satisfy regulatory concerns.
Then those missed deadlines got compounded even further when federal regulators, believing they were getting lip service and losing trust in the remediation schedule, looked deeper and found more problems than before.
The action also needs to be viewed in the broader context of seminal changes in U.S. financial crime and compliance defenses, the biggest changes since the 2001 USA Patriot Act.
The USAA action comes in the shadow of the U.S. Anti-Money Laundering Act (AMLA), a transformative law passed in January 2021 that pushed the industry to focus on the effectiveness of overall programs, better serving law enforcement with relevant, valuable and timely intelligence, rather than fretting full time about more arcane regulatory technicalities.
While many of the regulations implementing pieces of the AMLA have yet to come into being, the FinCEN action evinces a shift from rules to results, mentioning the word “effective” nine times, while the OCC action mentions the term a dozen times related to AML and sanctions program expectations.
The bank failed to have an effective AML program, an effective independent testing prong, support effective suspicious activity monitoring, quickly and effectively remediate deficiencies and all of this was magnified due to an “ineffective allocation of resources to AML compliance operations.”
The action also must be viewed and weighed against FinCEN’s recently released nationwide AML priorities, including crypto, corruption, human trafficking and more, to see how these industrywide focal points will expand and contract AML programs – even before formal rules and regulations are out.
Specifically, the failings around the bank’s AML program centered around:
- Internal Policies, Procedures and Controls
- Independent Testing
- Customer Due Diligence
- The willful failure to file Suspicious Activity Reports (SARs).
The Bank provided retail deposit and consumer loan products to approximately 13 million members (customers) – consisting of U.S. military personnel and their families – throughout the United States and at military installations around the world.
The Bank did not offer small business or commercial products but expanded quickly in recent years as it opened its doors to those related to direct members of the military.
It is an enduring enigma: the bread-and-butter requirements of core anti-money laundering duties are decades old, and yet banks of all sizes, experience and resource levels continue to make AML 101 mistakes.
As the bank grew members and revenues, its meager, rudimentary AML program floundered
The FinCEN action also notes that “USAA FSB experienced tremendous growth as a financial institution. While USAA FSB’s membership eligibility expanded, it failed to match that growth with effective AML compliance capabilities.”
Compliance frameworks and efforts can fall behind during growth periods. This should serve as a warning: as profits grow, compliance efforts should match the increase in risk that comes with that growth.
Notably, USAA FSB had been forewarned by FinCEN and the OCC about shortcomings in its AML program prior to the current penalties.
Around 2017, the OCC had notified the bank that there were significant deficiencies in its AML program, including a failure to develop a compliance program that met all the expected AML requirements set out by the OCC.
USAA FSB made commitments to the OCC in 2018 that it would make improvements to its AML program by March 31st, 2020. The improvements as part of these initial commitments included the following:
- Fully address the scope of the internal controls and independent testing deficiencies.
- Establish a compliance committee to monitor the implementation of the 2018 Commitments.
- Conduct a comprehensive, enterprise-wide risk assessment.
- Develop and implement adequate customer due diligence (CDD), enhanced due diligence (EDD), and customer risk identification processes.
- Develop and implement written policies for timely review and disposition of suspicious activity alerts and improve suspicious activity identification processes.
- Provide for thorough and effective independent testing of the AML program.
- Conduct a lookback review of Remote Deposit Capture (RDC) transaction activity and file suspicious activity reports (SARs) as needed.
The failure to make adequate progress on the commitments, as well as not meeting all of their terms to date (despite a revised completion date of June 30, 2021), served as a prelude to the actions now being taken by FinCEN and the OCC.
This is despite the bank investing approximately $500 million into turning around its AML program in a bid to meet the standards expected under compliance with BSA requirements, which goes to show that money alone does not equate to a satisfactory AML program.
With the bank aware of AML program issues since 2017, two missed deadlines spanning four years, and the OCC informing USAA FSB of additional deficiencies (some as recent as 2021), the FinCEN consent order sums up: “Collectively, these facts describe a bank that willfully failed to comply with the BSA over many years.”
The meaning for the rest of the compliance community: these successive failings and missed deadlines were several steps past the point at which a regulator loses patience with expected control improvements.
The other message: don’t give lip service to examiners when it comes to how things are going on the ground.
If you say it, mean it. If you mean it, do it.
It’s one thing when a regulator is disappointed. That alone makes an already adversarial relationship that much more incendiary.
But it is far worse if a regulatory agency feels it can’t trust you.
That means, as in this case, they will not believe what you tell them.
They will look much more deeply at all areas – including issues you thought you had closed – and make that particular remediation more grueling, and expensive.
Internal Policies, Procedures, and Controls: the risk factor of too many contractors
USAA FSB’s AML program was described as ‘rudimentary’ in 2017. The criticism pointed to a lack of robust risk-based policies and procedures, which led to shortcomings in addressing the risks associated with the bank’s client base, products/services and geographies.
Despite some improvements to the program, these fell short of the minimum requirements of the BSA.
Policies and procedures lacking in rigor were compounded by understaffing of the compliance department, with heavy reliance on third-party contractors – approximately 76 percent of the bank’s compliance requirements were met with third-party contractors.
Overreliance on third-party contractors brings its own set of risks, one being the long-term sustainability of an effective compliance function.
In addition to relying too much on third-party contractors, there was also a lack of appropriate training or measures to ensure the contractors had the required expertise or qualifications to carry out the work required.
Underestimating the importance of resourcing issues can bring with it consequences at an individual level.
No USAA FSB employees faced individual censure, but this wasn’t the case in an AML program failure at another bank.
In a rare instance of a top compliance official facing individual liability for egregious bank AML failures, FinCEN in 2020 issued a $450,000 civil penalty against the former Chief Operational Risk Officer for U.S. Bank, a subsidiary of U.S. Bancorp.
Transaction Monitoring: a familiar regulatory tune – a lack of proper tuning
USAA FSB’s ‘case and alert investigation’ system, developed in-house in 2014, was found by the bank in 2016 to be failing to capture critical information because of critical gaps in Customer Due Diligence (CDD).
Whilst it may be one thing to have in place a transaction monitoring system, a key question with such systems is always “Is it doing what it is supposed to?”
In short: is it helping to effectively detect suspicious activity – or just producing a mountain of low-quality alerts or false positives eating up sparse investigative resources?
Lacking governance around validation and adjustment of these systems, from testing to updating and tuning of detection scenarios, can render them next to useless.
Moreover, in USAA FSB’s case, there was particular criticism around policies and procedures around this governance.
On that note, FinCEN noted a staggering “…40% of active scenarios had not been tuned in over two years, with only seven scenarios tuned in the second year and six scenarios that were never tuned since initial implementation of the legacy system.”
To make matters worse, the system also had high limits set for potential higher risk activity such as Remote Deposit Capture (RDC) and Automated Teller Machine (ATM) deposits and withdrawals.
The lack of rigor continued, even up to 2021, when a newer transaction monitoring system was implemented.
Here, a failure to complete sufficient pilot testing prior to going live – only two months of parallel testing of the new system against the old – meant deficiencies were carried into the implementation of the new system.
The example given in the FinCEN consent order states that the new system failed to flag 1,300 cases that the old system had found; 160 of those cases had resulted in SARs that would have been missed had the new system alone been relied on for detecting suspicious activity.
USAA FSB has found itself in a position now whereby the new system is “too sensitive,” creating a high volume of alerts and cases, resulting in a backlog of approximately 90,000 unreviewed alerts and 6,900 unreviewed cases as at year end 2021.
Such a wildly glitchy system would put the bank on a path for a never-ending backlog.
Penalty documents forecast an unsustainable rate of backlog growth: up to 120,000 alerts and 24,000 cases before the bank would be in a position to start reducing these volumes.
The knock-on effect of such backlogs is obviously that it causes delays in spotting and reporting actual suspicious activity.
Such a dynamic not only gives criminals time to continue their activity but also extends the damage they cause before action can be taken, by which point any illicit funds tied to a criminal group, scheme or scam may be long gone.
Whilst a delay on filing SARs is one thing, it is another to be alerted to potential suspicious activity and not thoroughly investigate and file a SAR if required.
Sampling from 2021 found that for 22 percent of decisions on cases, USAA FSB didn’t have sufficient information relating to customer source or purpose of funds in order to justify the decisions not to file SARs.
Having trained many AML investigators, one of the main points I stress to them is “rationale is king.”
Detail and documentation defending why you didn’t file a certain SAR need to be just as thorough, supported and airtight as the reasoning for why you did file a given SAR.
It is of vital importance that AML investigations are thorough, not only in the investigation work conducted itself, but also in case and report notes as to conclusions drawn.
As they say in math class: “show your work.”
Independent Testing: who watches the watchmen when they miss something?
A running theme throughout the findings for USAA FSB’s AML program appears to be a lack of appreciation of risk, and this seems to extend beyond the compliance function.
The bank’s internal audit team conducted enterprise-wide testing of the AML program and concluded in a 2016 report that compliance with BSA requirements within the bank was generally satisfactory, though later reviews found that this report was insufficient.
Whilst the report mentioned that the bank failed to act on account closures, it failed to pick up equally, if not more pressing issues such as “…weaknesses with key internal controls, such as risk assessment processes, CDD, EDD, customer risk identification, and suspicious activity monitoring processes.”
This raises a question for other large bank fines for AML failings, both previous and more recent: “why didn’t the internal audit function pick these up?”
Training: Don’t train on general updates, teach how to think like an investigator
Briefly mentioned above, the lack of appropriate training contributed to failings.
Specifically, the training was not tailored toward the bank’s FIU investigators, which included the third-party contractors, or its KYC analysts, nor was it geared toward the bank’s overall risk profile.
The example given in the FinCEN consent order states that training in 2020 was aimed at changes in policies and procedures but more crucially failed to sufficiently cover how to conduct account analysis or describe what potentially suspicious activity looks like.
As recently as 2021, the training plan was said to include more targeted training for FIU investigators and KYC analysts.
The problem: examiners found that the training program did not focus enough on the bank’s products, services or customers and was not aligned to the bank’s business model – issues all made worse by a lack of oversight, training and testing of the third-party contractors.
Customer Due Diligence: building an AML program on a faulty foundation
Amongst deficiencies in USAA FSB’s policies and procedures were those related to the core foundation of any AML program: CDD.
This bedrock exercise has so many other AML duties that are built on top of it: the depth and accuracy of CDD – or EDD – sensitizes the transaction monitoring system.
If done properly, it ensures systems monitor higher-risk individuals and companies more closely and spit out alerts more quickly, which, if meaty and weighty enough, become SARs.
But in that same vein, if inadequate details are captured at this stage, and riskier customers slip through at a lower risk ranking, they can typically transact more freely and frequently with nary a second glance – from AML systems or their human analysts.
Insufficient information was captured at account opening, meaning customer risk was not effectively assessed; this same lack of information also led to an inability to effectively monitor for suspicious activity.
The insufficient information captured at account opening naturally led to flaws in the bank’s customer risk rating model – something that’s key to helping identify, review and monitor higher-risk clients.
In this case, that essentially hamstrung model crafters, preventing them from incorporating one of the most glaring and obvious financial crime red flags: what kind of activity is expected in the account, and therefore when out-of-scope transactions, in frequency or size, occur.
Examiners noted that “…model developers were unable to incorporate key risk factors—such as type and volume of expected account activity—into the model to augment its predictive power.”
The lack of a proper risk rating model meant that arbitrary risk sub-scores of 1 or 2 (where 10-points was the maximum) were given on risk factors where the customer information was missing, resulting in the bank underestimating AML risks.
An internal report even stated that “…of approximately six million customer-risk scores, not a single customer received a high-risk score of 5.5 or higher, and only around 11,500 customers received a low-medium risk score between 4 and 5.4. The Bank ignored the report and took no corrective action.”
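To make that failure mode concrete, here is an added example (not the bank’s model and not anything taken from the penalty documents) of a simple customer risk rating: four factors, each scored 0 to 10 and averaged, with the 5.5 high-risk and 4.0 low-medium boundaries taken from the quote above. The sub-score tables, the customers and the `missing_default` parameter are assumptions for illustration. Scoring a missing field as 1 mirrors the arbitrary low sub-scores the examiners criticized; scoring it as 10 treats unknown as the highest risk until the data is collected, and the function also returns the missing fields so a CDD refresh can be triggered.

```python
"""Customer risk rating: what happens when missing CDD fields default to a
low sub-score. Constructed example with hypothetical tables; not USAA's model."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

HIGH_RISK = 5.5    # band boundaries as quoted in the article
LOW_MEDIUM = 4.0

# Hypothetical 0-10 sub-scores per factor value (assumptions for illustration).
OCCUPATION_RISK = {"salaried employee": 1, "retired": 1, "physician": 3,
                   "cash-intensive business owner": 8, "money services business": 9}
GEOGRAPHY_RISK = {"US": 1, "GB": 2, "CO": 7}


@dataclass(frozen=True)
class Customer:
    name: str
    occupation: Optional[str]
    residence_country: Optional[str]
    expected_monthly_cash: Optional[int]   # USD declared at onboarding; None = never captured
    expected_monthly_wires: Optional[int]  # count declared at onboarding; None = never captured


def factor_scores(c, missing_default):
    """Return ({factor: sub-score}, [factors that were missing or unmapped])."""
    raw = {
        "occupation": OCCUPATION_RISK.get(c.occupation) if c.occupation else None,
        "geography": GEOGRAPHY_RISK.get(c.residence_country) if c.residence_country else None,
        "expected_cash": None if c.expected_monthly_cash is None
        else (8 if c.expected_monthly_cash >= 5000 else 2),
        "expected_wires": None if c.expected_monthly_wires is None
        else (6 if c.expected_monthly_wires >= 5 else 2),
    }
    missing = [k for k, v in raw.items() if v is None]
    scored = {k: (missing_default if v is None else v) for k, v in raw.items()}
    return scored, missing


def score(c, missing_default):
    """Overall score (mean of the sub-scores, rounded) plus the missing factors."""
    scored, missing = factor_scores(c, missing_default)
    return round(sum(scored.values()) / len(scored), 2), missing


def band(s):
    if s >= HIGH_RISK:
        return "high"
    if s >= LOW_MEDIUM:
        return "low-medium"
    return "low"


def distribution(customers, missing_default):
    """How many customers land in each band under a given missing-data policy."""
    return Counter(band(score(c, missing_default)[0]) for c in customers)


# Constructed customers; None marks CDD fields never captured at onboarding.
CUSTOMERS = [
    Customer("complete, low risk", "salaried employee", "US", 500, 1),
    Customer("complete, high risk", "physician", "CO", 5500, 7),
    Customer("mostly missing, heavy wires", None, None, None, 7),
    Customer("cash business, rest missing", "cash-intensive business owner", None, None, None),
    Customer("complete, moderate", "retired", "GB", 6000, 2),
    Customer("complete, MSB", "money services business", "US", 20000, 10),
]

if __name__ == "__main__":
    for policy, default in (("missing -> 1 (criticized)", 1), ("missing -> 10 (conservative)", 10)):
        print(policy, dict(distribution(CUSTOMERS, default)))
        for c in CUSTOMERS:
            s, missing = score(c, default)
            print(f"  {c.name:<30} {s:>5}  {band(s):<10} missing={missing}")
```

With the criticized policy the two customers whose files are mostly empty score 2.25 and 2.75 and sit in the low band beside a salaried employee with a complete file; with the conservative policy the same two customers score 9.0 and 9.5, and the returned `missing` list tells the KYC team exactly which fields to go back and collect.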
I have repeatedly seen within a number of banks where higher risk clients and money laundering activity have been missed due to poor risk rating models and/or incorrect weights assigned to various risk factors used to make up the risk rating models.
Not having a proper risk ranking at account opening due to human or system errors and lax CDD is like building an AML program on an unstable foundation.
Such gaps make the task of not only detecting suspicious activity, but managing higher risk customers, that much more difficult.
Failure to File Suspicious Activity Reports: where there’s a will(ful), there’s a way
One of the key failures in USAA FSB’s case resulting from the AML program deficiencies was the willful failure to file SARs in a timely and accurate manner – at least 3,873 such SARs.
FinCEN’s consent order gives examples of activity concerning four customers, where willful failures to file SARs occurred:
‘Customer A’ – The Colombian Crypto Connection:
- A Texas physician, annual income of $250,000 to $500,000 – approximate net worth between $500,000 and $1 million
- With multiple accounts at USAA FSB
- Accounts for personal and household spending
- Expected monthly transactions were to include cash withdrawals exceeding $5,000, and five to ten incoming/outgoing “digital application-based” transactions of between $1,000 and $5,000 each
Between October 2020 and March 2021, one account received 76 transfers from a virtual currency exchange totaling close to $1.5 million – activity that was neither expected nor in keeping with the account’s stated purpose.
For this same time period, more than 2,800 cash withdrawals were made totaling $1.6 million from ATMs located in Colombia.
The customer had even contacted the bank at the time on a number of occasions to increase the daily ATM cash withdrawal limits.
In discussions with bank staff, the customer said he was “temporarily but indefinitely residing in Colombia” and that the cash withdrawals were being made to buy and sell virtual currency, with cash the preferred method for obtaining the best price on virtual currency purchases, hence the withdrawals.
The customer’s account transacted $3.3 million over the six months from October 2020 to March 2021 – something that was not expected nor in keeping with the customer’s known profile.
Many reading this article may think the activity was not in keeping with the customer’s profile and expected activity and appears suspicious, yet the initial review of the activity resulted in no escalations or SARs being filed by the bank.
The following month, in April 2021, the bank was said to have become aware of the issue, though it is not specified how (e.g., via assessment of files by FinCEN or the OCC, or through a law enforcement inquiry). It was at this stage that a re-evaluation of the activity prompted a SAR finally being filed and the termination of the customer relationship.
For even junior AML officers or risk rating teams, this account should have been high risk at the outset of the relationship.
Texas has a border with Mexico, beset by violent and surging narco cartel activity. A customer doing significant transaction activity with a virtual currency exchange is also high risk – meaning this person is not just a casual trader.
They could be a fraudster involved in a crypto securities scheme, a scammer involved in ransomware attacks or a money launderer trying to muddy the money trail from drug sales or other activities.
Quickly depositing and pulling money out of an ATM is also a high-risk activity – and doing it in Colombia, well, that is the cherry on top of a very high-risk cake.
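As an added example (not from the penalty documents, and not how the bank’s monitoring worked), the following Python compares a customer’s declared profile against actual activity month by month and names each deviation, which is the check the initial review above failed to perform. The profile values mirror the figures the article gives for Customer A; the transactions, the `volume_multiple` threshold and the country and counterparty-type fields are constructed and scaled down for illustration.

```python
"""Expected-versus-actual activity check. Constructed example: the profile
mirrors the figures quoted for 'Customer A'; the transactions are made up."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Profile:
    expected_monthly_cash: int              # USD in cash withdrawals declared per month
    expected_app_transfers: tuple           # (min, max) app-based transfers per month
    expected_app_amount: tuple              # (min, max) USD per app-based transfer
    declared_countries: frozenset           # where the customer said activity would occur
    declared_counterparty_types: frozenset  # counterparty types for app-based transfers


@dataclass(frozen=True)
class Txn:
    when: date
    kind: str                        # "atm_withdrawal" or "app_transfer"
    amount: float                    # USD
    country: str                     # where the transaction took place
    counterparty_type: str = "self"  # e.g. "individual", "merchant", "virtual_currency_exchange"


def profile_deviations(profile, txns, volume_multiple=10):
    """Return {(year, month): [finding, ...]} for months that break the declared profile."""
    by_month = defaultdict(list)
    for t in txns:
        by_month[(t.when.year, t.when.month)].append(t)

    findings = {}
    for month, items in sorted(by_month.items()):
        notes = []
        cash = [t for t in items if t.kind == "atm_withdrawal"]
        cash_total = sum(t.amount for t in cash)
        if cash_total > profile.expected_monthly_cash * volume_multiple:
            notes.append(f"cash: {cash_total:,.0f} USD over {len(cash)} ATM withdrawals, "
                         f"{cash_total / profile.expected_monthly_cash:.0f}x the declared monthly figure")

        apps = [t for t in items if t.kind == "app_transfer"]
        max_count = profile.expected_app_transfers[1]
        if len(apps) > max_count:
            notes.append(f"app transfers: {len(apps)} in the month, declared at most {max_count}")
        max_amount = profile.expected_app_amount[1]
        oversized = [t for t in apps if t.amount > max_amount]
        if oversized:
            notes.append(f"app transfers: {len(oversized)} above the declared {max_amount:,} USD ceiling, "
                         f"largest {max(t.amount for t in oversized):,.0f} USD")

        undeclared_countries = {t.country for t in items} - profile.declared_countries
        if undeclared_countries:
            notes.append(f"geography: activity in undeclared countries {sorted(undeclared_countries)}")
        undeclared_types = {t.counterparty_type for t in apps} - profile.declared_counterparty_types
        if undeclared_types:
            notes.append(f"counterparties: undeclared types {sorted(undeclared_types)}")

        if notes:
            findings[month] = notes
    return findings


# Declared at onboarding (figures as quoted in the article for Customer A).
CUSTOMER_A_PROFILE = Profile(5000, (5, 10), (1000, 5000),
                             frozenset({"US"}), frozenset({"individual", "merchant"}))

# Constructed activity, scaled down from the figures in the order.
SAMPLE_TXNS = (
    # October 2020: daily ATM cash in Colombia and credits from a virtual currency exchange
    [Txn(date(2020, 10, d), "atm_withdrawal", 3000, "CO") for d in range(1, 21)]
    + [Txn(date(2020, 10, d), "app_transfer", 20000, "US", "virtual_currency_exchange") for d in range(1, 13)]
    # November 2020: activity consistent with the declared profile
    + [Txn(date(2020, 11, d), "atm_withdrawal", 800, "US") for d in range(1, 6)]
    + [Txn(date(2020, 11, d), "app_transfer", 1500, "US", "individual") for d in range(1, 7)]
)

if __name__ == "__main__":
    for month, notes in profile_deviations(CUSTOMER_A_PROFILE, SAMPLE_TXNS).items():
        print(f"{month[0]}-{month[1]:02d}:")
        for n in notes:
            print("  -", n)
```

October produces five findings (cash volume, transfer count, transfer size, undeclared country, undeclared counterparty type) and November none, which is the shape an investigator needs: each finding states the declared figure it breaks, so the rationale for an escalation, or for a documented decision not to escalate, is already written down.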
‘Customer B’ – The (Performance) Art of Money Laundering:
- 22-year-old individual living in Los Angeles, California
- Held checking account and credit cards with USAA FSB for four years
- Told the bank she owned a “performance art company” which had a minimal virtual footprint
- Said that her annual income was between $50,000 and $100,000 and account was for personal and household expenses
Following a transaction monitoring alert on the customer’s account for potential suspicious activity, it was closed without a thorough review of the customer’s source of income and without looking into the counterparties involved.
The activity in question had a number of red flags, one of which was receipt of “…payments for what may have been unlawful internationally based prostitution/escort ventures.”
Analysis of the activity showed high value wire transfers from an individual overseas, for which the customer appeared to have no known connection.
Other activity included high value and unexplained international travel, incoming and outgoing transfers to accounts connected to online businesses, where online public information showed allegations of misconduct.
Three wire transfers received in one month came from an individual overseas, totaling $44,500, with references such as “art purchases” despite the customer having no known or legitimate connections to the art industry.
The overseas individual in question was also found to be linked to an offshore company named in the Panama Papers.
From May 2019 to June 2020, the customer was revealed to have been connected to approximately $125,000 worth of suspicious activity – yet USAA FSB only reported the suspicious activity to FinCEN in July 2020, more than a year after it began.
This is another case that showed a breakdown in the understanding of the red flags of certain suspected unlawful activities and engaging in basic, and more elaborate, investigations, including going beyond bank details to triangulate account activity with OSINT and social media information.
For example, even prior to the Panama Papers connection, if the bank’s AML investigators suspected illegal escort activities, they could have done name and reverse image searches on known online escort sites to see if they found the customer.
They could have then reviewed the listing to see if the escort stated things like, “I will be in xxx country in xxx month, so come check me out.”
Similarly, the bank could check social media operations like Instagram or cam sites like OnlyFans to see if the customer was making suggestive comments or, again, noting travel to certain parts of the world where wealthy men are known to engage in more vice than virtue.
‘Customer C’ and ‘Customer D’ – Check Fraud is as Easy as Taking Candy from a Baby
For a period of about fifteen months, March 2019 to June 2020, two customers of the bank were able to carry out check fraud schemes without the bank reporting the activity to FinCEN.
The two customers held two checking accounts with the bank, into which they deposited 3,457 checks – for which neither was the beneficiary.
These checks were deposited using RDC (or Remote Deposit Capture, as mentioned above) through the bank’s mobile App, with payees named on them as a number of baby formula or baby product companies.
In fact, it was specifically stated on the checks “…they were intended as self-reimbursing rebate coupons for point of sale purchases, to be cashed only by the baby formula or baby product companies.”
The amounts were small values from $3 to $17 per check, deposited in a cyclical manner and out of profile for Customer C, who was recorded as a self-employed construction worker.
Although the checks were used for “various purchases, including consumer spending, groceries, and bill payments,” something that may not have looked suspicious on its face, the bank failed to detect that the checks were made payable only to the baby formula or baby product companies, not to the two customers.
This allowed the two individuals to open up and abuse the RDC feature on the mobile App for more than a year.
The lesson here: RDC has long been a target for scams large and small.
Even if the values of checks are small, if they come in rapid succession and involve something that isn’t historically profitable – self-paying rebate coupons for baby formula – someone somewhere in the bank needs to ask the basic question: what is this and does it make sense?
If this is such a well-known money maker, how many other customers are cashing checks for self-reimbursable baby food coupons? Is this a common thing?
A simple Internet search of these terms reveals that while many sites offer coupons for baby food, formula and diapers and tips to get freebies for expectant mothers, few if any give detailed instructions of going the opposite direction – and turning purchases into cold, hard cash that can, somehow, be deposited with checks into bank accounts.
As in the case of a baby with a dirty diaper, this one doesn’t pass the smell test.
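An added example (not the bank’s control) of the three checks that would have caught this pattern on RDC deposits: does the payee line match an account holder, does the instrument carry rebate or other restrictive wording, and how many small-value items have arrived in a rolling window. The account holders, deposits, manufacturer names, field names and thresholds are all constructed for illustration; in practice the payee and memo lines would come from the check-image capture step.

```python
"""Remote Deposit Capture screening: payee/holder mismatch, restrictive
wording on the instrument, small-value velocity. Constructed example."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RdcDeposit:
    account_id: str
    deposited: date
    payee: str       # payee line as captured from the check image
    amount: float    # USD
    memo: str = ""   # memo / restrictive wording as captured from the image


# Account holders, lowercase; joint accounts list every holder. (Constructed.)
ACCOUNT_HOLDERS = {"acct-C": {"carlos mendez"}, "acct-E": {"erin walsh", "thomas walsh"}}

# Wording that says the instrument was never meant to be negotiated by a consumer.
RESTRICTIVE = re.compile(r"\b(rebate|coupon|payable only|not negotiable|void)\b", re.I)


def normalize(name):
    """Lowercase, drop punctuation and a leading 'pay to the order of'."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"^\s*pay to the order of\s+", "", n)
    return re.sub(r"\s+", " ", n).strip()


def payee_matches_holder(payee, holders):
    """True when every token of some holder's name appears in the payee line."""
    tokens = set(normalize(payee).split())
    return any(set(h.split()) <= tokens for h in holders)


def max_in_window(dates, window_days):
    """Largest number of dates falling within any span of window_days days."""
    dates = sorted(dates)
    start = best = 0
    for end, d in enumerate(dates):
        while (d - dates[start]).days >= window_days:
            start += 1
        best = max(best, end - start + 1)
    return best


def screen_rdc(deposits, small_value=25.0, velocity=10, window_days=30):
    """Return {account_id: {reason: count}} for accounts with at least one hit."""
    alerts = defaultdict(Counter)
    small_dates = defaultdict(list)
    for d in deposits:
        holders = ACCOUNT_HOLDERS.get(d.account_id, set())
        if not payee_matches_holder(d.payee, holders):
            alerts[d.account_id]["payee_mismatch"] += 1
        if RESTRICTIVE.search(d.memo) or RESTRICTIVE.search(d.payee):
            alerts[d.account_id]["restrictive_wording"] += 1
        if d.amount <= small_value:
            small_dates[d.account_id].append(d.deposited)
    for acct, dates in small_dates.items():
        n = max_in_window(dates, window_days)
        if n >= velocity:
            alerts[acct]["small_value_velocity"] = n
    return {acct: dict(c) for acct, c in alerts.items()}


# Constructed deposits: a dozen manufacturer rebate checks on one account,
# three ordinary personal checks on another. Company names are made up.
MANUFACTURERS = ("Acme Infant Formula Co", "Bright Start Baby Products Rebate Center")
SAMPLE_DEPOSITS = [
    RdcDeposit("acct-C", date(2020, 3, 2) + timedelta(days=i), MANUFACTURERS[i % 2],
               (3, 5, 8, 12, 17)[i % 5], "Rebate coupon - payable only to manufacturer")
    for i in range(12)
] + [
    RdcDeposit("acct-E", date(2020, 3, 4), "Erin Walsh", 450.00, "tax refund"),
    RdcDeposit("acct-E", date(2020, 3, 9), "Pay to the order of Thomas Walsh", 1200.00),
    RdcDeposit("acct-E", date(2020, 3, 15), "Erin Walsh", 15.00, "birthday"),
]

if __name__ == "__main__":
    for acct, hits in screen_rdc(SAMPLE_DEPOSITS).items():
        print(acct, hits)
```

The payee check is the one that matters most here: a dozen $3 to $17 items would never trip an amount threshold, but not one of them names the account holder, and each carries wording that says who may cash it. The velocity check is a backstop for images too poor to read the payee line; tune `velocity` and `window_days` against your own RDC population rather than keeping the constructed values.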
Enforcement Factors: Anatomy of a penalty, from truthfulness to timeliness, remediation insecurity to national security
Compliance professionals would also be remiss if they did not read the section in the FinCEN penalty order titled “enforcement factors” as these give concise, precise descriptions of the weightings, good and bad, that made up the decision to levy a hefty monetary penalty.
Here are some snapshots:
Nature of violations, possible harm to public: USAA FSB’s willful failure to implement and maintain an effective AML program undermined its ability to properly monitor and review customer accounts and timely report potentially suspicious activity to FinCEN relating to thousands of transactions and millions of dollars over the Relevant Time Period.
Potential harm to FinCEN’s mission, national security: the Bank failed to properly monitor for and detect personal accounts being used for business activities, which allowed millions in potentially suspicious funds to flow through its customers’ accounts without adequate scrutiny from the Bank’s compliance department.
Compliance enforcement history: USAA FSB struggled to implement and demonstrate compliance with the BSA and its implementing regulations over the last five examination cycles.
Financial gain from the violations: Overall, USAA FSB’s inconsistent and ineffective allocation of resources to AML compliance operations during the Relevant Time Period delivered both a competitive advantage and a financial benefit to the Bank.
Systemic nature of violations: From at least 2017 through 2021, USAA FSB had two to three AML program violations at any given time. Late SARs constituted almost 10 percent of all of USAA FSB’s SAR filings for the same period.
On the horizon: bank must bolster battle readiness for blacklisted regions, designated entities
As USAA works to comply with FinCEN and the OCC, it also faces a reckoning with the U.S. Treasury’s Office of Foreign Assets Control (OFAC), the country’s sanctioning and foreign policy change lever.
OFAC and the Biden Administration have made global headlines in recent weeks as they issued a range of sanctions against Russia’s banks, Putin cronies and rotund oligarchs and their energy and other businesses.
For USAA, the OCC also detailed a host of improvements it needed to make, while not citing a specific sanctions violation.
To ensure it doesn’t engage with an entity off limits to the U.S. financial system, the bank must institute a more formalized sanctions compliance program, including creating and engaging in:
- A system of internal controls commensurate with the Bank’s OFAC risk assessment that includes processes for incorporating changes to OFAC-administered sanctions programs;
- Maintenance of sufficient, adequately trained Bank staff to sustain compliance with OFAC requirements;
- Periodic independent testing of the OFAC Compliance Program for prompt internal reporting and correction of issues identified during independent reviews internally or by regulators;
- Periodic, risk-based independent validation of automated systems that support the Bank’s OFAC Compliance Program, including tuned, tested and validated sanctions screening filters.
Willful Blindness: Just because you didn’t see it, doesn’t mean it didn’t happen
The word “willful” (in relation to the AML program violations) does not appear in the OCC’s civil money penalty nor its cease and desist notice, but it does appear 13 times in the FinCEN consent order.
Two books that should be staple for all compliance staff are ‘Willful Blindness: Why We Ignore the Obvious’ by Margaret Heffernan and ‘Giving Voice to Values: How to Speak Your Mind When You Know What’s Right’ by Mary C. Gentile.
Whereas the former shows what can happen when risks are ignored, the latter goes about showing how to speak up when you know there is something wrong.
Both are very relevant to compliance staff – now more than ever.
About the author
Dev Odedra is an independent anti-money laundering and financial crime expert and is the creator and architect of thelaunderynews.com.
He has more than a decade of experience in managing financial crime risk in the retail, corporate and investment banking sectors.
His expertise covers investigations, advisory and controls implementation and improvement.
Dev is also a prolific author and gathers and analyzes many of the biggest financial crime compliance news stories on social media to help the community keep abreast of key criminal, regulatory and program trends.