Anti-money laundering (AML) compliance deficiencies by a large bank serving members of the military, years of noncompliant off-channel communications catching up to financial services titans, and a manufacturing firm that went into business with terrorists. There are plenty of lapses in judgment, risk management, and leadership to be called out in Compliance Week’s annual list of ethics and compliance failures for 2022.



USAA Federal Savings Bank has had years to address numerous AML and Bank Secrecy Act (BSA) compliance issues it has brushed aside. Former employees said it’s only a matter of time before the bank’s compliance deficiencies begin affecting its customers.

With more than $211 billion in total assets at the end of 2021, USAA has long outgrown its small-bank roots. USAA Federal Savings Bank, launched in 1983 as an offshoot of the company’s insurance business, serves more than 13 million members of the military and their families.

Despite a healthy balance sheet, USAA Bank’s compliance culture has been “catastrophically mismanaged,” said a former director of compliance at the bank who blew the whistle to regulators in March 2020 and spoke with Compliance Week reporter Jaclyn Jaeger as part of an exclusive series published in May. The series detailed the bank’s revolving door of chief compliance officers as well as its alleged deceit of U.S. regulators.

In March, USAA Bank was ordered to pay $140 million by the Financial Crimes Enforcement Network (FinCEN) and Office of the Comptroller of the Currency (OCC) for its “willful” failure to implement and maintain a BSA/AML compliance program. It had previously been fined $85 million by the OCC in 2020 for many of the same problems. FinCEN cited, and USAA admitted, the bank’s “significantly understaffed” compliance program as a fundamental reason it has continually violated federal banking regulations since at least 2016.

The USAA whistleblower who spoke with Compliance Week said the deficiencies cited by the regulators “are just the tip of the iceberg.”



Virtual currency is no different than fiat currency when it comes to BSA/AML compliance, as cryptocurrency trading platform Bittrex learned in October.

Bittrex was found to have conducted more than 116,000 transactions worth $263 million with people and entities located in nations and jurisdictions under U.S. sanctions, including Cuba, Iran, Sudan, Syria, and the Crimea region of Ukraine. For these violations, FinCEN and the Office of Foreign Assets Control (OFAC) combined to fine the platform $29 million.

For the first year of its existence, Bittrex had no BSA/AML compliance program. In February 2016, it hired a vendor to begin screening its trades for possible sanctions violations. However, the vendor only flagged transactions made by people and entities on OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List), ignoring customers located in sanctioned jurisdictions.

From February 2014 through May 2017, Bittrex did not file a single suspicious activity report with FinCEN, despite processing 22 transactions of virtual assets worth $1 million or more each involving sanctioned jurisdictions during those three years.

The case marked the first joint enforcement action by FinCEN and OFAC in the virtual currency space. An underlying message of the action applies to any startup or fintech, whether it provides services in virtual or fiat currency: A BSA/AML program needs to be in place when a service is launched, not years afterward.

Criminals and people in sanctioned jurisdictions will use services with lax compliance standards to process the proceeds of their illegal activities. And regulators will eventually come asking whether your firm’s BSA/AML compliance program was up to the task.



On Nov. 6, FTX was one of the world’s largest cryptocurrency exchanges, worth approximately $16 billion. The company purchased the naming rights of the Miami Heat’s arena, its influential backers included professional athletes Tom Brady and Steph Curry, and it aired expensive but well-received Super Bowl commercials. All the marketing attempted to convince the public cryptocurrency was a safe investment.

But following reports the assets of FTX were closely entwined with another of owner Sam Bankman-Fried’s companies, Alameda Research, FTX investors and customers panicked. Thousands attempted to pull funds from their FTX accounts at once. After six days, on Nov. 11, FTX filed for bankruptcy protection. Bankman-Fried resigned as CEO.

It’s not clear whether regulation of the cryptocurrency industry could have staved off the collapse, but it might have provided insight for investors into FTX’s inherent weaknesses.

The company hired John Ray, who oversaw Enron’s bankruptcy, to replace Bankman-Fried and sift through the wreckage. What he found was jaw-dropping: A “complete failure of corporate controls” that led FTX to reportedly lend Alameda $10 billion of customer funds to plug the latter’s losses.

Bankman-Fried’s previous financial statements could not be trusted. At least $1 billion in funds—and possibly more—initially appeared to be missing or stolen, according to a Nov. 13 report from Reuters. It was unclear which.

“From compromised systems integrity and faulty regulatory oversight abroad to the concentration of control in the hands of a very small group of inexperienced, unsophisticated, and potentially compromised individuals, this situation is unprecedented,” Ray wrote in his filing with the bankruptcy court.



It seems obvious but bears repeating: Paying bribes to win contracts or outmuscle rivals is illegal and unethical.

French multinational building products company Lafarge launched a scheme to pay more than $7 million in bribes to two terrorist groups and middlemen, apparently the cost of doing business in war-torn Syria. The company later doubled down, entering into a revenue-sharing agreement with the Islamic State of Iraq and al-Sham (ISIS).

Dishonorable Mentions

Elon Musk: After several months of trying to back out of a deal he foolishly signed, Musk finally paid $44 billion for Twitter in October. He immediately launched structural changes with the subtlety of a sledgehammer, laying off half of the social media company’s 7,500 staff members. Twitter advertisers, concerned content moderation had weakened, began announcing they were pausing spending. Company revenue plummeted. Musk has poisoned Twitter’s corporate culture so thoroughly there might be nothing left to work with once he has instituted his changes. A good leader works with employees, earns buy-in, and keeps workers in the loop when changes are coming, even unpopular ones. If Twitter does fall, Musk will have no one to blame but himself.


Clearview AI: The U.S.-based facial image aggregator scrapes the internet for publicly available images of people’s faces and allows law enforcement and foreign governments to access its database. In 2022, the company was fined four times in four different countries for violations of the EU’s General Data Protection Regulation. Italy, Greece, and France each handed down €20 million penalties, while the United Kingdom fined the business more than £7.5 million. Each regulator said Clearview AI’s product is collecting and selling the personal data of its country’s citizens without their knowledge or consent. Clearview AI consistently responded it does not have any business or customers in the EU. Clearview AI cannot pick and choose where and when it complies with laws.

In return for helping to drive up prices for competitors, ISIS was compensated in payments structured on the amount of product Lafarge and its Syrian subsidiary were able to sell. The arrangement netted Lafarge approximately $70 million in sales from 2013-14 at its Syrian facility.

Lafarge pleaded guilty to its crimes and was fined $778 million by the Department of Justice (DOJ) in October. The company also faces legal threats in French courts related to the same misconduct, including charges of being complicit in crimes against humanity.

Compounding the misconduct were Lafarge’s attempts to cover up the scheme. Its employees created false invoices to mask the purpose of the payments, asked the terrorist groups not to use the company’s name in written agreements, and conducted much of their business with the terrorist groups via personal emails.

Once the scheme came to light, neither Lafarge nor the Swiss company that bought it, Holcim, fully cooperated with the subsequent investigation into the misconduct, according to the DOJ.

Big bank off-channel communications

The Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) hammered a dozen banks and investment firms with more than $2 billion in total fines for failing to prevent their employees from using personal devices to conduct official business over the course of several years. The misconduct included the employee use of personal emails, WhatsApp, WeChat, and other electronic communications to discuss deals with clients, competitors, and other colleagues.

The practice further included off-channel communications by senior managers who were supposed to be enforcing the rule.


In September, the regulators fined 11 banks, investment firms, and their affiliates a total of more than $1.8 billion for “widespread and longstanding failures” in monitoring, maintaining, and preserving electronic communications by employees. Bank of America agreed to pay $225 million, while Barclays, Citigroup, Deutsche Bank, Credit Suisse, Goldman Sachs, Morgan Stanley, and UBS were each fined $200 million. Each firm admitted to the misconduct.

The enforcement sweep began when JPMorgan Chase was fined $200 million by the SEC and CFTC for similar compliance failures in December 2021. And it is apparently not complete, as investment firms Apollo Global, Carlyle Group, and KKR each indicated in November the SEC is investigating them regarding employee off-channel communications.

Choosing to ignore a problem because everyone is doing it doesn’t fly with regulators.