The Office of the Comptroller of the Currency (OCC) recently assessed a hefty $85 million civil penalty against USAA Federal Savings Bank resulting from failures in its compliance risk management program. But both sides remain curiously tightlipped about the specific consumer law violations that occurred and the extent of harm done.

In its consent order released Wednesday, the OCC—USAA’s main banking regulator—said the firm “failed to implement and maintain an effective compliance risk management program and an effective IT risk governance program commensurate with the bank’s size, complexity, and risk profile.” The OCC further noted USAA has “deficiencies in all three lines of defense—first-line business units, independent risk management, and internal audit—in its compliance risk management program.”

According to the consent order, these deficiencies resulted in violations of consumer protection laws, including the Military Lending Act (MLA) and the Servicemembers Civil Relief Act (SCRA). For these reasons, the OCC said, USAA “engaged in unsafe or unsound practices and violations of law, which were part of a pattern of misconduct.”

The OCC said USAA is “in the process of remediating these violations” under a related January 2019 consent order. More noteworthy than the fine is the lack of detail around it, which begs more questions than answers:

  • In what specific ways did USAA fail to implement and maintain “an effective compliance risk management program and an effective IT risk governance program”?
  • In what specific ways did USAA violate the MLA and SCRA?
  • How many violations were involved?
  • Over what period did these violations occur?
  • What specific consumer harm was done?
  • How many consumers were impacted? What losses did they sustain? How much, if any, will USAA have to compensate to them?
  • Why was the fine issued one year after the consent order?

In response to an email inquiry to the above questions, a USAA spokesperson responded, “I don’t have specific answers to your questions and would refer you back to the OCC for specific questions.” Taking that advice, an OCC spokesperson reverted me back to the 2019 consent order, which spells out all the ways the agency expects USAA to enhance its compliance risk management program but doesn’t provide much detail beyond that.

USAA does provide some—albeit, cryptic—responses on its Website in the form of a series of FAQs regarding the consent order, which indicates consumer harm in some capacity did result. “The issues relate to misapplication of benefits or protections afforded under laws like the SCRA,” USAA said. “For example, servicemembers may not have been provided the correct interest rate benefit when they went on active duty for a period of less than 30 days.”

Regarding MLA violations, the company explained, “one MLA issue related to contract disclosures in three products that the bank no longer offers. The second MLA issue related to allowing MLA-covered borrowers to use remotely created checks to make payments for past-due consumer loans.”

“Noncompliance occurred because USAA’s compliance, risk management and technology capabilities, processes and expertise did not keep pace with our growth or regulatory expectations,” the company added. “We are working diligently to address our challenges by hiring the right expertise and improving systems and processes.”

On the Better Business Bureau Website, customers give USAA a dismal one-star (out of five stars) rating. Such a poor standing should be a red flag for any company regarding its business operations. Having been in business for nearly 100 years, USAA has a storied history—but so does Wells Fargo.

USAA insisted its issues “do not reflect an effort to avoid providing benefits and/or protections.” The $85 million OCC penalty suggests the opposite. Just don’t expect any clarity either way.

The email response I received from the OCC concluded, “Please let us know if you have additional questions.” Indeed, I’m still awaiting answers to all the questions I originally asked.