At a time when other large banks were stacking their risk and compliance departments amid intensified banking regulatory scrutiny, USAA’s risk and compliance functions remained woefully understaffed in an organization plagued by systemic violations of laws that went unaddressed for years. In exclusive interviews with Compliance Week, former USAA insiders described a culture in which numerous individuals either were given the axe or quit because the problems were so endemic.
Since 2015, USAA Federal Savings Bank (USAA Bank), an indirect wholly owned subsidiary of USAA, has gone through at least four chief compliance officers (CCOs). And, at the group level, another four CCOs and several enterprise chief risk officers have come and gone in a very short period.
“There’s a reason for all this,” said Lenn Ferrer, who was a former director of compliance at USAA Bank before he blew the whistle to regulators in March 2020. “This has been a catastrophically mismanaged organization. It lost its way. It lost its core values.”
The shifting regulatory landscape following the 2008 financial crisis played a significant role in USAA’s change in culture. In 2011, the Office of Thrift Supervision (OTS) was dismembered and absorbed into the Office of the Comptroller of the Currency (OCC) under the Dodd-Frank Act of 2010, a move that suddenly placed USAA Bank under stricter federal supervision.
USAA’s chief compliance officer carousel
Below is a list of different individuals who have held the role of chief compliance officer at USAA Bank and USAA Group since 2013.
Christopher Willard: September 2013 - November 2015
Jay Christoff: November 2015 - October 2018
Laura Waters: October 2018 - January 2020
Ron Fox: August 2019 - January 2022
Chris Warren: February 2014 - November 2016
Vivian Kirkendoll: November 2016 - May 2019
Donald Howard: February 2019 - May 2021 (served as enterprise chief risk officer from December 2016 - January 2019)
Celie Niehaus: October 2021 - present
Unlike the OCC, which is a national bank supervisor, the OTS was responsible at the time for overseeing thrifts, commonly known as savings and loan associations, that specialize in mortgage lending. Because USAA Bank is chartered as a federal savings association, it fell under the OTS’s umbrella.
The OTS was a notoriously lax regulator, whose goal was “to allow thrifts to operate with a wide breadth of freedom from regulatory intrusion,” former OTS Director James Gilleran once stated in a speech. Instead, the agency relied on the lenders themselves to self-evaluate their own compliance with consumer lending laws, which ultimately led to the collapse of several large banks, including Washington Mutual, IndyMac, and BankUnited. Countrywide sold itself to Bank of America in 2008.
“Historically, USAA really wasn’t challenged to go deep into how the business was being run from a compliance perspective,” said Charles Mapson, a former executive director of bank compliance at USAA. In 2012, while the bank was growing exponentially—approaching $50 billion in assets at the time—it still had a “small-bank mentality toward compliance,” with “maybe” 13 people making up its compliance staff, he said.
From a governance standpoint, at that time, USAA Bank’s CCO reported into USAA’s CCO at the enterprise level, “to whom the compliance staff and all the lines of business reported,” Mapson said. USAA’s enterprise compliance program itself was still in its earliest stages of development.
Over the years, the bank’s reporting structure would go through several changes—from reporting into compliance, to reporting into the general counsel for a short period of time, to reporting into the chief risk officer. Before USAA’s former Chief Executive Officer Joe Robles retired in February 2015, he made it so compliance and risk reported into him, but there was still no integration between risk and compliance at that time, Mapson said.
Compliance: The missing element
USAA had become so accustomed to getting great grades from regulators and not having issues that it failed to appreciate the rapidly developing banking regulatory environment as the bank grew, Mapson added.
“It was a great culture in terms of the mentality of trying to provide financial products to help facilitate the financial security of their members—very much like a credit union—but I think the missing element was how important compliance would be for them to achieve that goal,” he said.
Other former USAA executives, who requested anonymity to speak candidly about the matter, described a bank hamstrung by its lack of banking regulatory knowledge. When USAA first chartered the bank in 1983, instead of hiring people with experience in the banking industry, it simply shifted its insurance employees over to the bank.
One former USAA executive commented, “Things were not done properly from Day 1,” due to a “complete lack of understanding” for how different the banking regulatory environment was compared to the insurance industry.
To this day, many of USAA’s insurance people still reside within the bank, including at the very top. USAA’s current CEO Wayne Peacock has been with the company for more than 30 years, according to his LinkedIn profile. Previously, he was president of USAA’s property and casualty insurance group.
A shifting culture
All told, the regulatory environment that developed in the aftermath of Dodd-Frank served as a major catalyst for USAA’s transformative culture, which directly related to risk and compliance but trickled into other areas of the business as well.
Anecdotally, it used to be USAA employees counted their tenure in decades. While that’s still true to some extent today, USAA’s senior leaders have been put on notice by regulators to bring more outside people in with necessary knowledge and expertise in the banking regulatory space, not just transplants from its insurance division.
As new compliance personnel have been brought in, however, the monumental challenge of cleaning up after those who have allowed a toxic mess of law violations to linger for years was exhausting to the point of burnout, more than one former USAA insider shared. Much of the problem had to do with, as regulators have confirmed, the bank’s “significantly understaffed” compliance department, leaving those who were at the bank stuck picking up the slack.
Without commenting specifically about the company’s internal culture, USAA’s director of public relations, Roger Wildermuth, replied in an email, “We remain focused on strengthening our risk and compliance capabilities.”
Within other troubled financial institutions, it’s not unusual for compliance to work collaboratively with the business, backed by leadership support, to solve systemic problems. At USAA, however, as one former executive described, “So many people have to agree over anything you want to get done, and the lack of support from senior leadership means that you’re constantly spinning your wheels.”
Some likened USAA’s culture to the military-mentality style of leadership from which it hails, in which leaders are accountable for the failures of their subordinates, as opposed to the teamwork mentality of, “We got ourselves into this mess, let’s get ourselves out of it.”
Compliance as a ‘rubber stamp’
That military-mentality style of leadership—take direct orders, don’t ask questions—spilled into compliance as well, according to former employees.
“The compliance department was basically a rubber stamp for what the business wanted,” Ferrer said. “That is not speculation. That is a fact. That is the culture I walked into in 2014.”
These cultural deficiencies continued even after receiving the OCC’s January 2019 consent order, in which the regulator found “unsafe or unsound banking practices” relating to the bank’s compliance risk management program and information technology risk governance program.
One stipulation of the consent order was that USAA Bank conduct a “six-year lookback,” going back to 2013, to uncover all its previous violations of law, Ferrer said. During the lookback, the bank also was in the process of redrafting all its internal policies and procedures, including its “SCRA (Servicemembers Civil Relief Act) Lookback Review Foreclosure Procedures,” according to internal email communications seen by Compliance Week.
On several occasions, compliance personnel were asked to sign off on policies and procedures while they were still being drafted. In one instance, Ferrer explained, “I was told by a contractor, ‘Just sign the document. We’ll run it through legal after,’ and I said, ‘No. This is a draft. I’ve made changes and said this does not comply.’ Why would compliance rubber-stamp a draft document? I refused to do it.”
Stated one email communication from a USAA contractor, “Attached is the most current version of the procedures to include compliance feedback and edits, along with a section … regarding redemptions that was added by legal. This section was added after we submitted procedures to the compliance team for approval because the Treliant team is currently working through the redemptions and evictions process with legal. This section is still … being built out.”
Ferrer responded in the email, “We should neither be reviewing nor ‘approving’ partial, incomplete, second, third, fourth revisions that still need to be ‘built out.’ These are very dangerous practices that violate industry standards.”
He continued, “Second and third line ‘defenses’ should not be ‘approving’ documents merely because business, or worse, contractors say so, especially on a compressed timeline that frustrates our ability to actually take the necessary time to ensure the documents are correct, when complete.”
Treliant did not return a request for comment.
According to a former OCC national bank examiner close to the matter who asked not to be identified, the OCC lookback is notable itself. “In a lookback, the regulator will require banks to appoint an independent consulting firm, subject to regulator nonobjection, do a lookback only when it believes the scope of the problem is bigger than the time and resources the OCC has,” he said. “A lookback might mean, ‘I don’t trust you, the bank, to do it.’”
CCO musical chairs
In October 2018, the same month USAA received notice from the OCC regarding the incoming consent order, one of the bank’s longest-running CCOs at the time, Jay Christoff, was moved and named vice president of business risk and controls, according to people familiar with the matter and confirmed by his LinkedIn profile. Christoff had been CCO for three years. Following the departure of yet another CCO one year later, USAA Bank in August 2019 appointed Ron Fox to the position.
There were two major conflicts of interest at play. Firstly, before being appointed CCO, Fox had served as USAA’s assistant vice president of enterprise regulatory affairs, tasked with overseeing the company’s regulatory assessments, exam readiness, and remediation of violations.
“He was the one who had to make affirmative representations to the OCC,” Ferrer said. “He was the fox guarding the henhouse.”
Part and parcel with that, the other conflict of interest was—as Ferrer later stated in a letter to the OCC’s Midsize Bank Supervision headquarters—Fox’s “altogether too chummy” friendship with the OCC’s midsize bank examiner, Dallas Nobles.
Other USAA insiders who spoke with Compliance Week on condition of anonymity corroborated that USAA executives were warned about appointing Fox as CCO because his qualifications did not meet what the company had documented as its own minimum criteria.
Neither Nobles nor Fox returned requests for comment. The OCC would not answer any questions posed to it.
Following yet more reshuffling within compliance at the enterprise level, Fox left the bank in February 2022. In response to an inquiry from Compliance Week regarding why Fox left, Wildermuth declined to provide a reason, “beyond noting that Celie’s role encompasses bank [compliance].” He was referring to the October 2021 appointment of Celie Niehaus as USAA’s enterprise-wide chief compliance officer.
In addition to Niehaus’s appointment, USAA established in August 2021 a compliance committee, as required by the OCC’s 2019 consent order, and updated its risk and compliance committee charter in September 2021.