A deep dive into the consent order issued last week by the Office of the Comptroller of the Currency (OCC) against USAA Federal Savings Bank imparts lessons for compliance officers in the financial services industry on how—and how not—to maintain a Bank Secrecy Act/anti-money laundering (BSA/AML) compliance program.
On March 17, USAA Bank agreed to pay $140 million as part of two separate consent orders reached with the OCC and the Financial Crimes Enforcement Network for the bank’s “willful” failure to implement and maintain a BSA/AML compliance program. The OCC also issued a cease-and-desist order against the bank, which requires it “to take broad and comprehensive corrective actions to improve internal controls, training, staffing, and third-party risk management of its BSA/AML program,” the agency stated.
A closer look at the compliance requirements USAA Bank must implement is explored in more detail below.
Suspicious activity report oversight: Under the OCC consent order, USAA Bank must implement procedures for “identifying, evaluating, and reporting suspicious activity” concerning BSA violations, terrorist financing, and other illicit financial activity.
USAA Bank must establish standards to “ensure accounts with high volumes of unusual or potentially suspicious activity alerts and/or case investigations are identified, elevated, and properly categorized,” the consent order stated. It must also maintain adequate documentation to support case investigations.
USAA Bank must also implement an effective decision-making process for suspicious activity reports and document facts and circumstances that support decisions for not filing a SAR.
The OCC stated USAA Bank must ensure its suspicious activity monitoring and reporting program provides for:
- Applying appropriate rules, thresholds, and filters for monitoring transactions, accounts, customers, products, services, and geographic areas commensurate with the bank’s BSA/AML risk profile;
- Implementing manual processes to identify potential suspicious activity not reviewed by an automated system;
- Complete and accurate information available to support alerts and investigations of potentially suspicious activity, including information from multiple business lines;
- Validating data inputs for automated systems, including inputs from all products, services, and peer-to-peer transactions;
- Maintaining documentation supporting the bank’s methodology for establishing and adjusting thresholds and filters;
- Processes for ongoing, risk-based independent validation of alert triggers, parameters, and other settings, including factors for developing a customer risk profile; and
- Processes for developing adequate documentation and prompt reporting of validation findings and prompt resolution of deficiencies.
Risk assessment processes: The bank must also “develop, implement, and maintain an institution-wide assessment of the bank’s money laundering, terrorist financing, and other illicit financial activity risks and incorporate that risk assessment into the design and implementation of the BSA/AML program,” the consent order directed.
This risk assessment must include:
- Identification of products, services, customers, and geographic locations that pose risks to the bank, and an analysis of the pertinent data obtained regarding these specific risk categories;
- An assessment of risk both separately within the bank’s business lines and on a consolidated basis across all bank activities and product lines;
- Maintaining appropriate data and information used to support the risk assessment’s conclusions, and making this documentation readily accessible for third-party review;
- An inventory of internal controls designed to address the risks identified through the risk assessment; and
- An assessment of the adequacy of those controls that incorporates findings from regulatory examinations, second-line testing, and audit reviews.
The risk assessment must be updated when changes occur that affect how accurately it reflects the bank’s risk profile.
BSA internal controls: The bank must implement a system of internal controls that must include, at a minimum:
- Appropriate risk-based transaction limits for bank products and services;
- Management information systems, commensurate with the bank’s size and risk profile, that provide timely and accurate periodic reporting to senior management and the board of the bank’s BSA/AML program’s status, including alert and investigation volumes; and
- Independent, risk-based quality assurance and quality control processes, including “assessment of suspicious activity alerts and investigations, SAR and currency transaction report filings, and periodic review of high-risk customers, with a focus on decision quality.”
Customer due diligence controls: The bank must “promptly” implement a written customer identification program and risk-based policies and procedures for collecting customer due diligence (CDD) information when opening new accounts and updating customer profiles, according to the OCC.
These efforts must include:
- Policies and procedures outlining ongoing high-risk account review expectations;
- Assigned accountability and oversight for account opening and review, including provisions for escalation to bank management of decisions to open high-risk accounts;
- Procedures to ensure accounts are accurately risk-rated and CDD performed is appropriate; and
- Documented explanations for changes in account activity.
BSA staffing: The bank must appoint an officer “vested with sufficient independence, authority, and resources” to ensure compliance with BSA requirements, the OCC stated.
The BSA officer’s responsibilities include monitoring for high-risk customers, keeping customer profiles updated, and providing timely and accurate periodic reporting to the board and senior management about the status of the bank’s BSA/AML program, according to the consent order.
In addition, the board must ensure the bank has sufficient staff with appropriate skills, expertise, and authority needed to support the BSA officer and the BSA/AML program.
Third-party vetting: The bank “shall not contract with any third party to perform BSA/AML functions, unless the bank has conducted and documented an assessment of the adequacy of the skills and training of the third party for the proposed services,” the OCC said.
Further, the bank must also “provide adequate oversight of all third parties performing BSA/AML functions, including a quality control program to evaluate third parties’ performance against specific standards.”
BSA training: The board must ensure the bank develops, implements, and adheres to a training program for all appropriate employees and board members to ensure their awareness of their responsibility for compliance with the requirements of the BSA and the bank’s BSA/AML program, according to the consent order. Third parties that perform BSA/AML functions must also “receive sufficient and ongoing training to perform their tasks effectively.”
BSA independent testing: The board must ensure the bank adheres to an effective BSA/AML audit program commensurate with the bank’s money laundering, terrorist financing, and other illicit financial activity risk profile.
The audit program must:
- Test the adequacy of internal controls and evaluate compliance with applicable laws, rules, and regulations;
- Evaluate the bank’s adherence to established policies and procedures;
- Provide adequate audit coverage and audit frequency using a risk-based approach;
- Perform sufficient transaction testing to support audit findings, particularly in areas of higher risk or concern; and
- Maintain sufficient documentation to support audit findings and conclusions.
The audit program must be adequately staffed, and deficiencies in BSA/AML processes and controls identified through the audit program must be promptly reported to the board or audit committee and to senior management.
In addition, the board or audit committee “shall ensure that management takes prompt action to remedy deficiencies cited in audit reports and that the audit program reviews and validates corrective action promptly,” the OCC said.
OFAC compliance program: The consent order requires the development, implementation, and adherence to an effective Office of Foreign Assets Control (OFAC) compliance program. The program must include an OFAC risk assessment methodology and process, a system of internal controls, adequate training of staff, and periodic testing.