USAA Federal Savings Bank (USAA Bank), an indirect wholly owned subsidiary of USAA, engaged in an estimated 400,000 violations of the Military Lending Act (MLA), a former director of compliance within the bank reported to the Office of the Comptroller of the Currency (OCC) in documents seen by Compliance Week.
The estimated scope of USAA Bank’s MLA violations was uncovered following an internal review by a consulting firm retained by USAA, which the OCC, the bank’s primary regulator, mandated as part of its January 2019 consent order, according to the whistleblower. The consent order marked the first time the OCC publicly cited the bank for engaging in “unsafe or unsound banking practices, including those relating to the bank’s compliance management system, risk governance framework, and information technology program.”
Under its consent order, the OCC mandated the bank to enlist the help of a consulting firm to conduct a “six-year lookback,” going back to 2013, to uncover all its violations of law, said Lenn Ferrer, a former director of compliance at USAA Bank before he was terminated in March 2020 after internally blowing the whistle.
The culmination of that lookback was an internal report, the findings of which were presented at a management meeting attended by USAA Bank’s compliance personnel, Ferrer said.
The internal presentation of that report, which took place in January 2020, revealed for the first time an estimation of the bank’s violations of law—specifically that USAA had engaged in approximately 400,000 MLA violations, according to Ferrer. He noted these findings in his whistleblower complaint and subsequent communications with the OCC.
USAA did not answer specific questions regarding the alleged MLA violations.
Most of the MLA violations concerned guaranteed asset protection (GAP) insurance, a technical provision of the MLA, Ferrer said. Another roughly 10,000 violations concerned USAA’s illegal use of “remotely created checks” or “remotely created payments.” Under the MLA, creditors are explicitly prohibited from using a covered borrower’s account information to create a remotely created check or remotely created payment to collect payments on consumer credit.
If a military service member owes a debt and doesn’t pay it, and USAA takes money out of the servicemember’s account to create a check to themselves, that’s an MLA violation.
Regulatory protections for enlisted servicemembers cannot be overstated. According to the “2019 Military Family Lifestyle Survey,” conducted by nonprofit group Blue Star Families, servicemembers often aren’t paid as much as their civilian counterparts, making it especially difficult for them to effectively manage debt.
The survey—sponsored by USAA—also found many military spouses struggle to maintain steady employment due to constant relocation. Under such circumstances, it’s not unusual for a one-income military family to make an informed choice to skip paying a monthly bill to afford food, rent, childcare, or medical treatment, for example.
Ferrer, a decorated war veteran who served his entire adult life on and off active duty and began working for USAA in 2014, stressed that what was especially egregious about the alleged misconduct was that USAA Bank was engaging in these violations in a time of war.
During the Covid-19 pandemic, USAA received further criticism after taking its customers’ stimulus funds issued under the CARES Act. A report from the American Prospect detailed one example where $3,400 in stimulus funds were collected from the family of a disabled veteran. Following blowback on social media, USAA said it changed its policy and reimbursed the funds.
An oblivious OCC?
A former OCC national bank examiner familiar with the matter, who wished to remain anonymous, signaled that USAA Bank acknowledged deficiencies in its compliance management system to the OCC as early as 2012.
“What doesn’t make sense to me is how in God’s name you can have a 10-year festering problem like that,” the former examiner said. “For years, the OCC has allowed USAA to linger as a colossal screwup.”
Based on the OCC’s latest performance evaluation of USAA Bank, which covered the period 2014 through 2018, the regulator appeared unaware of the scope of the bank’s alleged MLA violations. In that evaluation, the OCC stated that, based on “nonpublic information,” it found evidence of 54 MLA violations concerning USAA’s illegal use of remotely created checks.
Further, the OCC said it found evidence of 546 violations of the Servicemembers Civil Relief Act (SCRA), “including failure to provide SCRA protections to military reservists, wrongful repossessions of vehicles, and the filing of inaccurate affidavits in default judgment cases.”
In that same evaluation, the OCC found USAA Bank had engaged in “discriminatory or other illegal credit practices,” due to its “poor” distribution of motor vehicle loans in low- and moderate-income neighborhoods. Consequently, the OCC, in a rare move against a large bank, downgraded USAA Bank’s performance rating under the Community Reinvestment Act from “satisfactory” to “needs to improve.”
Ferrer said USAA cannot truthfully claim it discovered the violations only after seeing the consultant’s report because compliance personnel and its own consultants had been warning senior executives for years about violations of the MLA, SCRA, and various other consumer protection laws.
“We (USAA) knew we were violating the MLA years ago, because we were talking about [the MLA violations] years ago,” Ferrer said. “We’ve met about it for years. We’ve had different consultants talk about it for years. Moreover, these consultant reports went to the highest echelons of USAA. They knew exactly what was going on.”
USAA did not answer specific questions regarding internal warnings of violations of law.
After being presented with the data in the consultant’s report, Ferrer said he reiterated his concerns about the illegal conduct to USAA’s senior management, as he had first done in January 2014 and a second time in a letter addressed to senior management in 2015 while serving on active duty.
But Ferrer said when he approached senior management about his concerns, he was rebuffed once again. “I was dismissed and told, ‘Don’t worry about it. The regulators have approved the remediation plan,’” he said, referring to the OCC’s 2019 consent order.
As a privately held entity, USAA has a lot of leeway in controlling its own regulatory narrative. “Nothing gets revealed because there are no public filings,” Ferrer said. “They conceal everything.”
After numerous failed attempts to get USAA’s senior management to address alleged criminal conduct, Ferrer filed a formal whistleblower consumer complaint with the Federal Reserve on the morning of March 5, 2020, according to documents seen by Compliance Week.
That same afternoon, Ferrer said he was terminated by USAA, which it claimed was “for cause” for “creat[ing] a toxic employment atmosphere by engaging in threatening and inappropriate conduct towards coworkers,” according to documents seen by Compliance Week.
“They knew I was a whistleblower long before they fired me, because I put them on actual notice,” Ferrer said. This was verbally documented in internal communications with USAA in February 2020 viewed by Compliance Week.
Under the Uniformed Services Employment and Reemployment Rights Act (USERRA), an employer cannot fire military members within the first year of them returning from service, except for cause. “Make no mistake, I was fired as a whistleblower, but because I had just returned from military duty, they implicated USERRA,” said Ferrer, who also has a separate USERRA complaint pending against USAA.
As Ferrer later explained in a letter to the OCC, he intentionally filed his whistleblower complaint with the Federal Reserve because “USAA’s relationship with the then midsize bank supervisor (Dallas Nobles) seemed altogether too chummy for the OCC to take any real action against USAA.”
Nobles did not answer a request for comment.
In his complaint, Ferrer notified the Federal Reserve about USAA Bank’s “numerous violations” of the SCRA, the MLA, and mortgage laws. He further described how USAA’s remediation plan, as it was proposed to the OCC, was illegal in his view and that the company’s contracts that allegedly violated the MLA should have been legally void.
“I fail to see how collecting money which one has no legal right to collect is not, in and of itself, material consumer fraud,” Ferrer wrote in his complaint. “These violations are knowing and voluntary, and that makes them amenable to criminal prosecution.”
“Like Wells Fargo, this is systemic mismanagement and fraud at an institutional level,” Ferrer added. The following day, in an email reply seen by Compliance Week, the Federal Reserve responded that it had forwarded his complaint to the OCC.
Cryptic $85M penalty
In October 2020, seven months after Ferrer acted formally as a whistleblower regarding the alleged 400,000 MLA violations, the OCC issued a cryptic $85 million civil penalty that it tacked on as a follow-up to its January 2019 consent order.
The second OCC consent order added new publicly stated findings, including “deficiencies in all three lines of defense” and an unspecified number of violations of the MLA and SCRA. “By reason of the foregoing conduct, the bank engaged in unsafe or unsound practices and violations of law, which were part of a pattern of misconduct,” the order stated.
In a series of frequently asked questions (FAQs) responding to the civil penalty, USAA said, “The issues relate to misapplication of benefits or protections afforded under laws like the SCRA. For example, servicemembers may not have been provided the correct interest rate benefit when they went on active duty for a period of less than 30 days.”
“One MLA issue related to contract disclosures in three products that the bank no longer offers,” USAA continued. “The second MLA issue related to allowing MLA covered borrowers to use remotely created checks to make payments for past-due consumer loans.” The wording’s suggestion of just two MLA issues contradicts the allegations of thousands raised by Ferrer.
USAA’s FAQs now lead to a broken link on its website and can only be accessed through a web archive search.
Other than cryptically citing the MLA and SCRA violations and issuing the $85 million civil penalty, the OCC provided no further details.
In an email to Compliance Week, the OCC stated, “We decline to comment, as we do not comment on specific banks, supervisory activities, or enforcement actions.”
The regulator further did not respond to specific questioning by Compliance Week regarding whether it informed the Department of Justice of the MLA violations it determined occurred at USAA or the allegations raised by Ferrer.
Under Title 10 of U.S. federal criminal code, Section 987, “a creditor who knowingly violates this section shall be fined as provided in Title 18, or imprisoned for not more than one year, or both.”
“USAA unequivocally violated a misdemeanor federal offense under federal criminal statute to the tune of 400,000 violations,” Ferrer said. However, only assistant U.S. attorneys or the federal government have prosecutorial authority over Title 18.
The MLA explicitly provides that “any credit agreement, promissory note, or other contract with a covered borrower that fails to comply with [the regulations] … is void from the inception of the contract.”
“This is where the numbers become astronomical,” potentially amounting to tens of billions of dollars in voided contracts alone for USAA, said Ferrer regarding the alleged MLA violations.
The Department of Justice did not return requests for comment regarding whether there are any ongoing criminal investigations into USAA.