Senior executives at USAA ignored warnings from compliance staff and consultants for years regarding multiple violations of U.S. federal banking laws and “intentionally” hid from regulators the scope of the company’s illegal practices, a former USAA director of compliance turned whistleblower told Compliance Week.

The $225 million in combined civil penalties USAA has received, to date—$85 million in 2020 and $140 million in March—from the Office of the Comptroller of the Currency (OCC) and the Financial Crimes Enforcement Network (FinCEN) for compliance failures could portend more enforcement activity to come, the whistleblower suggested.

“These fines are just the tip of the iceberg,” said Lenn Ferrer, who was hired in compliance at USAA Federal Savings Bank (USAA Bank), an indirect wholly owned subsidiary of USAA, before he blew the whistle to federal regulators in March 2020. Ferrer was terminated the same day by USAA, which claimed the termination was “for cause” for “creat[ing] a toxic employment atmosphere by engaging in threatening and inappropriate conduct towards coworkers,” according to documents seen by Compliance Week.

“They (USAA) have been actively lying to regulators for years,” he said.

Ferrer shared details of his whistleblower complaint with Compliance Week, along with internal communications from when he was at USAA and conversations he had with regulators regarding his claims. Compliance Week asked USAA a dozen specific questions related to Ferrer’s allegations, including regarding unreported violations of the Military Lending Act (MLA), internal warnings that went ignored, and deficiencies in its compliance controls. USAA declined to answer these questions directly, instead providing a single statement.

“We cannot comment on a complaint we have not seen; however, the allegations provided are completely baseless and unfounded,” stated Roger Wildermuth, public affairs director for USAA. “USAA has an open and transparent relationship with our regulators as we address regulatory concerns.”

Both the OCC and FinCEN are divisions of the Department of the Treasury. In April, Ferrer moved forward with filing a separate whistleblower complaint against USAA with the Consumer Financial Protection Bureau (CFPB). The Bureau declined to comment on whether it currently has any ongoing investigation into USAA.

The allegations are a far cry from USAA’s humble beginnings in 1922, when 25 Army officers made a pact to self-insure each other’s vehicles. After establishing its banking arm in 1983, USAA today is a membership-only diversified insurance and financial services powerhouse, offering insurance, banking, and investment products to current and former military members and their families. As of the end of 2020, USAA had more than 13 million members and $200 billion in total assets.

For the better part of the century, USAA’s devotion to its stated four core values—service, loyalty, honesty, and integrity—is what garnered it generations of loyalty from its military-affiliated customers and employees alike. As recently as this year, USAA continued to rank among Fortune’s esteemed list of the “World’s Most Admired Companies.”

But even as USAA was trying to uphold a pristine façade on the outside, major structural fractures on the inside concerning both its culture and lax compliance controls were starting to buckle, several people close to the matter told Compliance Week.

“Once you pull back the curtain, it’s nothing what you would expect it to be,” said one former USAA executive who asked to remain anonymous. “It’s this toxic mess.”

Ferrer, a former white-collar prosecutor, said it took him just three weeks into his job, after arriving at USAA in January 2014, to “come to the conclusion that the bank was operating well outside the bounds of numerous federal laws.”

“What I observed at the bank was appalling,” he said. “They are wrapping themselves in the flag [with USAA’s motto], ‘We know what it means to serve,’ and they’re ripping off active-duty military members right and left.”

According to USAA’s 2020 annual report, more than 20 percent of its 36,000 employees have a direct connection to the military. Ferrer himself is a decorated war veteran who served his entire adult life on and off active duty, including more than two years of combat tours in Iraq and Afghanistan.

Immediately prior to USAA, Ferrer served four years as counsel at the Federal Deposit Insurance Corporation (FDIC) and, earlier in his career, had been awarded accolades both as a senior Navy Judge Advocate General officer and in his role as a tenured assistant U.S. attorney for the Department of Justice’s Criminal Division, representing cases that included bank and mortgage fraud.

Consent orders USAA Bank has received over the last few years from multiple enforcement agencies have mentioned violations of the MLA, the Servicemembers Civil Relief Act (SCRA), and other consumer protection laws dating back at least as early as 2014.

For example, USAA Bank received a consent order from the CFPB in 2019 for violations of the Electronic Fund Transfer Act (EFTA) and Regulation E. According to the order, on “numerous occasions” prior to 2015, “when consumers notified USAA about suspected errors regarding EFTs that were incorrect, unauthorized, or exceeded the authorization granted by the consumer,” USAA “as a matter of policy” failed to promptly initiate error resolution investigations in violation of Reg E.

The CFPB further found USAA Bank engaged in “unfair acts or practices” prohibited under the Consumer Financial Protection Act by reopening 16,980 previously closed deposit accounts without seeking customers’ required authorization or providing timely notice. In its frequently asked questions, USAA said it reimbursed impacted members for the bank fees they incurred. The company has since deleted its FAQ page, which is now only discoverable through a web archive search.

USAA Bank neither admitted nor denied the CFPB’s findings.

Alleged mortgage fraud

The consent orders, to date, don’t begin to scratch the surface, Ferrer said. None of them address the mortgage fraud USAA Bank was engaging in, he alleged.

“Their entire mortgage system was a fraud,” Ferrer said in internal communications with USAA in February 2020. “We spent $200 million on a mortgage system that didn’t work.”

Ferrer further alleged USAA was engaging in the same mortgage law misconduct that has resulted in enforcement actions against other banks in the past. In February 2015, for example, five major banks—which did not include USAA Bank—agreed to distribute a combined $123 million across settlements with the Department of Justice for the nonjudicial foreclosures of servicemembers and their families.

“USAA was doing this,” Ferrer told Compliance Week. “We actually had a meeting … called ‘the plan to change public record’ in the company calendar because they wanted to scrub from public record cases where USAA had foreclosed on properties illegally.”

USAA did not answer specific questions regarding any alleged violations of law.

Not your typical bank

Underlying all USAA Bank’s alleged violations is one critical point: It is not a typical consumer-serving bank.

“You cannot be a member of USAA unless you have a military nexus,” Ferrer stressed. “They’re violating the very statutes that are designed specifically to protect military members, a protected class.”

The purpose of the SCRA is “to enable [servicemembers] to devote their entire energy to defense needs of the nation,” the law states. Enacted in 2003, the SCRA strictly prohibits lenders from engaging in a wide range of practices that impede servicemember protections, including issuing default judgments and nonjudicial foreclosures, evicting active-duty military members, and repossessing their vehicles.

The MLA, enacted in 2006 and implemented by the Department of Defense, similarly is designed to protect active duty servicemembers and their dependents, mainly from predatory lending practices.

The OCC found evidence of 546 violations of the SCRA and 54 violations of the MLA at USAA Bank in a 2019 performance evaluation. The regulator’s $85 million action against the bank in October 2020 cited an unspecified number of violations of both laws; Ferrer told the OCC seven months earlier that a consulting firm commissioned by the bank had discovered an estimated 400,000 violations of the MLA as part of an OCC-mandated lookback.

“If anybody should know what MLA means and how to comply with it, it should be USAA,” Ferrer said.

As documented in a letter to the OCC’s Midsize Bank Supervision headquarters, Ferrer stated he notified USAA executives on two different occasions of what he characterized as “predatory and potentially criminal practices against members of the military” being committed by USAA Bank as it concerned “numerous violations of law.”

Ferrer described first expressing his concerns during an internal group meeting attended by USAA Bank compliance department personnel in 2014. “I was verbally berated for having had the audacity to have made this statement,” he said.

After being recalled to active duty in October 2014, he said he drafted a letter directed to then-Chairman Lester Lyles and then-Chief Executive Officer Stuart Parker, expressing concerns about “what I then believed to be the ongoing commission of criminal activity.”

“They didn’t have an investigator contact me. They did nothing and allowed the illegal conduct to continue,” Ferrer said.

Parker declined to comment. Lyles did not return requests for comment.

First signs of compliance failures

Cracks in USAA’s façade did not begin to show publicly until January 2019, when the OCC, USAA’s primary regulator, issued the bank a consent order for engaging in “unsafe or unsound banking practices, including those relating to the bank’s compliance management system, risk governance framework, and information technology (IT) program.”

The OCC’s consent order likely had to do with a changing of the guard at the regulator, the fact that USAA had been given several previous warnings, or both, said a former OCC national bank examiner familiar with the matter who asked not to be identified.

In its consent order, the OCC said USAA Bank “failed to implement and maintain an effective bank-wide risk management program commensurate with the bank’s size, complexity, and risk profile.” At this time, the bank’s customer base and total asset size were continuing to grow, reaching $117.4 billion as of January 2022, according to data from iBanknet.

The consent order presented only a watered-down version of the truth, Ferrer alleged. He described USAA’s IT risk governance program as “so poorly resourced” that it was still relying upon spreadsheets to identify violations of law. The bank had a “complete and total lack of any IT system normally and routinely found in use for compliance and risk purposes at other banks of like size and complexity,” he said.

The bank had roughly 20 compliance personnel “at most” at that time, when it should have had about 10 times that, he said. In place of compliance personnel, USAA executives hired third-party contractors who were embedded into compliance.

“They were physically in the bank. They were sitting in cubes right next to us,” Ferrer said.

For years, USAA enlisted the help of numerous major consulting firms—Treliant, KPMG, PwC, and Protiviti, to name a few. The contractors were the ones who did “all the heavy lifting, the deep dive compilations of raw data to uncover all the violations of law,” Ferrer said. “We spent more on consultants than actual bank compliance personnel.”

PwC, KPMG, and Protiviti declined to comment. Treliant did not return a request for comment.

Ferrer claimed these practices were intentional so USAA could hide its violations of law from the OCC. Meanwhile, USAA executives “intentionally turned a blind eye” to all the federal and state banking laws they were violating, he alleged.

‘Willful’ violations

In March, FinCEN and the OCC ordered USAA Bank to pay $140 million as part of two separate consent orders for violations of Bank Secrecy Act/anti-money laundering laws. USAA Bank admitted to FinCEN’s findings of “willful” violations.

FinCEN found in its consent order the bank’s compliance department was “significantly understaffed,” and it “relied on third-party contractors to augment staffing levels.”

Further, it was publicly revealed the bank in 2018 “determined that it needed 178 permanent, full-time positions to fully staff its compliance functions,” and yet still had 62 vacant positions as of 2021. The bank “supplemented approximately 76 percent of its compliance staffing needs with third-party contractors,” and these contractors were neither properly trained nor “possessed satisfactory qualifications and expertise,” FinCEN stated in its consent order.

Ferrer described FinCEN’s finding that USAA Bank engaged in “willful” violations as a “paradigm shift” for regulators because it means USAA is no longer going to get the benefit of the doubt.

“I believe we’re now going to see a pattern of admissions of ‘willful’ violations,” Ferrer said.

Editor’s note: This story package was updated May 10 to identify Lenn Ferrer as a former director of compliance at USAA. The original report referred to him as a former compliance officer.

Whistleblower: USAA ‘actively lying to regulators for years’ regarding violations of law