USAA ordered to improve risk management, information security

Banking regulators have identified a range of operational shortcomings at USAA Federal Savings Bank, criticizing its risk management program, its systems for complying with various laws and regulations, and its information security efforts.

In an agreement that was made public Friday, the Office of the Comptroller of the Currency ordered the San Antonio bank to develop plans to remedy the alleged failures.

The 21-page agreement does not include any financial penalties. USAA, an $82 billion-asset bank that serves members of the U.S. military and their families, neither admitted nor denied the claims.

“We are committed to complying with regulatory expectations for companies of our size and complexity,” USAA spokesman Matt Hartwig said in an email. “We already have been proactively addressing these issues and made progress enhancing our systems and processes. But we have more to do to continue delivering the service members deserve.”

Hartwig said that the bank’s agreement with the OCC is not related to a consent order with the Consumer Financial Protection Bureau that was announced on Jan. 3, though he added that work the bank has been doing addresses the concerns of both agencies.

The CFPB alleged that USAA reopened deposit accounts without customers’ consent and neglected stop-payment requests. The bank agreed to pay a $3.5 million fine and $12 million in restitution to 66,000 customers.

In the agreement announced Friday, the OCC found that USAA failed to implement an effective risk management program that was commensurate with its size, complexity and risk profile. The bank’s audit program was deemed insufficient, as was its compliance management system.

The regulatory agency also determined that the bank’s information technology program does not comply with federal guidelines that establish information security standards.

The agreement, which took effect on Jan. 7, gives USAA until late March to submit a written plan detailing the steps it will take to remedy the problems.
