<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

Inside USAA’s CRA Rating Downgrade and $85 Million Penalty

4 min read
Oct 28, 2020

Every bank that’s confident in its satisfactory Community Reinvestment Act (CRA) performance, take a step forward.

Not so fast, USAA.

The Office of the Comptroller of the Currency (OCC) took the rare action of downgrading USAA’s CRA rating to “Needs to Improve” after it uncovered evidence of discriminatory and illegal credit practices. The agency also cited failures in its compliance management program leading to the violations, which cost the bank an additional $85 million in civil money penalties.

Why Did the OCC Downgrade USAA’s CRA Rating?

The OCC found evidence of 546 violations of the Servicemembers Civil Relief Act which included:

      • Failure to provide SCRA protections to military reservists.
      • Wrongful repossessions of vehicles.
      • Filing of inaccurate affidavits in default judgment cases.

It also found evidence of 54 violations of the Military Lending Act for using remotely created checks to collect past due amounts from consumers who were covered borrowers.

The OCC noted that USAA’s geographic distribution of consumer loans in 2017 through 2019 was poor, with the number of motor vehicle loans in low-income areas not proportional to the number of households—consistent with its prior findings in 2014 through 2016 evaluation.

What Went Wrong?

Blame it on the compliance management program—and not moving fast enough to fix it.

The OCC first came at USAA with a consent order in January 2019 for engaging in unsafe and unsound banking practices related to its compliance management system (CMS), risk governance framework, and IT program.

When the agency followed up with its October 2020 consent order, it said that USAA did not implement or maintain an effective compliance risk management program or an effective IT risk governance program. More specifically, the programs:

        • Weren’t commensurate with USAA’s size, complexity, and risk profile.
        • Had deficiencies in all three lines of defense (business units, independent risk management, and internal audit) of its compliance risk management program.

In explaining the consent order to customers, USAA blamed its compliance shortfalls on its quick growth over the last decade and not “sufficiently invest[ing] in the capabilities and expertise necessary to meet regulatory requirements and evolving business needs.”

USAA also acknowledged they “have not moved fast enough to close some gaps.”

As for specifics on the violations, USAA said that:

        • Servicemembers may not have been provided the correct interest rate benefit when they went on active duty for a period of less than 30 days.
        • One MLA issue related to contract disclosures in three products USAA no longer offers. The other MLA issue related to allowing MLA covered borrowers to use remotely created checks to make payments for past-due consumer loans.

USAA is reaching out to impacted customers with remediation that may include payments, changing fee structures, or supplying correct disclosures.

policies for banks

Lessons Learned from USAA’s Compliance Risk Management Mistakes

Choose an appropriate risk management approach. Financial institutions have a lot of freedom when it comes to structuring risk management programs. Rather than a one-size-fits-all model, FIs should be structuring programs in a way that is appropriate for their business models (i.e. size, complexity, and risk profile). For example, it could be a single risk committee, a large risk department, a chief risk officer, or some combination of them all.

The lesson here is not to take a casual approach to risk management. Regulators have expectations for formal, documented programs that cover specific areas, including board oversight. Every risk management program should have the same goals of identifying, measuring, monitoring, and controlling risk.

When tailoring risk management programs to your FI, it should at a minimum include internal controls, information systems, and internal audits that are appropriate for the size of the institution and the nature, scope, and risk of its activities.

What Do Regulators Have to Say About Risk Management Requirements?

Make sure risk and compliance management keep pace with your FI’s growth. Looking at USAA’s company history page, it is clear USAA had planned for growth by expanding its consumer footprint, adding new locations and digital services. However, it’s clear no one was tasked with ensuring that its compliance management kept pace.

If your financial institution has plans to grow—whether organically or through acquisition—make sure you’re considering your FI’s compliance management. What works as a three-branch, $500 million-asset institution may not be suitable for a 20-branch, $1.2 billion institution. Programs do not have to change immediately, but well-laid plans to scale it up need to put in place and documented with clear timelines for implementation

Meanwhile, every merger or acquisition must be approved by regulators. If institutions are burdened with unchecked compliance risk, it can derail the transaction. It is important to have a strong compliance management team to successfully integrate two or more institutions.

If growth is a goal, make sure that growth includes a plan for compliance.

Move quickly to correct findings and deficiencies. USAA knew the OCC was unhappy with its compliance risk management program, but it did not invest the resources or effort to promptly correct the problem. Had the bank shown a quick turnaround, it could have potentially avoided the $85 million civil money penalty.

Learn from this mistake. If examiners or auditors uncover a problem—especially a major systemic issue—make correcting the issue a high priority. It is less costly to proactively remediate the problem than to pay a fine and possibly damage your reputation. Findings management is a must.

Also, remember the saying where there is smoke, there is fire. A lackluster compliance management system (CMS) is not going to lead to just one compliance problem. Who knows what other issues are lurking below the surface waiting to be found? The sooner a strong CMS is put into place, the sooner these issues can be detected and corrected.

Related: Flood Insurance: Compliance Tips for Avoiding Costly Penalties

Regularly assess lending for CRA compliance. Actively measuring and monitoring CRA performance helps your FI stay compliant—you are able to proactively discover and remediate issues before examiners find them. The same is true of fair lending. I bet USAA wishes it had taken a more proactive role in CRA compliance risk management.

From internal controls, internal audit, and IT systems to frontline accountability and management and board oversight, make sure your FI has compliance policies, procedures, and systems that result in compliance.

The cost of noncompliance is too high to ignore.  Download our whitepaper to learn more about best practices for tracking audit and exam findings.


Learn even more about building a strong lending compliance management system.


New call-to-action

Subscribe to the Nsight Blog