A national lender, USAA Federal Savings Bank, entered into a consent order with the Office of the Comptroller of the Currency (“OCC”), which included an $85 million civil money penalty for alleged "unsafe or unsound" banking risk management, compliance processes, and information technology (“IT”) risk governance. In the consent order, the OCC stated that the bank had failed to implement and maintain banking risk management and IT risk governance protocols. Specifically, the bank had deficiencies in "all three lines of defense": first-line business units, independent risk management, and internal audits. As a result, the OCC concluded that the lender had violated the Military Lending Act (“MLA”) and the Servicemembers Civil Relief Act (“SCRA”) in a “pattern of misconduct.”
The OCC said that its investigation revealed evidence of several hundred SCRA violations by the bank, including "failure to provide SCRA protections to military reservists, wrongful repossessions of vehicles, and the filing of inaccurate affidavits in default judgment cases." The agency said that it had also identified several dozen MLA violations involving the use of "remotely created checks to collect past due amounts from members who were covered borrowers." The bank is also in the process of remediating the MLA and SCRA violations pursuant to the terms of a 2019 consent order with the OCC.
While the alleged violations are the focus, the underlying point of the OCC’s consent order is clearly that the bank’s personnel and IT risk management were insufficient and that this insufficiency led to the multiple violations. Thus, it is a reminder that lenders must have robust frontline consumer complaint, risk avoidance, and risk mitigation personnel and technology that can and do evolve as business operations change and grow.
The matter is USAA Federal Savings Bank, No. AA-ENF-2020-67, in the U.S. Department of the Treasury's Office of the Comptroller of the Currency.