Date: May 12, 2022

At a time when other large banks were stacking their risk and compliance departments amid intensified banking regulatory scrutiny, USAA’s risk and compliance functions remained woefully understaffed in an organization plagued by systemic violations of laws that went unaddressed for years. In exclusive interviews with Compliance Week, former USAA insiders described a culture in which numerous individuals either were given the axe or quit because the problems were so endemic.

Since 2015, USAA Federal Savings Bank (USAA Bank), an indirect wholly owned subsidiary of USAA, has gone through at least four chief compliance officers (CCOs). And, at the group level, another four CCOs and several enterprise chief risk officers have come and gone in a very short period.

“There’s a reason for all this,” said Lenn Ferrer, who was a former director of compliance at USAA Bank before he blew the whistle to regulators in March 2020. “This has been a catastrophically mismanaged organization. It lost its way. It lost its core values.”

The shifting regulatory landscape following the 2008 financial crisis played a significant role in USAA’s change in culture. In 2011, the Office of Thrift Supervision (OTS) was dismembered and absorbed into the Office of the Comptroller of the Currency (OCC) under the Dodd-Frank Act of 2010, a move that suddenly placed USAA Bank under stricter federal supervision.

Unlike the OCC, which is a national bank supervisor, the OTS was responsible at the time for overseeing thrifts, commonly known as savings and loan associations, that specialize in mortgage lending. Because USAA Bank is chartered as a federal savings association, it fell under the OTS’s umbrella.

The OTS was a notoriously lax regulator, whose goal was to “to allow thrifts to operate with a wide breadth of freedom from regulatory intrusion,” former OTS Director James Gilleran once stated in a speech. Instead, the agency relied on the lenders themselves to self-evaluate their own compliance with consumer lending laws, which ultimately led to the collapse of several large banks, including Washington Mutual, IndyMac, and BankUnited. Countrywide sold itself to Bank of America in 2008.

“Historically, USAA really wasn’t challenged to go deep into how the business was being run from a compliance perspective,” said Charles Mapson, a former executive director of bank compliance at USAA. In 2012, while the bank was growing exponentially—approaching $50 billion in assets at the time—it still had a “small-bank mentality toward compliance,” with “maybe” 13 people making up its compliance staff, he said.

From a governance standpoint, at that time, USAA Bank’s CCO reported into USAA’s CCO at the enterprise level, “to whom the compliance staff and all the lines of business reported,” Mapson said. USAA’s enterprise compliance program itself was still in its earliest stages of development.

Over the years, the bank’s reporting structure would go through several changes—from reporting into compliance, to reporting into the general counsel for a short period of time, to reporting into the chief risk officer. Before USAA’s former Chief Executive Officer Joe Robles retired in February 2015, he made it so compliance and risk reported into him, but there was still no integration between risk and compliance at that time, Mapson said.

Compliance: The missing element

USAA had become so accustomed to getting great grades from regulators and not having issues that it failed to appreciate the rapidly developing banking regulatory environment as the bank grew, Mapson added.

“It was a great culture in terms of the mentality of trying to provide financial products to help facilitate the financial security of their members—very much like a credit union—but I think the missing element was how important compliance would be for them to achieve that goal,” he said.

Other former USAA executives, who requested anonymity to speak candidly about the matter, described a bank hamstrung by its lack of banking regulatory knowledge. When USAA first charted the bank in 1983, instead of hiring people with experience in the banking industry, it simply shifted its insurance employees over to the bank.

One former USAA executive commented, “Things were not done properly from Day 1,” due to a “complete lack of understanding” for how different the banking regulatory environment was compared to the insurance industry.

To this day, many of USAA’s insurance people still reside within the bank, including at the very top. USAA’s current CEO Wayne Peacock has been with the company for more than 30 years, according to his LinkedIn profile. Previously, he was president of USAA’s property and casualty insurance group.

A shifting culture

All told, the regulatory environment that developed in the aftermath of Dodd-Frank served as a major catalyst for USAA’s transformative culture, which directly related to risk and compliance but trickled into other areas of the business as well.

Source: A look inside USAA’s ‘catastrophically mismanaged’ compliance culture