USAA Bank Fighting Major Regulatory Fires

  • February 20, 2019
  • Quantivate

Remember the old Smokey the Bear adage, "Only you can prevent forest fires"?

Well, it certainly seems true in the case of USAA Bank being hit with cease-and-desist proceedings for engaging in unsafe or unsound banking practices (the "consent order"). I have always believed that it is more cost-efficient and a better business model to prevent the fire than to expend countless resources continually fighting it. So, who is the "you" at USAA Bank responsible for preventing these regulatory fires?

Sound risk management practice tells you that it is everyone from the board down to the front-line staff, including internal audit (the three lines of defense), and a review of the consent order shows that its findings and required corrective actions map onto exactly those lines.

While we do not know in extensive detail the deficiencies the OCC found, its Article II – Findings make clear the extent to which the Bank's overall risk management practices failed. The findings are as follows (emphasis mine):

  1. The Bank has failed to implement and maintain an effective Bank-wide Risk Management Program ("ERM") commensurate with the Bank's size, complexity, and risk profile. The Bank's failure to implement and maintain an effective Bank-wide Risk Management Program is an unsafe or unsound practice.
  2. The Bank's internal controls and information systems do not comply with the guidelines established in 12 C.F.R. Part 30, Appendix A.
  3. The Bank's internal audit program ("Internal Audit") is insufficient given the Bank's size, complexity, and risk profile, and is not in compliance with the guidelines established in 12 C.F.R. Part 30, Appendix A.
  4. The Bank has failed to implement and maintain an effective compliance management system that includes processes and practices designed to manage consumer compliance risk, support compliance with consumer protection-related laws and regulations and prevent consumer harm. The Bank's failure to implement and maintain a satisfactory compliance management system is an unsafe or unsound practice.
  5. The Bank has failed to implement and maintain an effective, comprehensive IT program, and its IT program is not in compliance with the guidelines established in 12 C.F.R. Part 30, Appendix B.

Throughout the remediation plans required to correct the above deficiencies, we see risk management principles that were either missing or in need of vast improvement. Those principles are the same for every financial institution, regardless of regulator: ensure that you can effectively mitigate risk in a manner commensurate with your institution's size, complexity, and risk profile.

So, what are those basic principles, and do you appropriately exhibit them given your size, complexity, and risk profile? The list below, while not comprehensive, should give you a quick "Top 10" logic check for your governance, risk, and compliance (GRC) basics.

1. Risk Management Policies & Procedures (Tone at the Top)
   a. ERM
   b. Compliance
   c. Vendor Management
   d. Information Security
   e. Internal Controls
   f. Audit
      i. Policies to Include:
         1. Management and/or Senior Executive Approval Date
         2. Board Approval Date
         3. Applicable Laws/Regulations
         4. Areas of Responsibility
            a. Board
            b. Committee
            c. CEO
            d. Head of Risk
            e. Risk Department(s)
            f. Executives
            g. Departments/Staff
            h. Internal Audit
         5. Summary of Risk Management Approach
         6. Purpose of Policy
         7. Risk Management Overview
         8. Risk Management Mission
         9. Risk Management Definitions
         10. Risk Appetite
         11. Risk Categories
         12. Approach to Risk Management
         13. Information and Communication
         14. Monitoring Activities and Correcting Deficiencies
         15. Policy Management/Documentation and Review
      ii. Procedures to Support the Execution of Policies
2. Specific Leader to Oversee All Risk Management Programs
   a. Required Competencies:
      i. Risk identification
      ii. Understands the organization's business
      iii. Respected throughout the organization
      iv. Highly effective communicator
3. Committee(s) and Charter(s)
   a. Charter to Include:
      i. Current Board Approval
      ii. Previous Board Approval
      iii. Purpose
      iv. Charter
      v. Scope of the Committee's Responsibilities
      vi. Composition and Appointment to Committee
      vii. Meetings
      viii. Agenda
      ix. Minutes
      x. Reports
4. Risk Management Framework
   a. Clearly Defined:
      i. Approach to Risk Management (Strategically and Operationally)
      ii. Risk Categories and Definitions
      iii. Qualitative & Quantitative
         1. Likelihood of Risk
         2. Impact of Risk
         3. Control Ratings
         4. Control Effectiveness
         5. Risk Velocity
         6. Risk Vulnerability
         7. Overall Risk Rating
5. Risk Assessments (Before Changes/Decisions Are Made)
   a. Strategic Plans
   b. Business Operations (Departmental Business Processes)
   c. Products/Services
6. Risk Appetite Statement With Thresholds
   a. Clearly Articulated Across All Applicable Risk Categories
7. Key Indicators
   a. Appropriately Updated and Monitored (KRIs and KPIs)
8. Appropriate Reporting to:
   a. Board
   b. Senior Management
   c. Risk Management
   d. Risk Committee(s)
   e. Audit/Supervisory Committee
   f. Employees
9. Appropriate and Continuous Risk Management Training for:
   a. Board
   b. Senior Management
   c. Management
   d. Employees
   e. Volunteers
   f. Internal Audit
10. Third-Party Independent Testing of All Risk Management Functions

While the above is only a quick check of your overall GRC responsibilities, it is a good place to start. Because in the end, ONLY YOU can prevent a regulatory fire!

About the Author:

When not blogging, Bill is consulting with numerous financial institutions and companies across the country, helping them build and shape their risk management programs. He also works with many associations and professional organizations to teach and enhance their ERM curriculum.
