USAA has been 'actively lying to regulators for years' about legal violations, says whistleblower

For years, senior executives at USAA ignored warnings from compliance staff and consultants about multiple violations of federal banking laws, and "intentionally" concealed the scope of the company's illegal practices from regulators, according to a former USAA compliance officer turned whistleblower.

The $225 million in combined civil penalties USAA has received from the Office of the Comptroller of the Currency (OCC) and the Financial Crimes Enforcement Network (FinCEN) for compliance failures to date—$85 million in 2020 and $140 million in March—could portend more enforcement activity in the future, according to the whistleblower.


"These fines are just the tip of the iceberg," said Lenn Ferrer, who worked as a compliance executive at USAA Federal Savings Bank (USAA Bank), an indirect wholly owned subsidiary of USAA, before informing federal regulators in March 2020. According to documents obtained by Compliance Week, Ferrer was fired the same day by USAA for "creat[ing] a toxic employment atmosphere by engaging in threatening and inappropriate conduct towards coworkers."


He claimed that "they (USAA) have been actively lying to regulators for years."

Ferrer told Compliance Week about his whistleblower complaint, as well as internal communications from his time at USAA and conversations he had with regulators about his claims. USAA was asked a dozen specific questions about Ferrer's allegations, including unreported violations of the Military Lending Act (MLA), internal warnings that went unheeded, and compliance controls deficiencies. Instead of directly answering these questions, USAA issued a single statement.


"We can not comment on a complaint we have not seen," said Roger Wildermuth, USAA's public affairs director. "However, the allegations provided are completely baseless and unfounded. USAA has an open and transparent relationship with our regulators as we address regulatory concerns ."


The OCC and FinCEN are both divisions of the Treasury Department. Ferrer filed a separate whistleblower complaint against USAA with the Consumer Financial Protection Bureau in April (CFPB). The FBI declined to comment on whether or not it is currently investigating USAA.


The allegations are a far cry from USAA's humble beginnings in 1922, when 25 Army officers formed a self-insurance pact to cover each other's vehicles. USAA is a membership-only diversified insurance and financial services powerhouse that offers insurance, banking, and investment products to current and former military members and their families, after establishing its banking arm in 1983. USAA had more than 13 million members and $200 billion in assets at the end of 2020.


For the better part of a century, USAA's commitment to its stated four core values—service, loyalty, honesty, and integrity—has earned it generations of customers and employees who are military-affiliated. USAA remained on Fortune's prestigious list of "World's Most Admired Companies" as recently as this year.


However, while USAA was attempting to maintain a pristine exterior on the outside, major structural fractures on the inside concerning both its culture and lax compliance controls were beginning to buckle, according to several people familiar with the situation.


"Once you pull back the curtain, it’s nothing what you would expect it to be," one former USAA executive who requested anonymity said. "It’s this toxic mess" she says.


After arriving at USAA in January 2014, Ferrer, a former white-collar prosecutor, said it took him only three weeks to "come to the conclusion that the bank was operating well outside the bounds of numerous federal laws."


He described what he saw at the bank as "appalling".  "They are wrapping themselves in the flag [with USAA’s motto], ‘We know what it means to serve,’ and they’re ripping off active-duty military members right and left."


More than 20% of USAA's 36,000 employees have a direct connection to the military, according to the company's 2020 annual report. Ferrer is a decorated war veteran who has served on and off active duty throughout his adult life, including more than two years in combat in Iraq and Afghanistan.


Prior to joining USAA, Ferrer worked for the Federal Deposit Insurance Corporation (FDIC) for four years and had received awards as a senior Navy Judge Advocate General officer and as a tenured assistant US attorney for the Department of Justice's Criminal Division, where he represented cases involving bank and mortgage fraud.


Multiple enforcement agencies have issued consent orders to USAA Bank over the last few years alleging violations of the MLA, the Servicemembers Civil Relief Act (SCRA), and other consumer protection laws dating back to at least 2014.


In 2019, the CFPB issued a consent order to USAA Bank for violating the Electronic Fund Transfer Act (EFTA) and Regulation E. According to the order, USAA "as a matter of policy" failed to promptly initiate error resolution investigations "when consumers notified USAA about suspected errors regarding EFTs that were incorrect, unauthorized, or exceeded the authorization granted by the consumer" prior to 2015.


The Consumer Financial Protection Bureau also discovered that USAA Bank engaged in "unfair acts or practices" prohibited by the Consumer Financial Protection Act by reopening 16,980 previously closed deposit accounts without seeking customers' permission or providing timely notice. USAA stated in its frequently asked questions that it reimbursed impacted members for bank fees. Since then, the company has removed its FAQ page, which can now only be found through a web archive search.


The CFPB's findings were neither admitted nor denied by USAA Bank.


To date, the consent orders only scratch the surface, according to Ferrer. None of them, he claims, address the mortgage fraud committed by USAA Bank.


"Their entire mortgage system was a fraud," Ferrer said in February 2020 in internal USAA communications. "We spent $200 million on a mortgage system that didn’t work."


Ferrer also claimed that USAA was breaking the same mortgage laws that had previously resulted in enforcement actions against other banks. For example, in February 2015, five major banks—including USAA Bank—agreed to pay the Department of Justice a total of $123 million in settlements for nonjudicial foreclosures of servicemembers and their families.


Ferrer told Compliance Week, "USAA was doing this. We actually had a meeting … called ‘the plan to change public record’ in the company calendar because they wanted to scrub from public record cases where USAA had foreclosed on properties illegally ."


USAA did not respond to specific questions about any alleged legal violations.


One critical point underpins all of USAA Bank's alleged violations: it is not a typical consumer-serving bank.


"You cannot be a member of USAA unless you have a military nexus," Ferrer emphasized. "They’re violating the very statutes that are designed specifically to protect military members, a protected class."


The SCRA's goal is to "enable [servicemembers] to devote their entire energy to defense needs of the nation," according to the law. The Servicemembers Civil Relief Act (SCRA) was enacted in 2003 and prohibits lenders from engaging in a wide range of practices that jeopardize servicemember protections, such as issuing default judgments and nonjudicial foreclosures, evicting active-duty military members, and repossessing their vehicles.


Similarly, the Military Lending Act (MLA), enacted in 2006 and implemented by the Department of Defense, is intended to protect active duty servicemembers and their dependents from predatory lending practices.


In a 2019 performance evaluation, the OCC discovered evidence of 546 SCRA violations and 54 MLA violations at USAA Bank. Ferrer told the OCC seven months earlier that a consulting firm commissioned by the bank discovered an estimated 400,000 violations of the MLA as part of an OCC-mandated lookback, which resulted in the regulator's $85 million action against the bank in October 2020.


"If anybody should know what MLA means and how to comply with it, it should be USAA," Ferrer said.


Ferrer claimed in a letter to the OCC's Midsize Bank Supervision headquarters that he informed USAA executives on two separate occasions of what he described as "predatory and potentially criminal practices against members of the military" being perpetrated by USAA Bank, citing "numerous violations of law."


Ferrer stated that he first expressed his concerns during a USAA Bank compliance department internal group meeting in 2014. He said, "I was verbally berated for having had the audacity to have made this statement."


He said he drafted a letter to then-Chairman Lester Lyles and then-Chief Executive Officer Stuart Parker after being recalled to active duty in October 2014, expressing concerns about "what I then believed to be the ongoing commission of criminal activity."


"They didn’t have an investigator contact me. They did nothing and allowed the illegal conduct to continue ," Ferrer said.


Parker remained silent. Lyles did not respond to messages seeking comment.


The OCC, USAA's primary regulator, issued the bank a consent order in January 2019, accusing the bank of engaging in "unsafe or unsound banking practices, including those relating to the bank’s compliance management system, risk governance framework, and information technology (IT) program."


According to a former OCC national bank examiner familiar with the matter who asked not to be identified, the consent order was likely prompted by a change of guard at the regulator and/or the fact that USAA had previously received several warnings.


USAA Bank "failed to implement and maintain an effective bank-wide risk management program commensurate with the bank’s size, complexity, and risk profile," according to the OCC's consent order. According to iBanknet data, the bank's customer base and total asset size were both growing at the time, reaching $117.4 billion in January 2022.


Ferrer claimed that the consent order only presented a diluted version of the truth. He said USAA's IT risk governance program was "so poorly resourced" that it was still using spreadsheets to detect legal violations. He claimed the bank had "complete and total lack of any IT system normally and routinely found in use for compliance and risk purposes at other banks of like size and complexity."


At the time, the bank had about 20 compliance personnel "at most," when it should have had about ten times that, he said. Instead of hiring compliance personnel, USAA executives hired third-party contractors who were already familiar with the process.


"They were physically in the bank. They were sitting in cubes right next to us ," Ferrer explained.


For years, USAA enlisted the help of a number of major consulting firms, including Treliant, KPMG, PwC, and Protiviti. "All the heavy lifting, the deep dive compilations of raw data to uncover all the violations of law," said Ferrer, referring to the contractors. "We spent more on consultants than actual bank compliance personnel."


Protiviti, PwC, and KPMG all declined to comment. Treliant has yet to respond to a request for comment.


Ferrer claimed that these practices were done on purpose so that USAA could hide its legal violations from the OCC. Meanwhile, he claimed that USAA executives "intentionally turned a blind eye" to all of the federal and state banking laws they were breaking.


FinCEN and the OCC fined USAA Bank $140 million in March as part of two separate consent orders for violations of the Bank Secrecy Act and anti-money laundering laws. FinCEN's findings of "willful" violations were accepted by USAA Bank.


The bank's compliance department was "significantly understaffed," according to FinCEN's consent order, and it "relied on third-party contractors to augment staffing levels."


Furthermore, the bank in 2018 "determined that it needed 178 permanent, full-time positions to fully staff its compliance functions," but there were still 62 vacant positions as of 2021, according to public records. According to FinCEN's consent order, the bank "supplemented approximately 76 percent of its compliance staffing needs with third-party contractors," who were neither properly trained nor "possessed satisfactory qualifications and expertise."


FinCEN's finding that USAA Bank committed "willful" violations is a "paradigm shift" for regulators, according to Ferrer, because it means USAA will no longer be given the benefit of the doubt.


"I believe we’re now going to see a pattern of admissions of ‘willful’ violations," Ferrer predicted.

By fLEXI tEAM