By Bruce Sussman
Wed | Feb 20, 2019 | 6:38 AM PST

Chances are you've seen the bank's ads on TV, with smiling military families saying they are "USAA members for life." 

But behind the scenes, bank leadership may be frowning, because the federal government says the Fortune 500 financial services company, with $2.4 billion in profits, is failing at risk management. 

The details are revealed in a "Cease and Desist" order by the U.S. Treasury Department's Office of the Comptroller of the Currency (OCC):

"... a Notice of Charges, for engaging in unsafe or unsound banking practices, including those relating to the Bank's compliance management system, risk governance framework, and information technology program."

The Comptroller and USAA entered into an agreement that specifies what the bank must do in the first quarter of 2019 and beyond. 

We won't break down the whole thing, but of particular interest to our SecureWorld regional cybersecurity conference leaders will be how USAA Federal Savings Bank is now being required to fix its IT risk management and IT security.

11 ways USAA is ordered to reduce IT risk in 2019

USAA must "submit a written plan describing the actions necessary for the Bank to implement and maintain an effective IT Risk Governance Program," by doing or creating the following:

  1. An effective IT risk governance framework that establishes the roles, responsibilities, and accountability of front-line units and independent risk management
  2. A program to develop, attract, and retain talent and maintain appropriate staffing levels to fulfill respective roles in the Bank’s IT program
  3. A program and methodology adhered to by front-line units to assess, measure, and limit IT risks and concerns on an ongoing basis commensurate with the risk profile and risk appetite of the Bank
  4. A program and methodology to assess, measure, aggregate, and limit IT risks and concerns on an ongoing basis commensurate with the risk profile and risk appetite of the Bank applicable to each of the three lines of defense, namely front-line units, independent risk management, and internal audit
  5. An effective enterprise architecture
  6. An information security program that complies with the requirements set forth in 12 C.F.R. Part 30, Appendix B [Note: these are Interagency Guidelines Establishing Information Security Standards for the banking industry]
  7. Controls to ensure adherence to policies, procedures, and processes
  8. IT risk appetite metrics and limits
  9. IT risk reporting and information systems
  10. Procedures for reporting and escalating significant IT risks and concerns and remediation activities to senior management and the Board
  11. A comprehensive training program for front-line units, independent risk management, and internal audit personnel

The Notice of Charges also calls out USAA for a lack of third-party risk management, and there is much more in the document, which runs 21 pages.

You can read the Federal Government action against USAA Federal Savings Bank for yourself.
