USAA Federal Savings Bank has been slapped with a cease-and-desist order by the Office of the Comptroller of the Currency for, among other things, an IT programme not in compliance with information security standards.
In a consent order, which saw USAA neither admit nor deny the OCC's claims, the bank has been ordered to take a host of steps to improve its systems and programmes, but escapes financial penalties.
The OCC says: "The Bank has failed to implement and maintain an effective, comprehensive IT program, and its IT program is not in compliance with the guidelines established" for information security standards.
The order also states that USAA has "failed to implement and maintain" an effective bank-wide risk management programme commensurate with its size, complexity and risk profile. In addition, internal controls and information systems do not meet guidelines, the bank's audit programme is insufficient, and the compliance management system is not effective.
The bank has been given deadlines to develop and implement fixes to the issues raised. It has been told to carry out an IT assessment and provide "a written plan describing the actions necessary for the bank to implement and maintain an effective IT Risk Governance Program".
In a statement, USAA says: "Over the past year, we have created a comprehensive action plan across the enterprise to strengthen our risk, compliance, IT and audit functions."
This is the second time in quick succession that USAA has fallen foul of regulators; in January, the Consumer Financial Protection Bureau told the bank to pay $12 million in restitution to customers for failing to honour requests to stop payments.