Warren Buffet once said, “It’s good to learn from your mistakes. It’s better to learn from other people’s mistakes.”
This feels particularly appropriate when we look at the recent scandals to emerge from the financial services firm USAA; a company that primarily provides financial services to members and veterans of the U.S. military.
Over the last two years, USAA has been whacked with two compliance fines for failing to (1) comply with anti-money laundering laws and (2) insufficiently manage compliance risks.
Recent interviews with ex-USAA execs insinuate that these fines are just the tip of the iceberg. USAA’s entire culture has come into question, with a whistleblower stating that “the compliance department was basically a rubber stamp for what the business wanted.”
For organizations in highly-regulated sectors like FS and healthcare, the USAA case is a stark reminder of the importance of fostering a security-first, compliance-conscious culture.
Below, we’ll give you a deeper overview of what’s happened at USAA, why compliance can’t be an afterthought and how you can avoid making the same mistakes.
What’s happened at USAA?
In March of this year, The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency handed out fines to USAA of $80 million and $60 million respectively, creating a whopping total of $140 million in financial penalties.
As noted in its announcement about the fines, FinCEN said that “as its customer base and revenue grew in recent years, USAA willfully failed to ensure that its compliance program kept pace, resulting in millions of dollars in suspicious transactions flowing through the U.S. financial system without appropriate reporting.”
The notice went on to state that the bank had “received ample notice and opportunity” to fix its anti-money-laundering controls “but repeatedly failed to do so.”
This refers back to notices from FinCEN and the OCC, warning USAA to make changes to its practices back in 2018.
On top of this, in 2019, the Consumer Financial Protection Bureau fined the company $3.5 million in penalties and $12 million in restitution regarding data protection penalties. According to the penalty notice, USAA failed to stop-payment requests and reopened accounts without customers’ consent
How did so many violations happen at USAA?
The USAA fines have been accompanied by testimonies from several whistleblowers who used to work at the company. From reading their testimonies, we can quite quickly build a picture of the culture at the company, one where compliance with regulations was undervalued.
Here’s how Lenn Ferrer, former director of compliance at USAA and whistleblower put it:
“This has been a catastrophically mismanaged organization. It lost its way. It lost its core values…The compliance department was basically a rubber stamp for what the business wanted. That is not speculation. That is a fact. That is the culture I walked into in 2014.”
Further comments from anonymous executives add more detail to the USAA environment. Often, compliance personnel were asked to sign off documents that weren’t final, while other executives say leadership knowingly flouted regulations.
In part, they say, this is because USAA is a privately held company. While some organizations are subject to public filings and scrutiny, USAA could hide its activity behind a veil.
Moreover, the company appeared to remove any personnel who questioned their unfair practices. Ferrer himself was dismissed after blowing the whistle on the company’s illegal activities and USAA’s compliance department has been through four chief compliance officers in the last four years alone.
Clearly, the troubles within this organization are deeply embedded. There is a real cultural issue where the leadership team doesn’t understand or appreciate the value of abiding by regulations.
How to build a culture of compliance within your organization
Here are four proven ways to improve how your company approaches compliance at every level.
Attain buy-in from your colleagues and executives
Ideally, teams at every level of your business should prioritize compliance in their day to day operations. However, more often than not, cognitive dissonance sets in, meaning that teams make minimal or little effort to follow these practices. That’s why buy-in is so important: you must get your team to fully appreciate the consequences of lax measures.
There are a few ways you can do this. Firstly, consider taking a top-down approach. If you can get your executives to champion cybersecurity and compliance at the board level and mention it in company-wide meetings, your employees will quickly start to take note.
You can also share case studies and news like the USAA fiasco that demonstrate the importance of compliance to a company’s reputation and bottom line.
Lastly, consider creating a dedicated communications channel in Slack or Teams, where it’s easy for your employees to reach out to your security and IT personnel with any compliance questions.
Nudge your users towards a compliance mindset
Too many companies teach compliance through annual away days that rarely have the desired impact. Not only are these sessions often dull, but it’s impossible for your employees to retain lots of hefty information after just one lesson.
By contrast, day-to-day nudges are an excellent way to manipulate people towards better decisions. As your employees work day to day, compliance isn’t always going to be front of mind for them unless you put it front and center. This is where automated feedback loops become essential.
At Polymer, we use in-app nudges that show employees how their actions could result in data security or compliance violations. We make use of end of day reports and alerts within popular apps like Slack and Teams, which show employees the risks they have created and why their behavior was unsafe.
By making users feel directly accountable for compliance and security, we help companies to build a culture of trust and privacy. After all, compliance cannot just fall on a few individuals in one team. It’s up to every member of the organization to be conscious of following regulations.
Celebrate team members that contribute to security and privacy
Celebrating success is a proven way to motivate team performance. Reward those employees who champion security and compliance. For example, you could roll out a bug bounty program, or create clear pathways for team members who show that they excel in cybersecurity.
Another option is to deliver advanced cybersecurity or compliance education to employees that show a keen interest in your cybersecurity position. After all, security and compliance is a hot topic and team members will jump at the opportunity to add formal qualifications to their CVs.
Account for the unpredictability of human nature
Even as your compliance culture blossoms, you need to remember that humans are, well, human and will make mistakes at some point. To counteract the risks of human error, make sure you have solutions in place to catch out any deviation from the rules.
The best solution here is cloud-based data protection. Our solution, for example, becomes your virtual compliance officer. For HIPAA, GBLA, and other regulations, you can enforce DLP policies that capture, redact, and protect PPI and PHI as it travels through Slack and other collaboration tools.
Polymer DLP is changing how security and compliance products are onboarded and used with our next generation Data Governance and Data Loss Protection for 3rd Party SaaS Applications (Slack, Google Drive, Github, Zendesk, Teams). Find out more about our nudge solution now.