BSA Enforcement (USAA) and Privacy in Mergers and Acquisitions
The USAA penalties show how the Bank Secrecy Act (BSA) and anti-money-laundering rules are enforced and by whom. Mergers and acquisitions raise distinct privacy challenges, and a 2024 CCPA amendment requires an acquiring business to honor opt-out requests the consumer made to the seller.
In 2022 the Office of the Comptroller of the Currency (OCC) and FinCEN imposed civil penalties totaling $140 million against USAA Federal Savings Bank for willfully failing to comply with anti-money-laundering and Bank Secrecy Act requirements. The conduct included an inadequate AML program and a failure to file timely Suspicious Activity Reports.
BSA and AML failures are not policed by the FCRA accuracy regulators. In the USAA matter the OCC (the national bank regulator) and FinCEN (the financial-crimes bureau) acted together.
Mergers, acquisitions, and divestitures create privacy challenges: incompatible or outdated security systems, gaps in data mapping, and differing regulatory requirements across jurisdictions. Early due diligence on data is therefore essential before a deal closes.
California amended the CCPA in September 2024 to require a business that acquires personal information as an asset in a merger or acquisition to honor opt-out requests the consumer already made to the transferring business.