UNITED SERVICES AUTOMOBILE ASSOCIATION RISK AND COMPLIANCE COMMITTEE OF THE BOARD OF DIRECTORS CHARTER
Last Updated: Aug. 2024
I. SCOPE AND PURPOSE
The Risk and Compliance Committee ("Committee") is established by the Board of Directors ("Board") of United Services Automobile Association ("USAA") and shall have, as its sole and exclusive function, oversight of, and responsibility for holding management accountable for managing risk within USAA, including the establishment and adherence to the USAA Enterprise Risk Management ("ERM") Framework as well as the strategies, policies, and governance practices established by management to identify, assess, measure, and manage risk that will foster an appropriate risk management culture. In executing its responsibilities, the Committee will set clear and consistent direction regarding USAA's risk management strategy and risk appetite. Jointly with the Chief Executive Officer, and in accordance with the provisions below, the Committee has oversight responsibility for the Chief Risk Officer.
II. RESPONSIBILITIES
The Committee shall have the following responsibilities:
A. Enterprise Risk Management Framework and Governance Documents
- Review and approve material changes and oversee operation of the ERM Framework considering (i) applicable regulatory or legal requirements and guidance, (ii) the evolution of industry risk management practices, (iii) USAA's structure, risk profile, complexity, activities, and size, (iv) establishment of a strong risk management culture, and (v) alignment to strategic, capital and liquidity plans.
- Review and approve, as necessary, significant risk management frameworks, policies, and governance practices.
B. Risk Appetite and Risk Profile
- Annually review and approve USAA's risk appetite statement, ensuring alignment to USAA's strategic, capital and liquidity plans.
- Annually review and approve enterprise risk appetite metrics (RAMs), and corresponding risk appetite and triggers associated with those metrics, based on the size and volatility of risks and any material changes in USAA's business model, strategy, risk profile, or market conditions.
- Review and discuss the enterprise risk profile, including but not limited to (i) significant financial and other risk exposures that could adversely affect USAA, members or its employees, (ii) risk trends and concentrations in USAA's portfolios and major risk concentrations, and (iii) the steps management has taken or plans to take to monitor, mitigate or control, and report such risk exposures, trends and concentrations.
- Review and challenge management's assumptions, decisions, and recommendations that could cause USAA's risk profile to exceed its risk appetite or jeopardize the safety and soundness of USAA.
C. Risk Program Oversight
- Oversee USAA's firmwide risk management function, including (i) the strategies, processes and controls pertaining to material risk programs and initiatives; and (ii) the independent risk management function including supporting its stature, authority, and independence. Review and assess the allocation of adequate funding for personnel and other resources for the independent risk management function to execute its responsibilities.
- Annually review and assess the USAA Strategic and Operational Plans relative to Risk Appetite, Risk Profile, and capital and liquidity adequacy.
- Oversee the Credit Risk Review system for enterprise-wide credit risks.
D. Capital Adequacy and Liquidity Risk
Oversee USAA's capital adequacy and liquidity risks. Jointly with the Finance and Audit Committee:
- Review and assess the sufficiency of the capital adequacy management program and appropriateness for USAA's overall size, complexity, and risk profile.
- Annually review and approve the USAA Consolidated Capital Plan and USAA Consolidated Contingency Funding Plan.
- Annually review and approve enterprise-wide capital stress testing results for inclusion in the capital plan, and any remediation or recovery planning efforts which result from such stress testing.
- Annually review enterprise-wide liquidity stress testing results for inclusion in the funding plan, and any remediation or recovery planning efforts which result from such stress testing.
- Oversee efforts to restore capital or liquidity above the risk appetite established through the Enterprise Capital Contingency Plan or Consolidated Contingency Funding Plan.
E. Senior Management Reports
Review and discuss, as appropriate, the following reports from senior management:
- On a quarterly basis, review reporting on the following topics:
a. Capital adequacy and liquidity including (i) current capital levels and risks with consideration of planned capital contributions and distributions, (ii) liquidity risk profile, and (iii) adequacy of liquidity for current and projected enterprise cash flow needs, and for consistency with established risk tolerances.
b. Credit Risk Review.
- On an as needed basis, review reporting on the following topics:
a. The Bank Secrecy Act ("BSA") / Anti-Money Laundering ("AML") program.
b. USAA's blended professional liability insurance program, including coverage for USAA's directors and officers, cyber insurance, and the USAA financial institution bond program.
- On an as needed basis, review reporting on the following topics:
a. Selected risk topics, including, but not limited to, material risks, concentrations and emerging risks.
b. Risk and compliance related issues identified by regulatory authorities or in audit reports, management letters, and other reports and presentations. Discussions on material legal or regulatory matters may include the Chief Legal Officer, or regulators, as appropriate, and at the Committee's discretion report such matters to the Board.
c. Updates on regulatory matters including (i) the schedule and results of significant regulatory examinations and the nature and status of any corrective actions, and (ii) ongoing regulatory projects.
F. Executive Session
Meet with the Chief Risk Officer and such employees of USAA as deemed appropriate by the Committee in a separate executive session as needed to discuss any matters that the Committee or the Chief Risk Officer believes should be discussed privately. Such matters may include, but not be limited to risk or compliance levels, risk and compliance control environment adequacy, compliance by executive management with frameworks, policies, or governance practices, and performance and incentives of executive management relative to risks and USAA's risk appetite.
G. Oversight of Chief Risk Officer
The Chief Risk Officer shall report jointly to the Committee and to the Chief Executive Officer, who shall jointly oversee the Chief Risk Officer including:
- Review and approve the appointment of, and if necessary, replacement, reassignment, or dismissal of, the Chief Risk Officer.
- Review and concur in the performance evaluation and compensation of the Chief Risk Officer and evaluate whether the compensation and other incentives paid to the Chief Risk Officer are consistent with providing an objective assessment of the risks taken by USAA. As part of the performance evaluation, jointly with the Chief Executive Officer, establish and approve nonfinancial performance objectives for the Chief Risk Officer aligned with USAA's risk strategy and tolerance.
H. Corporate Performance
At least annually, review and assess whether USAA's incentive compensation plans and arrangements are consistent with safety and soundness, satisfy regulatory expectations, and do not encourage imprudent risk taking inconsistent with the long-term health of USAA.
I. Committee Performance
- Annually review and assess the Committee's performance and provide the results to the Board.
- Annually review the Committee Charter and recommend any necessary changes for approval by the Board.
- Recommend to the Board, as necessary, investigations into any matters under the Committee's purview.
- The Committee shall perform such other duties as may be delegated to it from time to time by the Board.
- The Committee shall coordinate its work with other committees as it deems appropriate.
- The Committee may delegate its authority to subcommittees, which shall report regularly to the Committee.
III. DURATION
The Committee shall continue in existence until dissolved by the Board.
IV. CHAIR AND VICE CHAIR
The Chair and the Vice Chair of the Committee ("Committee Chair" and "Committee Vice Chair") shall be elected by the Board annually, or as necessary, with due consideration given to nominee(s) recommended by the Nominating and Governance Committee. The Committee Chair shall be an independent director and shall meet the independence requirements as set forth in the Corporate Governance Guidelines. In the event of the death, disability, or other incapacity that prevents the Committee Chair from properly performing his or her duties, the duties of the Committee Chair shall pass to the Committee Vice Chair until a new Committee Chair is elected as provided for herein.
V. COMMITTEE MEMBERSHIP
The Committee shall consist of at least three members. The membership of the Committee shall be through appointment by the Board on consideration of nominee(s) recommended by the Nominating and Governance Committee. The Board shall have the authority to fill any vacancies and to remove any Committee member for any reason. At least one member of the Committee shall have appropriate risk and compliance management expertise, as such qualification is interpreted by the Board in its business judgment considering regulatory guidance and industry best practices. The Committee will be comprised solely of independent directors as set forth in the Corporate Governance Guidelines. Each Committee member will annually execute a "Certification Regarding Qualifications" (the "Certification") prepared by the Chief Legal Office.
Each Committee member shall maintain a working familiarity with relevant operational risk and compliance management principles and practices.
No less than annually, the Board shall assess Committee members' independence and determine if they meet applicable requirements.
VI. OUTSIDE CONSULTANTS
The Committee shall have the sole authority, without further approval by the Board, to select, retain, evaluate the performance of and terminate such outside consultants or counsel as it determines appropriate to assist it in the performance of its functions, or to advise or inform the Committee. The Committee shall be able to approve, without further approval by the Board, any compensation payable by USAA to such consultant, including the fees, terms, and other conditions for the performance of such services.
VII. MEETINGS
The Committee shall meet at such times and shall conduct such business as required to fulfill its responsibilities under this charter, with at least four regular meetings per year. Agendas and materials will be provided to Committee members in advance of any regular meetings. Special meetings may be held as called by the Committee Chair in consultation with the Chairman. A majority of the members of the Committee shall constitute a quorum and the affirmative vote of a majority of the members of the Committee participating in any meeting of the Committee is necessary for the approval of any Committee business. The Committee may also act by unanimous written consent. Meetings by telephonic or video conference call are authorized, and actions taken during such meetings shall have the same force and effect as actions taken in an in-person meeting.
Meetings between the Committee and external regulators will be coordinated by management. The Committee will extend a standing offer to meet with regulators. Any member of the Committee has the right to contact the Chief Risk Officer directly. The Chief Risk Officer has the right to contact the Committee Chair or any member of the Committee, if warranted.
Meetings are to be attended only by members of the Committee, the appointed recorder, designated management, and guests approved by the Committee Chair.
VIII. MINUTES AND REPORTS
The Corporate Secretary, in collaboration with the Committee Chair, shall designate a person to record the proceedings of the Committee's meetings. The records of the Committee meetings shall be confidential and retained in accordance with USAA's records retention schedule.
The Committee Chair may authorize the creation and distribution of reports or position papers as appropriate. The Committee shall make regular reports to the Board regarding its deliberations and actions and shall make recommendations to the Board.
IX. EFFECTIVE DATE
This Charter was approved by the Board on August 22, 2024, to be effective August 31, 2024, and shall govern the operation of the Committee hereafter.