The Office of the Comptroller of the Currency Assesses $80 Million Civil Money Penalty Against Capital One

The Office of the Comptroller (OCC) has issued an $80 million civil penalty against Capital One, N.A., and Capital One Bank (USA), N.A. and mandated them to strengthen their compliance programme by appointing a compliance committee and developing comprehensive action plan to comply with the order. This decision is the result of failing to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner. In taking this action, the OCC positively considered the bank's customer notification and remediation efforts. The OCC stated: "While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers."

A reminder, on July 19, 2019, the Bank has determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products. Capital One press release on the breach is available here.

The OCC based its decision on the following:

1) In or around 2015, the Bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment. The Bank also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls,adequate data loss prevention controls, and effective dispositioning of alerts;

2) The Bank’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment. Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the Audit Committee;

3) For certain concerns raised by internal audit, the Board failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses;

4) By reason of the foregoing conduct, the Bank was in non compliance with 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards,” and engaged in unsafe or unsound practices that were part of a pattern of misconduct;

5) The Bank has begun addressing the identified corrective action and has committed to providing resources to remedy the deficiencies.

In addition to the monetary fine, the Board of Directors (Board) shall appoint a Compliance Committee of at least three members. This Committee shall submit to the Board, a report detailing the progress of the compliance with the OCC order within 45 days after the end of each quarter. The Bank will have to develop a written action plan to comply with the OCC’s Order. Some of the elements which will have to be in the plan are: actions which will be taken to achieve compliance with the order along with timelines and a person responsible for their completion. The Bank should develop and submit to the OCC for the review the risk assessment of its cloud and legacy technology operating environments, along with the plan to improve independent risk management of the cloud operating environment and enhance internal control testing and validation plan. The enhanced internal audit plan will require the Bank to reassess its cyber and technology risk framework, incorporate lessons learned from the data breach, assess audit staff expertise and training needs and take additional actions ordered by the OCC. More information about the imposed actions can be found in the Consent Order available  here.

Read the press release here.

Photo by Tingey Injury Law Firm on Unsplash.