On October 23, the U.S. Department of the Treasury’s Office of the Comptroller of the Currency announced that it had assessed a $100 million civil money penalty against Capital One, N.A., and Capital One Bank (USA), N.A. (collectively “Capital One”) for deficiencies in Capital One’s Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) program. The penalty stems from a 2015 Consent Order between the OCC and Capital One.
The 2015 Consent Order included the OCC’s findings that Capital One (1) had deficiencies in its BSA/AML compliance program and (2) “failed to adopt and implement a compliance program that adequately covers the required BSA/AML program elements due to an inadequate system of internal controls and ineffective independent testing, and the Bank failed to file all necessary Suspicious Activity Reports (‘SARs’) related to suspicious customer activity.” In particular, it found that some of the critical deficiencies in Capital One’s BSA/AML compliance program included:
- Lack of an enterprise-wide BSA/AML risk assessment.
- Systemic deficiencies in the bank’s transaction monitoring systems, risk management, and quality assurance programs for its remote deposit capture services.
- Systemic deficiencies in the bank’s customer due diligence (CDD) processes and failure to have CDD and enhanced due diligence (EDD) policies and processes specific to Correspondent Banking.
- Lack of a process by which BSA/AML control decisions are escalated to Risk Management.
The 2015 Consent Order also required Capital One to submit to the OCC’s Examiner-in-Charge an action plan that contains a complete description of the actions that are necessary and appropriate to achieve compliance with specified Articles in the Consent Order. Those provisions included:
- A comprehensive BSA/AML risk assessment (Article IV);
- Policies and procedures for gathering CDD and EDD information (Article V);
- Policies and procedures to provide for BSA compliance and for the appropriate identification and monitoring of high-risk transactions (Article V)I;
- A management information system assessment (Article VII);
- Appropriate risk-based controls over the usage and monitoring of the Remote Deposit Capture product by money service businesses or other “high-risk” customers (Article VIII);
- An effective program to audit the Bank’s BSA/AML compliance program (Article IX);
- A specialized BSA training program (Article X);
- A written program of policies and procedures to ensure the timely and appropriate review and disposition of suspicious activity alerts, and the timely filing of SARs (Article XI); and
- An action plan to conduct a look-back review of account and transaction activity (Article XII).
It further required the Action Plan to specify timelines for completion of each of those provisions.
The OCC’s 2018 Consent Order, after reciting the key requirements of the 2015 Consent Order, stated that the bank “failed to timely achieve compliance with the 2015 Consent Order (from July 1, 2016 to July 6, 2017) in violation of the Order.” It further stated that after the issuance of the 2015 Consent Order, Capital One “failed to file additional SARs in violation of [federal regulations] and initiated wire transfer transactions which contained inadequate or incomplete information in violation of [federal regulations].” It also acknowledged that Capital One “has undertaken corrective action, and is committed to taking all necessary and appropriate steps to remedy the deficiencies identified by the OCC, and to enhance the Bank’s BSA/AML compliance program.”
Note: The 2018 Consent Order gives little guidance about the extent to which the OCC deemed Capital One to have “failed to achieve timely compliance with the OCC’s 2015 order, as required,” other than the post-2015 Consent Order failure to file additional SARs and initiation of wire transfer transactions containing inadequate or incomplete information. Even so, it takes little reading between the lines to surmise that the OCC had little patience with Capital One’s failure to achieve sufficient BSA/AML compliance after 2015 – the more so because Capital One committed to an action plan with specified deadlines for completion of its key requirements.
That theme — regulatory impatience with regulated financial institutions’ failure to meet previously agreed commitments on key financial-crimes compliance programs — has already manifested itself this year in the Federal Reserve Board’s February 2018 actions vis-à-vis Wells Fargo, and is likely to continue into 2019 and beyond with other leading financial institutions. (Brief disclaimer: I was a Senior Vice President with Wells Fargo, heading Anti-Bribery & Corruption Governance, until July 2018. I had no involvement in the issues that led to the Federal Reserve’s February 2018 actions.)