On August 6, 2020, the US Office of the Comptroller of the Currency (OCC) announced an $80 million civil penalty against Virginia-based Capital One, N.A., and Capital One Bank (USA), N.A. The fine was part of a settlement that the OCC reached with Capital One based on the OCC’s findings that the bank failed to implement effective risk assessment processes before it transferred a major portion of its information technology operation to a public cloud environment, and failed to establish appropriate risk management for that cloud operating environment.
The OCC found that Capital One transferred its information technology operations to the cloud environment in or around 2015, but failed to implement effective network security controls, adequate data loss prevention controls, and an effective alert system. The OCC also found that an internal audit by Capital One failed to identify and report deficiencies in its cloud environment to its Audit Committee, and that Capital One’s Board of Directors failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses. The OCC ultimately determined that Capital One failed to comply with 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards,” and engaged in “unsafe or unsound practices that were part of a pattern of misconduct.”
Pursuant to the Consent Orders, Capital One is required to appoint a Compliance Committee that will submit periodic updates to OCC regarding its efforts to address the identified deficiencies. The bank must also develop a written “Comprehensive Action Plan” within 60 days of the effective date of the Orders detailing the remedial actions necessary to achieve compliance, and submit several risk assessment, audit, and oversight management reports to the OCC within 90 days that detail its plans to improve its cloud operation security program.
Capital One has already begun taking measures to correct the deficiencies, according to the Consent Orders. The OCC also expressed in its public statement that it “positively considered the bank’s customer notification and remediation efforts” when assessing the $80 million penalty.
The settlement follows a 2019 cyber incident that, according to Capital One, affected 100 million customers in the US and 6 million in Canada when a lone hacker gained access to personal information in credit card applications submitted to the bank between 2005 and 2019. The hacker was apprehended, and according to Capital One, the data was recovered by the FBI with no evidence that it was shared or used in a fraudulent manner.
OCC Press Release | Consent Order – Fine | Consent Order – Cease and Desist | Capital One Press Statement (2019)