OCC Assesses $80 Million Civil Money Penalty Against Capital One

Category: Featured , Data Security , Cyberbytes , The Bottom Line
Author: NXTsoft

WASHINGTON—The Office of the Comptroller of the Currency (OCC) today assessed an $80 million civil money penalty against Capital One, N.A., and Capital One Bank (USA), N.A.

The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner. In taking this action, the OCC positively considered the bank's customer notification and remediation efforts. While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers. The OCC found the noted deficiencies to constitute unsafe or unsound practices and resulted in noncompliance with 12 C.F.R. Part 30, Appendix B, "Interagency Guidelines Establishing Information Security Standards."

The OCC penalty will be paid to the U.S. Treasury.

Read the Consent Order for the Assessment of the Civil Money Penalty

Read the Cease & Desist Order

New call-to-action

As part of the Fed's order, Capital One's board of directors is required to submit a plan within 90 days describing actions to improve its risk management program and internal governance and controls. Some items that it must include are an internal governance framework with "clearly defined operational risk roles and responsibilities," risk testing and validation processes, and measures to ensure proper training of operational risk personnel. Capital One is also required to provide a timeline for improvements to its cybersecurity and data loss protection program. Learn More In This Article: Bank Regulators Crack Down on Capital One After Its Massive Data Breach



August 7, 2020
Share this post on social media