Capital One hit with $80 million civil money penalty over 2019 data breach

August 6, 2020 OCC, The Fed 0

A 2019 data breach affecting the personal information of more than 100 million credit card customers and credit card applicants of Capital One has yielded an $80 million civil money penalty for the bank and cease-and-desist orders against both the bank and its holding company, federal regulators said Thursday.

The Federal Reserve entered into a consent cease-and-desist order with the holding company, Capital One Financial Corporation of McLean, Va., that requires the firm to enhance its risk-management program and related governance and controls, specifically around cybersecurity and information security. Meanwhile, Capital One N.A. and Capital One Bank N.A. (USA) – referred to together as the “Bank” – have signed a C&D order with the Office of the Comptroller of the Currency (OCC) and agreed to pay an $80 million CMP.

The OCC, in its orders, stated that in or around 2015, the bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment. It said the bank also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

The orders also cite failures in the bank’s internal audit to identify control weaknesses and gaps in the cloud operating environment and the institution board’s failure to take effective actions to hold management accountable for the issues that the audit did raise.

“By reason of the foregoing conduct, the Bank was in noncompliance with 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards,” and engaged in unsafe or unsound practices that were part of a pattern of misconduct,” the OCC said in the CMP order. It said the bank has begun to address the issues raised.

The OCC said in taking action, it “positively considered the bank’s customer notification and remediation efforts,” it said in a release.

Federal Reserve Board issues enforcement action with Capital One Financial Corporation

OCC Assesses $80 Million Civil Money Penalty Against Capital One

WA bank fined $500k over FTC Act, RESPA violations

April 26, 2024 0

A bank that the federal bank deposit insurer said violated Federal Trade Commission (FTC) Act and Real Estate Settlement Procedures Act (RESPA) rules was assessed a $500,000 civil money penalty (CMP) in March, the Federal Deposit Insurance Corp. (FDIC) said [...]
Five new members of community banking advisory panel named; will join May 2 meeting

April 26, 2024 0

Five new members of the community banking advisory committee to the federal bank deposit insurance agency were named Friday by the organization, which also said the group will attend its first meeting May 2. The Federal Deposit Insurance Corp. (FDIC) [...]
Competing proposals to change rules on Bank Control Act withdrawn after neither can win majority of FDIC Board votes

April 25, 2024 0

Neither of two competing proposals for changes to the federal bank deposit insurer’s rules implementing the Bank Control Act (BCA) were adopted Thursday by the agency’s board after sponsors of the two proposals withdrew them, largely after it became apparent [...]
FDIC: Deposit Insurance Fund on track to reach statutory minimum before deadline

April 25, 2024 0

The federal bank deposit insurer’s Deposit Insurance Fund (DIF) reserve ratio grew from 1.11% June 2023 to 1.15% in December and remains on track to return to its statutory minimum of 1.35% before its statutory deadline of Sept. 30, 2028, [...]
CFPB’s consumer panel to meet May 15

April 25, 2024 0

A public meeting of the Consumer Advisory Board (CAB) of the federal consumer financial protection agency is slated for May 15 from 10:30 a.m. to 1 p.m. Eastern. CAB is charged with advising and consulting with the Consumer Financial Protection [...]

Related