OCC FINES CAPITAL ONE $100 MILLION ON LAX AML PROGRAM, OVERSIGHT OF CORRESPONDENT PORTALS, RDC, SARS

The federal regulator of the nation’s largest and most complex banks Tuesday penalized a household name credit card company $100 million for failing to adequately correct a host of deficiencies cited in a prior enforcement action centered around the oversight of correspondent accounts, remote deposit capture facilities and not reporting instances of aberrant activity.

The penalty against Capital One is a rare foray for the U.S. Treasury’s Office of the Comptroller of the Currency (OCC) against a company known primarily for its credit card operations, with the well-known slogan, “What’s in your wallet,” though this action levels the bulk of criticism for Capital One Bank.

The bank suffered “systemic deficiencies” across all prongs of its anti-money laundering (AML) program, including properly risk ranking individuals and companies at account opening, in some cases failing to realize certain entities required a deeper due diligence dive, leading to gaps in transaction monitoring when out-of-scope activities arose.

Compounding the problem is that even when compliance staffers captured precise customer details and the transaction system properly produced alerts for review, Capital One lacked the individual expertise and accumulated AML acumen to correctly decide and dispose of alerts, leading to suspicious activity not being escalated to higher-level risk reviews.

In tandem, the high-profile figure further echoes issues highlighted as fincrime focal points in prior federal AML skirmishes, including correspondent banking, the accuracy, depth and timeliness of risk assessments, transaction monitoring tangles and related decision-making and missed suspicious activity reports (SARs).

At the same time, the OCC action continues a trend of federal and state regulators levying hefty fines after they felt prior non-monetary enforcement actions were not taken seriously enough. In this case, examiners brought the bulk of the AML issues to Capital One’s attention in a prescriptive, 31-page July 2015 consent order. To read the full actions, click here.

In recent enforcement orders and actions, U.S. regulators, including the Financial Crimes Enforcement Network (FinCEN) and even law enforcement agencies are giving extra scrutiny to domestic and international financial institutions that can act as gateways giving easy entry into the financial system for regions considered to be at a higher risk for money laundering, terror financing or moving corruption-tinged assets.

As a point of context, the Capital One sanction is a departure from recent federal and state regulatory fines and censures, with these agencies in the past few months focusing their wrath chiefly against the domestic connections of large foreign banks in Asia, the Middle East and Eastern Europe with threadbare AML programs.

No doubt on the radar of U.S. authorities in these scenarios: nested sub-entities coming in through a foreign correspondent connection that U.S. respondent banks wouldn’t be able to see and, correspondingly, to risk rank, track or report on in the case of buried illicit fiscal subterfuge.

Frontend, backend, backstop failures

Capital One “failed to adopt and implement a compliance program that adequately covered the required BSA/AML program elements due to an inadequate system of internal controls and ineffective independent testing,” with the overall result being missed SARs, a vital resource for all manner of agencies investigating complex financial crimes.

In the latest action, the OCC highlighted a familiar refrain of AML deficiencies, many of which trailed over from the 2015 action, including:

  • Lack of an enterprise-wide AML risk assessment.
  • Systemic deficiencies in Capital One Bank’s transaction monitoring systems, risk management, and quality assurance programs for its remote deposit capture services.
  • Systemic deficiencies in its customer due diligence processes.
  • Failing to have customer due diligence (CDD) and enhanced due diligence (EDD) policies and processes specific to Correspondent Banking.
  • Lack of adequate processes for AML decisions related to alert disposition, escalation and what was done by upper level risk management officers.
  • Failing to identify significant volumes of suspicious activity and file required SARs

The 2015 order requires Capital One to tackle risk “holistically” and not just through the lens of individual lines of business, and compare those findings – weaving in things like the risk of the business, region of the world, products and sums involved – and calibrate where mitigating AML controls are not in line with tabulated risk exposure.

These processes also can’t happen in a vacuum, but must also factor in sanctions exposure related to the U.S. Treasury’s Office of Foreign Assets Control (OFAC), which manages lists of individuals, companies and countries that are off limits for U.S. and many international banks.

These risk assessments are also, according to the OCC, not a one-time exercise.

The regulator exhorted Capital One to not less risk languish unexamined for too long, noting that bank-wide assessments should be updated annually, or sooner, for entities judged to be on the higher end of the risk spectrum.

Board not feted, but feet to fire

While AML and sanctions penalties into the millions, hundreds of millions and even billions of dollars have become commonplace over the past decade, their pace in recent years has slowed and overall figures rarely hit their prior stratospheric pinnacles.

But what does mark this latest OCC action as significant is its focus on getting the bank’s senior executives and, in particular, its board of directions to be more accountable and attentive this time around to shepherd this latest AML remediation and ensure compliance improvement goals and milestones get met.

The OCC is requiring more than a dozen signatures from board members with names and dates.

In many prior actions, federal regulators simply called for stronger board involvement and oversight, but didn’t add the additional specter of individual liability by naming individuals and requiring their John Hancock – a taciturn tactic attempted unsuccessfully in the 2015 order.