3 Compliance Lessons from Capital One’s $390M BSA/AML Fine

What happens when you mix a high-risk business unit with insufficient controls? In the case of Capital One Bank, the answer is a $390 million civil money penalty from The Financial Crimes Enforcement Network (FinCEN).

Our story begins in 2009 when the Virginia-based bank acquired two banks with 90 to 150 check cashing business customers. Capital One established a Check Cashing Group to provide banking services, including check processing.

It’s no secret that banking check cashers present a variety of compliance risks, especially when it comes to the Bank Secrecy Act (BSA) and anti-money laundering (AML). The law and consequences of violating it are clear--$25,000 per violation and a separate violation for each day the violation continues.

Related: How to Build a Strong Fair Lending & Redlining Compliance Management System

Meanwhile, the Office of the Comptroller of the Currency (OCC) had warned Capital One of the risks associated with banking its Check Cashing Group. Internally, the bank recognized it had “residual AML risk attributable to inadequate AML internal controls.”

From 2009 to 2014 FinCEN found Capital One didn’t implement and maintain an effective AML program. It didn’t file timely and accurately Suspicious Activity Reports (SARs) for millions of dollars in transactions, allowing organizations related to organized crime, tax evasion, fraud to launder money into the U.S. financial system. It also didn’t file currency transaction reports (CTRs).

Capital One had hired BSA/AML officers to build a program, including policies, procedures, and controls, but FinCEN found they were inadequately, inconsistently, and inefficiently implemented. The enforcement action also mentions “technical failures” and being too quick to believe “dubious explanations” such as check cashers explaining away large transactions as them “aggressively looking to manage down excess currency.”

This happened even though Capital One was aware of the risks, knew of criminal charges against some of the customers, and its own internal assessments ranked most check cashing customers among the top 100 highest-risk customers for money laundering. 

Ultimately, close to 50,000 transactions worth over $16 billion weren’t reported.

“Capital One willfully disregarded its obligations under the law in a high-risk business unit,” said FinCEN’s Director Kenneth A. Blanco

Missing major red flags

The FinCEN enforcement action focuses on one customer in particular: a check cashing company president that was also a member of an organized crime family. The customer eventually plead guilty in May 2019 of conspiring to commit money laundering in connection to loan sharking and illegal gambling proceeds—with funds that flowed through Capital One.

In 2010 an AML analyst raised questions about the customer’s transactions, but no action was taken—even though he was listed among the customer with the highest-risk for money laundering. Capital One also let transactions continue even after the Florida’s Workers Compensation Fraud task force seized approximately $1 million from the customer’s check cashing business accounts and in 2013 when he was arrested for a large check-cashing scheme to avoid paying workers’ compensation coverage. There were also warning signs of check kiting.

FinCEN noted a similar oversight when the owner of one check cashing group was indicted for falsifying business records, concealing structured transactions, and either falsifying or failing to file CTRs. The owner of another check cashing business also continued to be banked without CTRs after a similar indictment.

Lessons Learned

1. Be careful who you acquire. In both 2006 and 2008, Capitol One acquired banks with regulator-noted deficiencies in their AML programs. This included weaknesses in transaction monitoring, SARs, and CTR filing.
   
   When acquiring an institution, make sure you’re aware of all compliance weaknesses—and have a plan in place to correct them. The acquired institution’s weaknesses become your weaknesses until you correct them.
   
   
2. Higher-risk activities require more resources and oversight. High-risk activities require more scrutiny and attention. That’s one of the reasons they are labeled high risk.
   
   Though Capital One voluntarily decided to leave the check cashing business in 2013, it tripled the budget and staffing of its AML program since 2013. It also brought in new leadership. If Capital One had invested in the compliance resources it needed from the beginning, it could have avoided the fine. At least its other areas should be in a better position to mitigate BSA/AML risk.
   
   
3. Take corrective action promptly. In 2015, the OCC issued a consent order against Capital One after an exam uncovered these same deficiencies in the bank’s BSA program. It later fined Capital One $100 million in 2018 for failing to correct the deficiencies within the required time.
   
   While Capital One has since improved its program—a reason FinCEN didn’t fine the bank as much as it could have—it could have saved even more money by fixing the problem promptly after the OCC discovered it (or before).
   
   
4. Don’t ignore public information. Semi-annual high-risk customers reviews should have caught any negative news about a customer. The criminal activities of some of these customers were no secret.
   
   Whether you have a high-risk customer or a high-risk vendor, make sure you are proactively monitoring news to ensure that risk ratings remain accurate. An increase in risk may mean more controls or needed—or that the relationship might need to end.

Are your policies and procedures strong enough to protect your institution from compliance risk? Reach out to our team to know more about our products and services to help you mitigate risks. 

Learn more from our on-demand webinar, Policies as a Power Tool: Creating Policies that Get the Job Done.