Operational Risk Management Weaknesses Leads to $80 Million Fine

Here’s an $80 million question: ‘What’s in your wallet?’

If you’re Capital One, the answer to the question is $80 million less than there used to be.

Last August Capital One got in trouble when a former Amazon Web Services employee hacked into one of its databases and accessed the data of 100 million Americans and 6 million Canadians, which includes names, addresses, zip codes/postal codes, phone numbers, email addresses, birthdates, income, credit scores, and payment history. The breach went on for three months before the bank was tipped off by an anonymous email.

At the time, Capital One said it expected the breach would cost the bank between $100 and $150 million, including customer notifications, credit monitoring, and legal costs.

Now we know what the civil money penalty will cost: $80 million.

The Office of the Comptroller of the Currency (OCC) came down hard on Capital One in a consent order, blaming the breach on Capital One’s failure to establish effective risk management processes and ignore operational risk management weaknesses. The Fed also joined in with a cease and desist order.

What went wrong? While initial speculation suggested a vendor management flaw since the perpetrator had been an employee of the vendor, it turns out weak risk management is to blame, the OCC says.

How to Avoid Capital One’s Risk Management Mistakes

There’s no excuse for mismanaging operational risk these days. The regulatory agencies have been emphasizing risk management for years, frequently warning that operational risk has been increasing.

Yet Capital One made many basic operational risk management weaknesses at both the board and management level.

Let’s take a look at four things your financial institution can do to avoid making Capital One’s mistakes.

1. Thinking of moving to the cloud? Assess the risks before making the jump. Banking is a look before you leap kind of business, but Capital One broke this cardinal rule, according to the OCC. The company “failed to establish effective risk assessment processes” before moving IT operations to the cloud. Learn more about cloud risk.
2. Don’t forget internal controls. Maybe if Capital One had conducted a risk assessment, they would have thought about controls for mitigating those risks—but they didn’t. The company “failed to establish appropriate risk management” for operating in the cloud. This includes designing and implementing internal controls for network security, data loss prevention, and alerts.
3. Build an effective internal audit operation. Capital One’s internal auditors failed to recognize numerous control weaknesses and gaps. Those they did find were not effectively reported.
4. Make sure the board holds management accountable. When presented with internal audit’s concerns, the board didn’t effectively hold management accountable. The board and management should get along, but the board should also know how to enforce consequences for management failures. The board needs to fulfill its duty.

How Capital One’s Board Will Correct Operational Risk Weaknesses

The Fed’s consent order makes it clear just how Capital One needs to correct its operational risk weaknesses. Capital One’s board has 90 days to develop a written plan for how it will improve oversight of risk management and internal controls.

That includes:

• How the board will ensure management maintains effective risk management and controls.
• How the board will ensure management improves and maintains independent and efficient management of operational risks. That includes having appropriate resources, responsibility, authority, and expertise.
• What kind of operational risk reporting the board will receive and review.
• How risk management will be tracked, escalated, and reviewed by management and the board. 

How Capital One’s Management Will Correct Operational Risk Weaknesses

The Fed gave senior management risk management homework too. It has 90 days to develop a plan to strengthen risk management governance and internal controls with a sustainable governance and internal controls framework.

That includes:

• Operational risk roles and responsibilities are broken down by business line, independent risk, and risk management.
• Testing and validation of operational risk controls.
• Effective training to ensure compliance with policies, procedures, and processes.
• Improved internal controls data and reporting for management and board.
• Better controls including timelines and milestones for improving cybersecurity and data loss prevention.
• Comprehensive risk identification and assessment processes.
• Assigning responsibility for aggregating, escalating, and reporting operational risk.
• Measures to ensure risk management has the necessary resources.
• Effective validation and testing of internal controls.
• Timely resolution of findings.

Reading over the Capital One consent orders, it’s clear that the mistakes made were basic in nature. Anyone with even a passing familiarity with enterprise risk management (ERM) knows the risk management lifecycle requires risk to be identified, assessed, mitigated, and monitored.

Now is the time to evaluate your risk management systems, including how you manage operational risk. Is your ERM program effectively managing all the types of risk your FI faces, including operational, strategic, cloud, compliance, third-party vendor, cybersecurity, credit, and transaction risk, among others?

Related: Creating Reliable Risk Assessments