Bloomberg Law Analysis

ANALYSIS: Capital One Case Teaches Old and New AML Lessons

Jan. 29, 2021, 5:49 PM

The Capital One anti-money laundering (AML) enforcement action that concluded in January does for AML enforcement actions what Martin Scorsese’s “The Irishman” did for gangster movies: cover most of its field’s major story lines of the past and present in a massive production packed with familiar names.

With one of the country’s best-known banks receiving a $390 million penalty for AML failures in 2008–2014 that involved old-fashioned check cashing—and even featuring the Genovese crime family in a prominent role—the Capital One enforcement action is a blockbuster with rather old-school marquee features. At the same time, it is clearly forward-looking, citing failures to comply with customer due diligence requirements that are a hot topic now, and conveying a significant lesson for financial institutions entering the financial technology sector.

Capital One, Part Two (or Three?)

The Capital One settlement, like many Hollywood productions and a few major AML enforcement actions, is a sequel. It is either the second or third in its series, depending on how you look at it.

In October 2018, the Office of the Comptroller of the Currency (OCC) imposed a $100 million penalty—the year’s largest civil monetary penalty in an AML enforcement action—on Capital One. The OCC cited AML program and suspicious activity report (SAR) filing failures that were the subject of a 2015 consent order.

In August 2020, the OCC imposed an $80 million penalty on Capital One for failures to establish effective risk assessment processes prior to migrating its information technology operations to a cloud operating environment in 2015, resulting in failure to comply with 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards.” Remedial actions were specified in a simultaneous Consent Order between the OCC and Capital One.

On Jan. 15, the Financial Crimes Enforcement Network (FinCEN) assessed a far larger $390 million penalty on Capital One for AML compliance failures in 2008–2014, citing issues that the OCC did not mention in its 2018 AML enforcement action. FinCEN acknowledged the connection between the two AML enforcement actions by crediting the OCC’s $100 million penalty toward its $390 million penalty.

The Old Themes

The AML compliance failures cited by FinCEN were quite old, occurring from 2008 through 2014, and they involved long-established business activity and AML requirements that rarely showed up in recent years’ AML enforcement actions.

The Capital One business unit involved in the bank’s AML violations was the Check Cashing Group, which provided banking services to a customer base of check-cashing businesses. Its services and customer base did not present novel issues to complicate AML compliance.

The AML compliance failures that FinCEN cited were elementary: inadequate AML policies and procedures, failures to file SARs, and failures to file currency transaction reports (CTRs). The failures to file CTRs are especially revealing, because they were large in scale—50,000 reportable cash transactions totaling more than $16 billion in cash—and involved a relatively simple filing requirement compared to SARs. For the past decade, CTR filing failures have rarely been an element of AML enforcement actions, except those against small financial institutions with limited resources for AML compliance.

The New Themes

Capital One’s AML compliance failures may have been throwbacks, but FinCEN’s treatment of these issues is far from backward-looking. It conveys significant warnings on two currently significant AML issues that each could become the basis for further enforcement actions if financial institutions fail to pay sufficient attention to them.

Customer due diligence. FinCEN’s assessment emphasized the significance of customer due diligence (CDD) deficiencies to Capital One’s AML compliance violations. In a lengthy discussion almost two full pages in length, FinCEN described the importance of CDD to an AML compliance program and the deficiencies that it found in the customer risk-scoring system that Capital One used in 2008–2014. CDD deficiencies contributed to Capital One’s cited failures to file SARs on transactions by high-risk customers, including a check casher who was a member of the Genovese crime family and pleaded guilty to conspiring to commit money laundering in 2019.

FinCEN emphasized CDD even though it was not a formal AML program requirement until 2016 and compliance with the CDD rule was not required until 2018, years after the conduct cited in the Capital One enforcement action.

By doing so, FinCEN has sent financial institutions a reminder of the importance of CDD going forward and provided an example of deficient CDD in practice.

Merger, acquisition, and partnership risks. AML risks in mergers, acquisitions and partnerships are another key lesson of this enforcement action. Capital One created its Check Cashing Group after its 2005–2006 acquisition of smaller regional banks that had customer bases of check-cashing businesses and AML program deficiencies identified by regulators. Internally, Capital One recognized the risks of these banks’ inadequate AML programs, and it committed resources to addressing the deficiencies identified by regulators. But its response was inadequate to address the money laundering risks associated with the newly created Check Cashing Group.

Any financial institution contemplating a merger, acquisition, or partnership with another business—including with a fintech company—should recognize this lesson from FinCEN.

A Shift in FinCEN’s Enforcement Strategy for 2021?

In addition to addressing a mix of old and new issues, FinCEN’s enforcement action against Capital One may be signaling a shift in its enforcement strategy. Since 2018, FinCEN has concluded far fewer enforcement actions than in previous years and delegated AML enforcement actions to the primary regulators of financial institutions. FinCEN concluded only three enforcement actions in 2019–2020, none of them against a bank. Two were against virtual currency businesses with no primary regulator, and one was against the chief compliance officer of the last bank penalized by FinCEN in 2018.

Imposing a large penalty on a bank already penalized by its primary regulator may indicate that FinCEN enforcement is on a comeback trail (not to be confused with “The Comeback Trail,” a Robert De Niro mob/Hollywood financial crime film due for release in 2021). Events in 2021 will reveal whether the Capital One enforcement action is a one-off event or the start of a new trend in AML enforcement.

Bloomberg Law subscribers can find related content on our AML Compliance resource.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.

To read more articles log in. To learn more about a subscription click here.