Capital One’s $390,000,000 BSA/AML Penalty – Are We Asking the Right Questions?

Supervision [of banks] happens behind closed doors. It relies upon secrecy and involves a system of discretionary actions by supervisory staff. This zone of secrecy is traditionally justified for the sake of financial stability and bank safety and soundness. There has long been an uneasy truce between the transparency and accountability required by the rule of law and the secrecy and discretion of supervision. That uneasy truce has become untenable.[1]

I was reminded of this statement by the brilliant banking attorney Meg Tahyar as I read that the OCC (and other federal financial regulators) had finalized a proposed rule that clarified the role of supervisory guidance, notably that agencies do not take enforcement actions based on supervisory guidance.[2] And this final rule on enforcement actions came just a few days after FinCEN – the primary anti-money laundering regulator – imposed a $390,000,000 penalty against Capital One for BSA violations that occurred from 2008 to 2014.

But wait: hadn’t Capital One already been fined by the OCC, its primary banking regulator, in 2018 for BSA violations that occurred during this same 2008-2014 period? Perhaps not. So what happened? Does the zone of secrecy and closed door of bank supervision allow us to determine what happened? Let’s take a look.

“Capital One Fined $390M For Violating Bank Secrecy Act”. “FinCEN Hits Capital One For $390 Million; Says Bank Violated Bank Secrecy Act”. “FinCEN Fines Capital One $390M Over AML Violations”.

These were just some of the headlines on January 15, 2021, when the Financial Crimes Enforcement Network, or FinCEN, the branch of the Treasury Department that is responsible for regulating and enforcing the anti-money laundering laws and regulations, did, in fact, fine Capital One, NA $390,000,000 for “both willful and negligent violations of the Bank Secrecy Act (BSA) and its implementing regulations” (quoting FinCEN’s press release, “FinCEN Announces $390,000,000 Enforcement Action Against Capital One, National Association for Violations of the Bank Secrecy Act”, at FinCEN.gov). That press release spawned articles in the mainstream media, social media, within the BSA/AML community on LinkedIn, and in the banking trade publications. Everyone was focused on (1) what Capital One did or didn’t do over the seven-year period (2008-2014) of its “egregious” failures, and (2) the staggering amount of the penalty. No one that I read was asking “where was Capital One’s regulator this whole time, and why did it take FinCEN so long to bring its action?”

But I’m asking. And after looking at what is in the public realm – what is not behind the zone of secrecy – I don’t have any answers. Let’s take a look.

FinCEN’s January 2021 Enforcement Action Against Capital One

The FinCEN press release continues with a good summary of what Capital One did, or didn’t do, to merit a fine. Warning: this is a lengthy press release! And I have highlighted some words and phrases that I’ll focus on later …

Specifically, FinCEN determined and Capital One admitted to willfully failing to implement and maintain an effective Anti-Money Laundering (AML) program to guard against money laundering.  Capital One also admitted that it willfully failed to file thousands of suspicious activity reports (SARs), and negligently failed to file thousands of Currency Transaction Reports (CTRs), with respect to a particular business unit known as the Check Cashing Group.  The violations occurred from at least 2008 through 2014, and caused millions of dollars in suspicious transactions to go unreported in a timely and accurate manner, including proceeds connected to organized crime, tax evasion, fraud, and other financial crimes laundered through the bank into the U.S. financial system.  As stated in the Assessment of Civil Money Penalty, Capital One admitted to the facts set forth by FinCEN and acknowledged that its conduct violated the BSA and regulations codified at 31 C.F.R. Chapter X.

“The failures outlined in this enforcement action are egregious,” said FinCEN’s Director Kenneth A. Blanco.  “Capital One willfully disregarded its obligations under the law in a high-risk business unit.  Information received from financial institutions through the Bank Secrecy Act plays a critical role in protecting our national security, and depriving law enforcement of this information puts our nation and our people at risk.  Capital One’s failures did just that. Capital One’s egregious failures allowed known criminals to use and abuse our nation’s financial system unchecked, fostering criminal activity and allowing it to continue and flourish at the expense of victims and other citizens.  These kinds of failures by financial institutions, regardless of their size and believed influence, will not be tolerated.  Today’s action should serve as a reminder to other financial institutions that FinCEN is committed to protecting our national security and the American people from harm and we will bring appropriate enforcement actions where we identify violations.”

As outlined in the Assessment, in 2008, after Capital One acquired several other regional banks, Capital One established the Check Cashing Group as a business unit within its commercial bank.  The group was comprised of between approximately 90 and 150 check cashers in the New York- and New Jersey-area.  Capital One provided banking services to the Check Cashing Group, including providing armored car cash shipments and processing checks deposited by Check Cashing Group customers.  During the course of establishing the Check Cashing Group and banking these customers, Capital One was aware of several compliance and money laundering risks associated with banking this particular group, including warnings by regulators, criminal charges against some of the customers, and internal assessments that ranked most of the customers in the top 100 of the bank’s highest risk customers for money laundering.

Despite the warnings and internal assessments, Capital One willfully failed to implement and maintain an effective AML program in many ways.  Capital One’s process for investigating suspicious transactions was weak and resulted in the failure to fully investigate and report suspicious activity to FinCEN.  Capital One often failed to detect and report suspicious activity by the check cashers themselves, even as it detected and reported activity by the check casher’s customers.  And Capital One’s implementation of a specialized report to provide insight into larger checks cashed by the Check Cashing Group customers’ customers (the check cashers’ patrons) failed to properly connect and report suspicious banking activity by certain check cashers.

Capital One also acknowledged failing to file SARs even when it had actual knowledge of criminal charges against specific customers, including Domenick Pucillo, a convicted associate of the Genovese organized crime family.  Pucillo was one of the largest check cashers in the New York-New Jersey area, and one of the highest-risk Check Cashing Group customers.  Capital One was made aware of Pucillo’s participation in potential criminal activity and other risks on several occasions, including learning in early 2013 about potential criminal charges in two different jurisdictions.  Despite this information, Capital One failed to timely file SARs on suspicious activity by Pucillo’s check cashing businesses, and continued to process over 20,000 transactions valued at approximately $160 million, including cash withdrawals, for Pucillo’s businesses.  According to public sources, in May 2019 Pucillo pleaded guilty to conspiring to commit money laundering in connection with loan sharking and illegal gambling proceeds that flowed through his Capital One accounts.

Capital One also admitted to negligently failing to file CTRs on approximately 50,000 reportable cash transactions representing over $16 billion in cash handled by its Check Cashing Group customers.  Specifically, Capital One utilized an internal system that assigned a “cash” code for customer withdrawals to trigger CTR filings.  In designing its system, Capital One failed to assign this “cash” code to armored car cash shipments for a number of Check Cashing Group customers.  Accordingly, these transactions were not identified as customer cash withdrawals and were not reported to FinCEN through Capital One’s CTR reporting systems.

In determining the final amount of the civil money penalty, FinCEN considered Capital One’s significant remediation and cooperation with FinCEN’s investigation.  In addition to exiting the Check Cashing Group and taking specific remedial efforts related to its SAR and CTR filing systems, Capital One has made significant investments in and improvements to its AML program over the past several years.  The bank also provided FinCEN with voluminous and well-organized documents, made several presentations of its findings, and signed several agreements tolling the statute of limitations during this investigation.  FinCEN strongly encourages financial institutions and other businesses and individuals subject to the BSA to self-disclose any violations of FinCEN’s regulations and cooperate with its enforcement investigations.

To recap … from at least 2008 through 2014, a span of seven years, Capital One willfully failed to file thousands of suspicious activity reports (SARs), and negligently failed to file thousands of Currency Transaction Reports (CTRs). These egregious failures allowed known criminals to use and abuse the US financial system unchecked, fostering criminal activity and allowing it to continue and flourish at the expense of victims and other citizens. And although there were warnings by regulators, those warnings apparently occurred behind closed doors and in the supervisory “zone of secrecy”.

Warnings by Regulators?

As one of the largest national banks in the country, Capital One’s primary regulator is the Office of the Comptroller of the Currency, or OCC. The OCC is the primary regulator of about 820 national banks, 280 federal savings associations, and 50 federal branches and agencies of foreign banks. The OCC is organized into four geographic regions, a headquarters region, and a “Large Bank” group. Capital One, and thirty-seven of the other largest national banks, are part of this Large Bank group. The OCC has full-time examiners dedicated to most, if not all, of those large banks (in some of the largest banks like Capital One, the OCC may have as many as 100 full-time examiners). In other words, OCC large bank examiners don’t drop in every year or so, conduct an examination, and leave: they’re essentially embedded in and are continually examining and supervising the operations of these large banks.

And for banks like Capital One, the Federal Reserve and the FDIC have jurisdiction and will conduct their own exams, either on their own or as part of a multi-agency examination. Specifically for BSA, the OCC will conduct multiple exams every year on a risk basis: they will examine higher risk business lines, delivery channels, customer segments, products and services, and geographies. And every year the OCC will examine the bank’s overall BSA compliance program. The examinations are ongoing, constant, and all-encompassing. And if those exams don’t go well, the OCC has an escalating path of actions it can take, from private actions such as Matters Requiring Attention, or MRAs, and Part 30 actions (those are the actions that occur behind closed doors in the zone of secrecy), to public enforcement actions such as Cease & Desist Orders and orders for Civil Money Penalties.

As the primary regulator to Capital One, NA, surely the OCC must have been the agency that first discovered all of the egregious violations that FinCEN cited in its January 2021 enforcement action: the willful failure to file thousands of SARs in its Check Cashing Group from 2008 to 2014, and the negligent failure to file $16 billion in CTRs in 2011. The answer to whether the OCC was the agency that discovered these egregious failures should be found in its public enforcement action …

The OCC’s July 2015 Consent Order Against Capital One

The OCC issued a Cease & Desist Order against Capital One (with the consent of Capital One; thus the term “Consent Order”) for multiple failures of Capital One’s BSA/AML program from 2008 through 2014.[3] The OCC found that two of the four required program components were lacking – the system of internal controls and independent testing – and that Capital One had a full program violation (12 CFR 21.21) and a SAR filing violation (12 CFR 21.11), had critical deficiencies in its enterprise-wide risk assessment, its Remote Deposit Capture product and program, and its Correspondent Banking business and program, and did not have a process to escalate BSA/AML control decisions to the Risk Management group. The OCC also noted that Capital One “failed to identify significant volumes of suspicious activity”, but didn’t identify that activity. The OCC ordered Capital One to reform its program and conduct a lookback of potential suspicious activity.

The Consent Order did not mention the CCG business or the late-filed CTRs.[4] There was nothing in the Order that spoke of MRAs or other informal or formal warnings. There was nothing about failed exams, or even whether any exams were done. Perhaps the follow-up exam (done behind closed doors) that must have been done (something must have led to a second public order in 2018) provides more information …

The OCC’s October 2018 Civil Money Penalty

After Capital One determined that it had completed its remediation of the issues found in the 2015 Consent Order, the OCC found that it had actually violated the terms of that Order by failing to complete the remediation in a timely fashion. The OCC also found that Capital One had still missed filing some SARs after 2015, had back-filed other SARs because of suspicious activity found during the lookback, and had violated some funds transfer recordkeeping requirements (the so-called “Travel Rule”). As a result, in October 2018 the OCC fined Capital One $100 million. That Civil Money Penalty order did not mention the CCG business or the late-filed CTRs.[5]

Summary of the Three Orders

  • FinCEN found that from 2008 to 2014 the Check Cashing Group (CCG) of Capital One willfully failed to maintain a BSA program and willfully failed to accurately and timely file SARs, and that Capital One otherwise failed to file CTRs until 2011 when it voluntarily backfiled 50,000 CTRs for $16,000,000,000.
  • The OCC’s July 2015 Consent Order – no civil penalty – made no mention of CCG, no mention of CTRs, and instead referred to Remote Deposit Capture and Correspondent Banking.
  • The OCC’s October 2018 civil penalty of $100,000,000 provided that the July 2015 Order had been violated because Capital One was a year late in doing the remediation, and that there were additional violations – missed SARs after 2015, more SARs from a lookback, and a Travel Rule violation on wires … but again, no mention of CCG and late CTRs.

Sed quis custodiet ipsos custodes – but who will guard the guards themselves? Juvenal, c. 100 A.D.

The OCC examined Capital One every year for BSA … but missed what FinCEN found? How can this CCG activity have gone on for seven years without the OCC (apparently) doing anything about it? Or perhaps the OCC did do something about it, but whatever it did was behind the zone of secrecy.

So we’re left with three questions that need to be asked that currently aren’t being asked and, because of the zone of secrecy, probably cannot or will not be answered.

Q1 – Why did the OCC’s 2018 penalty of $100 million not mention the 2008-2014 willful failures that FinCEN relied on for its 2021 $290 million penalty?

Q2 – Why did it take FinCEN six years (since the OCC’s original 2015 Consent Order) to resolve violations that occurred from 2008 to 2014?

Q3 – How did FinCEN settle on a fine of $390,000,000? FinCEN’s regulations have section-by-section penalty amounts, and FinCEN even mentioned these in its Enforcement Action. But it didn’t provide any detail on how it reached its penalty figures or why it gave credit for the $100,000,000 paid to the OCC if, as it appears, the OCC order covered different activity.

Which leads me to end where I began:

Supervision [of banks] happens behind closed doors. It relies upon secrecy and involves a system of discretionary actions by supervisory staff. This zone of secrecy is traditionally justified for the sake of financial stability and bank safety and soundness. There has long been an uneasy truce between the transparency and accountability required by the rule of law and the secrecy and discretion of supervision. That uneasy truce has become untenable.

[1] Statement of Margaret E. Tahyar, Guidance, Supervisory Expectations, and the Rule of Law: How Do the Banking Agencies Regulate and Supervise Institutions?, Hearing Before the Senate Committee on Banking, Housing, and Urban Affairs (Apr. 30, 2019) Tahyar Testimony 4-30-19.pdf (senate.gov)

[2] The agencies first issued a statement in September 2018. On November 5, 2020 the agencies published a proposed rule to codify that statement. On January 19, 2021 the OCC issued a press release that it had finalized the rule. It will become final once published in the Federal Register. The OCC press release is at OCC Approves Final Rule on Supervisory Guidance | OCC

[3] Consent Order 2015-081 (occ.gov)

[4] The 2015 Consent Order was terminated on November 4, 2019. See Terminates #2015-081 (occ.gov)

[5] The Civil Money Penalty is at EA 2018-080 (occ.gov). The press release is at OCC Assesses $100 Million Civil Money Penalty Against Capital One | OCC