Capital One hit with enforcement actions
The Federal Reserve Board issued a cease and desist order against Capital One Financial Corporation, McLean, Virginia, resulting from a significant March 2019 data breach at the firm's national bank subsidiaries affecting the personal information of Capital One credit card customers and applicants for credit card products.
The Office of the Comptroller of the Currency, in a coordinated action, assessed an $80 million civil money penalty against Capital One, N.A., and Capital One Bank (USA), N.A., based on the banks' failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the banks' failure to correct the deficiencies in a timely manner. The OCC found that the noted deficiencies constituted unsafe or unsound practices and resulted in noncompliance with 12 C.F.R. Part 30, Appendix B, "Interagency Guidelines Establishing Information Security Standards." The OCC also issued a cease and desist order requiring the banks to take specified corrective actions.