The Office of the Comptroller of the Currency (OCC) announced on August 6 that it had issued an $80 million civil penalty against Capital One, N.A., and Capital One Bank (USA), N.A.
The OCC cited noncompliance with 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards.” Similar versions of these standards apply to other financial institutions that are regulated under the Gramm-Leach-Bliley Act.
The OCC said the bank failed to:
- Establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment
- Establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts
- Identify, through its internal audit, numerous control weaknesses and gaps in the cloud operating environment
- Take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses