Banking regulators are slapping Capital One (COF) with an $80 million fine and requiring it to improve its risk management systems in the wake of a hack at the bank last year that resulted in one of the largest personal data breaches ever.
The U.S. Office of the Comptroller of the Currency (OCC), which regulates national banks, issued the fine and a cease and desist order, while the Federal Reserve, which regulates bank holding companies, issued its own cease and desist order.
Last July, an Amazon software engineer was able to obtain access to a Capital One server containing credit card applications and accounts. She then posted personal and financial data about more than 100 million people on the GitHub platform.
According to the OCC's order, Capital One did not implement "effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment." The bank also failed to implement the proper controls for its cloud operating environment, and therefore violated a law regarding information security.
As a result, the OCC is requiring Capital One to appoint a compliance committee and create a written plan detailing how it will get into compliance with proper information security standards. The bank must also create and submit detailed plans of how it will improve internal controls and oversight of its cloud operating environment and other technology systems.
Cease and desist orders are among the most severe enforcement actions regulatory agencies can take, and can be in place for several years. Capital One will likely have to invest in its regulatory infrastructure to get into compliance.
The Fed's cease and desist order was somewhat similar to the OCC's. It found deficiencies in Capital One's "enterprise wide risk management program," and mandates that the company create a new, more comprehensive plan that can better identify and detect risks across the organization.