Talk about mistakes that come back to haunt you: Capital One just agreed to pay a $390 million penalty for anti-money laundering compliance failures in a check-cashing unit the bank hasn’t even owned for seven years.
The settlement was announced by FinCEN last Friday. The 22-page statement of facts is a tale of poor risk assessment, poor program implementation, and poor regulatory reporting, which allowed millions of dollars in suspicious transactions to go unreported — including transactions involving customers who the bank knew were connected to the Genovese crime family in New York. Yikes.
The events in question happened from 2008 to 2014, when Capital One managed an operating division known as the Check Cashing Group to provide back-end services to storefront check-cashing outlets in New York and New Jersey. Capital One had been on an expansion kick in the mid-2000s, picking up banks in the Northeast such as North Fork Bank and Hibernia Bank. The check-cashing joints had been their customers, not Capital One’s.
Banking regulators had already flagged problems in the AML compliance programs of both banks before Capital One showed up; that was one early warning sign. In 2008, regulators warned Capital One itself that they had concerns about the AML compliance capability of the newly formed Check Cashing Group. That same year, prosecutors in New York City also indicted one of the CCG’s customer businesses and its owner.
So almost from the inception of this six-year misadventure in the check-cashing business, Capital One knew it had significant remedial work to do in its AML compliance program. “But these efforts,” the FinCEN settlement said, “failed to effectively address the illicit finance risk associated with the CCG.”
Let’s look at some of those errors.
Poor AML Program Development
First, the FinCEN order said, Capital One failed to implement a sufficiently strong AML compliance program even when the bank knew it had inherited significant problems from the Hibernia and North Fork acquisitions. Yes, Capital One did build up an AML compliance team and even developed policies, procedures, and controls for an enterprise-wide AML compliance program.
Then what? Let’s excerpt directly from the FinCEN order:
“However, these controls and procedures were inadequate to address the money laundering risk associated with the CCG, were inconsistently and ineffectively implemented for CCG customers, were plagued by a number of technical failures that were not promptly addressed, and gave too much credence to dubious explanations from the business line about CCG banking activity, all of which ultimately resulted in a failure to guard against money laundering and other criminal and suspicious activity.”
There’s not a lot of specific detail there, but it does paint a picture of executives focused too much on compliance program design, and not enough on program execution. Inconsistent application of controls and procedures, technical glitches not fixed in a timely manner, compliance analysts not calling BS on whatever the business line was saying about sketchy behavior — that’s poor execution.
Capital One also missed the mark on customer due diligence and reviews. For example, the compliance program developed a spreadsheet formula that aggregated the credits and debits of a CCG customer under review, and then compared that analysis against a sample of historical transactional data. That’s how the compliance team determined whether a customer’s activity had significantly departed from historical norms.
Even when a customer did have unusual activity, however, so long as those transactions appeared to be related to the customer’s business model or could be readily explained away, the compliance team deemed the departure from historical norms “reasonable” and closed the review.
The flaw in that approach, FinCEN said, was that compliance analysts ended up relying too much on consistency of transactions as the basis for judging suspicious activity, “without taking additional investigative steps or incorporating additional knowledge about the customers.”
“In other words,” FinCEN said, “Capital One improperly used consistency as the primary benchmark for reasonableness, overlooking the nature or apparent lawful purpose of their customer’s underlying activity and the patterns therein.”
That’s failure to build comprehensive risk profiles for your customers. It’s a cardinal offense in the world of AML compliance, and a cautionary tale for compliance officers in non-financial sectors. Effective due diligence depends on building a complete profile of who your third party is, and many times the most important details about that party won’t emerge from analyzing transaction records.
So you need to design due diligence and customer review procedures that will capture those other types of information (background checks, adverse media reports, and so forth), and consolidate all the information into one holistic profile. Only then do you make the decision about what’s suspicious or not.
Tangled Relationships With First Line
And as we so often see, Capital One also struggled with AML compliance investigations because of tangled relationships with business managers in the First Line of Defense.
For example, AML analysts repeatedly identified suspicious activity with at least 30 customers in the Check Cashing Group, flagging those suspicions as “medical fraud ring,” “excessive corporate check cashing,” “high dollar checks,” “structured third-party checks,” and so forth.
Except that standard AML compliance policy for the Check Cashing Group was for the compliance analyst to then contact the relationship manager for the customer under suspicion and ask that executive what was going on. The relationship managers then replied with all manner of “vague and implausible explanations,” according to FinCEN — flimflam such as “Hurricane Sandy work,” “high number of customers in February because of tax refunds being cashed at the stores,” or “Aggressively looking to manage down excess currency,” to name a few excuses.
“At times, AML analysts accepted such justifications from the CCG business line at face value, which limited their ability to perform effective AML scrutiny” and file suspicious activity reports, FinCEN said. “As a consequence, Capital One failed to fully investigate much of this activity, or report it to FinCEN as suspicious.”
This is a refrain we hear all the time: compliance functions lacking enough independence and authority to pursue suspicious activity as needed. Heck, it’s the same flaw we saw with Deutsche Bank and its corruption settlements just last week. Compliance teams need to be competent, independent, and empowered to act — which includes the power to tell business execs in the First Line of Defense that they’re full of it.
Remediation Counts for Something
FinCEN did praise Capital One for remediation steps the bank took in the early 2010s, such as catching up with more than 50,000 currency transaction reports that hadn’t been filed promptly, and performing a voluntary look-back in 2013 on transactions that an AML tool hadn’t captured the first time around. (Both of these sound to me like getting praise for working late when you’d forgotten to do your job the day prior, but whatever.) Senior management has also more than tripled Capital One’s AML budget and staff since 2014.
Ultimately, Capital One decided to exit the check-cashing business in 2013 and was fully out of the game by 2014. Then it agreed to extend the statute of limitations while FinCEN and other banking regulators picked over this episode for the ensuing seven years.