Lessons from Capital One – BSA: Cost Center or Gatekeeper?

Capital One fined $390MM for failing to report activity tied to money laundering and organized crime

In a recent announcement released by the Financial Crimes Enforcement Network (FinCEN), Capital One is being fined $390 million for failing to properly identify, evaluate, and report on suspicious activity for a major money services business.

What Is BSA?

The Bank Secrecy Act, or BSA, is a piece of legislation that was passed by Congress in 1970. It requires financial institutions to collaborate with the US government on suspicious activity related to potential money laundering and fraud. Requirements of the BSA include establishing a program to detect suspicious activity and filing timely reports to FinCEN explaining what the activity is and why it is suspicious.

In the announcement, FinCEN highlights a few of the major shortcomings of the Capital One program and how they allowed the institution to be used for money laundering, tax evasion, and fraud.

What Can We Learn From Capital One?

While reading through the announcement, one section stood out to me. By reading FinCEN’s analysis, financial institutions can gain insight into how they can safeguard themselves from falling into the same regulatory hot water that Capital One now finds itself in.

“…Capital One was aware of several compliance and money laundering risks associated with banking this particular group, including warnings by regulators, criminal charges against some of the customers, and internal assessments that ranked most of the customers in the top 100 of the bank’s highest risk customers for money laundering.”

Risk Assessment

It is important that financial institutions have a tight grasp of the potential risks to their business.

  • Are there products/services offered that could pose a higher risk?
  • What is the severity of the risk?
  • Are there controls in place to address these risks?
  • What is the likelihood that it could occur?

These questions will allow a financial institution to risk rate their customers according to the risk profile established in the assessment, and according to their overall transaction activity. As a result of keeping customers’ risk ratings current and accurate, focus can be shifted to the highest risk population, and overall risk can be reduced.

KYC/Negative News

One of the most important elements of an effective BSA program is a strong “Know Your Customer” (KYC) process. Do you know who you are REALLY doing business with?

  • Who are they?
  • Is there a difference between their anticipated and actual behavior?
  • What do they do for work? Does their activity align?
  • What types of transactions are being conducted?
  • Is there any news on the person that would give further insight into who they are, or who they associate with?

The more you know about your customers, the easier it is to identify suspicious behavior.


A risk assessment helps you identify and evaluate the potential risks that could present themselves. After risk has been identified, key controls can be implemented to limit these risks. One of these essential controls is an effective KYC process. But how do you know if it is “effective”?

Controls should be evaluated, tested, and confirmed to be working. The best way to do this is through an internal and external audit process. An independent audit process (key word independent) safeguards against potential fines from regulators by reviewing regulatory requirements and ensuring that the controls put in place are doing what they should be.

  • Based on the business, what are the regulatory requirements?
  • What are the potential risks to the business?
  • What are the key controls in place to address those risks?
  • Is there a documented process for each control?
  • Is the process being followed, and is the control doing what it needs to?

Independence ensures that there is no bias or unnecessary influence while reviewing a business area’s (in this case BSA) processes and controls. By conducting a thorough review, auditors are able to explain their findings, which helps the institution stay one step ahead of regulators and their fines.

Learn From Others’ Mistakes

Financial institutions historically have shunned their BSA/AML programs, shoving them into some damp corner of the office, only to bring them out when the regulators show up for their annual audits. C-Suite execs are solely focused on how they can generate the most profit, and BSA doesn’t do that.

Why waste time, money, and precious resources on developing an effective program to prevent money laundering and crime?

I can think of 390 million reasons why.

Never stop chasing checkmate.
