The Office of the Comptroller of the Currency (OCC) assessed an $80 million civil money penalty against Capital One for its role in the 2019 hack of 100 million credit card applications. 

The OCC reached the decision due to “the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” according to a post.

The document also stated that the bank lacked sufficient network security and data loss prevention controls. The board also failed to hold the management accountable when internal audits showed the issues.

The Capital One breach followed Equifax’s 2017 breach that resulted in the personal information of 147 million people being stolen. Equifax then had to pay regulators $700 million.

“While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers,” the OCC stated. 

More details are available here.