Capital One's analysts flagged the business as high-risk. They still didn't file the SARs.

Issue #5 | May 26, 2026 | 6 min read

Capital One paid $390 million to FinCEN in January 2021 for BSA violations tied to its Check Cashing Group, a business unit the bank had internally classified as high-risk. The compliance program covered the bank, it didn't adequately cover the unit generating the most risk.

Two years after Binance filed zero SARs across its entire global operation and called it a business decision, Capital One is a useful reminder that willful non-filing isn't a crypto phenomenon. This issue breaks down how that gap formed, what FinCEN found, and what it means for programs that have done the risk classification work but haven't connected it to the monitoring program.

ENFORCEMENT ACTION

Capital One knew its check-cashing customers were high-risk. Six years of evidence confirmed it. The SARs still didn't get filed.

Capital One, N.A. received a $390 million civil money penalty from FinCEN on January 15, 2021, covering BSA violations tied to its Check Cashing Group (CCG), a business unit that provided banking services to check cashing businesses across the United States. The violations ran from at least 2008 through 2014. Capital One admitted to willfully failing to implement and maintain an effective AML program for the CCG portfolio, willfully failing to file thousands of SARs, and negligently failing to file approximately 50,000 Currency Transaction Reports on roughly $16 billion in cash handled by CCG customers.

FinCEN's finding on the SARs was willful failure, not negligence and not a systems gap.

The Check Cashing Group served businesses that are, by definition, elevated-risk under BSA guidance. Check cashers handle large volumes of cash, serve customers who may be unbanked or underbanked, and operate in a sector with documented links to money laundering and tax evasion. Capital One's own risk classification recognized this. The problem wasn't that the bank didn't know the risk, it was that the AML program in place for CCG didn't match what the bank had already concluded about that risk.

The consent order's most specific finding makes this harder to dismiss as an oversight. Capital One continued processing over 20,000 transactions valued at approximately $160 million for a customer's businesses after that customer had been convicted as an associate of the Genovese organized crime family. The bank knew. It processed anyway. FinCEN's consent order documented that suspicious transactions tied to CCG customers included proceeds connected to organized crime, tax evasion, and fraud that moved through Capital One into the U.S. financial system unreported.

What FinCEN Found

What This Means for Your Program

The Capital One case is useful because the bank didn't skip the risk assessment step. High-risk was identified, documented, and applied to the CCG portfolio. What failed was the translation of that classification into a functioning monitoring and reporting program.

The exam question this creates: are your high-risk designations driving program design, or just sitting in a risk matrix? A customer or business line rated high-risk should generate more monitoring activity, lower alert thresholds, and closer SAR review, not the same coverage as a standard retail account. If your enterprise AML program is calibrated to your typical customer and high-risk segments are layered on without dedicated configuration, the Capital One gap is structurally replicable.

The $390 million penalty was one of FinCEN's largest at the time of assessment. The willful finding means Capital One couldn't frame the violations as oversight or resource constraint. Six years of deficient SAR filing on a portfolio the bank had already designated high-risk voids that argument.

Binance filed zero SARs for years while processing hundreds of millions in sanctioned-country transactions. Capital One filed too few SARs for six years on a high-risk domestic business it knew was connected to criminal activity. The business models couldn't be more different. The legal conclusion of willful failure is the same.

Source: FinCEN Consent Order, In the Matter of Capital One, N.A. | FinCEN press release, January 15, 2021

INTELLIGENCE BRIEFING

FinCEN — FinCEN issued a proposed rule in April 2026 to fundamentally reform how financial institutions must structure their AML/CFT programs. The NPRM would require programs to be explicitly "effective, risk-based, and reasonably designed", language that shifts the standard from structural compliance to demonstrated effectiveness. It also requires that AML officers be located in the United States and accessible to regulators, and introduces a framework distinguishing between program design failures and implementation failures. For institutions whose current programs are built around meeting structural requirements, this is a signal that exam scrutiny is moving toward whether the program actually works. Comment period closes June 9, 2026. Source: FinCEN, Notice of Proposed Rulemaking, April 2026.

FinCEN — The Investment Adviser AML Rule, originally scheduled to take effect January 1, 2026, has been postponed to January 1, 2028. A FinCEN exemptive relief order exempts registered investment advisers and exempt reporting advisers from all AML/CFT program requirements until then. Investment advisers collectively manage trillions in assets. The two-year delay means a sector that handles significant flows of high-net-worth capital continues to operate without mandatory SAR filing obligations, a gap that has been on FinCEN's radar since the first IA AML proposal in 2015. Source: FinCEN Final Rule, Investment Adviser AML Rule Postponement.

OFAC — On May 20, 2026, OFAC designated more than a dozen individuals and entities across two networks tied to the Sinaloa Cartel's fentanyl trafficking operations. One network, led by Armando de Jesus Ojeda Aviles, specializes in laundering fentanyl proceeds on the cartel's behalf. The second, led by Jesus Gonzalez Penuelas, combines trafficking with money laundering for the cartel. Both were designated under Executive Order 14059. Drug trafficking and its proceeds are one of FinCEN's eight national AML/CFT priorities; this action is a reminder that the cartel's financial infrastructure, including its dedicated laundering networks, remains an active enforcement focus for institutions with exposure to Mexico-linked cash flows. Source: Treasury, May 20, 2026.

FROM THE SOURCE

The word "admits" is doing real work in that sentence. Consent orders routinely involve institutions neither admitting nor denying findings. When an institution admits, it means the factual record is clean enough that contesting it isn't viable. Capital One's internal documentation of the CCG risk designation, combined with the SAR gap and the Genovese associate transactions, produced a record that admission was the only defensible position. The willful finding on the SARs and negligent finding on the CTRs are separate in legal terms, but both flow from the same root failure: a high-risk business line operating without a commensurate compliance program.

Source: FinCEN, In the Matter of Capital One, National Association — Enforcement Action Page

If someone forwarded this to you, welcome.

The AML Brief goes out every Tuesday. Subscribe for free and get the Top 10 AML Red Flags cheat sheet as a thank you:

[BUTTON: Subscribe → theamlbrief.com]

Already subscribed? Forward this to one colleague who works in financial crimes. That's how we grow.

The AML Brief | theamlbrief.com/posts

Disclaimer: The AML Brief is an independent financial crimes intelligence publication. All content is sourced from publicly available regulatory documents, enforcement actions, and published research. Nothing published here constitutes legal, compliance, or regulatory advice. The AML Brief is not affiliated with any financial institution, regulator, law firm, or employer. For advice specific to your situation, consult a qualified attorney or compliance professional.