Banking regulators, the Office of Comptroller of the Currency and the Federal Reserve, recently collected a $400 million civil penalty against Citigroup for long-standing deficiencies in its enterprise risk management, compliance controls and overall banking practices. The Consent Order is Here.
The aggressive enforcement action was the result of Citigroup’s continuing deficiencies in its operations, risk oversight and management practices. The OCC cited Citigroup for its continuing problems and “longstanding failure to establish effective risk management.”
Citigroup has been undergoing significant changes – a new CEO was announced this year, Jane Fraser is replacing Michael Corbat. Earlier this year, a Citigroup baker accidentally transferred $900 million to a group of lenders tied to Revlon. A Citi employee who was manually adjusting creditors’ share of a Revlon loan selected the incorrect option, allowing the loan to be paid in full rather than the intended monthly interest payment.
Citigroup has been cited for a number of governance and control deficiencies, including violations of anti-money laundering controls relating to tracking of illicit funds, and a number of governance and regulatory violations.
In the consent order, the OCC cited the following deficiencies: (1) failure to establish effective front-line units and independent risk management (12 C.F.R. Part 30, Appx D); (2) failure to establish an effective risk governance framework (12 C.F.R .Part 30, Appendix D); (3) failure of the Bank’s enterprise-wide risk management policies, standards, and frameworks to adequately identify, measure, monitor, and control risks; and (4) failure of compensation and performance management programs to incentivize effective risk management.
The order also identified deficiencies, noncompliance with 12 C.F.R. Part 30, Appendix D, or unsafe or unsound practices with respect to Citigroup’s data quality and data governance, including risk data aggregation and management and regulatory reporting.
The OCC’s consent order includes a broad set of requirements to remediate its overall risk management and internal controls, and specifically prohibits from acquiring any new entities unless approved by banking regulators. The OCC and Federal Reserve intend to exercise close oversight of Citigroup’s remediation efforts and can order additional changes.
The OCC determined that the Board and senior management oversight was inadequate to ensure timely appropriate action to correct the serious and longstanding deficiencies and unsafe or unsound practices in the areas of risk management, internal controls, and data governance.
The order states that this conduct contributed to other past violations and noncompliance, for which the OCC has assessed civil money penalties in 2019. The order further states that the Bank has begun taking corrective action and has committed to taking all necessary and appropriate steps to remedy the identified deficiencies.
In its order, the OCC demanded “the thorough redesign” of Citi’s “data architecture, re-engineering of processes, and modernization of system applications and information technology infrastructure that … maximize[s] straight-through processing and minimize[s] manual inputting and adjustments” — perhaps a direct reference to the Revlon matter.
Earlier this year, Citigroup announced it would invest $1 billion in improvements to address its enterprise data and risk management systems. In September, the CFTC imposed a $4.5 million fine against Citigroup for deletion of audio recording files, including trader recordings that were subpoenaed as part of a federal probe. Last year, the Bank of England fined Citigroup $56 million for inaccurate reporting about its capital and liquidity levels.
The Federal Reserve ordered Citigroup to submit a detailed plan to address deficiencies in the implementation and execution of “areas of risk management and internal controls, including for data quality management and regulatory reporting, compliance risk management, capital planning and liquidity risk management.” Citigroup’s plan must ensure that the board: (1) holds senior management accountable for executing effective and sustainable remediation plans; (2) improves and maintains effective and independent enterprise-wide risk management and makes sure that internal audit findings are effectively remediated; (3) earns incentive compensation that’s consistent with risk management objectives and measurement standards; (4) ensures proper oversight of senior management’s execution of the matters identified in the Fed’s order; and (5) conducts a gap analysis of its enterprise-wide risk management framework and internal controls systems to determine the enhancements that are necessary to meet the risk management requirements.