Unless otherwise stated, the main sources throughout this document are the Office of the Comptroller of the Currency (OCC) Cease and Desist and Civil Penalty Consent Orders of 7 October 2020.
On 7 October 2020, the OCC announced that it had fined Citibank USD 400 million (EUR 340 million), citing the bank’s “long-standing failure” to institute effective risk and compliance management, data governance and internal controls.
The OCC found that for several years, with some issues dating back to 2013, Citibank had failed to implement and maintain an enterprise-wide risk management and compliance risk program, internal controls, or a data governance program commensurate with the bank’s size, complexity, and risk profile. Specifically, the OCC found that Citibank had not complied with its 12 CFR part 30, Appendix D regulation. This regulation establishes minimum standards for the design and implementation of a covered bank's risk governance framework and minimum standards for the bank's board of directors in providing oversight to the framework's design and implementation of guidelines. These standards are in addition to any other applicable requirements in law or regulation.
Furthermore, OCC investigations established that Citibank had:
- Failed to establish effective front-line units and independent risk management as required by 12 CFR.
- Failed to establish an effective risk governance framework as required by 12 CFR.
- Failed to adequately identify, measure, monitor, and control risks through its enterprise-wide risk management policies, standards, and frameworks.
- Failed to incentivise effective risk management through its compensation and performance management programs.
The OCC further identified unsafe or unsound practices with respect to the bank’s internal controls, including, an absence of clearly defined roles and responsibilities and noncompliance with multiple laws and regulations.
Citibank’s data governance and data quality were also identified as being deficient. The OCC found that Citibank had, with respect to its data quality and data governance, including risk data aggregation and management also failed to: Establish effective front-line units, independent risk management, internal audit, and control functions as required by 12 CFR. Develop and execute on a comprehensive plan to address data governance deficiencies, including data quality errors and failure to produce timely and accurate management and regulatory reporting; and, Adequately report to the bank’s board on the status of data quality and progress in remediating identified deficiencies.
The OCC also determined that the bank’s board and senior management oversight was inadequate to ensure timely, appropriate actions to correct the serious and longstanding deficiencies and unsafe or unsound practices in the areas of risk management, internal controls, and data governance at the bank. Furthermore, inadequate reporting to the bank’s board was determined to hinder its ability to provide effective oversight. The OCC also said Citibank must seek the regulator’s “non-objection before making significant new acquisitions,” according to the statement. The OCC added that it may implement additional business restrictions or require changes in senior management” should the bank not address its shortcomings.
Additionally, on 7 October 2020, the FRB announced an enforcement action against Citigroup over the bank’s failure to take prompt and effective actions to correct practices regarding its risk management compliance, data quality management, and internal controls. In particular, the regulator highlighted Citibank’s deficiencies in capital planning and liquidity risk management. However, the FRB decided not to impose a fine on Citigroup besides the OCC USD 400,000,000 penalty but gave the bank a series of deadlines to analyse and report back within four months on how it would address the issues and hold senior management accountable and make executive compensation “consistent with risk management objectives”.
The sizeable penalty issued against Citibank by the OCC on 7 October 2020 follows renewed public and regulatory scrutiny of Citibank’s operations after an error led the bank to mistakenly send Revlon creditors USD 900 million of its own funds in August 2020. The bank is currently pursuing legal action against some lenders who are refusing to return the payment.
