Skip to content


ORX News


ORX News Community

Deep Dive - Nov 2020

Citibank pays USD 400 million over poor risk management, data governance and control failures.

On 7 October 2020, the US Office of the Comptroller of the Currency (OCC) assessed a USD 400 million civil money penalty against Citibank over longstanding deficiencies in enterprise-wide risk management, compliance risk management, data governance and internal controls. The OCC’s order was accompanied by a separate order from the US Federal Reserve Board (FRB) issued in concurrence.
Find out more about this major operational risk loss event by downloading the free Deep Dive from ORX News.

The Deep Dive, usually only available to ORX News subscribers, provides vital information about this information security event, including:

  • A detailed explanation of the event
  • Attack method
  • Internal risk factors, including risk governance framework and inadequate technology resources
  • External risk factors, including risk management failures and compliance
  • Remedial measures taken in response to the event
  • Financial and non-financial impacts

Download the free Deep Dive for all this information and more.

Executive summary

Unless otherwise stated, the main sources throughout this document are the Office of the Comptroller of the Currency (OCC) Cease and Desist and Civil Penalty Consent Orders of 7 October 2020.

On 7 October 2020, the OCC announced that it had fined Citibank USD 400 million (EUR 340 million), citing the bank’s “long-standing failure” to institute effective risk and compliance management, data governance and internal controls.

The OCC found that for several years, with some issues dating back to 2013, Citibank had failed to implement and maintain an enterprise-wide risk management and compliance risk program, internal controls, or a data governance program commensurate with the bank’s size, complexity, and risk profile. Specifically, the OCC found that Citibank had not complied with its 12 CFR part 30, Appendix D regulation. This regulation establishes minimum standards for the design and implementation of a covered bank's risk governance framework and minimum standards for the bank's board of directors in providing oversight to the framework's design and implementation of guidelines. These standards are in addition to any other applicable requirements in law or regulation.

Furthermore, OCC investigations established that Citibank had:

  • Failed to establish effective front-line units and independent risk management as required by 12 CFR.
  • Failed to establish an effective risk governance framework as required by 12 CFR.
  • Failed to adequately identify, measure, monitor, and control risks through its enterprise-wide risk management policies, standards, and frameworks.
  • Failed to incentivise effective risk management through its compensation and performance management programs. 

The OCC further identified unsafe or unsound practices with respect to the bank’s internal controls, including, an absence of clearly defined roles and responsibilities and noncompliance with multiple laws and regulations.

Citibank’s data governance and data quality were also identified as being deficient. The OCC found that Citibank had, with respect to its data quality and data governance, including risk data aggregation and management also failed to: Establish effective front-line units, independent risk management, internal audit, and control functions as required by 12 CFR. Develop and execute on a comprehensive plan to address data governance deficiencies, including data quality errors and failure to produce timely and accurate management and regulatory reporting; and, Adequately report to the bank’s board on the status of data quality and progress in remediating identified deficiencies.

The OCC also determined that the bank’s board and senior management oversight was inadequate to ensure timely, appropriate actions to correct the serious and longstanding deficiencies and unsafe or unsound practices in the areas of risk management, internal controls, and data governance at the bank. Furthermore, inadequate reporting to the bank’s board was determined to hinder its ability to provide effective oversight. The OCC also said Citibank must seek the regulator’s “non-objection before making significant new acquisitions,” according to the statement. The OCC added that it may implement additional business restrictions or require changes in senior management” should the bank not address its shortcomings.

Additionally, on 7 October 2020, the FRB announced an enforcement action against Citigroup over the bank’s failure to take prompt and effective actions to correct practices regarding its risk management compliance, data quality management, and internal controls. In particular, the regulator highlighted Citibank’s deficiencies in capital planning and liquidity risk management. However, the FRB decided not to impose a fine on Citigroup besides the OCC USD 400,000,000 penalty but gave the bank a series of deadlines to analyse and report back within four months on how it would address the issues and hold senior management accountable and make executive compensation “consistent with risk management objectives”.

The sizeable penalty issued against Citibank by the OCC on 7 October 2020 follows renewed public and regulatory scrutiny of Citibank’s operations after an error led the bank to mistakenly send Revlon creditors USD 900 million of its own funds in August 2020. The bank is currently pursuing legal action against some lenders who are refusing to return the payment. 

Download the Deep Dive

Fill in the form below to get your free copy of the Deep Dive exploring the Citibank loss event.

About ORX News

ORX News is the industry’s leading source of operational risk loss events. Firms can subscribe for exclusive data and analysis tailored to the banking, insurance, and asset management sectors.

How does it work?

Our team of dedicated researchers can collectively speak over seven major languages. Accessing recent operational and non-financial risk (ONFR) loss events is made effortless through the ORX News website, where they are summarised in English, categorised, searchable, and exportable. ORX News keeps you informed and connected with the latest ONFR developments and you can use the data for modelling, benchmarking and scenarios.

Find out more about ORX News


Disclaimer: ORX has prepared this resource with care and attention. ORX does not accept responsibility for any errors or omissions. ORX does not warrant the accuracy of the advice, statement or recommendations in this resource. ORX shall not be liable for any loss, expense, damage or claim arising from this resource. The content of this resource does not itself constitute a contractual agreement, and ORX accepts no obligation associated with this resource except as expressly agreed in writing. ©ORX 2024


Lily Richardson

Lily Richardson

News Manager, ORX

Helen L’Abbate

Helen L’Abbate

Deputy Director - Research & Information, ORX

More resources from ORX News


Want to read more Deep Dives from ORX News? 

Become an ORX News subscriber to read about operational risk loss events from around the world.


Find out more about ORX News