Citi fined $400M over risk management, data governance issues

Dive Brief:

The Office of the Comptroller of the Currency (OCC) fined Citi $400 million Wednesday over persistent issues in risk management, data governance and internal controls, and ordered the bank to seek the regulator's approval before making any "significant new acquisitions." The OCC also reserved the right to require Citi to make changes to senior management and its board if the regulator deems the bank is moving too slowly.
The Federal Reserve also issued a cease-and-desist order Wednesday, demanding the bank "correct practices previously identified by the Board in the areas of compliance risk management, data quality management, and internal controls." Under the order, Citi's board of directors has 120 days to submit a report detailing how it will hold senior management accountable and how it will make executive compensation "consistent with risk management objectives."
"We are disappointed that we have fallen short of our regulators' expectations, and we are fully committed to thoroughly addressing the issues identified in the Consent Orders," the bank said in a statement seen by The Wall Street Journal and Bloomberg. "We appreciate the urgency of the tasks at hand and we are committed to fulfilling our obligations to all of our stakeholders."

Dive Insight:

Speculation about a regulator reprimand of Citi had persisted for nearly a month before the OCC and the Fed issued their enforcement actions Wednesday. Citi's errant transmission of $900 million in August to creditors of cosmetics firm Revlon likely served as a reminder to regulators that long-standing risk management issues had yet to be fully resolved.

In its order, the OCC demanded "the thorough redesign" of Citi's "data architecture, re-engineering of processes, and modernization of system applications and information technology infrastructure that … maximize[s] straight-through processing and minimize[s] manual inputting and adjustments" — perhaps a direct reference to the Revlon matter.

The bank said a Citi employee who was manually adjusting creditors' share of a Revlon loan selected the incorrect option, allowing the loan to be paid in full rather than the intended monthly interest payment. Citi is embroiled in a court battle against some creditors who have refused to return the money.

That transaction may stand as a cautionary tale for the bank and a symbol of larger-scale issues. The bank has said it is spending $1 billion this year on improving its risk management frameworks and controls. The Fed, in its order Wednesday, wants Citi to use "gap analysis" to determine how to improve processes around capital planning, liquidity risk management and compliance risk management.

One major component to that may be unifying the patchwork of systems the bank uses to track customers and transactions. Many of the bank's business units run their own system with separate customer identification measures — a money-laundering vulnerability, regulators have said — and some systems have roots in the late 1990s. The bank decided to replace its loan operation software last year, but the transition is not complete.

Citi in June also hired former Bank of New York Mellon President Karen Peetz as its new chief administrative officer, in part to help comply with regulators' orders.

"Citi has significant remediation projects underway to strengthen our controls, infrastructure and governance," the bank said in its statement Wednesday. "While we have made progress in each of these areas, we recognize that substantial improvement is still required to meet the standards we have set for ourselves and that our regulators expect of us."

For the Fed, the enforcement action may also serve to hasten the bank's resolution of issues it has cited for years that have not been "adequately remediated." The central bank issued Citi a consent order in 2013 over deficiencies in the bank's anti-money-laundering compliance program, and another in 2015 over its compliance and control infrastructure. Between those orders, Citi failed the Fed's 2014 stress test for not fixing previously identified risk management issues.

The financial toll on Citi of Wednesday's actions is significantly less than some big banks have seen from the OCC and the Fed. The OCC cited risk management failures when it, along with the Consumer Financial Protection Bureau (CFPB), fined Wells Fargo $1 billion in 2018 in connection with the bank's 2016 fake accounts scandal. The Fed imposed a $1.95 trillion asset cap on the bank that's still in effect.

The structural toll for Citi, however, may be substantial. The OCC's insistence on signing off on any "significant new acquisitions" covers anything beyond "hedging, market making and securitization transactions." Further, the regulator drew attention to a lack of "clearly defined roles and responsibilities" for leaders of Citi's board of directors, and called out the bank's procedures for reporting problems within the bank.

Citi is already undergoing a management change. The threat of regulator reprimand was reportedly a factor in CEO Michael Corbat's decision last month to retire in February and accelerate a transition to CEO-in-waiting Jane Fraser. The 120-day deadline for the Fed's report on management accountability falls right when Fraser is expected to take the top role.