ORX News Deep Dive: Citibank loses USD 400 million
- 26 November 2020
Download the free Deep Dive from ORX News to find out why Citibank was fined USD 400 million over poor risk management, data governance and control failures. ORX News Deep Dives are a chance to explore specific losses in more detail – they analyse the event, provide information about what happened and explore the risk factors and impacts.
Subscribers to ORX News can request up to three Deep Dives each year for free and access a library of more than 100 Deep Dives. Because of the high amount of interest in, and media coverage of, the Citibank fine, we've made the Deep Dive exploring this event free for you to download.
Deep dive: Citibank pays USD 400 million over poor risk management, data governance and control failures
On 7 October 2020, the US Office of the Comptroller of the Currency (OCC) assessed a USD 400 million civil money penalty against Citibank over longstanding deficiencies in enterprise-wide risk management, compliance risk management, data governance and internal controls. The OCC’s order was accompanied by a separate order from the US Federal Reserve Board (FRB) issued in concurrence.
On 7 October 2020, the OCC announced that it had fined Citibank USD 400 million (EUR 340 million), citing the bank’s “long-standing failure” to institute effective risk and compliance management, data governance and internal controls.
The OCC found that for several years, with some issues dating back to 2013, Citibank had failed to implement and maintain an enterprise-wide risk management and compliance risk program, internal controls, or a data governance program commensurate with the bank’s size, complexity, and risk profile. Specifically, the OCC found that Citibank had not complied with 12 CFR Part 30, Appendix D. This regulation establishes minimum standards for the design and implementation of a covered bank's risk governance framework and minimum standards for the bank's board of directors in providing oversight to the framework's design and implementation of guidelines. These standards are in addition to any other applicable requirements in law or regulation.
Furthermore, OCC investigations established that Citibank had:
- Failed to establish effective front-line units and independent risk management as required by 12 CFR Part 30, Appendix D
- Failed to establish an effective risk governance framework as required by 12 CFR Part 30, Appendix D
- Failed to adequately identify, measure, monitor, and control risks through its enterprise-wide risk management policies, standards, and frameworks
- Failed to incentivise effective risk management through its compensation and performance management programmes
The OCC further identified unsafe or unsound practices with respect to the bank’s internal controls, including an absence of clearly defined roles and responsibilities and noncompliance with multiple laws and regulations.
Citibank’s data governance and data quality were also identified as being deficient. With respect to its data quality and data governance, including risk data aggregation and management, the OCC found that Citibank had also failed to:
- Establish effective front-line units, independent risk management, internal audit, and control functions as required by 12 CFR Part 30, Appendix D
- Develop and execute on a comprehensive plan to address data governance deficiencies, including data quality errors and failure to produce timely and accurate management and regulatory reporting
- Adequately report to the bank’s board on the status of data quality and progress in remediating identified deficiencies
The OCC also determined that the bank’s board and senior management oversight was inadequate to ensure timely, appropriate actions to correct the serious and longstanding deficiencies and unsafe or unsound practices in the areas of risk management, internal controls, and data governance at the bank. Furthermore, inadequate reporting to the bank’s board was determined to hinder its ability to provide effective oversight. The OCC also said Citibank must seek the regulator’s “non-objection before making significant new acquisitions,” according to the statement. The OCC added that it may implement additional business restrictions or require changes in senior management should the bank not address its shortcomings.
Additionally, on 7 October 2020, the FRB announced an enforcement action against Citigroup over the bank’s failure to take prompt and effective actions to correct practices regarding its risk management compliance, data quality management, and internal controls. In particular, the regulator highlighted Citibank’s deficiencies in capital planning and liquidity risk management. However, the FRB decided not to impose a fine on Citigroup in addition to the OCC's USD 400,000,000 penalty. Instead, it gave the bank a series of deadlines to analyse and report back within four months on how it would address the issues, hold senior management accountable and make executive compensation “consistent with risk management objectives”.
The sizeable penalty issued against Citibank by the OCC on 7 October 2020 follows renewed public and regulatory scrutiny of Citibank’s operations after an error led the bank to mistakenly send Revlon creditors USD 900 million of its own funds in August 2020. The bank is currently pursuing legal action against some lenders who are refusing to return the payment.
*Unless otherwise stated, the main sources throughout this Deep Dive are the Office of the Comptroller of the Currency (OCC) Cease and Desist and Civil Penalty Consent Orders of 7 October 2020.
Download the free Deep Dive to find out more about this operational risk event
Although Deep Dives are usually only available to ORX News subscribers, we've made this one freely available. Download it to find out more about the loss event, its impact, the internal and external risk factors involved and what remedial measures were taken.