Citibank hit with $400M CMP for lax risk management
On October 7, the Office of the Comptroller of the Currency assessed a $400 million civil money penalty against Citibank, N.A, of Sioux Falls, South Dakota, related to deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls.
The OCC took these actions based on the bank’s unsafe or unsound banking practices for its long-standing failure to establish effective risk management and data governance programs and internal controls. This failure also resulted in a violation of 12 CFR Part 30, Appendix D, “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches.”
The bank was also issued a cease and desist order requiring the bank to take broad and comprehensive corrective actions to improve risk management, data governance, and internal controls. The order requires the bank to seek the OCC’s non-objection before making significant new acquisitions and reserves the OCC’s authority to implement additional business restrictions or require changes in senior management and the bank’s board should the bank not make timely, sufficient progress in complying with the order.
The Federal Reserve Board took a separate but related action against Citigroup, the bank’s holding company.
Specific findings in the civil money penalty order identified these deficiencies:
- failure to establish effective front-line units and independent risk management as required by 12 C.F.R. Part 30, Appendix D;
- failure to establish an effective risk governance framework as required by 12 C.F.R. Part 30, Appendix D;
- failure of the Bank’s enterprise-wide risk management policies, standards, and frameworks to adequately identify, measure, monitor, and control risks; and
- failure of compensation and performance management programs to incentivize effective risk management.
The order also stated that Citibank's deficiencies have contributed to violations of laws and regulations and the OCC assessed civil money penalties in 2019 based specifically on violations of the Fair Housing Act, 42 U.S.C. § 3601—19, and its implementing regulation, 24 C.F.R. Part 100; violations of the holding period for other real estate owned, 12 U.S.C. § 29 and 12 C.F.R. § 34.82; and in 2020 based specifically on violations of the Flood Disaster Protection Act, as amended, 42 U.S.C. § 4012a(f), and its implementing regulations, specifically 12 C.F.R. § 22.7(a).