The US Office of the Comptroller of the Currency has levied a $400 million civil money penalty on Citibank for bad enterprise-wide risk management, compliance risk management, data governance, and internal controls.

Citigroup Inc owns and controls Citibank and various non-banking subsidiaries and the Federal Reserve System is the group's regulator. The OCC, meanwhile, has supervisory authority over Citibank. The Fed has published a cease-and-desist order against the group, exhorting it to correct several longstanding deficiencies by improving its firm-wide risk management and internal controls. The OCC has issued its fine in a freshly-published consent order.

A brief litany of remonstrances

For several years, according to the OCC, the bank failed to set up and run an enterprise-wide risk-management regime, a regime for managing compliance risk, a regime for 'governing' data and internal controls that were commensurate with its size, complexity and risk profile. The bank, while accepting the penalty, has neither confirmed nor denied the accusations.

Without going into much detail, the OCC says that the bank:

• failed to establish effective front-line units and independent risk management as required by 12 CFR Part 30, Appendix D;
• failed to establish an effective risk governance framework as required by the same law;
• failed in its enterprise-wide risk-management policies and standards by failing to measure, monitor and control risks; and
• failed in its management of compensation and performance to 'incentivise' effective risk management.

On top of all this, the OCC has decided that the bank's board and senior management oversight is inadequate to ensure that timely, appropriate action to correct these deficiencies and other unsafe practices in the areas of risk management, internal controls and data governance. It believes that inadequate reporting to the board makes it harder for it to oversee things.

Remediation

As a consequence, a good four-fifths of the order concern the remedial steps that the OCC expects the bank to take.

Within 15 days of the order, the board is obliged to appoint a Compliance Committee of at least five very senior people. Its job will be to oversee the bank's compliance with the order. The committee must send the OCC progress reports every three months or so. The examiner-in-charge to whom the board's submissions go is to be Greg Sullivan, an OCC man.

The board has to submit a comprehensive action plan to Sullivan, detailing the corrective actions that it is taking and a timetable. The OCC can force it to change this plan at any time. It must also hand Sullivan an acceptable Enterprise-Wide Risk Management Plan.

Within 120 days, the bank must analyse the quality of its data, aggregation, management and regulatory reporting policies, procedures and processes, including its End-User-Computing  processes, to spot all avenues for improvement that it or the OCC has identified, sending Sullivan a report.

It must also come up with a plan that contains a comprehensive data governance policy, an operating model and a plan for "management oversight" that must: (i) establish clear responsibilities and accountability for front-line units, independent risk management, internal audit, and relevant control functions;  (ii) identify the skills and expertise needed to execute the plan and any 'gaps', along with a plan to develop, attract and retain talent and maintain appropriate staffing levels to help it 'govern' data properly; (iii) provide adequate financial resources to do this; (iv) establish and ensure adherence to consistent and comprehensive data policies, procedures, and standards; (v) strengthen procedures and processes for identifying, reporting, monitoring, escalating and remediating all concerns about data quality; (vi) strengthen procedures and processes for the continuous improvement of data quality; (vii) implement policies, procedures, and processes that spot and report significant exceptions to something that the OCC calls "the Data Governance Programme" and other things; and (viii) organise training to do with this programme for all people who are responsible for data quality, data aggregation, management and/or regulatory reporting.

The OCC is also calling for a thorough redesign of data architecture, a re-engineering of processes and the modernisation of system applications and the bank's information technology infrastructure.

The Enterprise-Wide Risk Management Programme must include 'enhancements' that result (among many other things) in a programme in each front-line unit and independent risk management unit to measure and control risks consistent with the bank’s risk-appetite statement, concentration risk limits, strategic, capital and liquidity plans, stress testing and processes for approving new or modified products or services. 

The bank must submit a Compliance Risk Management Plan to Sullivan as well. This must be clear about who is responsible for what and at least some compliance risk management must be 'independent,' presumably of the bank. There has to be a programme - by which the OCC presumably means some kind of plan of action - to provide for effective third-party compliance risk management - an unexplained phrase that the OCC never mentions again.

The bank is also charged with improving its capital planning processes. It must develop and adhere to effective ways of 'governing' capital planning and calculations, report capital and risk-weighted assets appropriately, and assess its capital calculations and management and regulatory reporting periodically to ensure that these things take into account its size, complexity and overall risk profile.

Internal controls must also improve. At the same time, the bank is obliged to come up with a "staffing assessment" that relates to its front-line unit functions that are responsible for risk management and its internal audit function.

The order requires the bank to seek the OCC’s approval (or, as it puts, it, 'non-objection') before making significant new acquisitions. At any time, the OCC might impose restrictions on an acquisition or require changes at senior level and even on the board if the bank fails to keep it abreast of matters.

Then there has to be a Technology Resource Assessment for the bank’s control functions that will allocate money to technological projects. This assessment must identify the number and types of technological resources that the bank needs to have a safe and sound system of internal controls and risk management for control functions. It must spot gaps in the number and/or types of resources currently allocated to control functions. This threatens to become the largest drain on the bank's resources out of all the provisions in the order.

The wrath of the Fed

Citigroup, meanwhile, is required to maintain an enterprise-wide risk management programme to identify and manage risks across the whole of its purview and not just at Citibank. The Fed's most recent supervisory assessment has spotted long-standing deficiencies with respect to various areas of risk management and internal controls which include data quality management, regulatory reporting, compliance risk management, capital planning and liquidity risk management. The Fed had previously identified these problems but Citigroup had not fixed them. It had also slapped the group with a consent order in 2013 which ordered the group to improve its anti-money laundering compliance, followed by another consent order in 2015 which obliged the group to improve its compliance and control infrastructure that dealt with its foreign exchange operations and designated market activities. The group, according to the Fed, did not make these improvements.

Within 120 days of the cease-and-desist order, Citigroup’s board of directors has to submit a written plan that the Fed finds acceptable that describes the actions that it will take to execute its obligations under the order. Deadlines abound.

This particular order goes into no detail at all about the problems at Citigroup, merely exhorting the group to clear up all the problems that it promised to handle in its previous commitments. It has to set out the following.

• Actions that the board of directors will take to hold senior management accountable for keeping to deadlines.
• Actions that the board will take to ensure that senior managers improve enterprise-wide risk management and see to it that the findings of internal auditors are acted upon.
• Actions that the board will take to ensure that senior managers' pay incentives are consistent with risk management objectives and measurement standards.
• Actions that the board will take to make sure that it can oversee progress.

Risk management and internal controls

Citigroup has to meet the risk management requirements set forth in Regulation YY of the Board of Governors (12 CFR § 252.33) with respect to capital planning, liquidity risk management and compliance risk management.

Citigroup has to submit a written plan to the Fed on this last subject, which its General Counsel has to review first. The plan has to include:

• a detailed analysis of the most pressing risk factors related to US laws and regulations that apply to the group;
• an assessment of existing controls, including business-line controls and testing processes, to ensure that they comply with the law;
• measures to improve such controls wherever they are needed;
• improvements to management information systems, data and reports provided to Citigroup’s board of directors about compliance; n timelines for implementing the plan;
• measures for managing and controlling Citigroup’s compliance risks until the plan is consummated; and
• a provision that obliges Citigroup’s General Counsel to oversee the compliance function at Citigroup and its subsidiaries, for the time being. Progress reports are de rigeur.