Risk Management Shortfalls Lead to $400 Million Citibank Fine
Federal Reserve Requires Bank's Board to Take Action
The Treasury Department's Office of the Comptroller of the Currency has hit Citibank with a $400 million fine for deficiencies in enterprisewide risk management, compliance risk management, data governance and internal controls.
The OCC is also requiring Citibank to obtain its approval "before making significant new acquisitions." And it says it may "implement additional business restrictions or require changes in senior management and the bank's board should the bank not make timely, sufficient progress in complying with the order."
Meanwhile, the Federal Reserve Board is requiring Citigroup Inc. of New York City, which owns Citicorp, the holding company for Citibank, to submit within three months a plan to address deficiencies in the implementation and execution of "areas of risk management and internal controls, including for data quality management and regulatory reporting, compliance risk management, capital planning and liquidity risk management."
The Fed’s Demands
The Fed says Citigroup’s plan to address deficiencies must cover actions the board will take to ensure senior management:
- Is held accountable for executing effective and sustainable remediation plans;
- Improves and maintains effective and independent enterprisewide risk management and makes sure that internal audit findings are effectively remediated;
- Earns incentive compensation that’s consistent with risk management objectives and measurement standards.
Plus, the board must spell out how it will provide oversight of management’s execution of the matters identified in the Fed's order.
The Fed also is demanding Citigroup conduct a gap analysis of its enterprisewide risk management framework and internal controls systems to determine the enhancements that are necessary to meet the risk management requirements.
In other recent action, the OCC fined Morgan Stanley $60 million for the investment bank's failure to properly oversee the decommissioning of several data centers, putting customer data at risk of exposure (see: Morgan Stanley Fined $60 Million for Data Protection Mishaps).