Citigroup Fined $400m for ‘Serious' Deficiencies in Risk Management
US regulators fined Citigroup Inc. $400 million and ordered the nation’s third-largest bank to fix its risk-management systems, citing “significant ongoing deficiencies.”
In a consent order agreed to by the New York bank’s board, the Federal Reserve faulted Citigroup for falling short in “various areas of risk management and internal controls” including data management, regulatory reporting and capital planning. The Office of the Comptroller of the Currency, in a separate consent order, said the fine was punishment for the bank’s “longstanding failure” to remedy problems in its risk and data systems.
The Wall Street Journal earlier reported that the Fed and the OCC were planning to reprimand Citigroup for failing to improve its risk-management systems—an expansive set of technology and procedures designed to detect problematic transactions, risky trades and anything else that could harm the bank.
“We are disappointed that we have fallen short of our regulators’ expectations, and we are fully committed to thoroughly addressing the issues identified in the Consent Orders,” the bank said. “Citi has significant remediation projects under way to strengthen our controls, infrastructure and governance.”
The public rebuke marks a major escalation of regulators’ efforts to get Citigroup to fix its risk systems. For years, the Fed and the OCC have privately pushed Citigroup Chief Executive Michael Corbat to give priority to an overhaul of the systems. Their decision to issue consent orders requiring the changes indicates the pressure they were exerting behind the scenes wasn’t enough.
The reprimand, in the works for several months, accelerated planning for Mr. Corbat’s retirement. Mr. Corbat, who said last month that he would step down in February, felt the expensive, multiyear overhaul was best left in the hands of his successor, Jane Fraser, the Journal previously reported.
The punishment, while substantial, is gentler than the rebuke Wells Fargo & Co. got for weaknesses in its risk-management systems brought to light by its 2016 fake-account scandal. The OCC in early 2018 fined the bank more than $1 billion, and the Fed imposed an unprecedented growth cap on the bank.
At issue at Citigroup is the infrastructure underpinning its systems meant to identify risk and protect customer data.
Many of Citigroup’s various businesses, for example, run on their own independent systems that have their own methods for tracking customers and transactions. There are hundreds of identification systems inside the bank. A customer doing business with multiple parts of the bank could have different identification codes for each one.
Regulators have long fretted that the hodgepodge of systems, a legacy of a string of deals in the 1990s that turned Citigroup into a financial powerhouse, could make the bank vulnerable to costly and potentially damaging missteps. A recent high-profile error—Citigroup’s accidental $900 million payment to creditors of cosmetics company Revlon Inc.—gave credence to their concerns.
The consent orders from the OCC and Fed leave Citigroup with a lengthy to-do list. The regulators ordered the bank to form a new board committee to oversee the risk overhaul and to develop plans for holding management accountable.