Citibank will pay a civil monetary penalty of $400 million after regulators identified “deficiencies” in its enterprise-wide risk management program.

On October 7, the Office of the Comptroller of the Currency (OCC) announced on its website that the penalty was the result of Citibank having violated 12 CFR Part 30, Appendix D, “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches.”

The OCC specifically found the following shortcomings in Citibank’s risk management efforts:

  • The Bank failed to create “front-line units” as well as processes for carrying out independent risk management. As a result, it failed to comply with multiple laws and regulations.
  • The Bank did not create an effective risk governance framework.
  • The previous risk management policies used by the Bank failed to adequately address risk within the organization.
  • The Bank’s internal controls were not sufficient insofar as they didn’t clearly define roles and responsibilities.
  • The Bank lacked internal audit and control functions with respect to its data governance obligations. In particular, the Bank had not developed a plan to rectify a lack of timely reporting and/or address other data governance weaknesses.
  • The Bank’s Board and senior management oversight were not sufficient to correct the issues discussed above, and it lacked reporting mechanisms to ensure effective oversight.

In response to these failings, the OCC issued a consent order mandating that Citibank pay a civil monetary penalty of $400 million via wire transfer.

The OCC didn’t just impose a fine on Citibank. It also ordered that Citibank, the consumer division of financial services multinational Citigroup, cease and desist from its deficient practices by making changes to its enterprise-wide risk management program. Specifically, it set out the following remediation steps:

Create a Compliance Committee

The Bank will create a “Compliance Committee” consisting of at least five individuals who are not employed by the Bank or its affiliates/subsidiaries. That Committee will be responsible for reporting every 120 days on the Bank’s efforts to take corrective actions related to the Comptroller’s findings for its enterprise-wide risk management program.

Develop a Comprehensive Action Plan

The Bank shall develop a Consent Order Action Plan (COAP) and a Data Governance Plan (DGP) that together will constitute a “comprehensive action plan.” This framework will consist of the corrective actions that the Bank intends to take, a timeline for completing those remediation steps, and the names of those responsible for ensuring those goals are met. Once approved by the Deputy Comptroller, the comprehensive action plan will guide the Bank going forward, with the expectation that the Bank won’t significantly deviate from its course without filing a revised plan. Along the way, it will provide progress reports and complete internal audits to gauge the effectiveness of its efforts in adopting the plan.

Strengthen the DGP

The Bank will assess its current data governance state against the framework intended by the OCC. The results of the assessment, once approved, will form the basis of the Bank’s Data Governance Program (DGP). The DGP shall address data quality throughout the data lifecycle, including its processing for management and regulatory reporting. This plan will include a data governance framework, which will include data policies, procedures, and standards for operations and oversight; a clear explanation of roles and responsibilities; and a redesign of the Bank’s data architecture, processes and systems.

Enhance an Enterprise-Wide Risk Management Plan

The Bank must submit an Enterprise-Wide Risk Management Program (EWRMP) that requires a process for the identification and definition of risks, a profile of the Bank’s risk appetite, and a requirement that each front-line unit adhere to a comprehensive risk-control self-assessment framework. The EWRMP will also include accountability and responsibility documentation for each front-line unit, a training program enabling each front-line unit and independent risk management unit to fulfill its duties, the creation of risk management metrics and written policies, and the formation of policies for reporting potential risks to the Board.

Write a Compliance Risk Management Plan

At the same time that the Bank submits its DGP, it will create an acceptable Compliance Risk Management Plan (CRMP). This strategy will include an effective compliance risk management framework for developing roles, responsibilities and accountability pertaining to front-line units and independent compliance risk management. The Plan will also require that the Bank create policies and processes for updating corporate policies as relevant laws and regulations change in ways that affect the Bank’s products, services, geographies, and/or customers. Further, the Plan will include testing, monitoring, and reporting on compliance with the subject areas noted in the Plan. The Plan will cover all facets of the Bank’s business, including its relationships with third parties.

Improve Its Capital Planning Processes

The Bank will improve its capital planning processes by developing effective governance over its capital planning and calculations. These measures will also help the Bank to more effectively identify and report capital and risk-weighted assets as well as to undergo periodic assessments for keeping its management and reporting in line with its size, complexity, and risk profile.

Enhance Its Internal Controls

The Bank will enhance its internal controls in order to address the concerns identified by regulators and will continue to monitor the existing controls on an ongoing basis. The Bank will perform a root cause analysis of the issues leading to the internal control concerns, develop action plans, implement additional internal controls, and identify whether issues involving its internal controls affect other parts of the business. It will also craft measures to improve internal reporting channels involving the Board.

Submit a Staffing and Technology Resource Assessment

Along with the DGP, the Bank will submit a Staffing Assessment and a Technology Resource Assessment. The former will identify the required number of staff, along with the skills/expertise needed, to execute the Bank’s internal controls and risk management functions, and will set out the Bank’s strategy for addressing gaps/deficiencies. The latter will provide similar information with respect to the organization’s technology resources. Subsequently, the Compliance Committee will use those assessments to evaluate for any deficiencies at least once a year.

Receive Approval for New Acquisitions

The Bank will seek a determination of no supervisory objection from the Deputy Comptroller for any new acquisition, including portfolio and business acquisitions. That request will include certification by a member of the Executive Management Team that the new acquisition will comply with applicable laws and regulations. As part of that process, the Bank agrees not to move forward with any new acquisition until it receives a written determination of no supervisory objection from the Deputy Comptroller.

Augment Its Board and Management Oversight

The Bank will augment the effectiveness of the oversight conducted by its Board and senior management. It will do so by adopting enterprise-wide policies and procedures for tracking employee complaints and for improving the Bank’s project management program. Additionally, the plan will include a description of the actions that the Board and Audit Committee will take to enhance their oversight of the Plans and of senior management, and to sustain the corrective efforts required by the Order.

In response to the OCC’s consent order, as well as a similar action taken by the Federal Reserve Board, Citibank published a statement on its website.

In it, the Bank stated that it was “disappointed that we have fallen short of our regulators’ expectations.” It went on to say that it had launched “significant remediation projects” to address the issues affecting its controls, infrastructure and governance.

“To that end, we have accelerated investments and made structural changes,” Citibank explained in its statement. “This year alone, we will invest over $1 billion in this area…. The entire management team is committed to achieving operational excellence and a best-in-class risk and control environment. We appreciate our regulators’ acknowledgments in the orders that we have begun taking action and are committed to addressing these issues.”

Citibank went on to clarify that the consent orders from OCC and the Federal Reserve Board will not affect its ability to continue to serve its customers and clients amidst COVID-19.

Developing a new and improved risk management program isn’t always easy to do on your own. To do this, organizations need to obtain a clear understanding of the emerging digital and compliance risks that threaten their business and/or industry. With this dynamic understanding, organizations then need to implement a program whose design accommodates those emerging and existing risks and their threat vectors by developing the right controls, metrics and remediation activities. Without the proper streams of threat intelligence or security experience, organizations could fail to consider certain digital threats or dedicate too much time and too many resources to risks that aren’t significant to their business. Either outcome could increase their digital risk and leave them vulnerable to attack.

Fortunately, organizations don’t need to do this alone. ITEGRITI has years of experience helping organizations conduct cybersecurity risk management assessments, conduct gap analyses of their compliance programs and design internal controls. Not only that, but it also offers unique service offerings that help to streamline the process of providing oversight, aligning security needs with business objectives and submitting to third-party audits.

Learn how ITEGRITI can help your organization with its risk management processes today.