[fusion_builder_container hundred_percent=”no” hundred_percent_height=”no” hundred_percent_height_scroll=”no” hundred_percent_height_center_content=”yes” equal_height_columns=”no” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” status=”published” background_position=”center center” background_repeat=”no-repeat” fade=”no” background_parallax=”none” enable_mobile=”no” parallax_speed=”0.3″ video_aspect_ratio=”16:9″ video_loop=”yes” video_mute=”yes” border_style=”solid” type=”legacy” admin_toggled=”no”][fusion_builder_row][fusion_builder_column type=”1_1″ layout=”1_1″ spacing=”” center_content=”no” link=”” target=”_self” min_height=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” class=”” id=”” background_color=”” background_image=”” background_image_id=”” background_position=”left top” background_repeat=”no-repeat” hover_type=”none” border_color=”” border_style=”solid” border_position=”all” border_radius=”” box_shadow=”no” dimension_box_shadow=”” box_shadow_blur=”0″ box_shadow_spread=”0″ box_shadow_color=”” box_shadow_style=”” padding_top=”” padding_right=”” padding_bottom=”” padding_left=”” margin_top=”” margin_bottom=”” animation_type=”” animation_direction=”left” animation_speed=”0.3″ animation_offset=”” last=”true” border_sizes_top=”0″ border_sizes_bottom=”0″ border_sizes_left=”0″ border_sizes_right=”0″ first=”true” type=”1_1″][fusion_text columns=”” column_min_width=”” column_spacing=”” rule_style=”default” rule_size=”” rule_color=”” content_alignment_medium=”” content_alignment_small=”” content_alignment=”” hide_on_mobile=”small-visibility,medium-visibility,large-visibility” sticky_display=”normal,sticky” class=”” id=”” font_size=”” fusion_font_family_text_font=”” fusion_font_variant_text_font=”” line_height=”” letter_spacing=”” text_color=”” animation_type=”” animation_direction=”left” animation_speed=”0.3″ animation_offset=””]Citibank will pay a civil monetary penalty of $400 million after regulators identified \u201cdeficiencies\u201d in its enterprise-wide risk management program.<\/p>\n
On October 7, the Office of the Comptroller of the Currency (OCC) announced on its website<\/a> that the penalty was the result of Citibank having violated 12 CFR Part 30, Appendix D, \u201cOCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches<\/a>.\u201d<\/p>\n The OCC specifically found the following shortcomings in Citibank\u2019s risk management efforts:<\/p>\n In response to these failings, the OCC issued a consent order<\/a> in which it mandated that Citibank fulfill a civil monetary penalty of $400 million via wire transfer.<\/p>\n The OCC didn\u2019t just impost a fine on Citibank. It also ordered that Citibank, the consumer division of financial services multinational Citigroup, cease and desist<\/a> by making changes to its enterprise-wide risk management program. Specifically, it set out the following remediation steps:<\/p>\n The Bank will create a \u201cCompliance Committee\u201d consisting of at least five individuals who are not employed by the Bank or its affiliates\/subsidiaries. That Committee will be responsible for reporting every 120 days on the Bank\u2019s efforts to take corrective actions related to the Controller\u2019s findings for its enterprise-wide risk management program.<\/p>\n The Bank shall develop a Consent Order Action Plan (COAP) and a Data Governance Plan (DGP) that together will constitute a \u201ccomprehensive action plan.\u201d This framework will consist of the corrective actions that the Bank intends to take, a timeline in which it expects it will complete those remediation steps and the names of those responsible for ensuring those goals are met. Once approved by the Deputy Comptroller, the comprehensive action plan will guide the Bank going forward with the expectation that the Bank won\u2019t significantly deviate from its course without filing a revised plan. Along the way, it will provide progress reports and complete internal audits to gauge the effectiveness of its efforts in adopting the plan.<\/p>\n The Bank will assess its current data governance state from the framework intended by the OCC. The results of the assessment, once approved, will form the basis of the Bank\u2019s Data Governance Program (DGP). The DGP shall incorporate data quality through its lifecycle including its processing for management and regulatory reporting.\u00a0 This plan will include a data governance framework, which will includes data policies, procedures, and standards for operations and oversight; clear explanation of roles and responsibilities; as well as a redesign of the Bank\u2019s data architecture, processes and systems.<\/p>\n The Bank must submit an Enterprise-Wide Risk Management Program (EWRMP) that requires a process for identification and definition of risks, a profile of the Bank\u2019s risk appetite; and an alignment for each front-line unit to adhere to a comprehensive risk-control self-assessment framework. The EWRMP will also include accountability and responsibility documentation for each front-line unit, a training program for each front-line unit and independent risk management unit to fulfill their duties, the creation of risk management metrics and written policies as well as the formation of policies for reporting potential risks to the Board.<\/p>\n At the same time that the Bank submits its DGP, it will create an acceptable Compliance Risk Management Plan (CRMP). This strategy will include an effective compliance risk management framework for developing roles, responsibilities and accountability pertaining to front-line unites and independent compliance risk management. The Plan will also require that the Bank create policies and processes around updating corporate policies as relevant laws and regulations change affecting the Bank\u2019s products, service, geographies, and\/or customers. Further, the Plan would include testing, monitoring, and reporting on compliance with subject areas noted in the Plan. The Plan will cover all facets of the Bank\u2019s business including its relationships with third parties.<\/p>\n The Bank will improve its capital planning processes by developing effective governance over its capital planning and calculations. These measures will also help the Bank to more effectively identify and report capital and risk-weighted assets as well as to undergo periodic assessments for keeping its management and reporting in line with its size, complexity, and risk profile.<\/p>\n The Bank will enhance its internal controls in order to address the concerns identified by regulators and continue to monitor the existing controls on an ongoing basis. The Bank will perform a root cause analysis of the issues leading to the internal control concerns, develop action plans, implementing additional internal controls, and identifying whether issues involving its internal controls affect other parts of the business. It will also craft measures that will help to improve internal reporting channels involving the Board.<\/p>\n Along with the DGP, the Bank will submit a Staffing Assessment and a Technology Resource Assessment. The former will identify the required number of staff along with the needed skills\/expertise to execute the Bank\u2019s internal controls and risk management functions as well as pinpoint the Bank\u2019s strategy for addressing gaps\/deficiencies. The latter will provide similar information with respect to the organization\u2019s technology resources. Subsequently, the Compliance Committee will use those assessments to evaluate for any deficiencies at least once a year.<\/p>\n The Bank will ensure that the Deputy Comptroller provides no supervisory objection to any new acquisitions including portfolio and business acquisitions. That request will include certification by a member of the Executive Management Team that the new acquisition will comply with applicable laws and regulations. As part of that process, the Bank will agree to not move forward with any new acquisition until it receives written determination of no supervisory objection from the Deputy Comptroller.<\/p>\n The Bank will augment the effectiveness of the oversight conducted by its Board and senior management. It will do so by adopting enterprise-wide policies and procedures for tracking employee complaints and for improving the Bank\u2019s project management program. Additionally, the plan will include a description of the actions that the Board and Audit Committee will take to enhance its oversight of the Plans, senior management, and maintain the corrective efforts of the Order.<\/p>\n\n
Corrective Actions to Be Taken<\/h2>\n
Create a Compliance Committee<\/h3>\n
Develop a Comprehensive Action Plan<\/h3>\n
Strengthen the DGP<\/h3>\n
Enhance an Enterprise-Wide Risk Management Plan<\/h3>\n
Write a Compliance Risk Management Plan<\/h3>\n
Improve Its Capital Planning Processes<\/h3>\n
Enhance Its Internal Controls<\/h3>\n
Submit a Staffing and Technology Resource Assessment<\/h3>\n
Receive Approval for New Acquisitions<\/h3>\n
Augment Its Board and Management Oversight<\/h3>\n
Statement from Citibank<\/h2>\n