On October 7, 2020, the Office of the Comptroller of the
Currency (“OCC”) announced that it had assessed a $400
million civil penalty against Citibank, N.A. regarding alleged
deficiencies in its enterprise-wide risk management and data
governance programs and its internal controls. In particular,
the OCC found violations of 12 CFR Part 30, Appendix D (“OCC
Guidelines Establishing Heightened Standards for Certain Large
Insured National Banks, Insured Federal Savings Associations, and
Insured Federal Branches”). The OCC also issued a cease
and desist order requiring the bank to take “broad and
comprehensive corrective actions to improve risk management, data
governance and internal controls.” The order requires
the bank to seek OCC’s non-objection before making
significant new acquisitions and reserves the authority to
implement additional business restrictions or require changes in
board composition or senior management should the bank not comply
with the order with timely, sufficient progress.
In the consent order, the OCC found the following:
- Failure to establish effective front-line units and independent
risk management (12 C.F.R. Part 30, Appx D);
- Failure to establish an effective risk governance framework (12
C.F.R. Part 30, Appx D);
- Failure of the Bank’s enterprise-wide risk management
policies, standards, and frameworks to adequately identify,
measure, monitor, and control risks; and
- Failure of compensation and performance management programs to
incentivize effective risk management.
The order also identified deficiencies, noncompliance with 12
C.F.R. Part 30, Appendix D, or unsafe or unsound practices with
respect to the Bank’s data quality and data governance,
including risk data aggregation and management and regulatory
reporting. The OCC determined that the Board and senior
management oversight was inadequate to ensure timely, appropriate
action to correct the serious and longstanding deficiencies and
unsafe or unsound practices in the areas of risk management,
internal controls, and data governance.
The order states that this conduct contributed to other past
violations and noncompliance, for which the OCC has assessed civil
money penalties in 2019. The order further states that the Bank has
begun taking corrective action and has committed to taking all
necessary and appropriate steps to remedy the identified
deficiencies. The OCC penalty will be paid to the U.S.
The Federal Reserve Board took a separate but related action
against Citigroup, the bank’s holding company.