Citi has been fined $135.6 million by US regulators for not sufficiently addressing risk management and data governance deficiencies, four years after a cease and desist order was issued against the bank.
The Office of the Comptroller of the Currency (OCC) has amended the initial order and imposed a $75 million fine on Citi, while the Federal Reserve Board has added a $60.6 million penalty due to violations of its 2020 enforcement action.
The OCC initially issued the original order, which included a $400 million fine for Citi’s failure to rectify deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls. This action was based on the bank’s long-standing failure to establish effective risk management and data governance programs.
The order followed Citi’s 2013 consent agreement with the Federal Reserve aimed at improving its anti-money-laundering compliance program, along with a 2015 directive to strengthen compliance and control in foreign exchange activities.
The order required Citi to take prompt action to improve risk management, data governance, and internal controls. However, the recent amendment was prompted by what the OCC describes as the bank’s “failure to meet remediation milestones and make sufficient and sustainable progress.”
Acting Comptroller of the Currency Michael Hsu noted that while the bank’s board and management have made meaningful overall progress, certain persistent weaknesses remain, particularly with regard to data. He emphasized that the amendment requires the bank to refocus its efforts on necessary corrective actions and ensure that appropriate resources are allocated for this purpose.