Finance & Banking , Governance & Risk Management , GRC

Risk Management Shortfalls Lead to $400 Million Citibank Fine

Federal Reserve Requires Bank's Board to Take Action
Risk Management Shortfalls Lead to $400 Million Citibank Fine

The Treasury Department's Office of the Comptroller of the Currency has hit Citibank with a $400 million fine for deficiencies in enterprisewide risk management, compliance risk management, data governance and internal controls.

See Also: Zero Trust Cybersecurity for Federal Agencies: Building an Integrated Approach

OCC is also requiring Citibank to obtain its approval "before making significant new acquisitions.” And it says it may “implement additional business restrictions or require changes in senior management and the bank’s board should the bank not make timely, sufficient progress in complying with the order."

Meanwhile, the Federal Reserve Board is requiring Citigroup Inc. of New York City, which owns Citicorp, the holding company for Citibank, to submit within three months a plan to address deficiencies in the implementation and execution of "areas of risk management and internal controls, including for data quality management and regulatory reporting, compliance risk management, capital planning and liquidity risk management."

The Fed’s Demands

The Fed says Citigroup’s plan to address deficiencies must cover actions the board will take to ensure senior management:

  • Is held accountable for executing effective and sustainable remediation plans;
  • Improves and maintains effective and independent enterprisewide risk management and makes sure that internal audit findings are effectively remediated;
  • Earns incentive compensation that’s consistent with risk management objectives and measurement standards;

Plus, the board must spell out how it will provide oversight of management’s execution of the matters identified in the Fed's order.

The Fed also is demanding Citigroup conduct a gap analysis of its enterprisewide risk management framework and internal controls systems to determine the enhancements that are necessary to meet the risk management requirements.

In other recent action, the OCC fined Morgan Stanley $60 million for the investment bank's failure to properly oversee the decommissioning of several data centers, putting customer data at risk of exposure (see: Morgan Stanley Fined $60 Million for Data Protection Mishaps).

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.