Banking regulators have walloped Citigroup with a $400 million fine and a freeze on new acquisitions without regulatory approval, and given the bank a long list of improvements to make after years of ineffective risk management and poor internal control.
The rebuke wasn’t unexpected, but is still tough medicine to swallow. Compliance professionals have much to consider here about where Citigroup went wrong and what steps it will need to take to remedy its predicament; enough that Radical Compliance will be doing a series of posts to analyze the case in detail. Let’s get to it.
We begin with a recap of what actually happened this week. The Office of the Comptroller of the Currency and the Federal Reserve reached the settlement with Citi. Technically, the bank was deemed in violation of OCC’s heightened standards for large national banks, as dictated by the Federal Deposit Insurance Act.
More simply: the OCC sanctioned Citi for “the bank’s unsafe or unsound banking practices for its long-standing failure to establish effective risk management and data governance programs and internal controls.” Citi, like any business trying to settle a massive problem, neither admits nor denies the allegations.
Aside from the $400 million fine, Citigroup also must now seek regulatory approval before it makes any significant new acquisitions; create a compliance committee on its board; and implement a host of reforms to its internal risk management and compliance procedures.
To a certain extent, what happened at Citi is a junior varsity version of the misconduct at Wells Fargo. That is, both banks have suffered from poor governance and internal controls. Wells Fargo’s poor systems, however, mixed with a toxic corporate culture that went unchecked for years. Hence we saw numerous high-profile scandals and staggering compliance remediation costs.
Citigroup’s woes are more about poor regulatory reporting, sloppy internal oversight, and other unsexy shortcomings; the OCC and Fed consent orders don’t mention any glaring concerns with Citi’s corporate culture, and those internal system shortcomings never spawned incidents of misconduct on a Wells Fargo scale.
So as one reads through the consent orders, the material is really about how Citi must build better systems, rather than correct flawed corporate culture.
Better Data Governance
The OCC consent order spends a lot of time talking about data governance concerns. That’s no surprise, because the behemoth known as Citigroup ($2.23 trillion in assets) is the result of many acquisitions over the years. So a single customer might have numerous accounts in different parts of the enterprise, each one tracking that customer’s activity using separate technology and different identifier codes. Good luck getting a holistic understanding of risk with that approach.
To remedy that, Citigroup will need to conduct a review of all its data quality, aggregation, and management and regulatory reporting policies, procedures, and processes; and then identify any gaps between those current processes and what OCC expects for effective data governance. Then Citi will need to develop a formal Data Governance Plan (submitted to the OCC for review) to close those gaps.
What has to go into that Data Governance Plan? OCC offered a (long) list:
- Establish clear roles, responsibilities, and accountability for respective front-line units, independent risk management, internal audit, and relevant control functions.
- Identify the skills and expertise needed to execute the plan and any gaps with current staff, along with a program to develop, attract, and retain talent and maintain appropriate staffing levels to fulfill respective roles in the bank’s Data Governance Program.
- Ensure adequate financial resources to develop and implement the plan.
- Establish procedures to notify OCC of any material changes to the budget for the data governance plan, or of any material difference between the budget approved by OCC and what was actually spent.
- Establish and ensure adherence to consistent and comprehensive data policies, procedures, and standards.
- Strengthen procedures and processes for identifying, reporting, monitoring, escalating, and remediating all data quality concerns.
- Strengthen procedures and processes for the continuous improvement of data quality.
- Implement policies, procedures, and processes for identifying and reporting significant exceptions to the Data Governance Program.
- Implement a comprehensive training program on the Data Governance Program for all personnel responsible for data quality, data aggregation, management and/or regulatory reporting.
Hooo boy, that’s quite a To Do list. But when you stare at it for a while, several themes emerge that say a lot about how a large enterprise can build a strong data governance system.
First, Figure Out the People
Notice that the first corrective action OCC demands is to clarify roles and responsibilities, particularly for risk management executives housed in First Line of Defense operating units and the independent risk management function in Citi’s Second Line of Defense.
Folks, it’s always about clear roles and responsibilities. Without that clarity, employees either spend time engaged in turf wars, or go about their jobs assuming somebody in another enterprise silo is taking care of the work the first employee isn’t doing. That’s how risks and remediation go unaddressed.
It’s not our place here to suggest how Citigroup should structure and coordinate its various risk management teams — but for the rest of us, wondering how we can avoid falling into Citi’s predicament, start by answering that question for your own organization. Do we have a clear, agreed-upon division of labor for risk management and quality improvement, so remediation happens promptly?
Only then can you begin to address the issues raised in some of those other OCC bullet points. For example, you can’t implement a training program for data governance if you’re not clear on who is responsible for what parts of data governance. And that’s a tricky issue, because at least some responsibility for data governance resides with the IT department building and maintaining systems; but other parts, such as escalating concerns that systems aren’t capturing a certain type of useful data, might be more the responsibility of First Line operating units or the compliance team.
Use This as an Audit Map
For audit executives wondering how they might assess data governance within their own organization, this OCC demand list also seems like a rich vein of ideas to mine. You can begin by auditing that bigger, enterprise-level question of personnel structure. After that, proceed to all those policy-and-procedure points in the second half of the list.
I’d particularly want to know about procedures to identify and escalate concerns about the quality of data, especially if you’re a highly acquisitive company. Either you need to be really good at integrating acquisitions (which hardly any company is), or you need sharp IT systems to pull together disparate piles of data from various corporate fiefdoms for reliable reporting to senior management (which hardly any company has).
I’d also look closely at systems to identify and report on significant exceptions to your data governance program. Exceptions tell you that either the system isn’t working, because it can’t accommodate certain unusual transactions; or the transaction is something strange that your standard management systems don’t encounter.
Either one is a concern that needs the attention of someone in compliance or risk management. So the true risk here is that nobody knows the exceptions exist, and management blissfully marches on without understanding the full picture of risk.
That’s enough for today. Next post, we’ll look at what OCC wants to see for improvements to the compliance and risk management functions.