We finish our examination of the Citigroup enforcement action with a look at the issue most dear to compliance officers’ hearts: compliance risk, and how Citigroup needs to improve its compliance risk management function to meet regulators’ expectations.
First, the backstory. On Oct. 7 the Office of the Comptroller of the Currency levied a $400 million penalty on Citibank, the consumer banking division of Citigroup, along with a long list of corrective actions Citibank needs to make. At the same time, the Federal Reserve imposed its own consent order with Citigroup, the corporate parent. The Fed’s order didn’t include a monetary fine, but did have its own laundry list of reforms Citigroup must make, too.
The sanctions came after years of frustration with Citi, and both consent orders cited four areas where the bank needs major improvement: data governance, enterprise risk management, compliance, and internal controls.
Taken together, the enforcement actions are a wealth of insight about how other risk and compliance professionals might improve their own operations, even if you don’t work in the banking sector. So Radical Compliance has churned out a series of posts, looking at the issues in depth:
- Part I: Data quality and governance issues
- Part II: Better enterprise risk management
- Part III: Better governance at the board level
And this post is Part IV: how Citi can improve its management of compliance risk. Let’s get to it.
Compliance Risk at Citibank
Throughout this series, the OCC consent order against Citibank has proven much more detailed and informative, so we’ll start here.
First, Citibank needs to draft a compliance risk management plan, and submit that to OCC examiners for review. The plan needs to explain how Citibank’s compliance program will achieve numerous goals, most of them standard fare for a corporate compliance program:
- A compliance risk governance framework that establishes the roles, responsibilities, and accountability for front-line units and independent compliance risk management.
- Policies, processes, and control systems within front-line units to assess, measure, and limit regulatory compliance exposures commensurate with the risk profile and risk appetite of the bank.
- Policies, processes, and control systems within independent compliance risk management to assess, measure, aggregate, and limit regulatory compliance exposures commensurate with the risk profile and risk appetite of the bank.
Let’s pause here to consider these first three points. The message is that for effective compliance programs, you first need to define the relationship between the First and Second lines of defense. That is, which compliance duties fall to managers in First Line operations units, and which duties remain with an enterprise-wide compliance function in the Second Line?
OCC made that same point about Citibank’s enterprise risk management function: that each line of defense needs to understand what it’s responsibilities are. It illustrates just how important clear roles and lines of responsibility are for good corporate governance generally.
Second, once those roles and responsibilities are established, each line then needs the proper policies, procedures, and tools to fulfill those duties. I’d love more detail here about just what those policies, procedures, and tools might be; since what’s necessary for the First Line won’t be the same as what’s necessary for the Second Line — especially since part of the compliance function’s job is to monitor the success of the First Line at managing compliance risk on a daily basis.
Anyway, let’s get back to the other compliance program reforms:
- Procedures and processes to ensure that enterprise-wide policies are timely updated on a periodic and as-needed basis to address changes in applicable laws and regulations.
- Enterprise-wide policies and processes to promote effective compliance governance and to develop and maintain an effective change management program to include the bank’s products, services, geographies, and/or customer types.
We can pair together the above two points as well. Both of them drive at the need for a dynamic compliance program, that evolves along with new compliance risks to the business. Sometimes those risks arise from new regulations (the first point above); other times they arise from new ways the company does business (the second point). Regardless, the compliance program needs to be sophisticated enough — especially with development of policy and procedure — to keep pace with those changes.
Which is, incidentally, the primary message in the Justice Department’s latest guidelines on effective compliance programs issued over the summer. Funny how this point keeps cropping up.
And the rest of the OCC’s corrective steps are straightforward, must-have capabilities for any compliance function. All five points below map to the criteria for an effective compliance program dictated by the U.S. Sentencing Guidelines:
- An independent monitoring and testing function supported by sufficiently skilled staff and resources that provides risk-based scope and coverage to provide credible challenge and escalation of issues identified by front-line units.
- A program to provide for effective third-party compliance risk management.
- Compliance information systems to measure, track, and report risk.
- Procedures and processes for identifying, reporting, escalating, and remediating significant compliance concerns, and for documenting the identification, reporting, escalation, and remediation of such concerns.
- A comprehensive training program for front-line units, independent compliance risk units, and internal audit staff.
What we don’t know is how off-course Citibank’s compliance risk management program had previously been, if these are the goals that Citibank needs to achieve now. If anyone out there has insight into what Citibank had been doing in recent years, drop me a line at [email protected].
Meanwhile, at the Fed
The Fed’s consent order directs Citigroup to submit a plan for revamping its compliance risk management program too. This order isn’t nearly as exacting as what OCC served to Citibank; it’s more about an analysis of risk factors, assessment of control systems’ effectiveness, improvements that should be made, and so forth.
The one point in the Fed’s order that did jump out at me (emphasis added):
A provision that Citigroup’s general counsel shall have overall responsibility for oversight of the compliance function at Citigroup and its subsidiaries, and a timeline that provides for an orderly transfer of the compliance function under the general counsel that will be carried out in coordination with all other aspects of this plan.
Um, wow. For years and years we’ve talked about the importance of a strong, independent compliance function, where the chief compliance officer answers directly to the board or the CEO — and along comes the Fed, contradicting that message in a single sentence.
I don’t get the logic here. Compare it to the OCC order, which talks at length about the importance of empowered, independent compliance and risk management functions. The OCC never expressly says, “So don’t make your general counsel the chief compliance officer,” but that prohibition seems implicit in the whole idea of a strong, independent compliance function — unless you believe that compliance is only about regulatory compliance, without any consideration for ethics and good corporate conduct generally.
Then again, we are talking about a Wall Street bank. So who knows.
This general counsel stipulation does leave me wondering about Mary McNiff, chief compliance officer for Citigroup right now. McNiff assumed the CCO role in June, after a year as CEO of Citibank — yes, the same Citibank that OCC just raked over the coals. At Citibank, McNiff “led project management of significant Citi-wide remediation initiatives,” as her biography says. Clearly OCC believes Citibank has more to do on that front.
Prior to her stint as head of Citibank, McNiff was chief auditor for Citigroup. She’s also held various other roles at the bank since she joined in 2012, mostly in audit, administration, or special projects involving risk frameworks and transformation.
Still, the Fed says Citigroup’s general counsel must have ultimate responsibility for compliance. That person is Rohan Weerasinghe, who has held the role since 2012.
So I’ll be curious to see how that all shakes out.