Citi Gets $136M Butt-Kick
The compliance drama-rama at Citigroup continues! Regulators just imposed another $136 million in new monetary penalties for the bank’s failure to complete compliance and risk management improvements required by a previous consent order from 2020, which had imposed a $400 million penalty of its own.
So that’s more than half a billion dollars Citigroup is paying for its inability to get compliance, data governance, and risk management issues under control. Even for a bank with more than $2 trillion in assets, that stings. Citigroup serves as a cautionary tale to others not just about making compliance a top priority in large organizations — but also about keeping compliance as a top priority, even while your large organization goes through business transformations or turbulent economic times.
Let’s start with the new fines, announced Wednesday by the Office of the Comptroller of the Currency and the Federal Reserve. “Citibank must see through its transformation and fully address in a timely manner its longstanding deficiencies,” OCC director Michael Hsu said in a statement. “While the bank’s board and management have made meaningful progress overall, including taking necessary steps to simplify the bank, certain persistent weaknesses remain, in particular with regard to data.”
Specifically, OCC and the Fed faulted Citi for failing to comply with several sections of the 2020 consent order related to data quality issues and a comprehensive plan to improve Citi’s overall approach to compliance. Those shortcomings came to light in 2023 after an inspection by Fed examiners.
Under this week’s new order, Citi must now implement a new quarterly review process (the “Resource Review Plan”) to assess (1) whether the bank is devoting enough resources toward “achieving timely and sustainable compliance” with regulators’ demands, and (2) where the bank is falling behind.
Where Citi Went Wrong
If anyone wants to know the full history of that 2020 settlement order, Radical Compliance ran a four-part series on it when the order was first published, including one part specifically devoted to the data quality shortcomings that seem to be at the heart of this mess.
I’m more interested today in why Citigroup (and its U.S. retail bank subsidiary, Citibank) continue to struggle so much with making those improvements. For example, Citi suffered a so-called “fat finger error” in 2022, where an equities trader in London placed a huge sell order by mistake that caused European stock markets to plunge for a few minutes. (The bank paid $78 million to U.K. regulators earlier this year to settle that incident.)
That 2022 flash-crash, caused by poor internal controls, came more than 18 months after Citi’s original 2020 consent order. Yes, Citigroup is a huge and complicated business — but really? Eighteen months after a painful and clear message from regulators to do better, and still this happened? How?
As always, one should begin by looking at the top. Mike Corbat had been Citi’s CEO until September 2020; he resigned just before banking regulators imposed that first consent order and $400 million fine. Jane Fraser, a 20-year veteran of Citi, succeeded Corbat as CEO in March 2021, promising that improvements to the bank’s risk management, internal control, and compliance practices would be her “top priority.”
Maybe Fraser bit off more than she could chew, or maybe she was handed a poisoned chalice; it’s hard to tell. Either way, she clearly has made some progress to fix Citi’s regulatory woes, but not enough.
Some of the challenge seems to be around hiring the right lieutenants and keeping them in place. For example, Fraser had hired Rob Casper, a former chief data officer at JPMorgan, to help with Citigroup’s data governance issues; Casper lasted two years, leaving in May 2023. His successor, Kathleen Martin (who had also worked at JPMorgan), was fired earlier this year and is now suing Citigroup, according to the Financial Times. Martin says in her lawsuit that she was instructed to lie to regulators about the state of the bank’s risk management and data governance efforts. These days the bank’s chief data officer is Japan Mehta, who has been with Citi in various technology leadership roles since 2018.
What about other key risk and compliance personnel? Zdenek Turek was named chief risk officer in 2021, although he held other leadership roles in Citi prior to that. Ditto for Nadir Darragh, who was promoted to chief auditor in 2022. Tom Anderson joined Citi from JPMorgan in June 2021 to be chief compliance officer of Citi’s personal banking unit; he was promoted to chief compliance officer for all of Citi in June 2022.
So perhaps Fraser simply got off to a bad start, hiring Casper and Martin from the outside; and now she has been surrounding herself with data, risk, and compliance executives who have a longer history with Citi. We on the outside can’t really tell. (If anyone on the inside at Citi wants to tell me the scoop confidentially, I’m at [email protected].)
Money, Technology, and Compliance
We should also appreciate the staggering sums of money Citi is spending on technology, lots of it going to these regulatory compliance struggles. The bank spent more than $12 billion on technology in 2023. On an earnings call earlier this year, Fraser had this to say:
“We’re currently deep into a very large body of work, upgrading our data architecture, automating manual controls and processes, consolidating fragmented tech platforms. And all of these help enhance our business performance more broadly, not just the risk and control in the medium term. As I’ve said, though, there are a few areas where we are intensifying our processes and data remediation, particularly related to regulatory reporting.”
What does all that mean at the practical, daily level at Citigroup? We don’t specifically know, but broadly speaking one can assume that means a close look at…
- Redundant systems and redundant data, to see where you could simplify that part of the IT infrastructure;
- Data validation mechanisms, for greater assurance that the data being provided to management and regulators, or being used to guide automated risk management triggers, is correct;
- Internal control design, to find the right combination of automated, preventative controls for risks such as fat-finger errors; and
- Better reporting systems, so senior management in both the First Line operations and Second Line risk management functions can have a more complete, accurate picture of Citi’s risks and regulatory compliance.
The grand question is whether Fraser has the right people in place, both at the senior level and further down the ranks, to tackle those ambitions. It’s been a struggle so far — and a struggle that clearly has exasperated regulators. If Fraser and her team can’t turn those lofty promises on earnings calls into true action that’s visible in regulatory examinations, one wonders what the regulators will impose next.