Two regulators have teamed up to slap Citigroup with a $136 million dollar fine over an alleged failure to make sufficient progress towards compliance with an order to transform its risk management systems.
The Office of the Comptroller of the Currency (OCC) demanded a $75 million payment from Citibank over “deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls.”
“Citibank must see through its transformation and fully address in a timely manner its longstanding deficiencies,” said Acting Comptroller of the Currency Michael J. Hsu.
“While the bank’s board and management have made meaningful progress overall, including taking necessary steps to simplify the bank, certain persistent weaknesses remain, in particular with regard to data,” Hsu added.
"Today’s amendment requires the bank to refocus its efforts on taking necessary corrective actions and ensuring appropriate resources are allocated for this purpose.”
The Federal Reserve Board took a "separate but related action” against Citigroup, the parent company of Citibank, resulting in a $60.6 million fine.
“Citigroup has made insufficient progress remediating its problems with data quality management and failed to implement compensating controls to manage its ongoing risk,” The Fed wrote.
How has Citigroup spent its multi-billion-dollar IT budget?
In an earnings call in April 2024, Jane Fraser, Chief Executive Officer, claimed "transformation is our key priority." She joined Citi in 2021, launching "a multi-year strategy to transform, simplify and modernize the bank for the digital age."
Last year, Citi revealed $13.6bn IT spending plans, which were part of a $54 billion project to transform data, risk, infrastructure and technology processes.
"We're currently deep into a very large body of work, upgrading our data architecture, automating manual controls and processes, consolidating fragmented tech platforms," Fraser said on the earnings call. "And all of these help enhance our business performance more broadly, not just the risk and control in the medium term. As I've said, though, there are a few areas where we are intensifying our processes and data remediation, particularly related to regulatory reporting.
She revealed that expenses were up 11%, with the rise "largely driven by continued investments in technology and product innovation."
READ MORE: Citi retires 6% of its legacy applications – and 20,000 people
Fraser added: "The transformation is a multiyear effort to address issues that have spanned over two decades. We've made steady progress as we retire multiple legacy platforms, streamline end-to-end processes, and strengthen our risk and control environment, all of which are necessary not only to meet the expectations of our regulators but also to serve our clients more effectively. A transformation of this magnitude, well, it's never linear."
Last year, Citigroup retired 6% of its legacy technology applications. In a letter to shareholders, Fraser said its people are "beginning to feel the benefits of the Transformation as we consolidate fragmented technology platforms, upgrade our data architecture and modernize our operating model for the digital age."
In October 2020, regulators hit Citigroup with multiple consent orders, including a $400 million fine for a “long-standing” issue of inadequate internal controls related to compliance, data, and risk management. It also famously sent $900 million to clients by mistake in August 2020.
Tiago Veiga, CEO at Aurum Solutions, told The Stack: “Fines like this don’t just incur a huge financial cost, they also leave banks with a wounded reputation and potential customer losses. The longer that financial institutions leave manual processes in place for back-office functions and data governance, the more likely we are to see repeat penalties for these types of incidents.
“In an increasingly competitive landscape, banks simply can’t afford to take this risk and should take proactive steps to get their back-office in order. They need to replace current ways of working with automated, technology-driven solutions if they want to keep regulators happy.”