Citibank’s parent company, Citigroup, disclosed this year that an astounding 15 percent of its employees are now categorized as “risk, regulatory, and compliance staff,” up from 4.3 percent about ten years ago. And yet last week, the Office of the Comptroller of the Currency (OCC) fined Citibank $400 million for multiple risk management and compliance-related deficiencies. What gives?
The OCC described Citibank’s “unsafe or unsound banking practices for its long-standing failure to establish effective risk management and data governance programs and internal controls.” The Federal Reserve brought a parallel enforcement action against the parent Citigroup for the same offenses.
With 30,000 risk and compliance-related personnel (let that number sink in), how did Citigroup and the bank fall short in so many ways?
For several years, Citibank failed to “implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program” commensurate with its size, complexity, and risk profile, the OCC said.
One underlying cause: The failure of Citibank’s “compensation and performance management programs to incentivize effective risk management.”
Citibank’s conduct “contributed to violations of laws and regulations,” the OCC said. The regulator ordered America’s third-biggest bank to take numerous corrective actions.
As part of the corrective actions, Citibank must:
- Create an enterprise-wide risk management and compliance risk management program.
- Establish effective front-line units and independent risk management as required by federal law.
- Adopt a data governance program to identify all gaps in its current data governance and what corrective actions are needed to plug the gaps.
- Establish a compliance committee of at least five board members, with a majority of outside directors, to monitor and report on the OCC-mandated corrective actions.
- Obtain prior OCC clearance for “any significant new acquisitions, including portfolio or business acquisitions.”
Before last week’s enforcement action, Citibank had assembled an army of risk and compliance personnel. But did mass hirings improve Citibank’s performance? Or did the hirings amplify its “unsafe or unsound” banking practices? Without a consistent enterprise-wide approach to key risk and compliance functions, or a properly incentivized management group, it’s fair to ask if adding risk and compliance personnel confused the mission even more.
Why did Citigroup dramatically swell its risk and compliance ranks? The latest annual report cites “extensive and frequently changing regulatory and legislative requirements,” along with “heightened regulatory scrutiny and expectations in the U.S. and globally for large financial institutions.”
The 331-page annual report also refers to “changing or conflicting regulatory guidance, legal challenges or legislative action to modify or repeal existing rules or enact new rules . . . resulting in large volumes of regulation and potential uncertainty [about what’s] required in order to be in compliance.”
One result of the hiring spree: cost pressures. Again from the annual report:
“Increased and ongoing compliance requirements and uncertainties have resulted in higher costs for Citi . . . These higher compliance costs can require management to incur additional expense, including potentially away from ongoing business investment initiatives.”
A final note: FCPA Tracker shows Citigroup has disclosed two ongoing investigations involving potential corruption-related issues.
FIFA. The DOJ sent subpoenas to Citibank in its investigation of alleged bribery, corruption, and money laundering involving FIFA, “and the potential involvement of financial institutions in that activity,” Citigroup said.
Princelings. The SEC and other agencies are investigating or “making inquiries” about hiring candidates referred by or related to foreign government officials.
Citigroup said it is cooperating with both investigations.