Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

At Large: For Citibank, how many compliance officers are enough?

Citibank’s parent company, Citigroup, disclosed this year that an astounding 15 percent of its employees are now categorized as “risk, regulatory, and compliance staff,” up from 4.3 percent about ten years ago. And yet last week, the Office of the Comptroller of the Currency (OCC) fined Citibank $400 million for multiple risk management and compliance-related deficiencies. What gives?

The OCC described Citibank’s “unsafe or unsound banking practices for its long-standing failure to establish effective risk management and data governance programs and internal controls.” The Federal Reserve brought a parallel enforcement action against the parent Citigroup for the same offenses.

With 30,000 risk and compliance-related personnel (let that number sink in), how did Citigroup and the bank fall short in so many ways?

For several years, Citibank failed to “implement and maintain an enterprise-wide risk management and compliance risk management program, internal controls, or a data governance program” commensurate with its size, complexity, and risk profile, the OCC said.

One underlying cause: The failure of Citibank’s “compensation and performance management programs to incentivize effective risk management.”

Citibank’s conduct “contributed to violations of laws and regulations,” the OCC said. The regulator ordered America’s third-biggest bank to take numerous corrective actions.

As part of the corrective actions, Citibank must:

  • Create an enterprise-wide risk management and compliance risk management program.
  • Establish effective front-line units and independent risk management as required by federal law.
  • Adopt a data governance program to identify all gaps in its current data governance and what corrective actions are needed to plug the gaps.
  • Establish a compliance committee of at least five board members, with a majority of outside directors, to monitor and report on the OCC-mandated corrective actions.
  • Obtain prior OCC clearance for “any significant new acquisitions, including portfolio or business acquisitions.”

Before last week’s enforcement action, Citibank had assembled an army of risk and compliance personnel. But did mass hirings improve Citibank’s performance? Or did the hirings amplify its “unsafe or unsound” banking practices? Without a consistent enterprise-wide approach to key risk and compliance functions, or a properly incentivized management group, it’s fair to ask if adding risk and compliance personnel confused the mission even more.

Why did Citigroup dramatically swell its risk and compliance ranks? The latest annual report cites “extensive and frequently changing regulatory and legislative requirements,” along with “heightened regulatory scrutiny and expectations in the U.S. and globally for large financial institutions.”

The 331-page annual report also refers to “changing or conflicting regulatory guidance, legal challenges or legislative action to modify or repeal existing rules or enact new rules . . . resulting in large volumes of regulation and potential uncertainty [about what’s] required in order to be in compliance.”

One result of the hiring spree: cost pressures. Again from the annual report,

Increased and ongoing compliance requirements and uncertainties have resulted in higher costs for Citi . . . These higher compliance costs can require management to incur additional expense, including potentially away from ongoing business investment initiatives.

A final note: FCPA Tracker shows Citigroup has disclosed two ongoing investigations involving potential corruption-related issues.

FIFA. The DOJ sent subpoenas to Citibank in its investigation of alleged bribery, corruption, and money laundering involving FIFA, “and the potential involvement of financial institutions in that activity,” Citigroup said.

Princelings. The SEC and other agencies are investigating or “making inquiries” about hiring candidates referred by or related to foreign government officials.

Citigroup said it is cooperating with both investigations.

Share this post



  1. Its not the number of compliance officers you have, or whether you have a wonderfully drafted code of conduct, etc. Its about the mindset of the people who are on the ground and on the frontline. The question they need to ask all the time is: what is the ethical dimension to the situation I am facing right now? They need to understand that ethics and compliance is not about the shiny new code of conduct, or the number of compliance sub committees there are. Its about the foot soldiers, the foxholes and the front line. Wars are not fought and won by weapons. They are fought and won by people who use the weapons the right way, and fight to win, not just to survive. Ethics and compliance will always fall short if we look in the wrong places or think that more structures, more codes, more regulations, more committees, more pledges, will fix the problem.

  2. I did let that sink in. 30,000 is a farce. It is emblematic of an improperly designed and most likely ineffective compliance function. Give me one good compliance analyst, and there are very few, a little tech and you can design something effective. Irrespective of the complexity of legal/regulatory environment.

  3. This reminds me of the old joke about lawyers and lightbulbs. I repeat it here for any who haven’t heard it:

    Question: How many lawyers does it take to screw in a lightbulb?

    Answer: How many can you afford?

  4. It’s a real shame this problem exists for citi as it is a good bank I have had experience with all my life. Some of the complexity has to do with it being a global bank versus the other of the big 4 who are U.S. centric. We look at the P/E and forward P/E of tech firms and it is astounding citi is in the single digits and with a tangible book value 60% more than share price.

    Citi would be wise to streamline its business and reduce its focus to what will be most profitable and consistent. It can keep its China business as it is now licensed by Beijing, but it should sell its other global operations. It does well with trading and maybe should build up its investment bank (it unfortunately lost smithbarney to MS).

    Citi has the opportunity to capture the fintech growth if it utilizes it in its operations and invests in promising companies. PayPal has double the market cap as citi. Maybe lending money is worth the effort in the grand scale that it does.

Comments are closed for this article!