Key Takeaways From Bank Regulatory Enforcement Actions Against Citi

by Stephen Cutler, Lee Meyerson, Keith Noreika, Adam Cohen, and Spencer Sloan

On October 7, the Office of the Comptroller of the Currency assessed a $400 million civil money penalty against Citibank, N.A. related to deficiencies in enterprise-wide risk management, compliance risk management, data governance and internal controls, and issued a cease and desist order requiring Citibank to take comprehensive corrective actions. Concurrently, the Federal Reserve issued a separate cease and desist order requiring Citibank’s parent, Citigroup Inc., to enhance its firm-wide risk management and internal controls as a result of Citigroup’s failure to adequately remediate “longstanding enterprise-wide risk management and control deficiencies” previously identified by the Federal Reserve in consent orders from 2013 and 2015.

There are a number of noteworthy items in the two orders. Among them:

  1. Significant penalty despite absence of customer harm or bank losses. It is unusual for bank regulators to impose significant civil money penalties for deficiencies in a bank’s risk management and compliance practices without also alleging customer harm or losses to the bank resulting from the deficient practices. The large penalty appears to be in response to Citibank’s failure to address long-standing supervisory concerns.
  2. OCC consent order may be expanded to cover future deficiencies. The OCC’s order provides that the remedial actions required of Citibank can be expanded by OCC staff to cover future deficiencies in “Matters Requiring Attention” or “MRAs” that are substantially related to the items addressed in the order. The potential for a regulator unilaterally to broaden the scope of a consent order raises due process questions and can make it difficult for a bank to achieve compliance with a consent order in a reasonable time frame.
  3. Compliance reporting to Legal. The Federal Reserve’s order requires Citigroup’s general counsel to have overall responsibility for overseeing the compliance function at Citigroup and its subsidiaries, and requires Citigroup to submit a timeline for an orderly transfer of the compliance function under the supervision of the general counsel. Notably, this requirement contrasts with recent trends within the banking industry to house the compliance department under the risk function or have it report directly to the CEO. Whether this is an idiosyncratic response to specific issues at Citigroup, or is indicative of the Federal Reserve’s views on best practices for structuring a compliance department within an organization, remains to be seen.
  4. Restriction on acquisitions. Citibank is required to obtain a written determination of no supervisory objection from the OCC prior to making any significant new acquisitions, including portfolio or business acquisitions, although it may continue to engage in ordinary course transactions (to the extent consistent with recent historical levels) without prior approval.

Stephen Cutler, Lee Meyerson, and Keith Noreika are partners, Adam Cohen is counsel, and Spencer Sloan is an associate, at Simpson Thacher & Bartlett LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.