6 Lessons Learned from a Bank’s $400 Million Mistake

What does it take to get a $400 million civil money penalty for data governance, risk management, and internal controls resulting in unsafe or unsound practices?

That’s what everyone is asking since the Office of the Comptroller of the Currency hit Citibank with a $400 million civil money penalty while the Fed released its own enforcement action against the megabank earlier this month.

The agencies are requiring Citi to take corrective action (beginning at the board level) to remediate an enterprise risk management (ERM) program that has repeatedly failed. Where did Citi go wrong and how can you avoid its mistakes? Here are six lessons learned:

Lesson #1: Correct Deficiencies

The Fed’s enforcement action shows that Citi was not on top of findings management. Both a March 2013 consent order to remediate deficiencies in Citigroup’s anti-money laundering compliance program and a May 2015 order to remediate compliance and control infrastructure deficiencies relating to its foreign exchange program and designated market activities had not been satisfactorily addressed. Systemic failures contributed to violations of the Fair Housing Act and the Flood Disaster Protection Act.

It seems like Compliance Management 101, but it is amazing how often financial institutions fail to correct deficiencies and report on progress. Don’t let findings management slip through the cracks. A transparent, centralized audit and exam findings management program can help you access, manage, and analyze findings in real time.

Lesson #2: Make Sure ERM & Compliance Is Appropriate for Your Size

The OCC says that Citi didn’t implement or maintain an ERM and compliance risk management program, internal controls, or a data governance program commensurate with its size, complexity, and risk profile. As a large bank, Citi is subject to additional requirements and failed to establish:

  • Effective front-line units and independent risk management
  • An effective risk governance framework
  • Policies, standards, and frameworks to adequately identify, measure, monitor, and control risks
  • Compensation and performance management programs to incentivize effective risk management

The regulatory agencies have given financial institutions a lot of flexibility when it comes to risk management and compliance management because they know that one size doesn’t fit all. Rather than dictate exactly how programs should be structured, they instead lay out broad requirements so that FIs can develop programs appropriate for their size, complexity, and risk profile. Don’t mistake flexibility for leniency. The regulatory agencies expect to see a strong enterprise risk management program and the rationale behind it. Enterprise risk management software can help you proactively manage risk.

Lesson #3: The Board Will Be Held Accountable

The Fed’s enforcement action repeatedly mentions that the board needs to do a better job overseeing senior management. That includes:

  • Holding them accountable for meeting remediation deadlines
  • Ensuring the creation and maintenance of effective, independent ERM & findings management programs
  • Aligning compensation with risk management objectives
  • Requiring effective reporting

The OCC says that senior management oversight was inadequate to ensure timely, appropriate actions and its inadequate reporting hindered effective board oversight.

This is a reminder that when senior management fails it means that the board—as overseer of senior management—has failed too. The board needs enough risk and compliance management knowledge to recognize and question management when it appears to be falling short of expectations.

Lesson #4: Compliance is Built on the Fundamentals

The Fed wants Citi to evaluate where compliance went wrong and is telling the bank to go back to the basics. Citi needs to analyze material compliance risks by regulation/law, assess existing controls, develop measures to improve weak controls, and develop a timeline for completion.

The OCC says Citi has to create a compliance committee with at least five members, a majority of whom must be independent board directors. The committee has 120 days to report on quality as well as to provide updates on corrective actions and milestones.

The basis of any compliance program is a compliance management system (CMS). A CMS is how a financial institution learns about its compliance responsibilities, incorporates them into business policies, ensures employees understand them and carry them out, and takes corrective action as needed.


Lesson #5: Don’t Fall into the Gap

The Fed said risk management policies, procedures, and internal controls were stymied by insufficient staff training and expertise, undefined roles, and an inappropriate escalation framework. It’s requiring a gap analysis of these areas to identify weaknesses and remediate them in a timely manner.

This problem could have been avoided if Citi had been proactive about measuring the effectiveness of its ERM and compliance programs. Having a risk management program in place is only half the battle. The other half is having internal controls to make the program effective and then regularly assessing the program’s performance. Make sure you’re regularly auditing your program to uncover weaknesses.

Lesson #6: Risk Management Requires Good Data

The Fed is requiring Citi to ensure it has timely, sufficient data on capital planning, liquidity, and compliance risk management to inform its ERM system and internal controls decisions. That includes how it will assess the accuracy and timeliness of the data.

Risk management informs strategic decision making. When risk management is based on poor data, it does nothing to promote strategic decision making. Make sure you develop and maintain accurate risk indicators and other metrics for risk management.

Until these issues are resolved, the OCC says Citi needs its approval before significant acquisitions. The OCC can also require changes in senior management if the board doesn’t meet progress deadlines.

Make sure your FI avoids Citi’s mistakes with strong findings management.


Michael Berman is the founder and CEO of Ncontracts, a leading provider of risk management solutions. His extensive background in legal and regulatory matters has afforded him unique insights into solving operational risk management challenges and drives Ncontracts’ mission to efficiently and effectively manage operational risk. During his legal career, Mr. Berman was involved in numerous regulatory, compliance, and contract management challenges and assisted in the development of information systems to better manage these efforts. Prior to founding Ncontracts, he was General Counsel for Goldleaf Financial Solutions, Tecniflex, Inc. and Imagic Corporation. Mr. Berman is a well-regarded speaker at financial institution conferences on risk management. He received his undergraduate degree from Cornell University and holds a J.D. degree from the University of Tennessee.