Risk Management Lessons from Government Action Against Citigroup and Citibank

Michael B. Abramson


September 29, 2021


Citibank and its parent corporation Citigroup have a history of problems with their internal controls and fines from the U.S. government, paying hundreds of millions of dollars for violating various laws and regulations. In October 2020, Citibank entered into a consent decree with a fine of $400 million. Citibank and Citigroup previously faced and failed to meet the requirements of multiple consent orders, resulting in other large fines. These can provide lessons for risk management across industries.

Compliance Requirements for Parent Corporations

The federal government assessed that Citigroup had "significant ongoing deficiencies in implementation and execution...with respect to various areas of risk management and internal controls." Parent corporations have a key role in ensuring that their subsidiaries perform accurate and timely compliance, and the steps that Citigroup was supposed to take should be part of any parent company's risk management procedures.

Citigroup was to serve as a "source of strength" to Citibank and provide financial and managerial resources, and its board of directors was also responsible for ensuring that senior management implement an effective compliance program. The company should have conducted "gap analysis of its enterprise-wide risk management framework and internal control systems" regarding "capital planning, liquidity risk management, and compliance risk management." Citigroup then needed to create a remediation plan to deal with any issues raised in the analysis, and had to develop a plan to "enhance its data quality management program, including data governance." Last, Citigroup needed to create a "written plan to enhance its compliance risk management program" which addressed risk factors, existing controls in business lines and testing, and information and data systems. 

Compliance Lessons for Subsidiaries and Companies

The 2020 consent order against Citibank focused on the following areas and can serve as a model for compliance in other organizations:

1. Compliance Committee: This five-member committee (a majority being non-employee and non-officer directors of the bank) oversees the bank's compliance with the consent order, meeting quarterly and submitting a written report to the bank’s board on the corrective actions and reporting of accurate and meaningful data. A committee overseeing compliance is a good practice even if the company is not facing government discipline.

2. Comprehensive Action Plan: The bank needed to create a written plan for implementing the consent order’s recommendations, including: corrective actions, a timeline for their implementation, and the people responsible. The bank was required to report its progress to the board, and the bank's internal audit department assessed this for any deficiencies. Companies need plans for compliance, and internal audit is a critical, but sometimes overlooked, function because companies must ensure that risk management measures are implemented and effective. 

3. Data Governance Program: The government mandated that the bank review and address the gaps in "data quality, aggregation, and management and regulatory reporting policies, procedures, and processes, including its end-user computing processes." The goal for data governance was to "ensure that data, throughout its lifecycle, is accurate, consistent, timely and complete and there is integrity in processing in order to facilitate timely and accurate management and regulatory reporting so that management can take prompt and effective decision-making during normal times and period of stress." An effective data governance program required staff, management, financial resources, training, and effective computer systems. The bank was also required to have "procedures and policies for identifying, reporting, monitoring, escalating, and remediating all data quality concerns." Data is critical even if a company is not in finance, as most companies keep track of customer information, vendor data, etc. A robust data governance program is essential so that this information is not improperly disclosed.

4. Enterprise-Wide Risk Management Program: The government also required the implementation of an "enterprise-wide risk management program." It required that each unit of the bank indicate possible risks, procedures to identify risk, metrics on how to measure risk, strategies to control the risks, and limits on how much risk the bank should be exposed to (i.e., the setting of risk tolerance). Front-line units and independent risk management should ensure "compliance with enterprise-wide corporate policies and laws and regulations." The enterprise-wide risk management program was intended to conform with the bank's risk appetite; risk limits; strategic, capital and liquidity plans; stress testing; and processes for new or modified products or services, with the board given ultimate responsibility for implementing and adhering to the program. Companies should consider their definitions of risk, risk tolerance, and procedures for approaching risk, and apply these principles on a company-wide basis.

5. Compliance Risk Management: The goal of this provision was to establish and adhere "to procedures and processes designed to result in compliance with laws, regulations and enterprise-wide corporate policies." The bank was required to create policies, processes and control systems; employ compliance risk management personnel in both frontline units and independent capacities; monitor and test risk management procedures; update practices to reflect new laws and regulations; train personnel; and create a process to escalate and remediate compliance concerns. These programs should consider the full lifecycle of risk management, including reviewing and testing a program, training, and enacting new rules.

6. Staffing and Technology Resource Assessment: This assessment focused on frontline units, independent risk management and internal audit, and also looked at the number of staff and their skills/expertise. Bank technology needed to "execute and sustain a safe and sound system of internal controls and risk management for control functions." Companies need to budget the resources for compliance functions, necessary employees and technology.

7. Internal Controls: The bank was required to have ways to identify gaps and exposures, analyze them and determine the root cause of problems, and develop remediation plans. These systems also needed the ability to assess whether the problems affected other bank businesses, products, or services. Companies should regularly review their compliance procedures and keep current with rules and best practices for their industries.

8. Board and Management Oversight: The bank was charged to "enhance the effectiveness of oversight by the Board and senior management." It needed to create a system in which employees could raise concerns, the bank could track those complaints, and a senior management risk committee could review them. Companies should not forget that the board will be held responsible for compliance, and as such, it is important that it is regularly briefed on and engaged in risk management.

9. Board Responsibilities: The board was largely responsible for compliance and risk management. The order required the board to “ensure that the Bank has timely adopted and implemented all corrective actions required by this [Consent] Order, and shall verify that the Bank adheres to the corrective actions and they are effective in addressing the Bank's deficiencies that resulted in this Order." This directive required that the board oversee all aspects of the directives: authorization, direction, training, staffing, control systems, governance, execution, review and reporting. The board was also to "address any noncompliance with corrective actions in a timely and appropriate manner." It was responsible for the risk appetite statement, tracking and managing employee complaints, reviewing the project management office to ensure that projects complied with regulatory and internal standards; developing formal guidelines for new products or services; creating a set of actions that the board and audit committee would take to improve oversight of senior management; and ensuring that compensation and incentives aligned with risk management objectives. A board's responsibility for compliance is far-reaching, and board members must be apprised of these duties before they agree to serve.

The Benefits of Implementing Compliance Systems Early

It is unclear why Citibank and Citigroup did not make the improvements mandated in the consent orders. The government likely entered into the orders, rather than pursuing litigation, because it believed that they would more quickly yield a system of compliance that protected Citibank and Citigroup's customers.

The obvious lesson for practitioners is that when a company makes a deal with federal regulators, the company should follow that deal. However, the more subtle takeaway is that compliance should be considered and implemented as early as possible. If it is not, costs can escalate far beyond the original price of compliance. In Citibank and Citigroup's case, aside from a $400 million fine, the companies suffered three other losses: in 2020, Citigroup invested "over $1 billion" in its risk and control environment; in 2021 it planned to increase its spending by 2% to 3%, with most of the increase going toward compliance; and it probably suffered damage to its reputation, likely resulting in existing business leaving and new business going to competitors. Creating effective risk management procedures can be expensive, but it is often cheaper in the long run.

Compliance as More than a Cost Center

Business owners, stockholders and executives often look at compliance with disdain because they see it as a cost center and only a means to satisfy government regulations or protect the business or customers from unlikely events. A successful compliance program, however, can lead to strong business outcomes. The former CEO of Citigroup, Mike Corbat, alluded to this in his August 10, 2020 "Internal Memo to All Employees," quoting race car driver Mario Andretti: "It's amazing how many drivers, even at the Formula One level, think the brakes are for slowing down the car." Andretti meant that the brakes allow one to control the car and thus win the race. Some may view compliance as slowing down an organization, but, in reality, compliance can make an organization go, and develop, faster.

Compliance can grow companies by decreasing costs and generating revenue. Onboarding clients can be faster due to a more efficient review of their transaction history and business. Vendor selection, and the resulting cost savings, can be quicker due to more streamlined risk assessments. Computer systems that "talk" to each other can also be used for cross-marketing and increased sales. Deals can be closed faster due to business unit knowledge of contract requirements, as well as increased efficiency in assessing other companies' risk assessment procedures. Sales and advertising can be more productive because customers want companies that have reputations for data privacy and are not known for money laundering or other nefarious activities. 

At the very least, successful risk management can prevent large penalties, reputational damage, expenses related to creating new risk management systems, and attorney fees for defending lawsuits and interfacing with regulators.

Michael B. Abramson is a lawyer in Atlanta, GA specializing in compliance, transactional work, and commercial litigation.