Syedur Rahman of business crime specialists Rahman Ravelli emphasises the need for effective control systems.
The United States third-largest bank Citigroup has been fined $400 million and ordered to put right serious deficiencies in its risk management systems.
In fining Citigroup, US banking regulator the Federal Reserve told the bank it had to correct the problems it had in areas including data management, regulatory reporting and capital planning. The fine was imposed for the bank’s long-standing failure to remove problems in its risk and data systems.
In a statement, Citigroup said: “We are disappointed that we have fallen short of our regulators’ expectations, and we are fully committed to thoroughly addressing the issues identified. Citi has significant remediation projects under way to strengthen our controls, infrastructure and governance.”
The Federal Reserve and the Office of the Comptroller of the Currency (OCC) – an arm of the US Treasury which supervises banks and which imposed the fine – have been putting pressure on Citigroup for years to tackle its problems. The penalty imposed is large but significantly less than the $1 billion fine the OCC imposed on Wells Fargo in 2018 for its risk management failings.
The main problem identified at Citigroup is the infrastructure in place for identifying risk and protecting customer data. Regulators were concerned that the way various systems were run across the numerous parts of the bank could lead to costly and damaging mistakes being made.
Citigroup has been ordered to create a new board committee to oversee major changes that have been identified as necessary by the regulators and to introduce ways of holding management to account.
It is worth noting that the punishment handed down to Citigroup came within days of the OCC imposing a $60 million penalty on Morgan Stanley for the investment bank’s data protection failings. Both cases are a clear indicator of the major problems and high costs that can result from ineffective controls.
The cases may have their differences but they both underline the fact that strong and effective internal audit functions are necessary for keeping organisations out of trouble. To ignore this or to circumvent this makes it likely that the regulators will take an interest, which could mean serious charges and big fines.