
OCC Issues $400 Million Civil Penalty in Consent Order with Citibank Over Risk and Data Governance

On October 7, 2020, the Office of the Comptroller of the Currency (“OCC”) announced that it had assessed a $400 million civil penalty against Citibank, N.A. regarding alleged deficiencies in its enterprise-wide risk management and data governance programs and its internal controls. In particular, the OCC found violations of 12 CFR Part 30, Appendix D (“OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches”). The OCC also issued a cease and desist order requiring the bank to take “broad and comprehensive corrective actions to improve risk management, data governance and internal controls.” The order requires the bank to seek the OCC’s non-objection before making significant new acquisitions and reserves the authority to implement additional business restrictions or require changes in board composition or senior management should the bank not make timely, sufficient progress in complying with the order.

In the consent order, the OCC found the following deficiencies:

  • Failure to establish effective front-line units and independent risk management (12 C.F.R. Part 30, Appx D);
  • Failure to establish an effective risk governance framework (12 C.F.R. Part 30, Appx D);
  • Failure of the Bank’s enterprise-wide risk management policies, standards, and frameworks to adequately identify, measure, monitor, and control risks; and
  • Failure of compensation and performance management programs to incentivize effective risk management.


The order also identified deficiencies, noncompliance with 12 C.F.R. Part 30, Appendix D, or unsafe or unsound practices with respect to the Bank’s data quality and data governance, including risk data aggregation and management and regulatory reporting. The OCC determined that the Board and senior management oversight was inadequate to ensure timely, appropriate action to correct the serious and longstanding deficiencies and unsafe or unsound practices in the areas of risk management, internal controls, and data governance.

The order states that this conduct contributed to other past violations and noncompliance, for which the OCC assessed civil money penalties in 2019. The order further states that the Bank has begun taking corrective action and has committed to taking all necessary and appropriate steps to remedy the identified deficiencies. The OCC penalty will be paid to the U.S. Treasury.

The Federal Reserve Board took a separate but related action against Citigroup, the bank’s holding company.