What does it take to get a $400 million civil money penalty for data governance, risk management, and internal controls resulting in unsafe or unsound practices?
That’s what everyone is asking since the Office of the Comptroller of the Currency hit Citibank with a $400 million civil money penalty while the Fed released its own enforcement action against the megabank earlier this month.
The agencies are requiring Citi to take corrective action (beginning at the board level) to remediate an enterprise risk management (ERM) program that has repeatedly failed. Where did Citi go wrong and how can you avoid its mistakes? Here are six lessons learned:
Lesson #1: Correct Deficiencies
The Fed’s enforcement action shows that Citi was not on top of findings management. Both a March 2013 consent order to remediate deficiencies in Citigroup’s anti-money laundering compliance program and a May 2015 order to remediate compliance and control infrastructure deficiencies relating to its foreign exchange program and designated market activities had not been satisfactorily addressed. Systemic failures contributed to violations of the Fair Housing Act and the Flood Disaster Protection Act.
It seems like Compliance Management 101, but it is amazing how often financial institutions fail to correct deficiencies and report on progress. Don’t let findings management slip between the cracks. A transparent, centralized audit and exam findings management program can help you access, manage, and analyze findings in real-time.
Lesson #2: Make Sure ERM & Compliance Is Appropriate for Your Size
The OCC says that Citi didn’t implement or maintain an ERM and compliance risk management program, internal controls, or a data governance program commensurate with its size, complexity, and risk profile. As a large bank, Citi is subject to additional requirements and failed to establish:
- Effective front-line units and independent risk management
- An effective risk governance framework
- Policies, standards, and frameworks to adequately identify, measure, monitor, and control risks
- Compensation and performance management programs to incentivize effective risk management
The regulatory agencies have given financial institutions a lot of flexibility when it comes to risk management and compliance management because they know that one size doesn’t fit all. Rather than dictate exactly how programs should be structured, they instead lay out broad requirements so that FIs can develop programs appropriate for their size, complexity, and risk profile. Don’t mistake flexibility for leniency. The regulatory agencies expect to see a strong enterprise risk management program and the rationale behind it. Enterprise risk management software can help you proactively manage risk.
Lesson #3: The Board Will Be Held Accountable
The Fed’s enforcement action repeatedly mentions that the board needs to do a better job overseeing senior management. That includes:
- Holding them accountable for meeting remediation deadlines
- Ensuring the creation and maintenance of effective, independent ERM & findings management programs
- Aligning compensation with risk management objectives
- Require effective reporting
The OCC says that senior management oversight was inadequate to ensure timely, appropriate actions and its inadequate reporting hindered effective board oversight.
This is a reminder that when senior management fails it means that the board—as overseer of senior management—has failed too. The board needs enough risk and compliance management knowledge to recognize and question management when it appears to be falling short of expectations.
Lesson #4: Compliance is Built on the Fundamentals
The Fed wants Citi to evaluate where compliance went wrong and is telling the bank to go back to the basics. Citi needs to analyze material compliance risks by regulation/law, assess existing controls, develop measures to improve weak controls and develop a timeline for completion.
The OCC says Citi has to create a compliance committee with at least five members with majority independent board directors. The committee has 120 days to report quality as well as updates on corrective actions and milestones.
The basis of any compliance program is a compliance management system (CMS). A CMS is how a financial institution learns about its compliance responsibilities, incorporates them into business policies, ensures employees understand them and carry them out, and takes corrective action as needed.
Lesson #5: Don’t Fall into the Gap
The Fed said risk management policies, procedures, and internal controls were stymied by insufficient staff training and expertise, undefined roles, and an inappropriate escalation framework. It’s requiring a gap analysis of these areas to identify weaknesses and remediate them in a timely manner.
This problem could have been avoided if Citi had been proactive about measuring the effectiveness of its ERM and compliance programs. Having a risk management program in place is only half the battle. The other half is having internal controls to make the program effective and then regularly assessing the program’s performance. Make sure you’re regularly auditing your program to uncover weaknesses.
Lesson #6: Risk Management Requires Good Data
The Fed is requiring Citi to ensure it has timely, sufficient data on capital planning, liquidity, and compliance risk management to inform its ERM system and internal controls decisions. That includes how it will assess the accuracy and timeliness of the data.
Risk management informs strategic decision making. When risk management is based on poor data, it does nothing to promote strategic decision making. Make sure you develop and maintain accurate risk indicators and other metrics for risk management.
Until these issues are resolved, the OCC says Citi needs its approval before significant acquisitions. The OCC can also require changes in senior management if the board doesn’t meet progress deadlines.
Make sure your FI avoids Citi’s mistakes with strong findings management. Download our whitepaper Best Practices for Tracking Audit & Exam Findings for insights into how to leverage findings as a risk management tool.