Citi exits 2024 enforcement action

• Key insight: Citi has been freed from an amended consent order issued by the OCC in July 2024.
  
• What's at stake: The megabank continues to operate under 2020 enforcement actions filed by the OCC and the Fed, which took issue with Citi's long-troubled risk management infrastructure.
  
• Forward look: Citi will focus next year on continuing to improve its data quality management, Chief Financial Officer Mark Mason has said.

Citi has been freed from one of the enforcement actions it's been operating under, a signal that regulators are satisfied with some of the work the bank is doing to clean up its long-troubled risk management programs.

The Office of the Comptroller of the Currency terminated an amended consent order that it filed against Citi in July 2024 for allegedly violating the requirements of earlier consent orders.

The OCC said that it "believes that the safety and soundness of the bank and its compliance with laws and regulations does not require the continued existence of the amendment."

The amended order was a supplement to an October 2020 OCC order, which remains in place. Citi executives have previously said the amended order was related to data quality management issues.

"Our transformation has been our No. 1 priority and we are dedicating the resources necessary to modernize our systems and strengthen our risk and control environment," Citi said Thursday in response to the OCC's action. "Most of our programs are at or nearly at target-state and we are seeing the benefits of improved, standardized, automated and digitized controls."

Citi has been working for five years to free itself from a pair of enforcement actions that required the bank to improve its enterprisewide risk management and internal controls program.

Following a mistaken $900 million payment that Citi made to lenders to the cosmetics company Revlon in the summer of 2020, both the OCC and the Federal Reserve issued consent orders and fined the bank $400 million. The Fed's consent order also remains in place.

Both agencies criticized Citi for certain deficiencies in data governance, risk management and internal controls that led to unsafe and unsound practices. In addition to the $400 million penalty in 2020, the bank was later forced to pay $136 million in fines for violating the 2020 orders.

Anand Selva, Citi's chief operating officer, has been in charge of the remediation of Citi's risk management and internal controls programs since March 2023. Selva, who has worked at the megabank for more than three decades, reports to Citi Chair and CEO Jane Fraser.

The overhaul has been expensive. This year alone, the bank has spent a little less than $3.5 billion on risk-management improvements, Chief Financial Officer Mark Mason said at a recent industry conference. By way of comparison, Citi reported net income of $12.7 billion for all of 2024.

The remediation costs should start to decline since the bank is "roughly two-thirds at, or near completion, in the way of achieving some" of the related target states, Mason said.

The work has involved standardizing controls, replacing manual work with automated processes and improving regulatory reporting, according to Mason.

"I think the area where we're still really pushing for continued progress would be around data and specifically as it relates to [regulatory] reporting," Mason said. The bank has "really leaned in on that" and made "meaningful progress" over the past 12 months, including centralizing oversight and using artificial intelligence and other technology to produce those reports, he said.

"But there's more work that we need to do around there. So that would be an area that I'd say we will have continued focus as we go through 2026 and try to continue to deliver on the progress there," Mason said.