WASHINGTON — The Office of the Comptroller of the Currency issued a cease and desist order against Citibank N.A. Thursday for violations of the Bank Secrecy Act dating back to 2006.

The order requires Citibank — the main banking subsidiary of Citigroup Inc. (NYSE:C) — to take "comprehensive corrective actions" to improve its BSA compliance program, which the OCC said lacked proper internal controls and independent testing. The regulator also found that Citi failed to develop adequate due diligence on foreign correspondent bank customers, and did not file suspicious activity reports related to remote deposit capture and international cash letter activity in a timely manner.

"The bank has begun corrective action, and has committed to taking all necessary and appropriate steps to remedy the deficiencies identified by the OCC, and to enhance the bank's BSA/AML compliance program," the order said.

Some of the most critical deficiencies also included incomplete identification of high risk customers in multiple areas of the bank, and the inability to assess and monitor client relationships on a bank-wide basis, the order said. Although Citi voluntarily disclosed its failure to adequately monitor remote deposit capture from 2006 through 2010 — leading to its failure to file timely SARs — the OCC found that the bank's independent anti-money laundering audit had failed to identify other systemic deficiencies that the regulator found during the exam.

Citi, which neither admitted nor denied the findings, released a statement Thursday saying the company has taken significant steps in recent years to enhance its anti-money laundering programs and better manage risks across its businesses, products and geographies.

"Because of these actions, many of the issues highlighted in the OCC's order have already been remediated or are in the process of being remediated," the company said. "Furthermore, we are developing a plan to address the remaining OCC requirements."

The bank must submit the plan to the OCC within 60 days, and its compliance committee must provide quarterly progress reports beginning in 90 days detailing the actions it has taken to comply with the order.

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.