Citigroup is fined $400 million, must seek U.S. approval for deals

Citigroup Inc. has agreed to pay $400 million and must seek the U.S. government’s sign-off for major acquisitions after federal regulators identified several long-standing problems with its risk controls.

The bank was fined by the Office of the Comptroller of the Currency for what the agency called an ongoing “failure to establish effective risk management and data governance programs and internal controls,” according to a Wednesday statement. The agency also demanded that Citigroup seek its approval before “significant new acquisitions” and reserved the right to require changes in senior management if the company doesn’t act quickly to address its shortcomings.

At the same time, the Federal Reserve issued a cease-and-desist order that directs the lender to “correct practices previously identified by the board in the areas of compliance risk management, data quality management, and internal controls.”

Citigroup shares rose 43 cents, or 1%, to $44.84 in regular trading Wednesday but fell as much as 2% in after-hours trading.

The Fed gave Citigroup a series of deadlines to analyze and report back on how it’s repairing multiple issues. Within 120 days, the bank’s board of directors must submit a report detailing how it will hold senior management accountable and how executive compensation will be “consistent with risk management objectives,” the Fed said.

The orders mean the bank will embark on another round of costly, years-long investments in its risk infrastructure and controls just as Jane Fraser takes the helm as chief executive in February.

“Citi has significant remediation projects underway to strengthen our controls, infrastructure and governance,” the bank said in a statement. “While we have made progress in each of these areas, we recognize that substantial improvement is still required.”

The bank noted that it has made structural changes to better comply with the regulators’ orders, including by hiring Karen Peetz as its new chief administrative officer to “steer these programs to completion.”

The orders come weeks after Citigroup mistakenly sent $900 million to lenders of the cosmetics giant Revlon Inc. The bank ultimately chalked the wayward payment up to employee error, noting that it was in the middle of transitioning to new software for its syndicated loan business.

The ensuing legal battle was an embarrassment for the bank as many of the lenders balked at Citigroup’s pleas to return the funds. For regulators, who began scrutinizing the mistaken payment within days, the incident was illustrative of broader problems at the bank.

“We appreciate the urgency of the tasks at hand, and we are committed to fulfilling our obligations to all of our stakeholders,” Citigroup said in the statement.

The Fed order requires Citigroup to conduct a gap analysis of its companywide risk management framework and controls. Although the bank has already pledged that it would spend $1 billion on improving those systems this year, the order says the lender must use the analysis to determine how to improve processes around three key areas: capital planning, liquidity risk management and compliance risk management.

Citigroup has been plagued for years by issues with its core operating systems, which were cobbled together through the many acquisitions that made the company into a financial behemoth as part of executives’ hopes to turn it into a one-stop financial supermarket in the early 2000s. Decades later, regulators are now requiring the bank to improve the ways it manages data and handles risk.