U.S. regulators have asked Citigroup for urgent changes to the way it measures default risk of its trading partners and the bank’s own auditors have found a plan to improve internal oversight to be lacking, developments that could hinder CEO Jane Fraser’s plans to revive the bank’s fortunes.
Late last year, the Federal Reserve sent Citi three notices directing the bank to address in the coming months how it measures risk of default by counterparties in derivative transactions, a source with direct knowledge of the matter said.
Separately, Citi’s internal audit unit said more work was needed in at least one instance to address problems previously raised by regulators, according to an email seen by Reuters. The work was in response to enforcement actions, called consent orders, that date back to October 2020.
In December, the internal audit unit found some of the work done to improve risk management across the bank to be inadequate, according to the email. The audit unit also found that Citi failed to meet a requirement that it have procedures in place to ensure the board and senior management receive comprehensive reports about risks across the company, the email showed.
Another banking regulator, the Office of the Comptroller of the Currency, also conducted exams in September and October to assess whether Citi had made as much progress on data integrity as it claimed, a source with direct knowledge of the matter said, requesting anonymity to discuss confidential information. Citi failed those exams, forcing it to do additional work, the source said.
The regulatory notices come as the bank works through two 2020 consent orders, in which the Fed and the OCC directed the bank to fix longstanding and widespread deficiencies in its risk management, data governance and internal controls. The enforcement actions followed Citi’s botched transfer of about $500 million to lenders of cosmetics firm Revlon in 2020. Citi has thousands of employees focused on resolving these issues.
The notices from the Fed and the problems with the separate work around the consent orders have not been previously reported. Reuters could not determine the impact these issues have had on Citi’s overall efforts to resolve its regulatory problems.
The new details provide insight into the complexity of the task facing CEO Fraser as she carries out the bank’s biggest overhaul in decades to boost profits and shares, which have lagged peers. The third-largest U.S. lender has been selling businesses and laying off thousands of employees to simplify the bank’s structure.
In a statement to Reuters, Citi said meeting its regulators’ expectations was a top priority, and it was “making steady progress simplifying and modernizing our bank.”
“Like any multi-year effort of this scale, progress isn’t linear and there are important learnings along the way that we’re incorporating into our efforts, including in the areas of regulatory reporting, infrastructure and data enhancement,” the bank said.
Regulatory notices and examinations are standard practices in bank supervision, said a source close to Citi who requested anonymity to discuss confidential regulatory matters.
The Fed and the OCC declined to comment.
Progress on its regulatory issues is crucial for the bank. Regulators have the authority, for example, to limit Citi’s growth and ask for changes in senior management or the board if the bank is not timely at complying with the consent orders.
Julie Hill, a professor at the University of Alabama School of Law, characterized the demand for urgent action from regulators and the incomplete compliance with prior consent orders as serious issues for any bank that could result in tougher and more costly enforcement. Hill was speaking generally about the regulatory process rather than specifically about Citi.
FED NOTICES
The three Fed notices sent to Citi late last year are called Matters Requiring Immediate Attention. The requests typically concern deficiencies and banks can have many outstanding MRIAs at any given time, but they are confidential and rarely come into public view.
The content of the three MRIAs was described to Reuters by a source with direct knowledge of them. They have deadlines of six months to a year, the source said. They instruct Citi to improve its data and governance around how it sets aside capital to account for counterparty credit risks, the source said.
Banks measure the riskiness of their derivatives business to help determine how much capital they need to set aside to withstand potential losses.
One of Citi’s MRIAs has a six-month deadline and relates to data, laying out more than a dozen issues that the bank needs to fix, the source said.
The other two have one-year deadlines. One relates to how Citi uses proxies in calculating counterparty credit risk when the data is not available, and the other relates to governance failings, specifically around lack of clarity over who is responsible in various legal entities of the bank, the source said.
Citi’s two consent orders lay out several major issues that the bank needs to resolve, with work further broken down into smaller steps. Problems with any of the steps can lead to the bank not being able to resolve the main issue even if it has made progress in other areas, according to two sources familiar with the matter.
The finding of Citi’s internal audit unit relates to a “corrective action plan” by the bank to address an issue that appears in both consent orders, calling for the leadership to have better oversight of the bank, the email showed.
The audit email also shows how the work had been delayed. The original due date on the matter was June 30, 2022, but had been revised to Sept. 30, 2023. Under a column titled ‘status’, it said, “Re-Open.”
Subsequently, Citi set a target date of July 31, 2024, to clear the audit, according to one of the sources.
This story originally appeared on CNBC