Balch and Bingham’s Data Privacy & Security Observer

OCC Issues $400 Million Civil Penalty in Consent Order with Citibank Over Risk and Data Governance

On October 7, 2020, The Office of the Comptroller of the Currency (“OCC”) announced that it had assessed a $400 million civil penalty against Citibank, N.A. regarding alleged deficiencies in its enterprise-wide risk management and data governance programs and its internal controls. In particular, the OCC found violations of 12 CFR Part 30, Appendix D (“OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches”. The OCC also issued a cease and desist order requiring the bank to take “broad and comprehensive corrective actions to improve risk management, data governance and internal controls.” The order requires the bank to seek OCC’s non-objection before making significant new acquisitions and reserves the authority to implement additional business restrictions or require changes in board composition or senior management should the bank not comply with the order with timely sufficient progress.

Brandon N. Robinson, Balch & Bingham LLP

In the consent order, the OCC found the following deficiencies:

· Failure to establish effective front-line units and independent risk management (12 C.F.R. Part 30, Appx D);

· Failure to establish an effective risk governance framework (12 C.F.R .Part 30, Appx D);

· Failure of the Bank’s enterprise-wide risk management policies, standards, and frameworks to adequately identify, measure, monitor, and control risks; and

· Failure of compensation and performance management programs to incentivize effective risk management.

The order also identified deficiencies, noncompliance with 12 C.F.R. Part 30, Appendix D, or unsafe or unsound practices with respect to the Banks’ data quality and data governance, including risk data aggregation and management and regulatory reporting. The OCC determined that the Board and senior management oversight was inadequate to ensure timely appropriate action to correct the serious and longstanding deficiencies and unsafe or unsound practices in the areas of risk management, internal controls, and data governance.

For more articles on the Financial Industry, Information Governance and Risk Management, and Litigation and Dispute Resolution, visit Balch & Bingham’s Data Privacy & Security Observer.

Author Brandon Robinson is a Partner at Balch & Bingham, a corporate law firm with more than 200 attorneys across offices in Alabama, Florida, Georgia, Mississippi, and DC. Mr. Robinson represents public utilities and energy companies in a wide variety of matters, specializing in issues related to: North American Electric Reliability Corporation (NERC) electric reliability policy and compliance, cybersecurity, smart grid, physical security, electric transportation, smart grid technologies, drones (“UAS”), customer data privacy, Internet of Things (IoT), renewable energy and energy efficiency, negotiating acquisitions and power purchase agreements, Leadership in Energy and Environmental Design (LEED) green building, and issues surrounding government contracts and federal grant compliance.

About Balch & Bingham LLP

Balch & Bingham is a corporate law firm recognized nationally for its deep experience and counsel in regulated industries including energy and financial services, and its highly regarded practices in business, environmental, government relations, healthcare, labor and employment and litigation. The firm includes more than 200 attorneys in offices across the Southeast and Washington, D.C., who are known for a collaborative, multidisciplinary approach. Since its founding in 1922, Balch’s commitment to an uncommon, efficient client experience has remained at the core of its mission. For more information, visit www.balch.com.

No representation is made that the quality of legal services to be performed is greater than the quality of legal services performed by other lawyers. This website, blog or newsletter is made available for educational purposes and is meant to give only general information about the law. See Disclaimers and Terms of Use on our website for more information.