Citigroup : Regulators Prepare to Reprimand Citigroup for Failing to Improve Risk Systems, Sources Say

By David Benoit and Ben Eisen

Federal regulators are preparing to reprimand Citigroup Inc. for failing to improve its risk-management systems -- an expansive set of technology and procedures designed to detect problematic transactions, risky trades and anything else that could harm the bank.

The expected rebuke from the Office of the Comptroller of the Currency and the Federal Reserve accelerated planning for Chief Executive Michael Corbat's retirement, according to people familiar with the matter. Regulators didn't ask Mr. Corbat to step down, the people said. Rather, he came to believe that an expensive, multiyear systems overhaul designed to address regulators' concerns was best left in the hands of his successor, Jane Fraser, they said.

Citigroup on Thursday said Mr. Corbat will retire in February, surprising analysts and investors who expected him to remain in the job for a few more years.

A consent order likely will require Citigroup to develop and execute a plan to fix its risk systems, the people said. Such formal regulatory actions sometimes come with fines or stricter oversight, but it isn't clear what, if any, punishment would be imposed, they said.

"We are completely committed to improving our risk and control environment," a Citigroup spokeswoman said, citing the bank's efforts to strengthen controls, infrastructure and governance. "However, while we have made significant and demonstrable progress in each of these areas, we recognize that we are not yet where we need to be and that has to change."

For years, regulators have privately pressed Citigroup and Mr. Corbat to fix the bank's risk systems, according to people familiar with the matter. A public rebuke would significantly ratchet up the pressure. The Fed and the OCC have many tools at their disposal to address problems out of the public eye. A consent order indicates that those methods didn't achieve the desired results.

Regulators have faulted Citi's management for not giving priority to the risk-management overhaul, the people said. A recent high-profile flub, Citigroup's accidental $900 million payment to creditors of cosmetics company Revlon Inc., was seen as evidence of weaknesses in the system, the people said.

Mr. Corbat, who has run the bank since 2012, had been expected to retire sometime around 2022. Citigroup last year elevated Ms. Fraser to president and put her in charge of its consumer bank, a move that established her as the front-runner to succeed Mr. Corbat.

Mr. Corbat was quietly planning a 2021 exit but hadn't discussed the exact timing with Ms. Fraser or the board, some of the people said. Over the Labor Day weekend, he decided he would retire after closing out 2020, in part because of the work needed to address regulators' concerns, the people said.

In memos to Citigroup staff Thursday, both Mr. Corbat and Ms. Fraser acknowledged that the bank needs to transform its internal systems for risk and compliance.

Mr. Corbat is widely credited with sharpening the bank's focus and reducing its sprawl during his eight years as CEO. Yet the bank has long struggled to convince regulators that it was moving fast enough to address their concerns.

The Federal Reserve in 2014 gave Citigroup a failing grade on its annual stress test, citing the bank's ability to assess risk in its capital planning. The bank revamped its risk models and hired more compliance employees. It hasn't failed the test since.

Citigroup is still operating under consent orders from 2012 and 2013 that required it to improve its anti-money-laundering processes. The OCC fined it in 2017 for failing to comply with the 2012 order.

At issue now is the infrastructure underpinning its broader risk systems, a legacy of a string of deals in the 1990s that transformed the bank into a financial supermarket.

For instance, many of Citigroup's various businesses -- commercial banking, credit cards, corporate-advisory services, to name a few -- run on their own independent systems that have their own methods for tracking customers and transactions. There are hundreds of identification systems inside the bank. A customer doing business with several parts of the bank could have different identification codes for each one.

Banking regulators require banks to track customers across all of their operations. The idea is to catch crimes like money laundering and avoid errors, intentional or otherwise, that could harm customers. While Citigroup is able to keep tabs on customers across its businesses, regulators worry that its mishmash of systems makes it vulnerable to costly and potentially damaging missteps, people familiar with the matter said.

Citigroup in recent months has tried to highlight its efforts to shore up its systems and convince regulators it is taking their concerns seriously.

In January, a Citigroup executive told Bloomberg News the bank would hire 2,500 coders to work on the technology underpinning its investment- and corporate-banking businesses, with an eye toward improving the bank's ability to use the data they generate.

In June, it named a new compliance chief and hired Karen Peetz, the former president of Bank of New York Mellon Corp., to fill the newly created role of chief administrative officer. Ms. Peetz was given authority over broad bank safety projects, including those aimed at improving data, and anti-money-laundering efforts. At the time, Mr. Corbat said she would bring "consistency and clarity" to dealings with regulators.

Mr. Corbat has said the investments, which total $1 billion this year alone, will make Citigroup safer and more competitive.

"One thing has become very clear to me...we need to think about infrastructure and controls very differently," Mr. Corbat wrote to staff in August. "We can't think of them as just something that is important to our regulators."

--Christina Rexrode contributed to this article.

Write to David Benoit at david.benoit@wsj.com and Ben Eisen at ben.eisen@wsj.com