Citibank, N.A.
Sioux Falls, South Dakota
In October 2020, the OCC issued a consent order (EA2020-056) against Citibank, N.A. citing significant deficiencies in the bank's risk management, internal controls, and data governance practices. These deficiencies were found to have led to violations of law. The order required Citibank to undertake corrective actions to remediate the identified weaknesses. While Citibank is a national bank rather than a BaaS-specific institution, the order's focus on risk management and data governance has implications for banks engaged in fintech partnerships and third-party relationships. The action followed the widely reported erroneous $900 million transfer incident involving Citibank. No suspension of activities was imposed, but the consent order mandated comprehensive remediation efforts.
Verified from source: This is OCC enforcement action EA2020-056, a PDF document from the OCC's enforcement actions repository. While the PDF content is not fully readable in plain text, the URL and document reference number are consistent with the OCC's consent order against Citibank, N.A. issued in October 2020 addressing risk management, internal controls, and data governance deficiencies.
- Reinforces OCC expectations for robust risk management and internal controls at large banks, setting a benchmark that applies to banks with fintech partnerships
- Highlights data governance as a key supervisory focus area, relevant to BaaS banks managing data across multiple fintech partners
- Signals that operational failures in payment processing and fund transfers will attract enforcement action