The Office of the Comptroller of the Currency (OCC) has levied fines totalling $460 million on two of the US’s biggest banking groups.
Citibank, part of Citigroup, was fined $400 million on October 7 for failings related to a “long-standing failure to establish effective risk management and data governance programs and internal controls”.
The bank must “broad and comprehensive corrective actions” to address the shortcomings, the OCC said, and will require approvals from the OCC before any significant acquisitions.
Alongside the OCC penalty, parent company Citigroup was also censured by the Federal Reserve Board.
In an analyst report, credit rating Moody’s said the fine reflected Citigroup’s complexity “even after simplification and restructuring” and “despite the bank’s multiyear effort to strengthen its safety and soundness and enhance its regulatory relations”.
“The fine, the need to prioritize control investments and seek special approvals for significant acquisitions will reduce management flexibility and increase costs amid reduced profitability, adding to existing profit pressures in the second half of 2020,” Moody’s said.
However, if it succeeds, the company “will have fortified its operating platform”, the rating agency added.
In a statement last week, Citi said it was carrying out “significant remediation projects” to address the issues and strengthen controls, infrastructure, and governance.
“However, while we have made progress in each of these areas, we recognize that substantial improvement is still required to meet the standards we have set for ourselves and that our regulators expect of us,” the statement said.
The company announced investments totaling more than $1 billion to address the issues identified by the regulators and highlighted the appointment of Karen Peetz as chief administrative officer, who has been tasked with centralizing program management and leading remedial programs.
Separately, on October 8, the OCC fined Morgan Stanley Bank and Morgan Stanley Private Bank a total of $60 million after the companies failed to adequately oversee the decommissioning of two data centers.
The OCC said the banks failed to “effectively assess or address risks” linked to the decommissioning process, including its oversight of a third-party vendor for the project. These failings were then repeated last year when decommissioning network devices storing customer data.
Morgan Stanley told Bloomberg that it had “continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused”. The company has improved its security measures and will continue to do so, it added.
However, Moody’s recently upgraded its rating of Morgan Stanley based on its recently completed acquisition of E*TRADE Financial. The company also announced last week that in intended to acquire the $500 billion asset manager Eaton Vance in a deal worth approximately $7 billion.
The deals served to “tilt” Morgan Stanley’s portfolio “further toward lower-risk, recurring revenue streams from its inherently higher-risk institutional securities segment”, Moody’s said.
Both Eaton Vance and E*TRADE had higher profit margins than Morgan Stanley, the rating agency said, implying that the banking giant would be financially boosted by the purchases.