Citigroup has successfully resolved key compliance shortcomings identified as part of a 2020 enforcement action but still has work to do to address data management weaknesses, according to federal banking regulators.

Representatives from the Federal Reserve Board and Federal Deposit Insurance Corporation (FDIC) said in a Nov. 22 letter to Citigroup’s board chair and chief executive officer the bank successfully addressed enterprise-wide risk management, compliance, and internal control deficiencies highlighted when it was fined $400 million by the Office of the Comptroller of the Currency (OCC) in October 2020.

Citigroup has “satisfactorily addressed the shortcoming the agencies identified,” the letter said, though the regulators noted improvements are still needed regarding the bank’s data management practices.

In October 2020, the OCC concluded Citibank used “unsafe and unsound” banking practices that led to “long-standing deficiencies” related to the implementation and maintenance of “an enterprise-wide risk management and compliance risk management program; internal controls; or a data governance program commensurate with the bank’s size, complexity, and risk profile.” The bank had promised to address the issues in a 2019 resolution plan it submitted to banking regulators.

The regulators identified “serious weaknesses” in data integrity and with the bank’s data management practices, which could affect the bank’s “ability to recognize the occurrence and severity of financial distress, facilitate provision of support to material legal entities in accordance with the firm’s secured support agreement, and enable the firm to evaluate and initiate bankruptcy proceedings in a timely fashion,” the letter said.

The letter ordered Citigroup to conduct a gap analysis remediation plan, which should outline the bank’s actions to address its data management deficiencies as well as provide a timeline for completion of the plan. The plan must be submitted to regulators by Jan. 31, 2023. The regulators will then review the plan to determine if the current weakness with the bank’s data management program would constitute a deficiency.

“Resolvability is about capabilities, not just passing a paper test. The agencies’ determination regarding Citigroup reflects and reinforces this,” said Acting Comptroller of the Currency Michael Hsu in a statement. Hsu also spoke in his capacity as an FDIC board member.

Citigroup response: In a Nov. 23 statement, Citigroup said it is “pleased that we have addressed the shortcoming identified in the 2019 resolution plan” and that it has made “significant investments in our data integrity and data management.”

“We will leverage that work to remediate the shortcoming identified today, as we acknowledge there is much more work to do,” the bank said.