OCC fines Citibank US$70 million for failure to comply with AML consent order

Chris Hamblin

9 January 2018

The order for the penalty was signed last month but released to the public in the last few days. The bank neither admits nor denies the findings. The OCC, for its part, is silent about the ways in which the bank has failed to observe the previous order, preferring merely to state - in a distinctly unlettered fashion - that the bank "has not timely achieved compliance" with it.

An OCC examination (regulatory visit) in 2012 found that the bank's efforts to comply with the Bank Secrecy Act 1970 were lacking and that it had also contravened 12 CFR § 21.11 (Suspicious Activity Report Filings); and 31 USC § 5318(i) and its implementing regulation, 31 CFR § 1010.610 (Correspondent Banking). The CFR is the US Code of Federal Regulations and the USC is the US code of both civil and criminal laws.

The 'customer due diligence process' for which the order of 2012 calls is comprehensive and the bank may or may not have failed to observe it. It obliges the bank to do the following.

Keep information regarding the relationships of clients with the bank, all lines of business at the bank and all bank subsidiaries. This includes accounts in other lines of business, regions, and countries (as permitted by jurisdiction).
Set up an electronic 'due diligence' database that is readily accessible to relationship managers, AML compliance personnel, suspicious activity monitoring alert analysts and investigators, and quality control personnel. CDD ought to be updated periodically to take stock of changes in the customer’s behaviour, activity profile, derogatory information, periodic reviews of the customer relationship, or other factors that affect the AML risks he poses. The details of CDD updates must be written down and subject to quality assurance processes. The client relationship AML risk score ought to be detailed in the customer due diligence record, along with the supporting factors, including transaction activity, the countries involved, and suspicious activity monitoring alert and reporting history.
Ensure that 'specialised or enhanced due diligence' for higher risk clients and/or products and services takes place in every part of the enterprise the world over. The 'duly diligent' standards in question must comply with the FFIEC BSA/AML Examination Manual, the Interagency Guidance on Beneficial Ownership Information (OCC 2010-11), and industry standards.
The bank must employ 'management processes' every so often to review the type and volume of customers' activities in whose supervision relationship managers are involved. The idea is to find out whether the customer’s activity is reasonable, whether his risk rating is accurate, and whether CDD is current and complete. Quality assurance processes must be used. There must also be new standards and processes by which compliance officers can ask senior managers to rubber-stamp a hike in monitoring/due diligence or the closure of an account.