Despite major growth, US banking giant Citigroup has failed to address fundamental data governance processes leading to a multitude of fines and an erosion in trust. We examine a legacy of regulatory failures that exemplify the importance of a comprehensive governance strategy.
Citigroup has been involved in a series of compliance failures dating back to 2013, resulting in over $1.5 billion in fines paid to US regulators for lapses in risk management and other key areas. In addition to significant financial penalties, these serious regulatory missteps have damaged the bank's reputation.
In 2020, the Federal Reserve and Office of the Controller of the Currency (OCC) fined Citigroup $400 million for deficiencies in compliance and data governance. This marked a turning point for the bank, highlighting long-standing issues in managing its technology infrastructure and data, but the penalties kept coming.
In May 2024, Citibank was fined £62 ($82.8) million by British financial regulators for failing to catch a $1.4 billion trading error, and then in June 2024, it faced another $136 million penalty for inaccurately reporting loans to regulators.
Since 2021, Citigroup has spent over $7.4 billion to overhaul its technology. Yet, these investments have not been enough to resolve deep-rooted issues. Today, the bank continues to face challenges in data governance and risk management.
According to Citigroup CEO Jane Fraser, the core issue lies in outdated, fragmented technology and decades of underinvestment. Citigroup’s organizational structure, coupled with multiple acquisitions, resulted in a "hodgepodge" of technology systems. As Fraser explained to analysts, "Our transformation is addressing decades of under-investment in large parts of Citi's infrastructure and in our risk and control environment.
"When you unpack that, those areas where we had an absence of enforced enterprise-wide standards and governance, we've had a siloed organization that's prevented scale, a culture where a lot of groups were allowed to solve the same problem in different ways, fragmented tech platforms, manual processes and controls, and a weak first line of defense."
- CitiGroup
Citigroup’s acquisition strategy compounds these problems. Over the past two decades, the bank has acquired several companies, including Salomon Brothers and Travelers Group, each with its legacy IT infrastructure. Instead of fully integrating these systems, Citigroup opted to run them in parallel, resulting in a sprawling, fractured IT environment.
The result? Critical data is stored in isolated silos across different formats, making it nearly impossible to create a unified data governance framework.
According to Mark Mason, Citigroup's Chief Financial Officer, the bank must generate 11,000 global regulatory reports, with some requiring up to 750,000 lines of data. Despite the volume of these reports, Citigroup is currently focusing on fixing just 15 to 30 reports required by US regulators. To help manage these complexities, Citigroup plans to leverage AI to quickly identify data anomalies.
The issues with Citigroup’s technology and data governance are not limited to regulatory compliance. They also affect the bank's business operations. Citigroup's fragmented tech infrastructure has impacted the company’s wealth management division. For example, it takes an average of nine days to open a new account, compared to an industry standard of just three days. Additionally, Citigroup's wealth management business has a wallet share of just 13%, significantly lower than the 64% average among its competitors.
Auditors Ernst & Young estimated that overhauling Citigroup Wealth’s technology systems, which currently include 30 content platforms and over 70 product processors, would take at least four years and upwards of $500 million. Despite a 2021 reorganization that consolidated three units—private banking, CitiGold, and Wealth at Work—the products and data from these divisions were never fully integrated. While Citigroup has retired 400 legacy applications as of 2023, it still operates 6,000 more.
Citigroup’s lack of a cohesive data governance strategy has had long-term consequences, both in regulatory penalties and lost business opportunities. Banks must prioritize integrating technology systems alongside business operations as they grow through acquisitions.
Otherwise, they risk facing escalating fines and an erosion of customer confidence. As Citigroup's journey shows, fixing these problems is not just about adding new technology; it's about tackling the root causes of a fragmented system that spans decades.
So, how should the company proceed? Citigroup needs a very clear charter at the organizational level, which must come from the executive group. The charter should outline the primary objectives of data governance within the organization. It should not only explain why data governance is important but also clearly articulate the specific steps being taken to follow a particular approach.
Next, the company should consider its data governance strategy across multiple companies and units within Citigroup. It will need to slow down the pace of report creation that leverages data to prevent further chaos while disparate data sources are unified.
Related Post: Data Governance: What, Why, Who & How. A practical guide
It's crucial to have comprehensive organizational and department-level business glossaries in place. These must be implemented as the highest priority. Only after these business glossaries are in place can the company begin implementing a data quality improvement strategy.
Finally, every unit and department must have access to an automated data catalog and established lineage so that all data and inventory are clear to everyone.