NEW YORK (BLOOMBERG) - Citigroup will pay a US$400 million (S$543.7 million) penalty and must seek the US government's sign-off for major acquisitions after regulators chided the bank for several persistent problems with its risk controls.

Citigroup was fined by the Office of the Comptroller of the Currency for what the agency called an ongoing "failure to establish effective risk management and data governance programs and internal controls," according to a Wednesday (Oct 7) statement. The OCC also demanded that Citigroup seek its approval before "significant new acquisitions" and reserved the right to require changes in senior management if the company doesn't act quickly to address its shortcomings.

At the same time, the Federal Reserve issued a cease-and-desist order that directs the lender to "correct practices previously identified by the Board in the areas of compliance risk management, data quality management, and internal controls."

Citigroup shares were little changed after falling as much as 2 per cent after regular US trading hours. The orders were "broadly anticipated" in the wake of the recent management changes, including the pending departure of chief executive officer Michael Corbat, according to Credit Suisse Group analyst Susan Katzke, who noted that incremental spending to comply with regulators' wishes should be mitigated by the bank's recent gains in productivity.

The OCC's unusually forceful rebuke restricts the lender's ability to freely make even small acquisitions of non-bank companies or credit card portfolios. Anything beyond "hedging, market making and securitization transactions" has to get advance approval from the agency, according to the order. If the bank doesn't move quickly to fix its problems, the OCC threatened more actions - including the removal of top executives.

Still, the punishments fall short of what Wells Fargo & Co faced in the wake of its sales-practices scandal. That misconduct prompted the Fed to institute an unprecedented growth cap on the company.

REPORT DEADLINES

The Fed gave Citigroup a series of deadlines to analyze and report back on how it's repairing multiple issues. Within 120 days, the Fed said the bank's board of directors must submit a report detailing how it will hold senior management accountable and how executive compensation will be "consistent with risk management objectives."

The orders mean the bank will be embarking on another round of costly, years-long investments in its risk infrastructure and controls just as Jane Fraser takes the helm as CEO in February.

"Citi has significant remediation projects underway to strengthen our controls, infrastructure and governance," the bank said in a statement. 'While we have made progress in each of these areas, we recognize that substantial improvement is still required to meet the standards we have set for ourselves and that our regulators expect of us."

The bank noted it's made structural changes to better comply with the regulators' orders, including by hiring Karen Peetz as its new chief administrative officer to "steer these programs to completion." The Fed's order also requires Citigroup to make its general counsel in charge of compliance. The firm's chief compliance officer currently reports to Corbat.

YEARS-LONG ISSUE

The Fed mandated that Citigroup conduct a so-called gap analysis of its company-wide risk management framework and controls. While the bank has already pledged that it would spend US$1 billion on improving those systems this year, the order says the lender will need to use the analysis to determine how to improve processes around three key areas: capital planning, liquidity risk management and compliance risk management.

Citigroup for years has been plagued by issues with its core operating systems, which were cobbled together through several acquisitions.

The Fed's latest order comes more than seven years after the regulator first dinged Citigroup for failures in its firm-wide risk management programs, especially as it related to the company's compliance with Bank Secrecy Act and anti-money laundering requirements. In 2014, Citigroup was rebuffed in the Fed's annual stress test after the regulator found defects in the company's ability to project losses and to assess all business risks.

"Citigroup has not adequately remediated the longstanding enterprise-wide risk management and controls deficiencies previously identified by the Federal Reserve," the Fed said in its order on Wednesday.

REVLON MISTAKE

The admonishments from regulators come just weeks after Citigroup mistakenly sent US$900 million to lenders of the cosmetics giant Revlon. The bank ultimately chalked the wayward payment up to employee error, noting it was in the middle of transitioning to new software for its syndicated loan business.

The ensuing legal battle was an embarrassment for the bank as many of the lenders balked at Citigroup's pleas to return the funds. For regulators, who began scrutinizing the mistaken payment within days, the incident was illustrative of broader problems at the bank.

"We appreciate the urgency of the tasks at hand and we are committed to fulfilling our obligations to all of our stakeholders," Citigroup said in the statement.