Citigroup 2018: $70M Enforcement Action

Regulators: FinCEN, US-OCC
Jurisdiction: US

In January 2018, Citigroup was fined $70 million by FinCEN and the OCC for Bank Secrecy Act violations. Regulators found the bank had failed to maintain an adequate anti-money laundering compliance program over a sustained period, with documented deficiencies in transaction monitoring, customer due diligence, and timely suspicious activity reporting.

What happened?

Over a multi-year period leading up to January 2018, Citigroup and its primary banking subsidiary Citibank, N.A. accumulated significant deficiencies in their Bank Secrecy Act compliance programs. According to regulatory enforcement records, the problems were not confined to one business unit. They reflected systemic gaps in how the bank identified, investigated, and reported potentially suspicious activity.

The OCC, which regulates national banks under 12 CFR Part 21, identified weaknesses that persisted despite prior supervisory feedback. FinCEN, exercising its civil money penalty authority under 31 U.S.C. § 5321 and the Bank Secrecy Act, coordinated with the OCC on a joint enforcement response. The combined $70 million sanction, announced in January 2018, covered violations that regulators alleged had been ongoing for a substantial period before the formal action.

The enforcement record indicates Citigroup's compliance function had not scaled adequately relative to the volume and risk profile of its business. Transaction monitoring alerts accumulated in backlogs rather than being cleared within required timeframes. Customer due diligence processes had gaps, particularly for higher-risk account relationships. And suspicious activity reports were not always filed within the 30-day window mandated under 31 C.F.R. § 1020.320.

The OCC's enforcement actions database and FinCEN's civil money penalty notices at https://www.fincen.gov/news/enforcement-actions are the authoritative public record for the terms and scope of the sanctions. Citigroup did not publicly contest the core factual findings.

What did regulators say?

The enforcement action reflected the regulators' determination that Citigroup's AML program fell below the standards required by the Bank Secrecy Act and its implementing regulations. The OCC's public enforcement disclosures, available at https://www.occ.gov/news-issuances/enforcement-actions/, characterized the deficiencies as requiring immediate and sustained remediation.

FinCEN, in its capacity as administrator of the BSA, alleged that Citigroup's policies, procedures, and internal controls did not adequately address the money laundering risks present across the institution's business lines. The consent order required the bank to take specific corrective action: upgrades to transaction monitoring systems, improvements to KYC and customer due diligence processes, and remediation of SAR filing deficiencies.

Regulators made clear that they expected measurable, documented progress on a defined timeline. That kind of forward-looking obligation is standard in consent orders of this type, but it carries its own weight: the bank's compliance progress continued to be evaluated by examiners long after the initial penalty was assessed.

The coordinated approach between the OCC and FinCEN sent a message the industry heard. Systemic AML deficiencies at a major institution attract multi-regulator scrutiny, and the agencies were prepared to act together. For the official record, see FinCEN's enforcement actions at https://www.fincen.gov/news/enforcement-actions and the OCC's database at https://www.occ.gov/news-issuances/enforcement-actions/.

What controls failed?

The enforcement action identified several distinct control failures, each mapping to a specific regulatory obligation.

Transaction monitoring. The bank's automated monitoring system generated alerts that weren't reviewed within required timeframes. A material backlog accumulated. Under BSA regulations and FATF Recommendation 20, financial institutions must have systems in place to detect and report suspicious transactions. An unworked alert backlog directly undermines that obligation: activity that should have triggered investigation and a SAR instead sat in a queue.

Customer due diligence. The bank's CDD processes, as governed by FATF Recommendation 10 and the FinCEN CDD Final Rule, were inconsistently applied across certain business lines. Higher-risk customer segments didn't always receive enhanced due diligence commensurate with their risk profile. Beneficial ownership information wasn't captured or verified to the required standard in all cases, a direct gap against FATF Recommendation 24 and the CDD rule's legal entity customer requirements.

SAR filing timelines. SARs were not filed within the 30-day statutory window in a number of instances. Late filings undercut the entire purpose of the suspicious activity reporting regime: giving law enforcement timely intelligence. A SAR filed six months after the suspicious activity was detected has substantially less investigative value than one filed on time.

Governance and escalation. The compliance function's resources weren't sufficient to handle the volume of alerts and investigations generated by a bank of Citigroup's size. When problems aren't escalated, they compound. Regulators consistently find that governance failures amplify control failures, and Citigroup's enforcement action fit that pattern.

Which regulations were violated?

The primary legal framework was the Bank Secrecy Act (31 U.S.C. § 5311 et seq.), which requires U.S. financial institutions to maintain AML programs with four mandatory elements: written internal controls, independent testing, a designated compliance officer, and ongoing training. FinCEN's civil money penalty authority derives from 31 U.S.C. § 5321, which allows penalties of up to $1 million per day for willful violations.

The OCC's jurisdiction over Citibank's AML program flows from 12 CFR Part 21, which sets the BSA compliance program requirements for national banks. OCC examiners conduct regular BSA/AML examinations and have authority to issue formal agreements, consent orders, and civil money penalties independently of FinCEN.

The SAR filing failures implicated 31 C.F.R. § 1020.320 directly. The CDD deficiencies bore on the FinCEN CDD Final Rule, which was finalized in 2016 and required covered institutions to collect and verify beneficial ownership information for legal entity customers opening new accounts.

At the international standard level, the failures cut across the FATF Recommendation 1 requirements for risk-based AML programs and the record-keeping obligations in FATF Recommendation 11. The U.S. regulatory framework is explicitly aligned with FATF standards, so failures against one effectively signal failures against the other.

Which typologies were involved?

The Citigroup 2018 enforcement action wasn't a single-typology case. The compliance failures cut broadly, but several financial crime patterns were most directly enabled by the control gaps regulators identified.

Structuring and layering under monitoring thresholds. When alert backlogs run into the thousands, structuring activity can pass through undetected. Bad actors who understand monitoring trigger levels will keep individual transactions below those thresholds, relying on the bank's failure to connect patterns across accounts and timeframes. A functioning transaction monitoring program catches this cross-account behavior. A backlogged one often doesn't.

Correspondent banking exposure. As a major U.S. bank with extensive correspondent banking relationships, Citigroup's AML program gaps had implications for the integrity of the broader correspondent network. FATF Recommendation 13 requires that correspondent banks satisfy themselves a respondent institution has adequate AML controls before providing services. When the correspondent's own program has deficiencies, that due diligence obligation is harder to discharge credibly.

Shell company and beneficial ownership opacity. The CDD gaps, particularly around beneficial ownership, created conditions where legal entity customers could maintain accounts without their ultimate controllers being identified. Shell company layering, one of the most documented financial crime typologies in the enforcement record, depends on financial institutions failing to look through corporate structures. Incomplete beneficial ownership data is the precondition that makes it work.

Intelligence gaps from late SARs. Late or missing SARs don't just create regulatory violations. They impair law enforcement's ability to act. Investigations that should have received timely intelligence signals from the bank's filings instead were delayed, potentially allowing illicit activity to continue longer than it should have.

Aftermath and remediation

The $70 million civil money penalty was the most visible consequence, but the remediation obligations imposed under the consent order carried their own costs. Many compliance professionals would tell you the remediation bill exceeds the penalty by a significant multiple once technology upgrades, headcount additions, and third-party monitoring are included.

Citigroup was required to implement a comprehensive remediation program covering the deficiencies the OCC and FinCEN identified. This included retooling the transaction monitoring system, upgrading KYC and CDD procedures for both new and existing accounts, establishing clearer escalation protocols for SAR decisions, and providing periodic progress reports to regulators. That last requirement is standard in consent orders of this type, but it's meaningful: examiners return to test whether the bank actually fixed what it said it would.

The reputational impact was material. Citigroup entered 2018 already managing a complex relationship with its regulators following enforcement actions in other areas. The AML action added to perceptions that the bank's compliance infrastructure hadn't kept pace with regulatory expectations, and it drew direct board-level attention to compliance governance.

For peer institutions, the aftermath carries a practical lesson: a consent order is the beginning of regulatory engagement, not the end. Banks that treat the penalty as a close-out payment and deprioritize remediation tend to find examiners returning with escalated concerns.

Lessons for other institutions

Several takeaways from this case are directly transferable to compliance teams at peer institutions.

Alert backlog is a regulatory finding, not an operational inconvenience. Regulators treat unworked transaction monitoring alerts the same way they treat a failed internal control. If your team can't clear the alert queue within required timeframes, the answer is more resources or better triage, not tolerance of the backlog. Many institutions set an internal SLA of five to seven business days for initial alert review and escalate exceptions to senior compliance leadership. That's the right model.

CDD gaps at onboarding compound over time. When beneficial ownership information isn't captured correctly at account opening, every subsequent monitoring decision is made with incomplete customer risk context. Under the FinCEN CDD Final Rule, legal entity customer requirements deserve ongoing attention. Run periodic lookback reviews of existing accounts against current CDD standards, particularly for legal entity customers opened before the 2016 rule.

SAR deadlines are hard limits. The 30-day filing requirement under BSA regulations leaves no room for ambiguity. Build compliance workflows around the filing deadline from the moment an investigation is opened. Track SAR decision timelines in your case management system and surface overdue decisions to the BSA officer daily.

Governance matters as much as technology. Citigroup had transaction monitoring systems. The failure was in the processes and resources surrounding them. Board-level AML oversight, documented escalation paths from the BSA officer to senior leadership, and clear accountability structures aren't optional. Regulators assess them directly during BSA examinations.

Scale your compliance function to your business. The most consistent thread in large-bank AML enforcement is a compliance infrastructure that didn't grow with the institution. Headcount, technology, and training budgets should be benchmarked against the volume and risk of the book of business, not against last year's budget.

How FluxForce helps prevent similar failures

FluxForce runs continuous behavioral monitoring across account activity, surfacing anomalies in real time rather than generating static queues for manual review. Nova Sentinel automates initial investigation steps, correlating signals across accounts and timeframes to detect structuring and layering patterns that manual review misses. Aiden Flux maintains current customer risk profiles, including beneficial ownership data, and triggers enhanced due diligence workflows when risk indicators change. Every alert decision, SAR filing, and CDD update is logged with a complete evidence trail, giving compliance teams audit-ready documentation when examiners arrive.

Sources and official documents

https://www.fincen.gov/news/news-releases/fincen-fines-us-bank-national-association-185-million-violations-anti-money
