Four banks account for over half of $2.2bn fines for systems and controls failings

Four banks account for over half of the some $2.2. billion in fines US financial services regulators meted out to financial services firms for systems and control failures in 2024. The Toronto-Dominion Bank (TD Bank), JPMorgan Chase, Citigroup and Royal Bank of Canada together accounted for $1.3 billion in fines attributable to management lapses, Corlytics data shows.

TD Bank was hit by four regulators for more than $603 million. Its two biggest fines came from the Office of the Comptroller of the Currency (OCC) and the Board of Governors of the Federal Reserve System (FRB), $450 million and $123 million respectively, for anti-money laundering (AML) systems and control failures.

The OCC also imposed growth restrictions on TD Bank, while the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) both fined TD Securities for failings related to market manipulation.

Growth over controls

TD Bank’s AML fines were among the largest handed to a single bank in 2024 globally. The OCC put an asset cap on the bank, which is a restriction on growth and one of the harshest penalties a US authority can impose.

“TD Bank’s persistent prioritisation of growth over controls allowed its employees to break the law and facilitate the laundering of hundreds of millions of dollars. The bank’s blatant risk management failures attracted illicit actors, and are egregious and unacceptable,” Michael Hsu, acting Comptroller of the Currency, said in October.

“The OCC’s coordinated and comprehensive action, including the imposition of an asset cap, will ensure that the bank focuses on building proper controls commensurate with its risk profile,” he added.

TD Bank was fined a further $2.7 billion combined by the US Department of Justice and the US Department of the Treasury‘s Financial Crimes Enforcement Network (FinCen) for the AML failures and Bank Secrecy Act (BSA) violations. The Financial Transactions and Reports Analysis Centre of Canada (Fintrac) also fined TD Bank about $6.7 million for AML failings it found.

Trade surveillance, fiduciary duty failures

JPMorgan Chase and its subsidiaries were fined five times by five separate regulators to the tune of $494 million. The bulk of the fines, $448 million, were imposed by the OCC, the FRB, and the Commodity Futures Trading Commission (CFTC) for shortcomings in trade surveillance that meant the bank failed to monitor billions of trades on 30 different trading venues globally.

The OCC fine came with a consent order compelling JPMorgan Chase to fix its trade surveillance programme as well as remediate governance around trading venues and data. It is prohibited from onboarding new trading venues unless and until it receives consent from the OCC examiner. The OCC required the bank to instruct a third party to assess its trade surveillance programme.

Another $151 million in fines stemmed from five SEC enforcement actions in which JPMorgan made misleading disclosures to investors; breached its fiduciary duty; made prohibited joint transactions and principal trades; and failed to make recommendations in the best interest of customers.

“JPMorgan’s conduct across multiple business lines violated various laws designed to protect investors from the risks of self-dealing and conflicts of interest,” said Sanjay Wadhwa, acting director of the SEC’s enforcement division.

“With today’s settlements, which include multiple self-reports and large voluntary payments to harmed investors, JPMorgan is being held accountable for its regulatory failures,” Wadhwa added.

Just this month the Monetary Authority of Singapore (MAS) fined JPMorgan $1.7 million for misconduct by its relationship managers. The bank did not “establish adequate processes and controls to ensure that its RMs adhered to pre-agreed spreads with clients when executing OTC bond transactions on their behalf”, MAS said. 

Bold statements, big legal bills

JPMorgan’s 2023 annual report, published in April, called for a serious review of the bank regulatory and supervisory process (pages 30-32). Broadly, the bank observed that there were too many rules and some were “duplicative, inconsistent, procyclical, contradictory, extremely costly, and unnecessarily painful for both banks and regulators”.  

“I know this might be wishful thinking, but now would be a good time to step back and have a thorough and candid review of the thousands of new rules passed since Dodd-Frank,” chief executive Jamie Dimon said in the report. “This is not about JPMorgan Chase — we believe we can manage through whatever is thrown our way.”

Dimon called for collaboration between banks and regulators to “redirect enormous resources from things that don’t matter to things that do”.

“It takes 80,000 pages to describe a CCAR [comprehensive capital analysis and review] test and 80,000 pages to detail recovery and resolution. The talent and resources at the banks and regulators could be better used elsewhere. Such overload is distracting and takes your eye off the ball on real, emerging risks, including China, trade, payment systems and cybersecurity, among others,” Dimon said.

The same annual report noted JPMorgan put aside $1.4 billion for legal expenses in 2023, a big increase from the $266 million set aside in 2022 and 2021ʼs provision of $426 million. The firm currently faces US government inquiries related to the Zelle digital payments network. It also faces 1MDB-related litigation and investigations in Malaysia and Switzerland, as well as litigation related to Russia sanctions, the annual report said.

Citiʼs 2020 fine topped up

Citigroup is currently under an OCC consent order, imposed in 2020, in response to firm-wide risk management failings. Its annual report says its ability to meet the terms of the consent order by transforming its risk and controls environment is a strategic risk.

The order came with a $450 million OCC fine and a restriction on growth. Citi must obtain prior approval of any significant new acquisition, including any portfolio or business acquisition. It has also been tasked with transforming its risk and controls environment, which is said to have cost $3 billion already.

“We know that to truly simplify Citi and unlock our firm’s full potential, we must continue investing in our transformation. This is our multi-year effort to strengthen our risk and controls environment and data architecture, and it remains our number one priority,” said Jane Fraser, Citi’s chief executive, in its annual report.

Despite Citi prioritising risk and controls, the OCC and the Fed hit the bank with another $135 million worth of fines and an amendment to the 2020 order in July.

“While the bank’s board and management have made meaningful progress overall, including taking necessary steps to simplify the bank, certain persistent weaknesses remain, in particular with regard to data. Today’s amendment requires the bank to refocus its efforts on taking necessary corrective actions and ensuring appropriate resources are allocated for this purpose,” said the OCC’s Hsu.

Citi was fined another $92.3 million by British and German regulators for failures related to its equity trading business’s systems and controls.

RBC subsidiary hit with business restrictions

RBC and its subsidiary City National Bank were fined for a total of more than $110 million.  Some $65 million of that was imposed by the OCC on City National Bank for engaging in “unsafe or unsound” practices, including “systemic deficiencies related to the bank’s operational, compliance, investment management, and strategic risk management and internal controls”.

The OCC also found the bank was non-compliant with “guidelines establishing heightened standards for certain large insured national banks, insured federal savings associations, and insured federal branches, and (2) violations of the Bank Secrecy Act (BSA) and 12 C.F.R. 9 – fiduciary sctivities of national banks”.

The consent order imposes “restrictions on significant deviation”. This means the bank may not “significantly deviate from the products, services, asset size, funding sources, structure, operations, and markets of the bank that existed as of the date of this order without first obtaining the examiner-in-charge’s prior written determination”.

The OCC defines significant deviation as “acquisitions or divestitures of portfolios, businesses, or entities; or a change in the bank’s markets, products and services, or asset size, any of which, alone or in the aggregate, may have a material effect on the bank’s operations or financial condition; or changes in personnel, operations, or other strategic changes that may have a material effect on the bank’s operations or financial condition”.

The OCC imposed about 13 cease and desist/consent orders on banks in 2024. Not all orders come with a penalty.