Recent developments surrounding Citigroup’s Chief Operations Officer (COO), Anand Selva, and Swedbank’s Chief Executive Officer (CEO), Birgitte Bonnesen, have brought critical attention to the role of senior leadership and ‘tone from the top’ within the financial services space. Selva and Bonnesen have been reprimanded for data handling failures and misleading information respectively. Selva has been stripped of his responsibility to head up a data overhaul project at Citigroup, while Bonnesen has been sentenced to 15 months in prison for her role in managing anti-money laundering (AML) protocols.
Communication failures, data handling, and reporting are coming under increasing scrutiny, and they are drawing sharp responses from regulators such as the Securities and Exchange Commission (SEC). The fines recently imposed by the SEC serve as stark reminders of the issues associated with, and the importance of eradicating, instances of data incompleteness and insufficient reporting processes.
The cases as they stand
In Citigroup’s case, speculation around potential reprimands for Anand Selva has largely stemmed from reporting failures, which resulted in incomplete or inaccurate data submissions to regulators earlier in the year. In July 2024, the Federal Reserve and the Office of the Comptroller of the Currency (OCC) fined the bank $136 million for making “insufficient progress” in fixing data management issues that had been identified in 2020. It is likely that this fine was the stimulus for Selva’s reduction of responsibilities.
This case outlines a fundamental principle – data completeness is critical not just for compliance, but also for overall risk management. Citigroup, a major financial institution with far-reaching operations, must manage large volumes of data across various platforms, locations, and regulatory environments. Any error in ensuring the accuracy and completeness of that data can lead to significant regulatory breaches, as witnessed in Selva’s case.
A similar case arose in March 2024 with JP Morgan Chase over its failure to surveil “billions of instances of trading activity on at least 30 trading venues”. The need for venue completeness within firms is clearly a regulatory priority. Swedbank’s CEO has also been caught in the regulatory crossfire, with major sentencing linked to misleading reporting and lapses in AML controls. This signifies the broader challenges seen across the industry, where inaccurate data reporting has led to fines and the erosion of trust between financial institutions and regulators. This wave of C-suite-focused action makes clear that regulators and lawmakers alike will hold the C-suite directly accountable for non-compliance, and expect them to implement a compliant culture, as well as comprehensive data handling procedures. The consequences are now greater than financial penalties: senior officials may face jail time.
Data mishandling comes in all shapes and sizes
Data management issues can occur for various reasons, including poor internal controls, a lack of clear direction from leadership, and inadequately integrated and resourced systems that fail to capture and report all necessary information. Regulators, including the SEC, have long maintained that incomplete data submissions are unacceptable, as they hinder effective regulatory oversight and increase the potential for misconduct going undetected. This marks a notable shift: where regulators previously focused on wrongdoing, they are now placing a larger emphasis on data completeness, even where no wrongdoing has been identified.
This aligns closely with the SEC’s enforcement actions regarding WhatsApp communications and the use of non-compliant messaging platforms. Many firms, including Citigroup, have been fined for failures in retaining communications conducted on unauthorized messaging platforms like WhatsApp. The inability to capture complete communication data, be it for employee surveillance or regulatory reporting, directly compromises a firm’s ability to manage risks effectively. These cases demonstrate the need for financial institutions to implement comprehensive recordkeeping and archiving solutions that are capable of capturing all relevant data, including off-channel communications, and ensuring full visibility for compliance purposes.