The OCC Gets Dragged into a Wrongful Termination Lawsuit
Connecting the dots between an ex MD's lawsuit and a 2020 OCC Consent order.
(Note - all views are those of Fintech Compliance Chronicles/my personal views and not affiliated with any other organization)
In a time where layoffs are at their worst level since 2009, it is natural that there's going to be sour grapes. After all, those of us who have experienced a layoff in the last year or two have been told "it's not our fault" and "this has no reflection on your performance" but end up having to take the financial hit for the implied mistakes of the person running the company or the person in charge of a massive division. However, there are some instances where that assertion is challenged - and indeed, the Equal Employment Opportunity Office of Inspector General a few months back released statistics showing the number of cases relating to employment discrimination that they handled increased by 50% since 2022.
In today's edition of our newsletter, we focus on one particular lawsuit which on the surface, would seem to have all the hallmarks of one of those cases of sour grapes. An employee is hired with promises of her job scope, then a new boss comes in and has a different vision, and eventually decides to move on from the hire. As frustrating as that sounds, it is something many of us have become used to and is hardly shocking anymore (and is perfectly legal). And one thing to note is that many law firms are very hesitant to take on wrongful termination lawsuits, with one lawyer saying about 98% of them get rejected.
So it's with that context that we come to the story of Kathleen Martin, Citi's onetime data transformation chair who filed a lawsuit a few weeks ago in the U.S. District Court for the Southern District of New York challenging her September 2023 termination. And the reason we're covering it is what is at the heart of her claim as to why she was terminated - she alleges that she was fired by Citi's newly minted COO Anand Selvakesari because she refused to withhold information from the OCC, regarding remediation of a 2020 consent order, that would make Citi look bad.
What Was in the OCC Consent Order
It's not often that consent orders, already a form of legal judgment, are cited at the heart of other lawsuits. And since one of the things we do here is track these orders, let's dive in and recap the consent order in question here - OCC's 2020 Consent Order against Citi.
Lack of an ERM, Compliance Risk Management, Internal Controls, and most relevant, a data governance program. Also cited is the lack of an effective compensation and performance management program.
On the point of data governance, the OCC calls out the lack of dedicated focus on this topic from front line units, second line risk management, and third line Internal Audit, the lack of a process to respond to data governance deficiencies, and inadequate reporting on the status of data quality and progress in remediating said data governance deficiencies.
The order tasks the creation of an independent Compliance Committee to focus on reporting to the board how the company is doing in improving its data quality, including developing meaningful and accurate metrics to assess data quality. The order also mandates the creation of a Data Governance Plan.
The Data Governance program that the OCC expects to be developed should include 1) as a starting point, an assessment of everything (policies, procedures, processes) it has today around data quality/aggregation/etc , including End User Computing Tools (which are essentially complex tools that don't quite fit the definition of software - think complex worksheets in Excel - and can thus escape scrutiny usually afforded to systems) 2) A final plan 90 days after this initial assessment that ultimately should serve to help management "make prompt and effective decision making during normal times and periods of stress."
Specific components of the data governance program - 1) roles and responsibilities 2) skills gap assessment and a plan to fill the gaps 3) budgeting to make the plan implementation a reality 4) creation of policies/procedures/standards and ways to ensure adherence with a focus on data quality 5) an exception handling process 6) training 7) improvement of capabilities 8) an overhaul of data-related systems, processes and architecture with a focus on reducing manual inputs, eliminating redundant systems/tools, standardize ledger systems, using authoritative data, clarify enterprise-wide data (vs department-specific data), clarifying authoritative data vs reference/test data, and ensuring everyone uses standard technology solutions
A notable focus on liquidity data management, including asks to develop 1) liquidity tolerance-related reporting for the board 2) timely reporting generally 3) inventorying, monitoring and reassessment of all tools used to make decisions about liquidity 4) testing of the data that feeds into liquidity related systems 5) reports to the board including information about significant liquidity concentrations and whether they are within tolerances
The development of an EUC tools framework
There are parts that are focusing on broader asks as well, but we'll also highlight the somewhat brief and seemingly random inclusion of a section where the OCC seeks the improvement of the company's Capital Planning processes. This will become important later.
Who Is Kathleen Martin
Martin is a 21-year veteran of the industry, having previously worked at Morgan Stanley, GE Capital and JP Morgan before making her way to Citi in November 2021. Pretty much the entire focus in her career has been on enterprise data management, with one thing of note that at the time she established herself especially at Morgan Stanley, data as a concept and discipline was something foreign to a lot of folks. The ability to interrogate wide swaths of data at scale was nowhere near what it is today, with the concept of cloud computing just emerging.
There isn't much out there about her beyond this lawsuit, which sadly is all too common with folks who spend most of their time purely in the banking world. The ability to share insights in the field more openly with others is limited, sometimes by choice but more often by specific bank restrictions. It would have been nice to understand her thought process and how she views and talks about data, but clearly the career progression speaks for itself, especially her ability to be successful across multiple firms.
Who Is Anand Selvakesari
Unlike Martin, there is a lot more out there about Selvakesari. From Citi's website:
"Anand Selvakesari is Citi’s Chief Operating Officer and is responsible for leading the Transformation of the firm to deliver client excellence, improved operating efficiency and returns. His responsibilities include an enterprise-wide effort to strengthen the firm’s risk and controls and data, modernize infrastructure while simplifying the operating model and executing the strategic priorities for the firm. Anand is a member of Citi’s Executive Management Team."
Selvakesari has spent his entire 32-year career at Citi, with a classic feel good story of starting his career in operations in India, before doing stints in Taiwan, Singapore, and China, and focusing on retail banking, consumer banking, and wealth management, before getting the call from CEO Jane Fraser to become the company's new COO in early 2023. He speaks at countless investor days and various clips of his speeches and styles can be found on YouTube and elsewhere.
What Does the Lawsuit Say
The lawsuit has gotten a lot of coverage, mostly for the fact that it targets Selvakesari and also because in a rarity, it references a regulator and a well-publicized consent order (there's the case of Compliance Exec Shaquala Williams suing JP Morgan for her wrongful termination back in 2021 that alleged false reporting to the SEC, but there wasn't an already-existing consent order involved).
You can read the full lawsuit here. The biggest highlights are as follows:
"Citi recruited Martin into a leadership role to help Citi clean up its unlawful data maintenance practices and avoid further legal liability.At the time, Martin was hesitant to leave her secure position with JPMC. However, Citi represented that her role with the Bank would be a long-term leadership position, and Martin knew that it would take the Bank many years to come into full compliance with the Consent Order.
"Martin was, according to the Bank’s internal documents, explicitly rated as an “exemplary” performer."
"In March of 2022, Martin led a small team that crafted a pre-submission plan for Citi’s Board, outlining how the Bank would come into compliance with Article V of the Consent Decree. That pre-submission plan ultimately became Citi’s September 15, 2022 submission to the OCC—a detailed plan to satisfy the Bank’s continuing legal obligations to the regulator. The plan consisted of several hundred pages, over 1,000 milestones, 9,000 deliverables, and this success resulted in Martin’s promotion to an even more important role at Citi." - This section is key because it essentially is the gap assessment we talked about earlier in the recap of the consent order and the Data Governance Plan itself.
"On or about September 26, 2022, Citi announced Martin as the new Interim Data Transformation Chair reporting directly to Karen Peetz (“Peetz”), the Bank’s Chief Administrative Officer (“CAO”). Peetz explained to Martin that the “interim” status was merely a formality, as Peetz explained that Citi required such label when an internal candidate elevates their reporting line to an EMT4 member."
"In the last quarter of 2022, Martin continued to interact with regulators to keep Citi out of legal jeopardy. For instance, she held 10 meetings with the OCC and satisfactorily responded to more than 325 questions from the regulator about the transformation of the Bank’s data governance practices."
"On or about March 27, 2023, Citi promoted Selva to become the Bank’s new COO, replacing Peetz. Selva became Martin’s direct manager. Almost as soon as he was promoted, Selva began to urge Martin to make false reports to the Board, which would be transmitted electronically to the OCC under the Consent Order. Specifically, on May 12, 2023, Martin held a meeting with Selva about a metric designating “Authoritative Data Sources” (“ADSs”) within the Bank as required by Article V (2)(d)(iv) of the Consent Order. Pursuant to the Article V plan, as approved by the OCC, a key deliverable was designating an ADS for each set of unique data. To demonstrate the Bank’s progress, Citi developed a specific metric that would show the designation of each ADS data set. Selva, however, wanted Martin to misreport the data. He was concerned that by reporting the ADS designations accurately, Citi would “highlight gaps,” which would be a “bad thing.” According to Selva, “we don’t want the regulators to know that we have, say, 90% gaps.”"
"Martin was highly concerned that the failure to report this data accurately was a violation of the Consent Order, including Citi’s obligation to identify and report “gaps” under Article V(1) and (2), as well as its obligation to report to the OCC “metrics that are accurate and meaningful” under Article III(2)(a). Martin protested to Selva that the Bank had to report this metric accurately and, over Selva’s objection, included the metric in the report to the OCC."
According to the lawsuit, Selva tells her that he is not going to lift her "interim" title as Peetz promised her previously, and then meets with her in early September 2023 to discussion additional reporting they had to make to the OCC. "Under the reporting methods that had been developed, the Bank was required to report a “data governance health score” to the Board and the regulators under a color-coding system. “Green” represented that the goal had been achieved and “red” represented that the Bank had not yet delivered the goal. Martin told Selva that the output of the data governance health score was low, as expected, because the data was not yet “under governance” as required by Article V, and therefore had to be reported as “red.” Selva refused, explaining, “I don’t think we can show this” because it “makes us look bad” to the regulators. He left the meeting, stating that he would have to “think about it."
"Shortly thereafter, on or about September 11, 2023, Selva told Martin that she should report the metric as “green.” He then discussed how to manipulate the data to make it appear as if the Bank had achieved a “green” status, when it, in fact, had not. Martin protested because she believed that doing so would be misleading and unlawful. Selva then began to question whether the Bank should report the metric at all, asking, “who is asking us to do this” and “why do we have to use this metric.” Martin responded that the reporting of this metric was specifically required by the Consent Order (Article III and V) and that, as Data Transformation Chair, she was not comfortable reporting a false data governance health score. Ultimately, Martin refused to follow Selva’s directives that she either falsely report the metric as “green” or not report it all. Rather, she accurately reported the metric to the Board and regulators as “red,” even though doing so arguably meant that the Bank was not yet in complete compliance with the Consent Order, as expected by the timing of the agreed-to deliverables."
Citi fires Martin two weeks later, according to the lawsuit bringing up concerns about engagement, then leadership, then declaring her position eliminated. She throws in a shot at her replacement, stating "the Bank replaced Martin with Japan Mehta, an Indian man who is far less qualified than Martin for the role."
What Is Actually Going On?
Martin's story is compelling, but she loses a lot of sympathy for me with the "Indian man" comment about Mehta. This comes across as a stunningly racist and confusing addition in the suit. There doesn't seem to be any context provided to why this statement was included. Is she trying to imply Selvakesari only brought on Mehta because he was Indian like him? Is she trying to accuse Citi of outsourcing her job (Mehta lives in Dallas)? Is she just trying to be descriptive? It is really weird.
Regarding the lawsuit, without knowing the details of the conversations from Selvakesari's side, I can see a few areas of misunderstanding - 1) the consent order talks about authoritative data sources; but seems to leave it to the bank to figure out how to designate those and then provide metrics associated with whatever they are. Martin mentions that Selvakesari says they have "90% gaps" and they don't want to report on those - but it's very possible that he may in fact be concerned that they don't have enough data sources that they can truly consider authoritative, and thus shouldn't be reporting them as such, actually pointing to a larger issue (which would have already been defined in Martin's initial gap assessment). 2) the consent order talks about data quality reporting metrics that are accurate and meaningful - and the lawsuit says that the specific metrics that were in contention in the second meeting are required. The disagreement here likely came down to how the data governance health score was generated, which technically isn't covered in the consent order (the concept of a score isn't referenced in the order either). Again, this is all conjecture and trying to figure out how two clearly smart people could be so far on opposite ends to the point where Martin files a lawsuit against her former employer. We are absolutely not taking sides.
The repeated references to liquidity and EUC in the consent order make me wonder if the problems for Citi are bigger than the lawsuit. The consent order is not like most, where the specific violations are called out and then the asks for development are added later. Instead, you only get hints about what might be happening and a lot more of "do this." As someone who used to audit EUC in the past, the inclusion of having to create governance around them suggests that there was likely some creative modeling in some spreadsheets happening somewhere that wasn't getting picked up by controls meant to internally govern standard software/data/tools, and this was directly linked to treasury/liquidity/capital-related processes that have suddenly gone wayward. Kudos to Wall Street on Parade for drawing the connections in their article on this mess earlier in the week by pointing out $102.5 billion in debt maturing in three years, taking out a large amount of FHLB loans in 2022 similar to failed banks SVB, Silvergate, Signature, and First Republic, and 85.5% of their over $1 trillion in deposits lacking FDIC insurance.
Bank of America gives an endorsement that all is well because Citi is "de-risking" the bank and keeps the "buy" rating on the firm. Is this something to feel good about, or is this just another big bank holding water for its fellow participant in a banking system teetering on the edge?
We'll keep plugged in on this case and Citi as things develop.