(Provisional Translation)
July 14, 2006
Financial Services Agency
The Government of Japan

Administrative Actions on Citibank, N.A., Japan Branches

I.  Description of Administrative Actions

Business Improvement Order based on Article 47 (2) and (3) and Article 26 (1) of the Banking Law

  1. In order to develop an oversight and control framework for system development and operation, data processing and related operations at Citibank, N.A., Japan Branches (hereinafter referred to as "the Branches"), the Branches' current system of governance, internal control and outsourced (or subcontracted) operations (including adequate staffing and the construction of a proper organization and structure) must be fundamentally reevaluated and redeveloped with due emphasis on the following points:
    1. An unequivocal statement of the management's commitment with respect to system risk management.
    2. Thorough recognition and understanding of system risk by officers and employees.
    3. Reevaluation of the organization, structure and operational method of the management committee of the Branches and the establishment of a proper oversight and responsibility framework (including the reevaluation of the positioning of the management committee with respect to the management and operations of the Branches, the management organization structure, the operational method of the management committee and the vertically-segmented oversight and execution framework organized along business lines, as well as the establishment of a proper oversight and executive authority of each member of the management and the clarification of their responsibilities).
    4. The establishment of an oversight and execution framework to supervise internal control operations and system development and operation meeting the operational standards required by the Branches, and the establishment of a clear system of segregated responsibilities (including the fundamental reevaluation of existing operations relying on outsourcing overseas and the assignment of responsibilities, and the development of a sufficiently strong internal control system commensurate with the nature, scale, etc. of operations outsourced overseas).
    5. The development of an internal control system, operational procedures, etc. which enable a prompt and appropriate response in the event of system failure, etc. (including the development of a system to provide customers with an accurate explanation and make public announcements by fully taking into consideration the impact of the system failure, etc. and the occurrence of risks).
    6. Strict enforcement of effective internal audits and third-party assessment relating to system risk.
    7. Clarification of the respective responsibilities of relevant officers and employees.
  2. Measures to prevent recurrence and a plan to improve business operations pertaining to 1 described above, which take into account the results of the special investigation, internal audits, etc. conducted with respect to the cause, impact, etc. of the system failures at the Branches must be submitted by August 14, 2006 and implemented promptly. (The improvement plan must encompass the development of a control system to ensure the implementation of measures to prevent recurrence and improvements, as well as a clear assignment of responsibilities to ensure their effectiveness.)
  3. Subsequent to the implementation of 2 described above, and until measures to prevent recurrence and the plan to improve the business operations are fully carried out, a summary outlining the progress and implementation of the plan, etc. and the status of improvement must be prepared every three months, starting at the end of December 2006, and is to be submitted by the 15th day of the following month.

II.  Reasons for Administrative Actions

  1. There was a failure in the transaction processing system of the Consumer Bank Division: during the automatic batch processing performed at night after business hours on Monday, May 8, 2006, when the payment and receipt transactions for May 3 through May 8 should have been processed, the payment and receipt transactions for May 2 were redundantly processed in error, and customers' transactions for May 3 through May 8 were unrecorded or undisplayed. This caused confusion and problems in customer account transactions, settlement, etc. The system failure affected approximately 97,000 customers (approximately 100,000 accounts) of the Branches holding accounts such as yen or US-dollar ordinary savings accounts.
  2. There was another system failure in the Corporate Bank Division on Friday, June 23, 2006: due to the improper execution of nighttime batch processing of the system that governs the operation of the global cash management service, which allows customers to manage their cash balances in real time, and other services, some transactions involving payment, receipt, etc. dated June 22 were either displayed twice or not displayed at all. The system failure affected approximately 1,900 transactions out of approximately 2,200 transactions dated June 22 (approximately 200 companies).
  3. Both of the aforementioned system failures occurred at the system development department and the data processing center of Citigroup in Singapore to which the Branches outsourced. As the system development department had been performing development work, etc. inconsistently with the actual operation environment and requirements when developing and transferring the customer account transactions processing system of the Consumer Bank Division, faults in the basic programs caused system malfunctions and the aforementioned system failures.
    At the data processing center, when the system (hard disk) of the Corporate Bank Division broke down, the failure was caused by a rudimentary mistake during the recovery work: wrong steps were taken in the basic backup process.
  4. In February 2004, the data processing center caused an accident involving the massive loss of customer information of the Branches. As problems were identified in the Branches' system to oversee and control customer information management and the outsourcee, the Branches received a business improvement order under the Banking Law. The series of system failures which occurred recently revealed that, although the development and operation of the Branches' mission-critical operation system are being outsourced overseas on a large scale, no appropriate oversight and control system commensurate with it has been developed at the Branches (in terms of adequate staffing and the construction of a proper organization and structure).
  5. On the other hand, the Branches are currently deemed to have operational problems in terms of their inability to judge and respond to situations in a timely and appropriate manner by fully taking into consideration the impact of system failures on customers and the increase of customer risks after the system failures. In addition, the Branches failed to properly develop a framework and control procedures to respond promptly in the event of system failures.
    In particular, no framework of authority or segregation of responsibilities has been developed for an executive officer who oversees the internal control of the Branches to instruct and oversee the sales and operation divisions in a timely and appropriate manner.
  6. Moreover, the management committee--the top decision-making body in the Branches--does not comprehensively examine or discuss important management decisions, such as the decision to develop and transfer mission-critical systems, etc. and policies on how to respond to the situation, how to deal with customers, etc. in the event of system failures. It is deemed to have organizational and operational problems which prevent it from fulfilling its oversight and checking functions with respect to sales and operation divisions.
  7. As described above, system malfunctions and failures are being caused by organizational and operational problems in the Branches' control system for system management. Given the Branches' and the outsourcee's response to the series of system failures and management's level of involvement, it is difficult to assume that voluntary actions of the Branches alone would bring about the necessary improvements.


