Citibank 2015 Annual Report Download - page 76

Download and view the complete annual report

Please find page 76 of the 2015 Citibank annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 332

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327
  • 328
  • 329
  • 330
  • 331
  • 332

58
unavailability of service; computer viruses or other malicious code; cyber
attacks; and other events. These threats arise from numerous sources, not all
of which are in Citi’s control, including among others human error, fraud
or malice on the part of employees or third parties, accidental technological
failure, electrical or telecommunication outages, failures of computer
servers or other damage to Citi’s property or assets, natural disasters or
severe weather conditions, health emergencies or pandemics, or outbreaks of
hostilities or terrorist acts.
Additional challenges are posed by external parties, including extremist
parties and certain foreign state actors that engage in cyber activities as
a means to promote political ends. As further evidence of the increasing
and potentially significant impact of cyber incidents, during 2015, the
U.S. government as well as several multinational companies reported
cyber incidents affecting their computer systems that resulted in the data
of millions of customers and employees being compromised. In addition,
in recent years several U.S. retailers and financial institutions and other
multinational companies reported cyber incidents that compromised
customer data.
While Citi has not been materially impacted by these reported or other
cyber incidents, Citi has been subject to other intentional cyber incidents
from external sources over the last several years, including (i) denial of
service attacks, which attempted to interrupt service to clients and customers;
(ii) data breaches, which obtained unauthorized access to customer account
data; and (iii) malicious software attacks on client systems, which attempted
to allow unauthorized entrance to Citi’s systems under the guise of a client
and the extraction of client data. While Citi’s monitoring and protection
services were able to detect and respond to the incidents targeting its systems
before they became significant, they still resulted in limited losses in some
instances as well as increases in expenditures to monitor against the threat
of similar future cyber incidents. There can be no assurance that such cyber
incidents will not occur again, and they could occur more frequently and on
a more significant scale.
Although Citi devotes significant resources to implement, maintain,
monitor and regularly upgrade its systems and networks with measures
such as intrusion detection and prevention and firewalls to safeguard
critical business applications, there is no guarantee that these measures
or any other measures can provide absolute security. In addition, because
the methods used to cause cyber attacks change frequently or, in some
cases, are not recognized until launched, Citi may be unable to implement
effective preventive measures or proactively address these methods until they
are discovered.
If Citi were to be subject to a cyber incident, it could result in the
disclosure of personal, confidential or proprietary client information, damage
to Citi’s reputation with its clients and the market, customer dissatisfaction,
additional costs to Citi (such as repairing systems, replacing customer
payment cards or adding new personnel or protection technologies),
regulatory penalties, exposure to litigation and other financial losses to both
Citi and its clients and customers. Such events could also cause interruptions
or malfunctions in the operations of Citi (such as the lack of availability of
Citi’s online banking system or mobile banking platform), as well as the
operations of its clients, customers or other third parties. Given Citi’s global
footprint and the high volume of transactions processed by Citi, certain errors
or actions may be repeated or compounded before they are discovered and
rectified, which would further increase these costs and consequences.
Third parties with which Citi does business, as well as retailers and other
third parties with which Citi’s customers do business, may also be sources
of cybersecurity or other operational and technological risks, particularly
where activities of customers are beyond Citi’s security and control systems.
Citi outsources certain functions, such as processing customer credit card
transactions, uploading content on customer-facing websites, and developing
software for new products and services. These relationships allow for the
storage and processing of customer information by third-party hosting of or
access to Citi websites, which could result in service disruptions or website
defacements, a risk the confidentiality, privacy and security of data held by
third parties may be compromised and the potential to introduce vulnerable
code, resulting in security breaches impacting Citi customers. While Citi
engages in certain actions to reduce the exposure resulting from outsourcing,
such as performing onsite security control assessments and limiting third-
party access to the least privileged level necessary to perform job functions,
ongoing threats may result in unauthorized access, loss or destruction of data
or other cyber incidents with increased costs and consequences to Citi such
as those discussed above. Furthermore, because financial institutions are
becoming increasingly interconnected with central agents, exchanges and
clearing houses, including as a result of the derivatives reforms over the last
few years, Citi has increased exposure to operational failure or cyber attacks
through third parties.
While Citi maintains insurance coverage that may, subject to policy terms
and conditions including significant self-insured deductibles, cover certain
aspects of cyber risks, such insurance coverage may be insufficient to cover
all losses.
Citi’s Ability to Utilize Its DTAs, and Thus Reduce
the Negative Impact of the DTAs on Citi’s Regulatory
Capital, Will Be Driven by Its Ability to Generate
U.S. Taxable Income.
At December 31, 2015, Citi’s net DTAs were approximately $47.8 billion,
of which approximately $31.0 billion was excluded from Citi’s Common
Equity Tier 1 Capital, on a fully implemented basis, under the U.S. Basel III
rules (for additional information, see “Capital Resources—Components
of Citigroup Capital Under Basel III (Advanced Approaches with Full
Implementation)” above). In addition, of the net DTAs as of year-end 2015,
approximately $15.9 billion related to foreign tax credit carry-forwards
(FTCs). The carry-forward utilization period for FTCs is 10 years and
represents the most time-sensitive component of Citi’s DTAs. Of the FTCs at
year-end 2015, approximately $4.8 billion expire in 2018 and the remaining
$11.1 billion expire over the period of 2019-2025. Citi must utilize any FTCs
generated in the then-current year tax return prior to utilizing any carry-
forward FTCs.