The Federal Reserve and Office of the Comptroller of the Currency said the country's third-largest bank had for years failed to address the issues despite repeated warnings.
It must take "comprehensive" action to overhaul its risk management, data governance, internal controls and some compensation practices, the regulators said in separate orders and statements.
The orders, which could curtail Citi's ability to make acquisitions and personnel decisions, intensify challenges facing incoming Chief Executive Jane Fraser, who also needs to revive the bank's lagging revenues and tarnished brand.
Citi's risk management was not "commensurate with the Bank's size, complexity, and risk profile," the OCC said.
Citi responded in a statement that it was disappointed to have fallen short of regulatory expectations and had "significant remediation projects" under way. It said it had "accelerated investments and made structural changes," citing over $1 billion in spending this year to address the problems.
The hefty penalty follows renewed public and regulatory scrutiny of Citi's operations after an "error" led the bank to mistakenly send Revlon creditors $900 million of its own funds in August. The bank is pursuing legal action against some lenders who are refusing to return the payment.
Since then it has announced that Chief Executive Mike Corbat would retire earlier than expected, with Fraser taking over in February. She has highlighted improving risk and control systems as a priority.
"We will invest in our infrastructure, risk management and controls to ensure that we operate in a safe and sound manner," she said in a statement last month.
The OCC order gives the regulator the right to veto any significant new acquisitions by the bank, and to require changes to senior management or the bank's board if necessary. It also requires Citi to create new senior teams devoted to addressing the issues, and for the board to provide frequent updates to regulators on how the comprehensive overhaul is progressing.
YEARS OF FAILURES
Some of the issues highlighted in the Fed's order date back to 2013, the regulator said.
In 2014, Citi flunked the Fed's annual "stress test" exam for not fixing previously identified risk management issues — a major setback for Corbat. That year Citi disclosed that its Mexican subsidiary Banamex lost more than $500 million on fraudulent loans to a supplier to state-owned oil company Pemex.
Since then, the bank has paid roughly $1 billion to US regulators for lapses that included money laundering control failures, illegal credit card practices, violations on fair housing, flood insurance, and for holding foreclosed property too long.
Banking experts have said the problems arose from decades of acquisitions that led to a hodge-podge of technology systems. Those deals made Citigroup the biggest US bank going into the 2008 financial crisis.