Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Citi’s technology and cybersecurity risk management program is built on Citi’s three lines of defense, each of which is integrated into Citi’s overall risk management systems and processes.
Citi’s Chief Information Security Office, which is led by Citi’s Head of Foundational Services and Chief Information Security Officer (CISO), serves as the first line of defense. This office provides frontline business, operational and technical controls and capabilities to (1) protect against cybersecurity risks, and (2) respond to cyber incidents, including data breaches. Citi manages cybersecurity threats through its state-of-the-art fusion centers, which serve as central commands for monitoring and coordinating responses to cyber threats.
Citi’s Chief Information Security Office is responsible for application and infrastructure defense and security controls, performing vulnerability assessments and third-party information security assessments (including cybersecurity risk assessments associated with Citi’s use of products and services from vendors and other third-party providers), employee awareness and training programs, and security incident management. In each case, the enterprise information security team works in coordination with a network of information security officers who are embedded within Citi’s global businesses and functions, consistent with Citi’s philosophy that all Citi stakeholders have a responsibility in managing cyber and information security risks.
Citi’s Technology and Cyber Compliance and Operational Risk Office (TCCORO) serves as the second line of defense. This office independently evaluates and challenges Citi’s risk mitigation practices and capabilities, from a fused operational risk and compliance lens. It functions as a joint second line of defense and in accordance with Citi’s Cybersecurity Risk Appetite Statement. TCCORO also advises first line partners in CISO, supporting enterprise-wide efforts to proactively identify and remediate cybersecurity risks before they materialize as incidents that negatively affect business operations.
To address evolving cybersecurity risks and corresponding regulations, TCCORO monitors cybersecurity legal and regulatory requirements, identifies and defines emerging risks, executes strategic cybersecurity threat assessments, performs new product and initiative reviews, performs data management risk oversight and conducts cybersecurity risk assurance reviews (inclusive of third-party assessments). In addition, this office oversees and challenges metrics related to cybersecurity and technology and ensures they remain aligned with Citi’s overall operational risk management framework to effectively track, identify and manage risk. TCCORO presents an independent viewpoint on enterprise cybersecurity risk posture, and oversees CISO’s cybersecurity risk identification, measurement and enterprise-wide governance of cybersecurity risk.
Internal Audit serves as Citi’s third line of defense and provides independent assurance to the Audit Committee of the Board on the effectiveness of controls operated by the first and second lines of defense to manage cybersecurity risk.
Citi recognizes the risks associated with outsourcing services to, sharing data with, and/or technologically interacting with third parties. Citi has built a robust third-party information security risk management program that governs third-party engagements from selection, to the establishment of legal agreements that govern the relationship, to ongoing monitoring through the duration of the relationship. Third-party risk management includes reliance on contractual requirements around data and cybersecurity, vulnerability assessments, third-party information security assessments performed at intervals determined by risk level, governance to manage end-of-life and end-of-vendor-support risks, and third-party incident response protocols.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Citi’s technology and cybersecurity risk management program is built on Citi’s three lines of defense, each of which is integrated into Citi’s overall risk management systems and processes.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Board Governance
Citigroup’s Board of Directors and its committees provide oversight of senior management’s efforts to mitigate cybersecurity risk and respond to cybersecurity incidents. Citi’s Board includes members with cybersecurity expertise and experience.
Citigroup’s full Board is briefed annually on cybersecurity risks and receives updates as needed on Citi’s cyber and information security program, including changes to the threat landscape and a roadmap for progress around addressing related risks. Additionally, Citigroup’s Board participates in cybersecurity exercises to improve preparedness to address cybersecurity incidents.
The Board’s Technology Committee receives quarterly updates from the Chief Information Security Office on the cybersecurity threat landscape, regulatory landscape, posture, and strategy and engages in discussions throughout the year with senior management and subject matter experts on the effectiveness of Citi’s overall cybersecurity program.
The Board’s Risk Management Committee (RMC) approved a standalone Cybersecurity Risk Appetite Statement against which Citi’s performance is measured quarterly. In addition, the RMC oversees Citi’s risk profile, which includes cybersecurity risk, and monitors whether Citi is operating within its cybersecurity risk appetite under its mandate to review key operational risks, including steps taken by management to control such risks.
In the event of a potentially material cybersecurity incident impacting Citi, the Board would be made aware of such incident via lines of communication that run from the Chief Information Security Office to senior management and also to the Board. This contemporaneous reporting on significant cyber events includes information and discussion around incident response, legal obligations (including disclosure), and outreach and notification to regulators and customers when needed.
For additional information on the Board’s oversight of cybersecurity risk management, see Citi’s upcoming 2025 Annual Meeting Proxy Statement to be filed with the SEC in March 2025.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] See “Board Governance” above.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] See “Board Governance” above.
Cybersecurity Risk Role of Management [Text Block]
Citi’s Head of Technology and Business Enablement, who reports directly to Citi’s CEO, has overall responsibility for Citi’s first line of defense cyber and information security and technology programs. Citi’s Head of Technology and Business Enablement has over 30 years of experience in the financial services industry. Prior to joining Citi, he was a Senior Partner at PricewaterhouseCoopers, where he oversaw the firm’s strategy and execution. For additional information, see “Corporate Information—Executive Officers” below.
Citi’s Head of Foundational Services and CISO, who reports directly to Citi’s Head of Technology and Business Enablement, has primary responsibility to assess and manage Citi’s material risks from cybersecurity threats. Citi’s CISO has decades of experience in managing cybersecurity risks from prior roles as Deutsche Bank’s Chief Security Officer, the Chief Information Officer for the Central Intelligence Agency and the Chief Information Officer for the U.S. Intelligence Community. The CISO is supported by a team of subject matter experts in security operations, network architecture, cyber and information security governance and cybersecurity operations. Citi’s Chief Information Security Office employs approximately 3,400 individuals to manage its operations.
Citi’s Chief Technology Officer (CTO) and Head of Emerging Technology and Strategic Partnerships, who also reports to Citi’s Chief Information Officer, has primary responsibility for technology policy, innovation enablement and strategy. Citi’s CTO has served in various technology roles at Citi since 2012, including most recently as Group Head of Engineering and Architecture. Prior to joining Citi, the CTO worked in equity linked technology at Bank of America Merrill Lynch.
Multiple management committees and functions also support Citi’s cyber and information security management.
The Chief Information Officer Committee (CIOC), which consists of, among others, the Head of Technology and Business Enablement, Citi’s Co-Chief Information Officers (who report to the Head of Technology and Business Enablement), the CISO, and the Head of TCCORO (who reports both to Citi’s Head of Operational Risk within the Risk organization and its Head of Global Functions Compliance within the Global Legal and Compliance organization), serves as an escalation forum for items requiring the attention of technology senior management, including approval of policies, and reports items requiring further escalation to the Technology Committee of the Board of Directors, as appropriate.
The Information Security Risk Operating Committee (ISROC) is chaired by the CISO and comprises senior members of the Chief Information Security Office and representatives from partner organizations. This committee sets the direction and prioritization for the implementation of the cyber and information security program across Citi. The committee reports and escalates to the CIOC, including for intermediary review and approval of policies escalated from the Information Technology Policy Council (see below). Any actions constituting risk exceptions are escalated to the ISRC.
The Security Architecture Council, which reports to the ISROC, is an oversight and decision-making body focused on ensuring that the target level of security architectural maturity is attained. This council is co-chaired by two representatives from the security architecture and cybersecurity services organizations.
Citi’s Information Technology Policy Council provides a centralized review to oversee consistency in the formation of information technology policies and standards. This council maintains oversight of policy document requirements to ensure that information technology policy documents meet Citi’s objectives as established internally and are in line with laws and regulations as identified and communicated by ICRM.
In addition, Citi regularly engages third parties globally to assess, audit and/or exercise Citi’s cyber and information security program, which is certified against ISO/IEC 27001, the international standard for information security management systems. Citi is regulated by bodies across the globe that also regularly examine and audit Citi’s cyber and information security program against local laws, regulations and industry best practices.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] See “Board Governance” above.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Citi’s Head of Technology and Business Enablement has over 30 years of experience in the financial services industry. Prior to joining Citi, he was a Senior Partner at PricewaterhouseCoopers, where he oversaw the firm’s strategy and execution.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Board’s Technology Committee receives quarterly updates from the Chief Information Security Office on the cybersecurity threat landscape, regulatory landscape, posture, and strategy and engages in discussions throughout the year with senior management and subject matter experts on the effectiveness of Citi’s overall cybersecurity program.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true