Internal Controls and Humans in the Loop: Lessons from Citigroup’s $126 Million Mistake

The Citigroup internal control debacle in compliance and ethics is a glaring reminder of the critical importance of robust, well-designed, functioning, and effective internal controls. The U.K. Financial Conduct Authority fined Citigroup £27.7 million, the Bank of England’s Prudential Regulation Authority fined Citigroup £33.9 million, and Citigroup’s own internal losses brought the total loss to some $126 million. Citigroup’s mistakes underscore the perils of inadequate internal controls and provide many lessons for compliance professionals. Matt Kelly and Tom Fox discussed the matter in the most recent Compliance into the Weeds episode.

A Citigroup trader made a fateful error on a seemingly ordinary Monday (more on this day later) in May 2022. He intended to sell $58 million worth of securities but mistakenly placed the amount in the units field, leading to an order to sell 444 billion units. Although some of Citigroup’s controls caught parts of the error, they did not see the entirety of the Fubar. This mistake led to a flash crash on European stock markets and cost Citigroup $126 million, including fines and losses.

Lesson 1: Simplify and Focus Controls

One of the primary lessons from this incident is the need to consider human nature when designing internal controls. Citigroup had what were termed ‘hard-block controls’, which blocked $248 billion worth of the order and could not be overridden. However, there were also ‘soft-block controls’ in the form of a pop-up screen asking the trader if he wanted to move forward. The trader in question faced a warning screen with 711 individual red flags, a list so long that it became impractical to review. This scenario is akin to users scrolling through and ignoring lengthy user agreements, a typical human behavior.

Controls should be designed to be practical and actionable. Instead of presenting an overwhelming list of potential issues, a focused warning on the specific error or most critical issues could be more effective. This approach ensures that users pay attention to the most relevant information, reducing the risk of overlooked mistakes. Moreover, never present a front-line employee with 711 different red flags that they must navigate and try to (1) figure out what they did wrong and (2) remedy the situation.

Lesson 2: Strengthen Automated Controls

As noted, Citigroup had a mix of hard and soft controls. While some automated controls blocked a portion of the erroneous trade, others allowed it to proceed after a mere warning. This differentiation highlights the need for robust automated controls that do not solely rely on human intervention, especially in high-stakes environments. Automated controls should be comprehensive and prevent significant errors without relying exclusively on human review. Complex controls that automatically block erroneous transactions can prevent costly mistakes.

Lesson 3: Ensure Adequate Coverage

Remember when I opened this tale with the trade happening on an ‘ordinary Monday’? It was not an ordinary Monday, as the trade occurred on a U.K. bank holiday, further complicating the situation. The primary monitoring team (Monitoring Team 1) was off due to the bank holiday, and the backup team (Monitoring Team 2) did not effectively manage or escalate the issue. Even when another monitoring team (Monitoring Team 3) discovered the error and sent the information back to Monitoring Team 2, the team in charge on the holiday, Monitoring Team 2 still did not respond. These lapses point to another critical area: adequate staffing and effective backup procedures.

Companies must ensure adequate staffing to monitor and manage risks at all times, including during holidays, weekends, and off-hours. Effective backup procedures and cross-training can ensure that critical functions are covered regardless of the timing. Adequate staffing also means competent staffing, with teams understanding how and when to respond.

Lesson 4: Implement Consistent Global Controls

A notable aspect of Citigroup’s failure was the inconsistency in control implementation across regions. While robust controls existed in New York, they did not exist in Europe. Citigroup had those hard-block controls, which stopped $248 billion worth of orders, but only for its New York trading desk. Moreover, these hard-block controls had been implemented back in 2013. Yet, for some reason, they had not been implemented at the London trading desk. This discrepancy highlights the importance of consistent global controls. Once a risk is identified and a control is implemented in one region, it is crucial to extend that control globally. This consistency ensures that all parts of the organization are equally protected against similar risks, preventing regional disparities in control effectiveness.

Lesson 5: Integrate The Human Element

Citigroup’s failure also demonstrates the need for a vital human element in internal controls. Despite having multiple layers of monitoring, human oversight needed to be improved due to insufficient staffing and ineffective backup systems. While automated controls are essential, they should be complemented with effective human oversight. Regular training and clear protocols can enhance the effectiveness of both human and computerized controls, ensuring a more resilient control environment.

This human element extends to reports of control weaknesses by internal audit, as Citigroup had previously identified internal control weaknesses yet failed to address them adequately. This ongoing neglect resulted in repeated issues and significant penalties. When internal audits flag control weaknesses, it is imperative to address these issues promptly. Delaying remediation can lead to repeated failures and compound risks, as demonstrated by Citigroup’s experience.

The Citigroup incident offers a comprehensive lesson in the importance of robust internal controls, consistent global implementation, and the need for practical, focused warnings. Compliance professionals should take these lessons to heart and ensure that their organizations are equipped to prevent similar costly errors.

By designing effective controls, ensuring adequate staffing, and promptly addressing risks, companies can safeguard against the significant financial and reputational damage resulting from control failures. The Citigroup case is a stark reminder of the high stakes involved, and the critical role that well-designed internal controls play in maintaining the integrity of global financial operations.

Resources

Matt Kelly in Radical Compliance

Compliance into the Weeds: Of Fat Fingers, Internal Controls and Compliance

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom and Matt delve deep into Citigroup’s $126 million trading error, resulting from poor internal controls.

They discuss how a simple ‘fat finger’ error by a trader led to a major flash crash on European stock exchanges in 2022, and how the failure of Citigroup’s internal controls allowed it to happen. The discussion covers multiple compliance lessons, including the importance of understanding the human element in control design, the need for adequate staffing and monitoring, and the necessity of consistent global risk management.

Fox and Kelly also highlight the importance of addressing findings from internal audits and maintaining urgency in improving internal controls. They emphasize that companies should think creatively about risk management, taking into account various global factors, including holidays and local regulations.

Key Highlights:

  • The Citigroup Internal Control Fiasco
  • Compliance Lessons from Citigroup’s Mistake
  • The Human Element in Compliance and Control Failures
  • Global Consistency in Risk Management

Resources:

Matt on Radical Compliance

Compliance Tip of the Day: Train to Your Strength

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In today’s episode, we demonstrate the power of strength-based training, which focuses on the strengths and capabilities of employees.

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Daily Compliance News: May 29, 2024 – The Near Settlement Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Private-Equity Giants Near Settlements With SEC Over Texting Violations (WSJ)
  • Malta ex-PM to face corruption charges. (US News & World Report)
  • FTX exec sentenced. (NYT)
  • Adam Neumann gives up on WeWork again. (NYT)

The Hill Country Podcast: A Deep Dive into Filmmaking with CJ Goodwyn

Welcome to the award-winning The Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth.

In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this the most unique area of Texas.

This week Tom visits Hill Country movie director CJ Goodwyn, who shares his journey from growing up in Kerrville, his transition into the film industry, and his experiences making feature films.

They discuss his creative process, the challenges he faced, and his most recent works, including ‘GH5,’ ‘Jackson,’ ‘Eyes of a Roman,’ and ‘Sherlock Holmes: Mare of the Night.’ CJ also talks about his approach to humanizing the iconic character of Sherlock Holmes and his unique methods of screenwriting and production in the Texas Hill Country.

Key Highlights:

  • CJ Goodwyn’s Early Life and Entry into Filmmaking
  • The Journey of Making the First Feature Film
  • Exploring CJ’s Feature Films and Creative Process
  • Deep Dive into ‘Sherlock Holmes: Mirror of the Night’
  • The Creative Process Behind Screenwriting
  • Filmmaking in the Texas Hill Country
  • Future Projects and Where to Find CJ’s Work

Resources

CJ Goodwyn on LinkedIn

CJ Goodwyn on YouTube

CJ Goodwyn on Facebook

Other Hill Country-Focused Podcasts

Hill Country Authors Podcast

Hill Country Artists Podcast

Texas Hill Country Podcast Network

Great Women in Compliance: Building Great Mentor/Mentee Relationships

Welcome to the Great Women in Compliance podcast on the Compliance Podcast Network, sponsored by Corporate Compliance Insights. In today’s episode, Lisa Fine and Ellen Hunt speak with Melanie Sponholz and Margarita Derelanko, Senior Director of Compliance, Ivy Rehab Network, about mentor/mentee relationships.

The group discusses various aspects of mentoring, from choosing a mentor to building a relationship. They also discuss how this is a 2-way street and how mentors and mentees learn from one another. Mel and Margarita have an established mentoring relationship, and they talk about their experiences with one another and what they see as successes and pitfalls. They discuss the importance of having an authentic connection between the two individuals.

A mentor can provide critical support and guidance throughout one’s career. This episode can help those looking for mentors and shows how to maximize this relationship, whether you are the mentor or mentee.

Topics include:

  • How being curious is a critical skill for a mentor
  • The importance of being open and vulnerable
  • How to reach out and make an initial connection with a potential mentor
  • Mentor/mentee relationships take many different forms 
  • Practical tips for mentors and mentees

You can join the LinkedIn podcast community or the Great Women in Compliance podcast community here.