
Internal Controls and Humans in the Loop: Lessons from Citigroup’s $126 Million Mistake

The Citigroup internal control debacle in compliance and ethics is a glaring reminder of the critical importance of robust, well-designed, functioning, and effective internal controls. The U.K. Financial Conduct Authority fined Citigroup £27.7 million, the Bank of England’s Prudential Regulation Authority fined Citigroup £33.9 million, and Citigroup’s own internal losses added to a total loss of some $126 million. Citigroup’s mistakes underscore the perils of inadequate internal controls and provide many lessons for compliance professionals. Matt Kelly and Tom Fox discussed the matter in the most recent Compliance into the Weeds episode.

A Citigroup trader made a fateful error on a seemingly ordinary Monday (more on this day later) in May 2022. He intended to sell $58 million worth of securities but mistakenly placed the amount in the units field, leading to an order to sell 444 billion units. Although some of Citigroup’s controls caught parts of the error, they did not see the entirety of the Fubar. This mistake led to a flash crash on European stock markets and cost Citigroup $126 million, including fines and losses.

Lesson 1: Simplify and Focus Controls

One of the primary lessons from this incident is the need to consider human nature when designing internal controls. Citigroup had what was termed ‘hard-block controls’, which blocked $248 billion worth of the order, and those controls could not be overridden. However, there were also ‘soft-block controls’ in the form of a pop-up screen asking the trader if he wanted to move forward. The trader in question faced a warning screen with 711 individual red flags, a list so long that it became impractical to review. This scenario is akin to users scrolling through and ignoring lengthy user agreements—a typical human behavior.

Controls should be designed to be practical and actionable. Instead of presenting an overwhelming list of potential issues, a focused warning on the specific error or most critical issues could be more effective. This approach ensures that users pay attention to the most relevant information, reducing the risk of overlooked mistakes. Moreover, never present a front-line employee with 711 different red flags that they must navigate and try to (1) figure out what they did wrong and (2) remedy the situation.

Lesson 2: Strengthen Automated Controls

As noted, Citigroup had a mix of hard and soft controls. While some automated controls blocked a portion of the erroneous trade, others allowed it to proceed after a mere warning. This differentiation highlights the need for robust automated controls that do not solely rely on human intervention, especially in high-stakes environments. Automated controls should be comprehensive and prevent significant errors without relying exclusively on human review. Complex controls that automatically block erroneous transactions can prevent costly mistakes.

Lesson 3: Ensure Adequate Coverage

Remember when I opened this story with the trade happening on an ‘ordinary Monday’? It was not an ordinary Monday, as the trade occurred on a U.K. banking holiday, further complicating the situation. The primary monitoring team (Monitoring Team 1) was off due to the Bank Holiday, and the backup team (Monitoring Team 2) did not effectively manage or escalate the issue. Even when another monitoring team (Monitoring Team 3) discovered the error and sent the information back to Monitoring Team 2, the team in charge for the holiday, Monitoring Team 2 has yet to respond. These lapses point to another critical area: adequate staffing and effective backup procedures.

Companies must ensure adequate staffing to monitor and manage risks at all times, including during holidays, weekends, and off-hours. Effective backup procedures and cross-training can ensure that critical functions are covered regardless of the timing. Adequate staffing also means competent staffing, with teams understanding how and when to respond.

Lesson 4: Implement Consistent Global Controls

A notable aspect of Citigroup’s failure was the inconsistency in control implementation across regions. While robust controls existed in New York, they did not exist in Europe. Citigroup had those hard-block controls, which stopped $248 billion worth of orders, but only for its New York trading desk. Moreover, these hard-block controls had been implemented back in 2013. Yet, for some reason, they had not been implemented at the London trading desk. This discrepancy highlights the importance of consistent global controls. Once a risk is identified and a control is implemented in one region, it is crucial to extend that control globally. This consistency ensures that all parts of the organization are equally protected against similar risks, preventing regional disparities in control effectiveness.

Lesson 5: Integrate The Human Element

Citigroup’s failure also demonstrates the need for a vital human element in internal controls. Despite having multiple layers of monitoring, human oversight needed to be improved due to insufficient staffing and ineffective backup systems. While automated controls are essential, they should be complemented with effective human oversight. Regular training and clear protocols can enhance the effectiveness of both human and computerized controls, ensuring a more resilient control environment.

This human element extends to reports of control weaknesses by internal audit, as Citigroup had previously identified internal control weaknesses yet failed to address them adequately. This ongoing neglect resulted in repeated issues and significant penalties. When internal audits flag control weaknesses, it is imperative to address these issues promptly. Delaying remediation can lead to repeated failures and compound risks, as demonstrated by Citigroup’s experience.

The Citigroup incident offers a comprehensive lesson in the importance of robust internal controls, consistent global implementation, and the need for practical, focused warnings. Compliance professionals should take these lessons to heart and ensure that their organizations are equipped to prevent similar costly errors.

By designing effective controls, ensuring adequate staffing, and promptly addressing risks, companies can safeguard against the significant financial and reputational damage resulting from control failures. The Citigroup case is a stark reminder of the high stakes involved, and the critical role that well-designed internal controls play in maintaining the integrity of global financial operations.

Resources

Matt Kelly in Radical Compliance


Daily Compliance News: February 16, 2024 – The My Bad Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Lyft CEO says misplaced zero was his fault. (Bloomberg)
  • The Tesla Board Chair is under scrutiny for oversight of the company. (NYT)
  • The FCA investigates insider trading claims. (Bloomberg)
  • A tale of 2 corps: Binance and FTX. (Reuters)



Daily Compliance News: November 9, 2023 – The ESG Helps Hiring Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • ESG helps in hiring the best and brightest. (FT)
  • The UK hits Russia with new sanctions. (WSJ)
  • Indian anti-corruption journalist targeted in spy op. (Reuters)
  • GE Aerospace to pay $9.4M in a DOJ false claims case (Compliance Week)

10 For 10: Top Compliance Stories For the Week Ending September 30, 2023

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly fill of compliance stories with 10 For 10, a podcast produced by the Compliance Podcast Network.

  • Menendez was indicted for accepting bribes. (NYT)
  • Polish visa selling scandal. (FT)
  • FTC going after PE for serial acquisitions. (FT)
  • FCA to crack down on firms bullying their employees. (WSJ)
  • Cognizant execs trial delayed. (Law360)
  • Indonesia vows to sue UK over Airbus settlement. (FT)
  • McKinsey to pay another $230MM for opioid settlement. (FT)
  • The US warns advisory services in China. (WSJ)
  • Chinese Deputy Bank head accused of bribery. (Reuters)
  • SBF looking at a ‘very long’ sentence. (Reuters)


Daily Compliance News: September 27, 2023 – The Trump Guilty of Fraud Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Trump found guilty of fraud. (NYT)
  • FTC going after PE for serial acquisitions. (FT)
  • FCA to crack down on firms bullying their employees. (WSJ)
  • Binance melting away. (WSJ)

FCPA Compliance Report: Adam Pollock – Mission Driven Law: Serving the Greater Public Good

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Adam Pollock, co-founder of PollockCohen and Qui Tam/FCA expert.

Adam Pollock is an experienced lawyer with a unique blend of expertise in computer science and law. Having studied computer science at the University of Michigan before transitioning into law at the University of Pennsylvania, Pollock has spent over 15 years in the legal field, specializing in white-collar defense, Qui Tam cases, False Claims Act cases, whistleblower suits, and public advocacy. His law firm’s impactful public advocacy cases are rooted in a mission-driven approach, focusing on cases that serve a greater public good. He cites examples such as challenging the government over the regulation of menthol cigarettes, which disproportionately affect the African American community, and fighting for the rights of New York City retirees. Pollock’s work is driven by a desire to create positive change and make a difference. Join Tom Fox and Adam Pollock as they take a deep dive into these topics and more on this episode of the FCPA Compliance Report podcast.

Key Highlights

  • How far back Qui Tam cases go in history
  • The intersection of Qui Tam, FCA and whistleblower cases
  • Mission Driven Litigation
  • Private Attorney Generals?
  • The FCA at the Supreme Court

Resources

Adam Pollock on LinkedIn

PollockCohenLLP


2 Gurus Talk Compliance – Episode 13 – The FCA Speaks Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! In this episode, Tom and Kristy take on a wide variety of topics, including a visit to Florida Man.

In the world of business, compliance and investigation protocols play a crucial role in ensuring fairness, consistency, and institutional justice. Organizations need to establish robust frameworks to handle incidents effectively and mitigate risks. In this episode of 2 Gurus Talk Compliance, the topics include a new investigation by the FCA in the UK, Rubiales resigning (finally), an interesting cyber compliance enforcement action, and Roger Ng. Kristy takes the lead in highlighting a new DOJ Opinion Release. Join them as they delve deeper into these topics on this episode of the 2 Gurus Talk Compliance podcast.

Highlights Include:

1. Insufficient cyber plan = FCA violation. (DOJ Press Release)
2. Roger Ng banned for life. (Yahoo Finance)
3. FASB adopts crypto accounting rules. (WSJ)
4. Ken Paxton and slow creep of corruption. (Texas Tribune)
5. Rubiales resigns. (NYT)
6. U.K. Financial Regulator to Review Bank Treatment of Politically Exposed Persons (WSJ)
7. FCPA Opinion Release Provides Guidance on Payment of Travel and Other Expenses for Foreign Government Officials (Volkov)
8. AI in Employment: Privacy Regulation Is Here (PLI Chronicles/Gibson Dunn)
9. Is It Time to Update Your Company’s Dress Code? What ‘Business Casual’ Means Today (Inc.)
10. Florida man banned from the ocean after trying to sail homemade hamster wheel (local news)

Resources 

Kristy Grant-Hart on LinkedIn

Spark Consulting


Compliance into the Weeds: Failure to Have Effective Compliance Program

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt consider the recent DOJ enforcement action involving Verizon Business Network Services for failure to have an effective cyber security compliance program.

The recent case of Verizon’s non-compliance with cybersecurity standards and subsequent remediation efforts has sparked a significant conversation in the realm of cyber compliance. Tom views this case as a roadmap for companies to enhance their cybersecurity programs, emphasizing the importance of gap analysis and pressure testing. He draws parallels between cybersecurity compliance and the Foreign Corrupt Practices Act (FCPA) compliance, suggesting that Verizon’s case could serve as an example for other companies.

Matt applauds Verizon’s voluntary self-disclosure and extensive remediation efforts. He underscores the importance of disclosure, cooperation, and remediation in both cybersecurity and corruption cases, viewing Verizon’s actions as a positive example for other companies. Join Tom Fox and Matt Kelly as they delve deeper into this topic in the latest episode of the Compliance into the Weeds podcast. 

Key Highlights

  • Verizon’s Cybersecurity Program Failures
  • Enhancing Cybersecurity Compliance through Remediation Measures
  • Automating Compliance Efforts with GRC Tools
  • Potential Penalties for Non-Disclosure of Cybersecurity Issues

Resources

Matt on LinkedIn

Matt on Radical Compliance


Daily Compliance News: September 11, 2023 – The 11,196 Years Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Turkish fraud sentenced to 11,196 years in prison. (BBC)
  • FCA on the lookout for shirkers. (WSJ)
  • Argentina found liable for renationalization. (FT)
  • Kroger to pay $1.2bn to settle opioid claims. (NYT)

Daily Compliance News: September 8, 2023 – The Slow Creep of Corruption Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.