Lessons From Citigroup’s Fat Finger

This week Citigroup agreed to pay $78 million to settle charges that its internal controls failed to catch a so-called “fat finger error” in 2022, when a Citigroup trader placed a gigantic sell order by mistake and sent European stock markets plunging. Compliance officers should pull up a chair; we have several lessons to learn here. 

So what happened? As outlined by the British regulators that brought the charges, on the morning of 2 May 2022, an absent-minded trader in the London offices of Citigroup Global Markets Ltd. tried to place a sell order for a basket of $58 million in securities. Except, the trader plugged the wrong number into the wrong field, and accidentally placed an order worth $444 billion.

Several of Citigroup’s internal controls quickly intercepted the error, and canceled parts of the order immediately — but other internal controls didn’t work as expected, including a warning message that the trader closed without reading it fully. When all was said and done, Citigroup still dumped $1.4 billion of securities onto the European markets, which briefly caused the markets to plunge by 4 percent. 

For perspective, that 4 percent drop would be equivalent to the Dow Jones industrial average falling more than 1,500 points. It would be front-page news. This flash-crash was at the time

Now the U.K. Financial Conduct Authority has fined Citigroup £27.7 million, and the Bank of England’s Prudential Regulation Authority tacked on a £33.9 million fine of its own. Citigroup also booked a $48 million loss as it unwound its erroneous trades two years ago. 

In total, that’s $126.5 million Citigroup has paid to cover the costs of poor internal controls. What went wrong here? 

Flawed Control Design and Control Planning

To appreciate the larger failures of the control environment, we should first examine the exact control failures that happened. Thankfully the FCA settlement order provides lots of detail on that question.

The error was that the trader entered the wrong number in the wrong place in Citigroup’s internal trading system. He wanted to sell $58 million worth of securities, but he entered that 58 million number in the field for units of securities to be sold. That’s how the value of his trading order ballooned to $444 billion. 

Right away, two “hard-block” controls baked into Citi’s trading systems blocked $248 billion worth of the order, and those controls could not be overridden. The remaining $196 billion were then paused by a “soft-block” control that was simply a pop-up warning presented on the trader’s computer screen. 

That pop-up warning listed 711 individual warning messages, all presented as a single alert. Only the first 18 lines of alerts were visible on the user’s screen; if you wanted to see the rest, you had to scroll manually through the rest of the alert. 

Or you could just skip all that and click “OK,” which is what the trader did. 

Now, I have never worked in financial services and algorithmic trading. But from my layman’s perspective, shouldn’t Citigroup’s internal control team have anticipated the potential risk of someone ignoring a long pop-up warning? Because I’ve skipped through long, arcane user agreements without reading them for years. So have you, and you know it.

Moreover, I no longer do this because several years ago Apple (my IT vendor of choice) stopped allowing users to hit “OK” without reading the whole user agreement. When you upgrade software or install new apps, you need to scroll through the entire agreement (which I still don’t read) before the option to press the “OK” button activates. 

That’s the most immediate lesson here, really: that internal control teams should think about human nature, risk, and business processes all together, and then design controls that address the risk effectively.

Otherwise you’re just creating a control to force people to go through an exercise (such as dismissing a warning box) without fully addressing the risk (by reading the warning, or at least skimming through the entire length of it). You’re engaging in compliance, rather than risk management. 
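
One way to build the control this section argues for, as an added example that is not Citigroup's code and not taken from the FCA order: a soft block that cannot be released until every alert line has been viewed, and that becomes a hard block when there are too many alerts to review. The limits, the function names and the re-typed order value confirmation are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed limits for illustration; the page gives no real thresholds.
HARD_NOTIONAL_LIMIT = 1_000_000_000  # above this, no override is possible
MAX_SOFT_ALERTS = 50                 # more alerts than a person can review

@dataclass
class SoftBlock:
    alerts: list
    viewed: set = field(default_factory=set)

    def mark_viewed(self, first, last):
        """Record that alert lines first..last (inclusive) were scrolled into view."""
        lo, hi = max(first, 0), min(last + 1, len(self.alerts))
        self.viewed.update(range(lo, hi))

    def unread(self):
        return len(self.alerts) - len(self.viewed)

def pre_trade_check(notional_usd, alerts):
    """Return ('HARD_BLOCK', reason), ('SOFT_BLOCK', SoftBlock) or ('PASS', None)."""
    if notional_usd > HARD_NOTIONAL_LIMIT:
        return "HARD_BLOCK", "notional exceeds hard limit"
    if len(alerts) > MAX_SOFT_ALERTS:
        # A wall of warnings in one pop-up is not reviewable, so do not offer "OK".
        return "HARD_BLOCK", f"{len(alerts)} alerts exceed reviewable maximum"
    if alerts:
        return "SOFT_BLOCK", SoftBlock(list(alerts))
    return "PASS", None

def acknowledge(block, typed_notional, notional_usd):
    """Release a soft-blocked order only after full review of the alerts.

    Assumption: the trader must also re-type the order's computed value,
    which surfaces a units-versus-value mix-up before release.
    """
    if block.unread() > 0:
        return False, f"{block.unread()} alerts not yet viewed"
    if typed_notional != notional_usd:
        return False, "typed value does not match order notional"
    return True, "released"
```

With these constructed limits, an alert list of 711 lines never reaches the trader as a dismissable pop-up, and a list of 30 lines cannot be acknowledged while only the first 18 have been on screen.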

Staffing Levels and Remediation

Back to our rogue trader and his enormous erroneous trade. Shouldn’t someone else within the vast empire of Citigroup have, ya know, noticed it? 

Yes, but a series of unfortunate events thwarted that too. The trade was placed on a banking holiday in Britain, so the team normally responsible for monitoring internally placed orders was off duty. Instead, another team responsible for monitoring external trading orders was covering, and that team didn’t escalate the alarms generated by Citigroup’s trading systems. 

The only folks who did raise alarms were yet another monitoring group, who didn’t even notice the erroneous trade until 35 minutes after it had been placed (and 20 minutes after the trader himself recognized his error and tried to cancel his order). When that third team escalated to the monitoring team covering for the day, that second group never replied.

Quite simply, there was a staffing shortage. Citigroup didn’t have enough monitoring staff, and those that were available weren’t versed in the appropriate monitoring procedures. As the Financial Conduct Authority put it:

The desk was understaffed and an open role had remained unfilled for a year, despite the firm’s efforts to fill the vacancy. This meant that there were insufficient levels of staffing within EMEA with the requisite skills and experience that was performing that monitoring.

Let’s also go back to hard controls for a moment. If staffing was a potential risk, shouldn’t Citigroup have been more diligent about implementing hard-block controls to block improper trades? 

Turns out that Citigroup actually did have those hard-block controls — but only for its New York trading desk (which had implemented them in 2013), not for the European trading desk. 

When we talk about inadequate staffing, or remediation in some locations but not others, we’re really talking about a poor control environment; one that isn’t pushing hard enough to get internal controls as effective as they need to be. That’s the true lesson others can take away from this latest Citigroup fiasco.

Let’s remember that this is the same Citigroup that accidentally wired $900 million of the bank’s own money to creditors of Revlon, essentially paying off a Revlon loan in full by accident. It’s the same Citigroup that paid $400 million to U.S. regulators in 2020 for poor internal controls and promised a program to improve them. 

Even the U.K. Prudential Regulation Authority, in its settlement order, noted that Citigroup’s own internal audits flagged concerns about the trading desk as far back as 2018. So even though inadequate staffing was one cause of this 2022 debacle, don’t shrug that off as part of the tight labor market at the time. 

Citigroup has struggled for years to build a rigorous system of internal controls; it struggles today still. The lesson for the rest of us is to invest in strong internal controls and compliance early, because that’s a whole lot cheaper than investing in them late.
