Internal Controls and Humans in the Loop: Lessons from Citigroup’s $126 Million Mistake

Thomas Fox - Compliance Evangelist

In the world of compliance and ethics, the Citigroup internal control debacle serves as a glaring reminder of the critical importance of robust, well-designed, functioning and effective internal controls. The U.K. Financial Conduct Authority fined Citigroup £27.7 million, the Bank of England’s Prudential Regulation Authority fined Citigroup £33.9 million, and Citigroup’s own internal losses brought the total loss to some $126 million. Citigroup’s mistakes underscore the perils of inadequate internal controls and provide a plethora of lessons for compliance professionals. Matt Kelly and Tom Fox discussed the matter in the most recent episode of Compliance into the Weeds.

On a seemingly ordinary Monday (more on this day later) in May 2022, a Citigroup trader made a fateful error. He intended to sell $58 million worth of securities but mistakenly placed the amount in the units field, leading to an order to sell 444 billion units. Although some of Citigroup’s controls caught parts of the error, they did not catch the entirety of the Fubar. This mistake led to a flash crash on European stock markets and cost Citigroup the $126 million, including fines and losses.

Lesson 1: Simplify and Focus Controls

One of the primary lessons from this incident is the need to consider human nature when designing internal controls. Citigroup had what were termed ‘hard-block controls’ which blocked $248 billion worth of the order, and those controls could not be overridden. However, there were also ‘soft-block controls’ in the form of a pop-up screen asking the trader if he wanted to move forward. The trader in question faced a warning screen with 711 individual red flags, a list so long that it became impractical to review. This scenario is akin to users scrolling through and ignoring lengthy user agreements—a common human behavior.

Controls should be designed to be practical and actionable. Instead of presenting an overwhelming list of potential issues, a focused warning on the specific error or most critical issues could be more effective. This approach ensures that users pay attention to the most relevant information, reducing the risk of mistakes being overlooked. Moreover, never present a front-line employee with 711 different red flags that they must then navigate to try to (1) figure out what they did wrong and (2) remedy the situation.

Lesson 2: Strengthen Automated Controls

As noted, there was a mix of hard and soft controls at Citigroup. While some automated controls blocked a portion of the erroneous trade, others allowed it to proceed after a mere warning. This differentiation highlights the need for robust automated controls that do not solely rely on human intervention, especially in high-stakes environments. Automated controls should be comprehensive and capable of preventing significant errors without relying solely on human review. Where possible, hard controls that automatically block erroneous transactions can prevent costly mistakes.

Lesson 3: Ensure Adequate Coverage

Remember that I opened this story with the trade happening on an ‘ordinary Monday’. Well, it was not actually an ordinary Monday: the trade occurred on a UK banking holiday, which further complicated the situation. The primary monitoring team (Monitoring Team 1) was off due to the Bank Holiday, and the backup team (Monitoring Team 2) did not effectively manage or escalate the issue. Even when yet another monitoring team (Monitoring Team 3) discovered the error and sent the information back to Monitoring Team 2, the team in charge on the holiday, Monitoring Team 2 never responded. These lapses point to another critical area: adequate staffing and effective backup procedures.

Companies must ensure that there is adequate staffing to always monitor and manage risks, including during holidays, weekends and off-hours. Effective backup procedures and cross-training can help ensure that critical functions are covered, regardless of the timing. Adequate staffing also means competent staffing with teams who understand how and when to respond.

Lesson 4: Implement Consistent Global Controls

A notable aspect of Citigroup’s failure was the inconsistency in control implementation across regions. While robust controls existed in New York, they were not in place in Europe. Citigroup actually had those hard-block controls, which stopped $248 billion worth of the order, but only for its New York trading desk. Moreover, these hard-block controls had been implemented back in 2013. Yet for some reason these hard-block controls had not been implemented at the London trading desk. This discrepancy highlights the importance of consistent global controls. Once a risk is identified and a control is implemented in one region, it is crucial to extend that control globally. This consistency ensures that all parts of the organization are equally protected against similar risks, preventing regional disparities in control effectiveness.

Lesson 5: Integrate The Human Element

Citigroup’s failure also demonstrates the need for a strong human element in internal controls. Despite having multiple layers of monitoring, the human oversight was inadequate due to insufficient staffing and ineffective backup systems. While automated controls are essential, they should be complemented with effective human oversight. Regular training and clear protocols can enhance the effectiveness of both human and automated controls, ensuring a more resilient control environment.

This human element extends to reports of control weaknesses by internal audit, as Citigroup had previously identified internal control weaknesses yet failed to address them adequately. This ongoing neglect resulted in repeated issues and significant penalties. When internal audits flag control weaknesses, it is imperative to address these issues promptly. Delaying remediation can lead to repeated failures and compound risks, as demonstrated by Citigroup’s experience.

The Citigroup incident offers a comprehensive lesson in the importance of robust internal controls, consistent global implementation, and the need for practical, focused warnings. Compliance professionals should take these lessons to heart, ensuring that their organizations are equipped to prevent similar costly errors.

By designing effective controls, ensuring adequate staffing, and addressing risks promptly, companies can safeguard against the significant financial and reputational damage that can result from control failures. The Citigroup case is a stark reminder of the high stakes involved and the critical role that well-designed internal controls play in maintaining the integrity of global financial operations.

Resources

Matt Kelly in Radical Compliance
