News

     

Adulali Jiwaji reflects on the takeaways from Citigroup’s £61.6M regulatory trading fine

By Abdulali Jiwaji

Partner Abdulali Jiwaji examines the key takeaways from the £61.6 million trading fines issued against Citigroup by the Financial Conduct Authority and the Prudential Regulation Authority, following a catastrophic so-called fat finger error by one of its bankers.

Abdulali’s article was published in Law360, 25 June 2024, and can be found here. 

On May 22, fines were issued against Citigroup Global Markets Ltd. after a catastrophic so-called fat finger error by one of its bankers — one of the most significant recent examples, but by no means the first, of such a mistake. [1]

In this instance, the bank was fined £61.6 million ($78.03 million) by financial regulators after its internal systems failed to prevent the slip-up, causing a flash crash by erroneously placing more than £1 billion of orders.

Inputting Error

The inputting error was made by a trader making an entry into the wrong field in Citigroup’s order management system, intending to sell equities to the value of approximately $58 million (£46 million).

By entering the figure into the wrong field, a basket of stocks with a notional size $444 billion was created, sufficient to cause a brief but significant wobble on European exchanges. It could, however, have been worse.

In recent years, there have been a number of examples of erroneous trades and transactions created by similarly basic unintended blunders. [2] One memorable example involved the Japanese bank Mizuho Securities Co. Ltd. in 2005. [3]

The firm blamed a typing error for someone working within its brokerage arm accidentally offering to sell 610,000 shares in an employment agency at ¥1 ($0.006) instead of what had been intended, which was to sell one share at ¥610,000 ($3,821).

Put together, these two incidents — separated by almost 20 years, during which time we have also seen examples of similar mistakes involving institutions such as Deutsche Bank — illustrate the constant battle for financial institutions to structure systems to catch erroneous trades before they are executed.

With the latest Citigroup mistake, it is vital to appreciate just how quickly the situation unraveled. On May 2, 2022, between 8:47 a.m. and 8:54 a.m., a trader was booking a basket of equities to hedge a proportion of Citigroup Global Market’s European exposure to the MSCI World Index.

The trader’s intention was initially to sell $58 million. But rather than entering $58 million into the “notional” field, the trader entered $58 million into the “quantity” field. At 8:56 a.m., a “Trade Limit Warning” pop-up alert appeared, which presented the trader with 711 warning messages.

The trader, however, did not appreciate the inputting error at that point, and instinctively clicked through to override the warnings. Citigroup’s internal systems blocked $255 billion of the equities basket progressing, but the remaining $189 billion was sent to a trading algorithm that sold shares into the market.

A total of $1.4 billion of sell orders were executed across various European exchanges. This coincided with a material short-term drop in several European indices, which lasted a few minutes. At 9:10 a.m. the order was canceled in full by the trader.

The entire episode took place within a brief window of 14 minutes, but this was sufficiently long to instigate serious market disruption.

Regulatory Action

For this reason, and to send out a message across the sector, regulatory action has followed. The U.K. Financial Conduct Authority fined Citigroup Global Markets £27.77 million, and the Prudential Regulation Authority meanwhile imposed a financial penalty of £33.88 million after its own investigation. As Citigroup settled early, both of these fines were discounted by 30%.

Under both the FCA and the PRA rules, which are overlapping, a firm must conduct its business with due skill, care and diligence. Furthermore, a firm must take reasonable care to organize and control its affairs responsibly and effectively, with adequate risk management systems. [4]

A firm must also have in place effective systems and controls, suitable to the business it operates, to ensure that its trading systems prevent the sending of erroneous orders, or the systems otherwise functioning in a way that may create or contribute to a disorderly market. [5]

Controls

In this case, Citigroup did have various controls designed to catch trading errors. There was a combination of hard and soft blocks that were applicable, as well as preventative controls and a system for real-time monitoring.

As demonstrated by the impact of the mistake, the controls were clearly insufficient to catch the error in time, for a variety of reasons. One of the key controls had been increased in response to higher volatility at the start of the COVID-19 pandemic, without more recent review and adjustment.

There was a pop-up system of warnings, but traders were able to override multiple alerts without scrolling down or reading all the alerts. There was a lack of effective and appropriate hard blocks to limit or prevent erroneous orders.

A key absence was a notional basket-level limit in the form of a hard block, and one hard block that was in place was not set at an effective level — the limit in place of $2 billion for each individual order item was set too high to be effective.

Hard and soft limit alert pop-up notifications were poorly designed and did not operate effectively as a risk management tool. Most stark, perhaps, was a failing in the adequacy of real-time human monitoring of the erroneous trade during the execution process.

In the Citigroup incident, the relevant team failed to escalate and respond to alerts, and only reacted after the trader had already canceled the order. The eyes of an attentive supervisor might have spotted the mistake even if it had passed the automated safety mechanisms.

Level of Fine

In making their rulings, the regulators took into account both mitigating and aggravating factors relevant to the human error, and Citigroup’s ability to counter its consequences in time. Aggravating factors included previous fines issued, which related to prior systems and controls failings to do with trading activity.

The regulators had previously flagged the effectiveness of the control environment as a key risk and highlighted deficiencies in systems for trade surveillance.

In the course of its investigation, the PRA noted some instances of incomplete production of documents, which affected its ability to conclude its enforcement process promptly and efficiently, and fell short of expectations.

In contrast, the PRA also referenced Citigroup’s ready willingness to cooperate. Both regulators acknowledged that Citigroup undertook significant remediation in respect of trading controls and booking model controls, including working with an external consultant.

The clear inference for banks and other financial institutions that could find themselves in a similar situation is that the response to an investigation and the dynamic with the regulator can play a significant part in the outcome.

Learning Points

Several learning points flow that institutions should take on board. Regular reviews of trading controls and booking model controls need to be undertaken, adding hard blocks as necessary, and to consider whether all controls are set at effective levels.

Pop-up warnings must not become routine and subject to click-through. From time to time, the presentation and format should be reviewed to ensure that familiarity does not mean that pop-ups are routinely disregarded or overridden.

Banks should also ensure that systems for real-time monitoring are effective. Where there is a level of human intervention, it needs to be meaningful and prompt enough, although the reality is that human monitoring will often be unable to keep up with the pace of events.

Some of the systems issues exposed by the investigations have echoes of the failings in banks’ control systems when a payment fraud is taking place. The speed of events can render automated and human controls redundant in the face of deliberate fraud against bank customers.

Conclusion

This year, we have already seen significant fines imposed by the FCA. According to the FCA website, it has issued £35.09 million in fines to financial institutions in 2024. In contrast and for the same period in 2023, the FCA issued under £30 million in fines. [6]

The outlook for the rest of the year is that there will likely be more enforcement activity in comparison to last year. In 2023, only 12 fines were issued by the FCA, raising a total of £53.4 million. This compares with 26 fines levied in 2022 with an aggregate value of £215.8 million. So, in 2024 enforcement activity is starting from a relatively low base.

With this in mind, firms need to be constantly monitoring their systems and keeping up with technological developments in both trading strategies and algorithmic trading to ensure that the controls are up to scratch.

Regulators will certainly be looking to move quickly to issue penalties in relation to these types of incidents in order to get their messages out to the market.

 

[1] FCA fines CGML £27,766,200 for failures in its trading systems and controls – Financial Conduct Authority, 22 May 2024; and The Prudential Regulation Authority (PRA) fines Citigroup Global Markets Limited (CGML) £33,880,000 for failures in its trading systems and controls, Prudential Regulation Authority, 22 May 2024.

[2] https://www.bbc.co.uk/news/business-61303217

[3] https://www.theguardian.com/business/2005/dec/09/japan.internationalnews1

[4] FCA Principles 2 and 3 and PRA Fundamental Rules 5 and 6.

[5] FCA Market Conduct Handbook MAR 7A.3.2 and PRA Rulebook on Algorithmic Trading at Rules 2.1 and 2.2.

[6] https://www.fca.org.uk/news/news-stories/2024-fines

Latest news

All news