18 Jul5 lessons from Citibank’s recent $7 million fine for reporting errors. 

That sort of money is a big deal for ordinary folk, it is even enough to pay 20 people at Goldman Sachs for a year and while it may not be a lot for Citi, which has a rap sheet as long as a career criminal’s in Essex, if you are the the Bankers’ Plumber you wonder where things go wrong. A few thoughts on the old enemy of Operational Risk.

Citi’s latest fine is from the US regulator, the Securities & Exchange Commission (SEC). for failings in its reporting in response to special enquiries from the SEC. Some 27’000 failings across 2’300 requests in a 15 year period; some10 per response and consistently over the 15 years. Citi are not alone; both Credit Suisse and Scottrade have been fined large amounts in the last two years.

This all comes under the heading of Operational Risk:

“The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”

Banking insiders would say that the controls did not work. Somebody from outside a bank would perhaps put things more simply: “Someone did not do their job properly.”

Rather than waxing lyrical on the promise of the B-word du jour, Blockchain, this is about a more simple B-word: the Basics. What are the basic controls, how should they have worked and what might have gone wrong?

Control Principle

Control Standard

What might have happened?

Timeliness

All tasks must be completed in a timely manner.

Looks like this part was correct. Whatever was done, was done on time

Completeness

A process is required to ensure that all items that should have bene reported were. A reconciliation.

One or more of the following:

There was no proper reconciliation process to check the output vs. the underlying systems

There was a reconciliation, but one or more systems were omitted. It is very common in banks to have multiple systems doing the same thing. For example, the FX desk trades with the Street and so does the Equity desk. Both book to different systems. Activity in the “minor” system in Equities are easily forgotten

Accountability & segregation of duties

Each process must have a clear accountability structure to ensure that every process step is owned by the most appropriate individual/team

Where tasks are split across several departments (e.g. reconciliations), overall responsibility should be with one team and the line of delineation for the supporting tasks clearly defined

Possible combinations of issues here:

Adequate vs. inadequate procedure: By adequate procedure, I mean a process supported by the right kind of tools and clear responsibility.

Unclear responsibility: Only one person can be responsible. Now maybe there were several underlying source systems, however one and only one person should be responsible for the outward facing reporting.

Exceptions Management

Processes have been designed in such a way that ensures Straight Through Processing, (STP) where transactions or updates are correct, with any incorrect items highlighted as breaches or exceptions

This is a case of “how easy is it to do the job properly”?

If items that do need attention as exceptions are reported in the midst of “false positives”, then control will suffer due to inability to focus quickly on the real problems.

This is what can simply be termed: “Looking for a needle in a haystack”. The tools available make it easy to mis something. See prior blog post on the 3C Advisory website for a short case study.

Transparency

Processes should be set up so that the status of the task required and the potential risk associated with not completing it is clear and communicated to all interested stakeholders.

Oversight is an important check & balance. The status should be visible “up the chain” of command.

Lessons Learned: If I was an investigator in a case like this, I would take a simple view of this type of issue:

  1. Was there an adequate procedure: one that made it easy to spot exceptions and one that made those exceptions visible to those in the chain of command?
  2. Was the procedure followed or not?

By those tests, given that Citi’s issues stretched over 15 years, my simple mind would say: Inadequate procedure.

Right now, the financial services industry is rightly getting excited about the very real potential of the Blockchain, even as it suffers under the weight of regulatory demands.

With that said, it is vital to keep an eye on the basics. Good controls are the foundation of our business. That discipline needs to stay front and central in bankers’ minds.

Previous Posts 

Are available on the 3C Advisory website, click here.

Publications

The Bankers’ Plumber’s Handbook

How to do Operations in an Investment Bank, or not! Includes many of the Blog Posts, with the benefit of context and detailed explanations of the issues. True stories about where things go wrong in the world of banking. Available in hard copy only.

Cash & Liquidity Management

An up to date view of the latest issues and how BCBS guidance that comes into force from Jan 1 2015 will affect this area of banking. Kindle and hard copy.

Hard Copy via Create Space: Click here

Amazon UK: Click here

Amazon US: Click Here

Thanks for your support.