Too Complex to Succeed: Citibank Incorrectly Disconnects $ 900 Million: Part 2 – Lessons in Compliance | Thomas Renard
Yesterday I started a review of the recent court decision regarding Citibank. The bank was trying to recover some $ 500 million out of a total of $ 900 million that it mistakenly wired on Revlon’s behalf to Revlon’s creditors. I would have thought that the legal doctrines of error or unjust enrichment would have allowed Citibank to do this. However, in the tradition of Dumb But Cool at its best, the obscure legal doctrine of the discharge for defense of value allowed creditors to retain all monies paid (subject to continued escrow while the matter is under appeal). The full opinion of the district court is available here.
It is as delicious legal advice as I have seen it for quite some time. In addition to stating the old adage of keepers finders in modern legal parlance, there were many angles of suitability to the case that merit consideration. For a more verbal take on the case, listen to Matt Kelly and I on this week’s show. Weed Compliance.
It took the court nearly 30 pages to review the facts. That alone tells you how complex the issue was to describe. Citibank, like most multinationals, is an acquisition-based business and therefore has several legacy ERP systems. The problem was the Flexcube bank’s software system, a software application and loan product processing program that the bank uses to initiate and execute wire transfers. The only way to complete the transaction “was to enter it into the system as if it were repaying the loan in full, thereby triggering accrued interest payments to all lenders, but directing the main part of the payment to. a “washing account” – “an internal Citibank account that displays journal entries. . . used for some Flexcube transactions to account for cashless and internal cash inflows. . . to help make sure the money doesn’t leave the bank.
For this transaction to go through an exception to the standard checks was necessary. The Order noted that according to the training materials for the Flexcube software, to perform this type of bank transfer, three separate boxes approving the exception had to be checked. The ordinance revealed that only one box was checked by everyone involved in the transaction, including “the creator, the verifier and the approver” or the principal “six eyes” of Citibank in action.
Compliance lesson – To paraphrase Andre Agassi, if something seems too complex, it’s too complex.
Another key question concerns training. The Order made it clear that this was not a problem with the software documentation or training manual, stating, “Notwithstanding these instructions, Ravi, Raj and Fratta all” performed the instructions incorrectly. What the Court did not address at all is the issue of training. Had they been poorly trained? Have they received training for abnormal wire transfers like the one involved here? If they received training, it obviously was not effective because “the manufacturer, the verifier and the approver” all thought they only had to click on one box instead of three to get it. correctly assign the transaction.
Many public servants in non-compliance consider compliance training to be a click on the box exercise at best. They will spend the absolute minimum on training. Yet this misses not only the importance of training, but also the power that effective compliance training can be useful for an organization. This is just one of the reasons the Department of Justice (DOJ) is increasingly emphasizing both. effective and targetcoaching. Imagine if Citibank’s sub-group of lending operations, Asset-Based Transitional Finance (ABTF), which focuses on the processing and servicing of asset-based loans and responsible for handling this type of transaction, had received training targeted and then tested at a certain interval to see if the training was effective? Perhaps this type of action would have moved the action from a simple mode of detection to a real mode of prevention.
Compliance lesson – Training must be both targeted and effective. Targeted training comes from the risk assessment of knowing who needs specific custodian training (i.e. manufacturer, verifier and approver). Effective training involves a post-training evaluation of the training presented to the employee.
This question is ripe for the exploration of this question. Obviously, the “six eyes” principle is internal control. However, this check failed. Was it due to non-existent or ineffective training? The court ruling made it clear that the software documentation was correct. Although a little less clear in the decision, it appears that the ABTF had executed the same or similar trades previously without errors. What happened to the control environment?
When you have an exception to a standard check, you need some type of compensation check as a backup. Anytime you have a non-standard transaction, this is where the risk arises. You can require additional approvals up front so that eight or ten eyes are put on a deal. You might have a check that affirmatively states that you have reviewed the software documentation. This is really a transactional check for a very rare event. I think this is something that you can easily integrate this type of control into your control environment.
Kelly advocated a more macro approach with process level control for such now standard events. However, the beauty of Matt’s approach is that it provides compensating control for standard and non-standard transactions. This control could consist of sending a notice by Citibank to the recipients of the transferred funds. This type of information was easily accessible to the bank because it was generated when the transaction was created. This notice would state the amount of the transaction and if the recipient received a different amount, it would notify the recipient of the correct amount and if an incorrect amount was inadvertently paid, the recipient would be notified to contact Citibank to arrange the return. funds.
Compliance lesson – Here I am quoting the coolest compliance guy, Matt Kelly, who briefly said in our podcast Compliance into the Weeds: A mess on their hands. And here we are. “
Join me tomorrow to review the claim that this was a Black Swan event, the importance of reputation, and some final thoughts.