Citibank’s $900M oops !

Lots of Issues, But I want to focus on Process

Source: Zeta Technologies Website

WOW! Citibank “accidentally” sent $900M in a series of wire transfers. There are a few things at work here including the legal implications, the software used which was Flexcube. But what I want to talk about is Process.

A couple of things to set straight, up front.

• I am a proud former Citibanker, I actually love my Alma Mater and am bummed this happened, my hope is we can use it to teach other banks some key lessons.
• The money is not gone, they just paid off something way too early from their account instead of Revlon’s, so now Citi owns $500M of a potentially bad loan to Revlon.
• The money was moved using a series of Wire Transfers over FedWire.
• The UX issue was well covered by Dimitri Dadiomov at Modern Treasury: https://www.moderntreasury.com/journal/bad-software-and-expensive-mistakes
• The best overall writeup on the Citi snafu is by Matt Levine in Bloomberg: https://www.bloomberg.com/opinion/articles/2021-02-17/citi-can-t-have-its-900-million-back

Using the Bloomberg writeup as a basis, let’s look at the process that allowed this to happen.

“any payment entered into the system is released as a wire payment unless the maker suppresses the default option. Citibank’s internal Fund Sighting Manual provides instructions for suppressing Flexcube’s default.” Matt Levine Bloomberg.

So they have a manual that tells them how to suppress the Flexcube default. This is more a software issue than process as the software is inflexible, but they are aware enough of the issue to have a process to go around the software default.

Anyone at Citibank care to share the date that the Manual was written?

BTW, this is the first time I have used the word Manual in my blog.

Looking at this screenshot from the Bloomberg story my first thought was

“what version of Flexcube are they on, have they never upgraded it?”

This looks like a slight upgrade over a DOS interface.

I won’t use the names of the folks involved, they have suffered enough I am sure. But the three people that looked at this transaction meeting Citibank’s horribly named “6 eyes rule” for large wire transfers communicated over email. The post from Modern Treasury points this out as sub-optimal and I can not agree more.

A key point that Dimitri of Modern Treasury points out is that the Email communication lacks context or what a payments person would call Remittance Data. Like Metadata it tells the story of the transaction and gives it context. Let’s also think about our own emails. Mine is currently filled with some jokes (safe for work), favor requests from friends, SPAM and meeting requests. I would not want to mix in hundred million dollar approvals.

A key point for me is that two of the people involved were sub-contractors. I understand outsourcing as a way to be more efficient or cost effective,

but a bank using sub-contractors to wire hundreds of millions of dollars is borderline insane.

Moving money is a core activity of a bank and using subcontractors means the bank doesn’t really have control or accountability. I also wonder does Citibank’s 6 eye rule say that 4 of the 6 eyes can be non-Citibank employees. I am guessing not. So did they actually follow their own process is a question for the post mortem team.

I heard Reed Hastings of Netflix on a Podcast, and thought wow, what an innovation leader. When I saw Reed had written a book called “No Rules Rules, Netflix and the Culture of Reinvention.” I bought it. But to be clear, the lessons for a Netflix are very different from a bank. Banks need consistent processes to do what they do and meet audit and regulatory requirements.

As a fan of automation I would be remiss in not pointing out the limit of RPA | Robotic Process Automation for high value transactions. As you may recall when I wrote about AP automation, that RPA is like a software program that pushes buttons on another software program saving time and effort. Great. But using RPA means that if every case is not considered you could have this same fiasco but automated and possibly occurring faster.

I work with a software company out of Australia called Cloudcase and they do something they call

Integrated Process Automation (IPA)

They like to say that they:

‘Automate your complex mission critical processes’

I feel multi-million dollar wire transfers probably qualifies as Mission Critical.

I mention Cloudcase as I like what they do and how they do it because they account for the real world of today’s banks and the myriad complex processes that operate within every bank in the world. Home loans, commercial loans, account opening, construction lending and yes wire transfers are all processes that banks operate daily. Working with a company like Cloudcase allows a bank to really look at their processes and using sophisticated forms based input, develop new digital processes. Plus it accounts for the people that operate the processes.

I often say to bankers,

“be careful of arthritis creeping into your processes”

Processes like my knees are not as limber as they were a few years ago and they need maintenance too. Processes are great to drive efficiency and consistency at a bank. And of course banks need to have processes to ensure compliance. But so often a process is developed and never reviewed or updated. Even worse is when someone that works at the bank says…

“We have always done it this way.”

My challenge for bankers reading this is to look at a process in your bank and ask these questions.

1. Have you done a process evaluation in the last 2 years?
2. Have you automated parts of the process that are manual and tedious?
3. Have you looked at the forms and paperwork that drives the process?
4. Have you done an audit to determine if your team is actually following the process?

And yes as a bank consultant this is one of the things I do for banks but this is not a sales pitch it is a request that banks look under the covers at their processes before the big Oops happens.