Citigroup fined $7m over 15-year coding error in bank's reporting systems
Regulators criticise bank over the error, and for not reporting it when it was uncovered
A programming error that was allowed to fester for 15 years has cost global banking giant Citigroup a $7m (£5.3m) fine from the Securities and Exchange Commission (SEC), the US financial services regulator.
The coding error in the bank's reporting software resulted in incomplete "blue sheet" information being submitted to the SEC for a decade and a half, from May 1999 to April 2014. Blue-sheet data includes details about trades, such as their timing, types of trades, volumes traded, prices and sensitive information identifying customers.
However, due to the coding error Citigroup omitted 26,810 securities transactions in its responses to more than 2,300 blue-sheet requests. Furthermore, after discovering the programming error, the bank failed to report the incident to the SEC or even to take steps to provide the omitted data until nine months later, in January 2015.
The reporting system was originally implemented in the 1980s as trading volumes went through the roof and the SEC moved to an all-electronic submission system. Citigroup's "failure to discover the coding error and to produce the missing data for many years potentially impacted numerous Commission investigations," claimed the SEC in the results of its investigation.
The error resulted from a mix-up in the three-letter codes used to distinguish different transactions and the alphanumeric codes used to identify branches, which was introduced in 1998.
"After this change, the EBS [electronic blue sheet] system could not distinguish between the testing branch codes and certain newly introduced alphanumeric branch codes," explains the report.
"The EBS system filtered out transactions from codes for actual branch offices that began with the number 10 followed by a letter (for example, 10B or 10C) because the program's reporting logic treated those alphanumeric branch codes as falling within the omitted testing range between '089' and '100'. Between 1999 and 2008, CGMI used 11 alphanumeric branch codes for offices that handled customers' securities transactions and were subject to this coding error."
The SEC accuses Citigroup of failing to discover the programming error because it did not have in place "a reasonable process to check the accuracy and completeness of its EBS submissions". Additional controls were implemented in April 2013, but even these did not uncover the errors.
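The range test quoted above and the missing completeness control can be sketched as follows. This is an added example, not Citigroup's code: the report does not state why the comparison misfired, so the sketch assumes byte-wise comparison under an EBCDIC collation (where letters sort below digits), and all function names and trade records are hypothetical.

```python
TEST_LOW, TEST_HIGH = "089", "100"  # omitted testing range quoted in the SEC report

def ebcdic(code):
    # Assumption: branch codes are compared as EBCDIC bytes (code page 037).
    return code.encode("cp037")

def is_test_branch_buggy(code):
    # Byte-wise range test: "10B" sorts between "089" and "100" in EBCDIC.
    return ebcdic(TEST_LOW) <= ebcdic(code) <= ebcdic(TEST_HIGH)

def is_test_branch_fixed(code):
    # Only purely numeric codes can fall inside the numeric testing range.
    if not (code.isascii() and code.isdigit()):
        return False
    return int(TEST_LOW) <= int(code) <= int(TEST_HIGH)

def build_submission(trades, is_test_branch):
    # Drop trades booked to testing branches, keep everything else.
    return [t for t in trades if not is_test_branch(t["branch"])]

def completeness_gaps(trades, submission, known_test_branches):
    # Control: every trade missing from the submission must belong to an
    # explicitly listed testing branch; anything else is an unexplained gap.
    sent = {t["id"] for t in submission}
    return [t for t in trades
            if t["id"] not in sent and t["branch"] not in known_test_branches]

# Constructed sample trades (not real data).
TRADES = [
    {"id": 1, "branch": "042"},
    {"id": 2, "branch": "095"},  # testing branch, correctly excluded
    {"id": 3, "branch": "10B"},  # real branch, wrongly excluded by the buggy test
    {"id": 4, "branch": "10C"},  # real branch, wrongly excluded by the buggy test
    {"id": 5, "branch": "101"},
]
KNOWN_TEST_BRANCHES = {f"{n:03d}" for n in range(89, 101)}

def gap_ids(is_test_branch):
    # IDs of trades the completeness check flags for a given filter.
    submission = build_submission(TRADES, is_test_branch)
    return [t["id"] for t in completeness_gaps(TRADES, submission, KNOWN_TEST_BRANCHES)]

if __name__ == "__main__":
    print("buggy filter gaps:", gap_ids(is_test_branch_buggy))
    print("fixed filter gaps:", gap_ids(is_test_branch_fixed))
```

The reconciliation step is independent of the filter logic, so it flags the dropped trades even when the filter itself is wrong.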
Indeed, the error was only uncovered after the SEC made a request to Citigroup for a large tranche of data on 14 April 2014.
"While assisting in this EBS request, the technical support team identified a responsive trade that had been incorrectly excluded by [Citigroup's] EBS program code. An examination of this trade resulted in the discovery of the coding error that caused its exclusion."
Citigroup's technical support team notified the bank's Institutional Client Group operations personnel of the coding error on 25 April 2014, and proposed a fix to resolve the problem, which was implemented on 29 April 2014 - but the bank kept quiet about it for another nine months, a failing that has only added to the size of the fine being levied by the SEC.