COMMENTARY: Citigroup surveillance lapses: “but for the grace of God”

September 9, 2015

By Scott McCleskey, Regulatory Intelligence Expert

NEW YORK, Sept. 9 – The recent SEC enforcement action against Citigroup for trade surveillance lapses provides an embarrassing lesson about the pitfalls of technology and the importance of the “third line of defense”, an effective audit of the processes of compliance and other control functions.

The thrust of the case was that the surveillance of trading at Citi’s subsidiary, CGMI, rested on the assumption that all trades were under surveillance.

They were not. For years, compliance analysts and their managers dutifully followed procedures, reviewing daily exception reports to see whether restricted securities were being traded in potential violation of insider trading laws or firm policies, oblivious to the fact that only a portion of the firm’s trades were being reviewed. Consequently, hundreds of thousands of trades were done in restricted securities. The restricted list might just as well not have been there.

Separately, the process to prevent advisor client orders from going to a proprietary desk for execution fell down when the automated system meant to tag the trades was inadvertently turned off. Now Citi is several million dollars lighter in the wallet and under the watchful eye of the SEC and outside consultants.

Managers in other firms should be saying “there but for the grace of God go I” as they nervously finger their collars.

Controls within compliance departments, and audits of their practices by Internal Audit, often begin with the existing procedures and look for failures to follow those procedures. The ‘upstream’ parts, which often lie outside the Compliance Department in places like IT, are often simply assumed to be in place.

This vulnerability stretches across requirements – surveillance of trading and communication, retention of books and records, Anti- money-laundering checks – all depend on multiple systems acting as a network, not a patchwork. Yet the underlying systems of most firms are a patchwork of platforms drawing on a patchwork of databases, replete with gaps and with incompatible data formats. It’s bad enough when these problems exist, but worse when you don’t know about them.

This problem will only get worse as big data gets bigger, and more legacy systems are piled on one another. IT must be recognized as a core function of compliance and risk management departments, not a resource for which they must stand in line behind the profit centers.

These departments should have their own IT solutions resources, whose priorities are established by the department head and who develop familiarity, if not expertise, in the disciplines and processes central to their work. Equally important is the presence of IT audit expertise in the internal audit department, which can independently review the data and systems behind the critical processes, challenge them, and track progress in their resolution. At the same time, regulators should acknowledge the time and resources required to undertake these efforts and not expect 90-day solutions.

The integration of new and legacy systems is critical to the effectiveness of Compliance and Risk Management programs, and failures hold the potential to render multiple processes invalid. No matter how impressive the individual platforms and how pretty the dashboards, they system only works when all the pipes are connected.


— The U.S. Securities and Exchange Commission on Aug. 19 fined Citigroup $15 million to settle charges that a unit of the bank failed to detect thousands of trades that contained material, non-public information over a period of 10 years. The bank used electronically generated reports to monitor suspicious trades but the reports failed to pick up trades that contained non-public information, the SEC said.

— SEC order

(Scott McCleskey is a financial services compliance and regulation advisor with 25 years of U.S. and international experience at senior professional and executive levels. He is the author of “When Free Markets Fail: Saving the Market When It Can’t Save Itself.” The views expressed are his own.)

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see