Learning the lessons of the Citi ‘fat finger’ trading case

The Citi case highlighted compliance deficiencies compounded by human error. Here are some practical tips to avoid making the same mistakes.

The PRA had repeatedly warned Citigroup Global Markets Limited (CGML) about the “poor state of its trading controls”, and the bank’s own compliance and internal risk functions flagged their unsatisfactory state on multiple occasions. A number of incidents, audits and compliance reviews, beginning in 2018, all underlined their persistent weakness and culminated in a serious equity trading incident in 2022. This has led to the imposition of a fine of £33.8m ($43.03m) by the PRA and £27.7m ($35.3m) by the FCA.

For a fuller description of the facts of the case, see Citi incurs £61.6m in fines for lack of effective trading controls.

Lessons learned and practical tips

Be open and transparent with regulators

In this case Citi got a 30% discount on its fine because of its collaboration.

Conduct gap analysis

Conduct a gap analysis on systems and controls on the back of an enforcement case. Sit down with traders and go through live trade examples step by step to better understand what happens on the trading desk. It is always important to get into the real-life situation so that you can understand exactly what the trader is experiencing and how they are dealing in real time with the controls. Compliance needs to understand precisely how many pop-ups and blocks traders actually get, as there needs to be a balance between controls, commercial needs and day-to-day practicality.

It’s not good enough to just presume that a control will operate well in practice, especially in a stressful environment. It is important to really try to understand what the trader is facing and build accordingly, not just blindly add more and more procedural controls as and when there are regulatory or audit requirements or rules change.

You need to:

  • understand system feeds;
  • understand how warning messages/alerts including soft/hard blocks are generated;
  • understand how they are addressed and escalated;
  • monitor and test warning messages, back-office checks, escalation points, 1LOD controls, SMF/desk heads checks and oversight, SMF accountability;
  • review and revise as necessary appropriate trading limits and thresholds suitable for different regions, asset classes and products;
  • review the start-to-finish trading cycle and processes and implement, fully test and monitor these controls and processes;
  • recognize the importance of understanding appropriate systems and risk controls to prevent the sending of erroneous orders that could contribute to a disorderly market.

Systems and controls

  • Automated technology or algorithmic trading systems should have suitable and robust pre- and post-trade controls to reduce potential trading risks before and after orders are created in trading systems. Any of these algo technology systems should be approved by all functions as part of the work of a New Products Committee or Algo Trading Committee at the time of creation before launch (including all testing and monitoring in place) – noting different firms have different governance frameworks. A governance committee is where all functions, including compliance, legal, risk, finance, IT, ops etc, must approve a new activity from their respective roles.
  • Key primary controls should have clear distinctions and reminders, for example a clear difference between the unit quantity and notional value fields or other key fields. Perhaps this could be double-checking pop-up boxes or a final trade check reminder that the trader needs to fully read and validate before submitting. Once entered, all final details should be verified before submission for execution.
  • Controls and monitoring should cover the trading system, execution system and Order Management System, and should take into account holiday and desk coverage, including national holidays.
  • Key controls should be checked. This means ascertaining whether traders are able to suspend live orders, and reviewing the pop-up system to see if traders are able to override soft limit pop-up alerts without scrolling down or reading all the alerts. There must be real-time monitoring of internal executions.
  • Policies and procedures around trading controls should be reviewed, and checks that each process works in practice and is documented should be carried out.
  • There needs to be a clear set of policies and procedures around escalations, for example x number of alerts, market move, suspension alerts etc. Post-trade controls also need to be clear on escalating incidents, an unusual number of alerts or suspensions in real-time monitoring. These levels of escalations, pop-ups and blocks should be reviewed depending on market volatility or other external factors, with appropriate levels. Soft or hard blocks should be checked to confirm they are efficient mitigants based on appropriate volume trends (for example average daily volume) and trading patterns, and tested regularly.
  • You need to understand the broader framework for the firm’s risk management tools and address any gaps or weaknesses, including scenarios for preventing the sending of erroneous orders. Hard blocks with appropriate trading limits cannot be overridden by individual traders.
  • Preventative pre-trade controls, preventative controls within the execution system and detective real-time monitoring are essential. If a hard block exists, check that traders cannot override it and that the order would be cancelled and not sent to downstream systems or the market for execution.
  • Pop-up messages should be configured so that they are clearly visible to traders without scrolling down. A trader should not be able to continue or proceed further without reading and acknowledging the warning message.
  • Both soft and hard blocks should be set appropriately at both notional and quantity levels. If trading an index that needs decomposition, the basket should be calculated appropriately and double-checked. There should not be an option for traders to override any soft or hard warnings.
  • A control framework should include defining perimeters for permissible activities; pre-trade, trade-date, and post-trade controls; ongoing monitoring of MI; and holistic control testing.


A self-assessment is also a useful exercise to align the firm with regulatory expectations and industry practices. Industry roundtables often discuss takeaway points from an enforcement case in various working groups, so keep an eye out for these discussions.

Read regulatory publications

Take into consideration relevant thematic reviews, regulatory publications, Consultation Papers or Policy Statements by the regulators and other relevant topics discussed in general supervisory meetings with regulators including Periodic Summary Meeting (PSM) feedback.

For example, it was known to the industry that the growing regulatory focus was on the controls supporting the booking model. Do not forget there are also expectations by the regulators for each firm based on their supervisory relationships as well as general regulatory expectations, which are often aligned. These are not just written in the rule books but also in speeches, statements and other papers where the regulators express concerns and highlight what the expectations are, including their principles.

Look at historical enforcement actions

Collate all other historical trading system and control failure enforcement cases and fines and review takeaway points. It is always helpful to gather multiple examples, as this provides an overview of regulatory enforcement patterns too. Strengthening the knowledge of all staff is incredibly important. It will remind them of accountability and responsibility in case of failure and the need to take appropriate actions.

Employee training

Provide training for front, middle and back-office staff, including a case study of when a trade goes wrong. This is recommended in person and not online. This should be part of ongoing broader compliance training for all staff.

Collaboration across departments

  • Work with all functions in sales, trading, operations, IT, risk, finance, compliance etc to ensure there are no gaps.
  • Discuss and agree how to enhance existing controls, review current procedures and introduce new enhanced controls. The framework must be tested and a broader population needs to be trained before rolling it out.
  • If a full remediation is needed, allocate it to a proper project and invest time, resources and money to get it right. Preventative measures are almost always cheaper than getting fined.
  • Reputation is very difficult to regain once damaged. Make sure you have senior management championing and supporting the project.

Stay up to date with your practices

  • Keep up to date with the progress on gap analysis and remediation projects, and update the board, ex co/op co etc and supervisory meetings with the regulators.
  • Be transparent.
  • Once implemented, do not be afraid to ask your internal audit to do the third line check for assurance. Some firms do the internal audit review first on weaker areas to gain visibility and budget.
  • Do set realistic timelines and project implementation milestones, and allocate necessary resources and budget.
  • Prioritise with other internal agenda items. Importantly, do not ignore internal audit reports and recommendations; all need to be actioned and remediated.
  • All the progress should be highlighted in board/ex co packs which often go to the regulators.

Skilled Person Review

If it does go to a Skilled Person Review, do dedicate resources and invest time and effort to get it right, as this is usually the first step before any enforcement comes in. If it can be prevented by completing a comprehensive Skilled Person Review, an enforcement could be avoided, although this is judged on a case-by-case basis by the regulators.

Sanction staff for policy breaches

Do sanction internal staff over any internal breaches of policies following proper internal HR procedures. When there is an enforcement case, there is usually an expectation that the firm needs to come forward and act in a responsible manner, setting the right conduct and culture within the firm.

These are the authors’ views and they do not constitute any advice. Each firm should take appropriate professional advice suitable for their needs, circumstances, and requirements.

Mark Taylor has worked in Financial Crime Compliance, Money Laundering, Anti-Bribery and Business Integrity for over 35 years in top global financial institutions including Goldman Sachs and Credit Suisse. Seung Earm is a highly regarded compliance professional in the investment banking, insurance and asset management industries with over two decades of experience in major global investment banks including Goldman Sachs and BNP Paribas. Mark & Seung are Partners and Co-Founders at Ibex Compliance.

Ibex Compliance provides financial and regulatory compliance consultancy covering various services, including investigations, policies & procedures, regulatory implementation, and remediation.