Yesterday, I began a review of the recent court decision involving Citibank. The bank was attempting to recoup some $500 million of a total of $900 million it erroneously wired out on behalf of Revlon to Revlon’s creditors. I would have thought the legal doctrines of either mistake or unjust enrichment would enable Citibank to do so. However, in the tradition of Dumb But Cool at its finest, the arcane legal doctrine of the discharge for value defense allowed the creditors to keep the full amount of money paid (subject to continued escrow while the case is on appeal). The full District Court opinion is available here.
This is as delicious a legal opinion as I have seen in some time. In addition to stating the age-old adage of finders keepers in modern-day legal parlance, there were numerous compliance angles to the case which bear consideration. For a more verbal take on the case, listen to Matt Kelly and me on this week’s Compliance into the Weeds.
It took the court almost 30 pages just to go through the background facts. That alone tells you how complex the matter was to describe. Citibank, like most multinationals, is a company built through acquisitions and therefore has multiple legacy ERP systems. At issue was the bank’s software system Flexcube, a software application and loan product processing program that the bank uses for initiating and executing wire payments. The only way to execute the transaction “was to enter it in the system as if paying off the loan in its entirety, thereby triggering accrued interest payments to all Lenders, but to direct the principal portion of the payment to a “wash account” — “an internal Citibank account that shows journal entries . . . used for certain Flexcube transactions to account for internal cashless fund entries and . . . to help ensure that money does not leave the bank.””
For this transaction to go through, an exception to the standard controls was required. The Order noted that according to the Flexcube software training materials, in order to make this type of wire transfer, three separate boxes approving the exception had to be checked. The Order revealed that only one box was checked by all persons involved in the transaction, including “the maker, the checker and the approver” or Citibank’s ‘six-eyes’ principle in action.
Compliance Lesson – To paraphrase Andre Agassi, if something appears too complex, it is too complex.
Another key question is regarding training. The Order made clear that it was not a software documentation or training manual issue, stating, “Notwithstanding these instructions, Ravi, Raj, and Fratta all” incorrectly executed the instructions. What the Court did not address at all was the training issue. Had they been incorrectly trained? Did they receive any training for anomalous wire transfers like the one involved herein? If they received training, it obviously was not effective, as “the maker, the checker and the approver” all believed they only had to click one box instead of three to effect the transaction correctly.
Many non-compliance functionaries view compliance training as a click-the-box exercise at best. They will spend the absolute minimum when it comes to training. Yet this misses not only the importance of training but also the power that effective compliance training can bring to bear for an organization. This is just one of the reasons the Department of Justice (DOJ) has increasingly insisted on both effective and targeted training. Imagine if Citibank’s Loan Operations subgroup, the Asset-Based Transitional Finance (ABTF), that is focused on processing and servicing of asset-based loans and charged with handling this type of transaction, had received targeted training and was then tested at some interval to see if the training had been effective? Perhaps this type of action would have moved the action from simply a detect mode to an actual prevent mode.
Compliance Lesson – Training must be both targeted and effective. Targeted training comes from assessing the risk of who needs specific gatekeeper training (i.e., a maker, a checker and an approver). Effective training involves post-training assessment of the training presented to the employee.
This issue is ripe for exploration in this matter. Obviously the ‘six-eyes’ principle is an internal control. Yet this control failed. Was it due to non-existent or ineffective training? The court decision made clear that the software documentation was correct. Although somewhat less clear in the decision, it appears that the ABTF had executed the same or similar transactions previously without the error. What happened to the control environment?
When you have an exception to a standard control, you need some type of compensating control as a backup. Anytime you have a non-standard transaction, that is where the risk occurs. You can require additional approvals up the line so that maybe eight or 10 eyes are put on a transaction. You could have a control which affirmatively states you have reviewed the software documentation. This really is a transactional control for a very rare event. I think you can easily build this type of control into your control environment.
Kelly advocated a more macro approach with a process-level control for such non-standard events. However, the beauty of Matt’s approach is that it provides a compensating control for both standard and non-standard transactions. That control could consist of Citibank sending out advance notice to the recipients of wire-transferred funds. This type of information was readily available to the bank as it was generated when the transaction was being created. This notice would give the amount of the transaction, and if the recipient received a different amount, it would put the receiver on notice of the correct amount; if an incorrect amount was inadvertently paid, the receiver would be on notice to contact Citibank to arrange return of the funds.
Compliance Lesson – Here I quote the Coolest Guy in Compliance, Matt Kelly, who succinctly stated in our Compliance into the Weeds podcast, “But because it did not have the process level controls above that to help steer all transactions the right way, they wound up with a mess on their hands. And here we are.”
Join me tomorrow when I consider the claim this was a Black Swan event, how reputation matters and some final thoughts.