August’s largest loss event occurred at Citi, which accidentally wired $900 million to a group of lenders to cosmetics giant Revlon. The two sides were already locked in a dispute over a soured loan to the private equity-backed firm. As of August 21, Citi has not recovered a total of $520.4 million, for which the bank is now suing the lenders involved.
On August 11, Citi had sent notice to Revlon lenders, intending to pay them accrued interest payments. However, due to apparent issues with loan-processing systems, the payment to each lender was on average more than 100 times the interest due. Multiple news outlets suggest the bank inadvertently paid back both the loan principal and the accrued interest. Citi had intended to send one lender a total of $1.5 million, for example, but instead sent $176.2 million.
The bank was able to stop some of the payments, which totalled almost $900 million. It has now filed lawsuits against lenders, who are refusing to pay back the money, accusing them of holding on to money to which they are not otherwise entitled. The lenders argue that Revlon had defaulted on its loans, and that they were thus using the funds to pay back the loan. The day after Citi’s payment, Revlon’s lenders sued the company.
The second largest loss in August occurred at Scotiabank, which was ordered by the US Department of Justice and the Commodity Futures Trading Commission to pay over $127.4 million for multiple instances of precious metals price manipulation.
Between January 2008 and July 2016, four traders at the firm placed multiple unlawful orders for gold, silver and other metals futures traded on commodities exchange Comex to deceive other traders and benefit their employer. The CFTC found the traders had been spoofing the market and had made false statements during the CFTC’s investigation. The charges also concerned swap dealer compliance and supervision violations.
In all, regulators found that over a seven-year period, the bank had concealed its full mark-up from counterparties for tens of thousands of swaps. The bank had violated various requirements relating to its counterparty onboarding process, record-keeping, chief compliance officer reporting and supervision, they found, and had made false or misleading statements to CFTC staff concerning its audio retention and supervision.
The CFTC ordered Scotiabank to pay $127.4 million, while the Department of Justice ordered it to pay a monetary penalty of $42 million, disgorgement of $11.8 million and victim compensation of $6.6 million. Up to half of the monetary penalty may be offset against the CFTC’s payment, however. ORX has therefore recorded the loss amount as $127.4 million until the settlements are finalised.
TD Bank paid $122 million in restitution over overdraft enrolment practices, placing it third in August’s largest losses.
The US Consumer Financial Protection Bureau found that, from January 1, 2014 until December 31, 2018, the bank had failed to obtain consumers’ affirmative consent to enrol them in the bank’s optional overdraft protection service.
It subsequently charged those consumers overdraft fees for ATM and one-time debit card transactions, violating the Electronic Fund Transfer Act and US Federal Reserve Board’s Regulation E guidelines for issuers of electronic debit cards.
The CFPB also found instances of TD Bank violating the Consumer Financial Protection Act of 2010 by engaging in abusive acts or practices that materially interfered with consumers’ ability to understand terms and conditions. For example, TD Bank presented the service to new customers as “free” or as a “feature” or “package”, despite charging customers $35 for each overdraft transaction.
After its investigation, the CFPB ordered TD to pay an estimated $97 million in restitution to 1.42 million affected customers and to pay a civil monetary penalty of $25 million. TD Bank said it disagreed with the CFPB’s conclusions and did not admit any wrongdoing.
In August’s fourth largest loss, Capital One was fined $80 million by the US Office of the Comptroller of the Currency for failing to establish effective cyber risk assessment processes from 2015 and to correct these deficiencies in a timely manner. The deficiencies were made evident by a data breach in April 2019, when a hacker stole the personal data of 100 million credit card applicants, as well as 140,000 social security numbers and 80,000 bank account numbers of existing credit card customers.
The banking watchdog found Capital One failed to establish effective risk assessment processes before transferring its IT operations to a cloud operating environment in or around 2015. Capital One also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.
August’s fifth largest loss occurred at Interactive Brokers, which was fined a total of $38.7 million over anti-money laundering failings by the US Securities and Exchange Commission, the CFTC and the Financial Industry Regulatory Authority.
The fines related to Interactive Brokers’ failure to file suspicious activity reports (SARs) from at least July 1, 2016 to June 30, 2017. The SEC found that the firm ignored or failed to recognise numerous red flags, failed to properly investigate certain conduct as required by its written supervisory procedures and failed to file SARs on suspicious activity. It also failed to review at least 14 deposits of US microcap securities where the security had been subject to an SEC trading suspension. These failures resulted from Interactive Brokers failing to implement a reasonable surveillance programme.
Story spotlight: Bank of Ireland, Capital One slammed by cyber fines
Two fines levied in recent months should serve as a warning to banks that regulators are taking a strong stand against inadequate cyber controls, which can have a major financial impact.
In the first case, the thieves’ means were modern, but the methods old-school, rooted in coaxing out sensitive information through successful phishing attempts.
In July, the Bank of Ireland was fined €1.66 million ($1.86 million) by the Central Bank of Ireland for breaches of Mifid regulations related to the bank’s former subsidiary, Bank of Ireland Private Banking Limited (BOIPB), between November 2007 and January 2018.
The central bank’s investigation arose from a cyber-fraud incident in September 2014, where a fraudster impersonating a client caused BOIPB to make payments to a third-party account totalling €106,330. BOIPB’s procedures outlined steps to verify a client’s identity before processing a third-party payment instruction. However, BOIPB staff released confidential account details to the fraudster and did not ask security questions when taking transfer instructions. Nor did staff identify certain flags which could have been indicative of fraud.
The €1.66 million fine was not the only fine levied over inadequate controls against cyber fraud in the last few months. Capital One was fined $80 million by the US Office of the Comptroller of the Currency for failing to establish effective cyber risk assessment processes from 2015 (see above).
In Focus: Fattest finger first – clumsy digits make chance millionaires
Some make-up companies really can make you feel like a million dollars. In one of 2020’s largest op risk losses so far, Citi accidentally sent approximately $900 million to a group of Revlon lenders when making accrued interest payments on loans to the cosmetics giant. After notifying the lenders that the transfer had been a mistake, Citi was able to recoup some of the $900 million. But some refused to return the funds, leaving a gap of around $411 million.
The bank has blamed the fat-finger flub on a clerical error, which resulted in it making hundreds of payments to hedge funds for amounts roughly 100 times larger than they should have been.
Citi’s blunder is slight in comparison to other fat-finger errors. In total, ORX News has recorded 14 events where funds, often of more than a billion dollars, have been incorrectly transferred to third parties – the big difference being that most recipients played nicely and gave the money back.
The largest fat-finger transfer in the ORX News database occurred at Deutsche Bank, which accidentally transferred €28 billion to an account at Deutsche Börse’s Eurex clearing house in March 2018 when conducting a daily collateral adjustment. The error should have been detected by an internal fail-safe system, known as a bear trap.
Ironically, the bear trap had been introduced after an internal audit resulting from another fat-finger error at the bank in March 2014. In this incident, an error occurred during the use of Deutsche Bank’s collateral management system. The bank’s control system at the time required transactions to be checked by a second employee, which failed. As a result, Deutsche Bank accidentally transferred €21 billion to Macquarie as collateral for an over-the-counter derivatives trade.
Luckily for Deutsche Bank, both amounts were reportedly recovered within hours and the bank suffered no major loss. However, such incidents highlight the need for enhanced processes and controls surrounding transfers. After Deutsche Bank’s 2014 incident, the bank introduced an enhanced fail-safe system to ensure that all payments exceeding a specified amount are subject to increased scrutiny. It was this control system that failed in March 2018.
Fat-finger errors have also rocked the stock markets. In October 2014, an anonymous broker accidentally entered an OTC trade on 42 stocks worth $617 billion. OTC trades are often made without an added level of scrutiny from an exchange, thus increasing the likelihood of fat-finger mistakes.
So, what controls can be effective against these fat-finger errors? Controls often include pre-trade order size limits, which prevent block trades above a certain limit from being entered into a ledger.
The Markets in Financial Instruments Directive also sets out guidelines on systems and controls to prevent fat-finger errors in an automated trading environment. These regulatory requirements have been further strengthened under Mifid II, as requirements will apply not only to trading firms but also to trading venues.
Fat-finger errors in both trading and payment processing could heavily affect the stock market and cause huge losses to the responsible firm. And, as with Deutsche Bank, the controls put in place to prevent billions of euros from being mistakenly sent to the wrong counterparty can fail more than once.
As the Citi case shows, when the controls against such mistakes fail, it is not always possible to recover the losses in their entirety, which demonstrates the importance of strong controls to prevent large financial losses before they happen.
Editing by Louise Marshall
All information included in this report and held in ORX News comes from public sources only. It does not include any information from other services run by ORX, and we have not confirmed any of the information shown with any member of ORX.
While ORX endeavours to provide accurate, complete and up-to-date information, ORX makes no representation as to the accuracy, reliability or completeness of this information.