Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Software

Software bug costs Citigroup $7m after legit transactions mistaken for test data for 15 years

10B or not 10B, that is the question

Kieren McCarthy Wed 13 Jul 2016  //  19:10 UTC

A programming blunder in its reporting software has led to Citigroup being fined $7m (£5m).

According to the US Securities and Exchange Commission (SEC), that error [PDF] resulted in the financial regulator being sent incomplete "blue sheet" information for a remarkable 15 years – from May 1999 to April 2014.

The mistake was discovered by Citigroup itself when it was asked to send a large but precise chunk of trading data to the SEC in April 2014 and asked its technical support team to help identify which internal ID numbers they should run a request on.

That team quickly noticed that some branches' trades were not being included in the automated system and alerted those above them. Four days later a patch was in place, but it wasn't until eight months later that the company received a formal report noting that the error had affected SEC reports going back more than a decade. The next month, January 2015, Citigroup fessed up to the SEC.

The error

It turned out that the error was a result of how the company introduced new alphanumeric branch codes.

When the system was introduced in the mid-1990s, the program code filtered out any transactions that were given three-digit branch codes from 089 to 100 and used those prefixes for testing purposes.

But in 1998, the company started using alphanumeric branch codes as it expanded its business. Among them were the codes 10B, 10C and so on, which the system treated as being within the excluded range, and so their transactions were removed from any reports sent to the SEC.

The SEC routinely sends requests to financial institutions asking them to send all details on transactions between specific dates as a way of checking that nothing untoward is going on. The coding error had resulted in Citigroup failing to send information on 26,810 transactions in over 2,300 such requests.

The SEC was not impressed and said in a statement announcing the fine that the "failure to discover the coding error and to produce the missing data for many years potentially impacted numerous Commission investigations."

"Broker-dealers have a core responsibility to promptly provide the SEC with accurate and complete trading data for us to analyze during enforcement investigations," said Robert Cohen, co-chief of the SEC enforcement division’s market abuse unit. "Citigroup did not live up to that responsibility for an inexcusably long period of time, and it must pay the largest penalty to date for blue sheet violations." ®
Send us news
62 Comments

SEC cleared to take securities beef against Coinbase to trial

Judge says watchdog can HODL four of its five charges against crypto exchange

Sun Microsystems co-founder charged with insider trading

Andreas Bechtolsheim is paying out less than $1M to SEC amid allegations he illegally bought options

Investment advisors pay the price for selling what looked a lot like AI fairy tales

SEC bags $400K in settlements

Lordstown Motors to pay $25M in SEC settlement over misleading investor claims

Feds allege EV maker talked up pre-orders for trucks it didn't have parts for

Elon Musk can't wriggle out of SEC Twitter fraud inquiry

Lawyers argue requests for more info are tantamount to harassment

Republican senators try to outlaw rules that restrict Wall Street’s use of AI

Everyone should be free to trust AI to make their financial decisions, without knowing if it's also used against them

Biden will veto attempts to kill off SEC's security breach reporting rules

Senate, House can try but won't make it past the Prez, says White House

SolarWinds slams SEC lawsuit against it as 'unprecedented' victim blaming

18,000 customers, including the Pentagon and Microsoft, may have other thoughts

Tesla hacks make big bank at Pwn2Own's first automotive-focused event

ALSO: SEC admits to X account negligence; New macOS malware family appears; and some critical vulns

Musk takes SEC 'Twitter sitter' consent decree appeal to US Supreme Court

Same old argument about free speech – let's see if it sticks this time

GitLab admits IT ineptitude in finance reporting is ongoing

Code shack has had two years since auditor's 'adverse opinion' to get house in order

Crypto crasher Do Kwon's extradition approved, but destination is unclear

Hey Google, are the jails nicer in South Korea or the US?