Skip to content

Citigroup fat-finger fail: Are your controls and risk appetite aligned?

In May 2022, a trader at Citigroup in London suffered from butterfingers. The trader intended to submit trades to the value of US$58 million. Due to an incorrect field entry, the value initially submitted was US$444 billion. Some controls picked up the erroneous trades, but US$1.4 billion were still executed before being cancelled. This came to a head in May 2024, with final notices issued by the FCA and PRA regulators with fines totalling £61.6 million (US$78.7 million).

The good news? Your organisation can learn from this incident – without having to face a multi-million dollar payout. In this blog, we are going to cover:

  • What happened?
  • Why controls need to reflect your risk appetite
  • The importance of acting on control weaknesses

If you’d like to know more about best practice in controls management, download Protecht’s risk control frameworks eBook now:

Find out more

What happened?

The incident occurred on 2 May 2022 at Citigroup’s UK trading desk - a public holiday (foreshadowing). Due to a keying error by the trader, the intended US$58 million turned into US$444 billion. I know what you are thinking – surely there were controls in place to pick this up? Yes – though they did not all operate as intended. You can head over to the FCA’s and PRA’s Final Notices if you want the technical details[1][2], but here is a summary of the key events:

  • The trader was issued 711 limit warnings, but was able to (and did) close the pop-up and proceed without reading them all. Many were soft blocks, but two hard blocks could not be overridden which stopped US$248 billion being sent.
  • US$196 billion worth of orders were sent to be executed, and while a set of controls blocked or suspended many of these orders, US$1.4 billion in total were executed before the trader noticed the error and cancelled the remaining orders.
  • There was a failure in real-time monitoring. Due to the public holiday, the regular (and understaffed) team who monitored internal trades handed over to another team who were responsible for customer-initiated trades. This team did not escalate any of the alerts they received.
  • A third team who monitored trades post-completion had the majority of alerts filtered out of their system, resulting in failure to escalate appropriately. They did follow up, but only after the trades had already been cancelled.
  • As a result of the trades that were executed over a number of minutes, several European indices suffered a material short term drop.
  • The trading incident itself resulted in a US$48 million loss to Citigroup.

The PRA sums it up nicely:

‘The immediate cause of the trading error was a manual input error by the trader, however the Firm’s trading controls should have, but did not, prevent the basket of equities being transmitted to the market in entirety.’

Why controls need to reflect your risk appetite

For this type of activity, there will be a range of limits, metrics, and delegations. These are all in place to manage risk appetite for financial risks. Of course, this incident was not a financial risk – it was an operational risk.

Citigroup’s internal audit department called out the relevant risk in a 2020 report after assessing the trading desk’s controls, where a potential risk related to identified control deficiencies was “erroneous orders may be executed which may lead to transactions in excess of risk appetite and potentially cause market disruption”.

When setting risk appetite and related tolerances, you need to consider whether your control environment is sufficient to manage within that appetite. In this case, some of those controls did work – but the biggest reducer of impact was the trader themselves, cancelling the remaining orders after noticing erroneous market values. What if they hadn’t noticed?

Controls might be operating effectively, but the objective of the control (why it exists, not just what it does) must be reviewed alongside its design. Changes made to some control thresholds during COVID in 2020 had not been recalibrated, and some limits were set excessively high. One of the hard limits for individual stocks was set at US$2 billion, which was revised to US$250 million after the incident.

This highlights the importance of not just assessing whether the control is working, but whether it is actually managing the related risks.

Another observation relates to the sufficiency of testing. After the incident, an independent assessor identified that testing was inadequate, primarily because those tests were done on a system-by-system basis. However, trades flowed across multiple systems. This further highlights the need to test end to end processes which helps identify control gaps and weaknesses – once again aligning with the related risks, rather than reviewing controls in isolation.

Acting on known control weaknesses

The PRA is not backwards about bringing up dirty laundry in their report. They highlight internal audit reports, PRA findings and recommendations in their supervisory capacity, and incidents that occurred at Citigroup since 2018.

Many of the incidents point to control weaknesses themselves, while repeated internal audit reviews specify controls that provided limited assurance. Several internal audits included overall effectiveness ratings less than 70%. One of those reports highlighted the manual nature of many controls – 28 out of 31 (90%) reviewed were manual, which can increase operational risks due to potential for error or misapplication.

The lesson? Address known control weaknesses before they come back to bite you. If you’ve got ‘findings’ or ‘actions’ that have been sitting in a register for years with their due date continually being pushed out, you might want to dust them off and get cracking.

The PRA also noted that many controls were not linked and were documented in different systems for different processes. The inability to view controls in a single source of truth reduces the ability to identify control gaps or drive efficient control testing activity.

Conclusions and next steps for your organisation

So what can any organisation learn from this incident?

  • Review control objectives before assessing their effectiveness. Does the defined objective relate directly to risk?
  • When reviewing control design, pay particular attention to single points of failure such as clicking through pop-ups that could have major impacts if there are errors. Replace with dual-authorisation and escalations if appropriate, or add additional data validation.
  • While you may need to test controls individually, consider the end-to-end process and whether controls collectively address the related risks
  • Ensure your control environment reflects your risk appetite. Run scenarios to test your tolerance.
  • Adopt systems that enable a single source of truth for controls management to improve efficiency while enhancing your control environment

If you’d like to know more about best practice in controls management, Protecht’s How to get more intimate with your controls eBook covers best practice around the essential elements of controls, how a control modifies risk, the main types of controls, how to operate your risk and controls register, and control monitoring, assurance and reporting. Download it now and ensure that your controls framework is fit for purpose:

Find out more


[1] FCA, Final Notice to Citigroup Global Markets Limited, May 2024

[2] PRA, Final Notice to Citigroup Global Markets Limited, May 2024


Image credit: VV Shots -

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.