Citigroup fined $7m over software bug that misreported trading data to US regulator for 15 years

The US financial regulator has fined Citigroup $7m (£5.3m) for mistakenly sending incomplete information on trading data due to a software bug that existed for 15 years before being detected.

Electronic blue sheets (EBS) are information requests sent out by the US Securities and Exchange Commission (SEC) to brokers, market makers, clearing houses and other financial institutions. They ask for data relating to specific securities or transactions in order to determine if any illegal activity has taken place, or to figure out why a certain security is suddenly particularly volatile.

According to the SEC, Citigroup discovered the coding error in April 2014 when it was in the process of responding to a blue sheet request for trading data from the SEC, and the investment banking firm asked its technical support team to investigate and verify all of the data it planned to send.

Technical support figured out that a software error was responsible and fixed it in the same month, but it was soon discovered that the error was much bigger than previously thought.

Actual transactions mistakenly classed as test data

Because so many trades have been made, since the mid-1990s Citigroup has been using a reporting software that is designed to filter out any transactions that are used only for testing purposes, but are not actual securities transactions.

All the test trading transactions are assigned three-digit branch codes that range from "089" to "100". However, in 1998, Citigroup introduced alphanumeric branch codes in order to help it accommodate an expanding numbers of customer accounts, so the software got confused and could no longer distinguish between the testing branch codes and the actual branch codes.

Upon investigation, Citigroup's technical support team discovered that the software had been incorrectly filtering out transactions from actual branch offices that had a code beginning with the number 10 followed by a letter (e.g. 10B, 10C) between May 1999 and April 2014.

Because Citigroup didn't have a way of independently verifying that the software was doing its job properly when asked to gather data, this means that over the 15-year period, Citigroup mistakenly failed to produce records of 26,810 securities transactions that comprised of over 291 million shares of stock and options relating to 2,382 SEC blue sheet requests.

Software bug impacted 26,810 securities transaction records

Citigroup corrected the error immediately within days of it being discovered and introduced new controls over the software to make sure that all future data sent to the SEC was first verified to be correct, but it took until April 2015 for Citigroup to review and determine how many old blue sheet requests were impacted by the mistake, and to send the SEC the data that had been omitted over the 15-year period.

So despite the investment banking firm's efforts to rectify the problem and the fact that it admitted to and highlighted the mistake to the regulator as soon as it was discovered, the SEC still decided to fine Citigroup $7m.

"A broker-dealer's failure to furnish promptly true and complete records through the EBS system can undermine the integrity of Commission investigations and examinations, impede the Commission's ability to discharge its statutory obligations, and ultimately interfere with the Commission's ability to protect investors," said the SEC in its ruling.

"CGMI's failure to discover the coding error and to produce the missing data for many years potentially impacted numerous Commission investigations."