Citi Overlooked a Few Thousand Illegal Trades
Yesterday's $15 million Securities and Exchange Commission settlement with Citigroup over a grab bag of administrative violations is objectively boring and yet I find myself fascinated by it. Big banks, as securities dealers, trade public stocks and bonds, but as relationship banks, they also have lots of secret information about the companies that issue those stocks and bonds, information that is not allowed to fall into the hands of their traders. So a major job of banking compliance is just to keep those functions separate. Citi's subsidiary Citigroup Global Markets sometimes messed that up, in ways that probably didn't hurt anyone but that tell you a lot about banks and regulation. 1
The first problem mentioned in the SEC order has to do with Citi's loan trading. Loan trading is in some ways a weird relic. Back in the olden days, bank loans were, you know, bank loans. Companies went to banks, and the banks did lots of due diligence, and then the banks loaned the companies money. The banks had more information about the companies than the rest of the market did. Arguably the point of banks is to give money to companies based on information that the rest of the market doesn't have, and to monitor those companies more closely than the market would. And since bank lenders of course have material nonpublic information about their borrowers, as it became common to trade bank loans, the norm developed that it is fine to do so even if you have material nonpublic information about the borrower. 2 That's just how the market works.
But it's not fine to trade stocks or bonds or even credit default swaps 3 when you have material nonpublic information. That's called insider trading, and is illegal. And as bank loans became more commonly traded among hedge funds and other non-bank lenders, 4 this created a problem. If your hedge fund or bank trading desk had inside information, it could still trade bank loans, but it couldn't hedge those loans with CDS, or do relative-value trading between a company's loans and its bonds or stock. So the market responded by setting up two classes of loan investors: You can agree to be "public" for a given company's loans, and only get the same information that it gives stockholders and bondholders, or you can be "private" and have access to more detailed due diligence information. 5 But if you choose to be "private," you can't trade the company's securities; you can only trade its loans.
Citi has loan trading desks, which mostly trade loans but which also sometimes do hedging or relative-value trading using equities or bonds or CDS. If those desks want to be private on a company, they put it on the "Loan Watch List," and then they can get more information but are not allowed to trade its stock or bonds or CDS. 6 A group at Citi with the evocative name "Information Barriers Surveillance Group" 7 is in charge of making sure that the loan trading desks don't trade securities of companies on the Loan Watch List. That group gets a list of all the trades that the loan trading desks do, and checks to see if any of those trades are in (1) non-loan securities (stocks, bonds, CDS) of (2) companies on the Loan Watch List. If they are, that's bad.
But there was a wee problem:
In 2009, as part of an examination by the Commission’s Office of Compliance Inspections and Examinations, an issue was discovered with the trade reports that IBSG staff used to review trading by the loan desks: trade reports were populated by a data feed — called “LoansQT”— that contained only loan trades. Because the data feed was limited to loan trades, the reports did not contain the loan desks’ securities trades, swap trades, etc. — trades that could have been prohibited by CGMI’s policies. Instead, for certain issuers, the reports only contained trades in loans that were not subject to Loan Watch List trading prohibition. Upon review, it was determined that the problem had existed since 2002.
The rule is: If you are "private" on the company, you can only trade its loans, not its securities. But the way Citi checked that rule was by reviewing a list of only loan trades. So of course it never found a problem. 8 If you only review the trades that are allowed, you'll never find the trades that aren't. Bizarrely, "IBSG personnel never noticed that the reports did not include transactions in public securities and swaps." 9 For seven years.
So Citi committed insider trading 12,000 times:
Of the loan desks’ 3 million securities and swap (not loans) trades over a 42-month sample (January 2008 through June 2011), there were approximately 12,000 trades in the securities of 16 different issuers that were on the Loan Watch List at the time of the trades but were not subjected to surveillance at the time.
Oops! The SEC throws in a generous footnote pointing out that "in some of the instances, the Loan Watch List was overly-inclusive" because the desk was not in fact in possession of nonpublic information. And it didn't actually charge Citi with insider trading. I suspect that even where the list was not overinclusive, the violations would have been pretty light insider trading; it's not like private-side loan trading desks get tipped off to upcoming mergers or anything. 10 Still this is awkward.
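The check described above, and the way a loans-only feed defeats it, as an added example (not Citi's or the SEC's code). The issuer and desk names and the independent ledger count are made up for illustration; the point is that an empty result only means "clean" if the feed could have contained a violation in the first place.

```python
from collections import Counter
from dataclasses import dataclass

# Instruments a "private" desk may not trade in a watch-listed issuer (loans are allowed).
RESTRICTED = {"equity", "bond", "cds"}

@dataclass(frozen=True)
class Trade:
    desk: str
    issuer: str
    asset_class: str  # "loan", "equity", "bond" or "cds"

def watch_list_hits(feed, watch_list):
    """The rule itself: non-loan trades in issuers on the Loan Watch List."""
    return [t for t in feed if t.asset_class in RESTRICTED and t.issuer in watch_list]

def coverage_gaps(feed, ledger_counts):
    """Restricted asset classes where the feed holds fewer trades than an
    independent count says the desks executed (assumed second data source)."""
    seen = Counter(t.asset_class for t in feed)
    return {c: (seen[c], n) for c, n in ledger_counts.items()
            if c in RESTRICTED and seen[c] < n}

def review(feed, watch_list, ledger_counts):
    """Run the rule, but never report CLEAN from a feed that could not contain a hit."""
    gaps = coverage_gaps(feed, ledger_counts)
    hits = watch_list_hits(feed, watch_list)
    status = "BLIND" if gaps else ("HITS" if hits else "CLEAN")
    return status, hits, gaps

# Constructed sample data; issuer and desk names are made up.
WATCH_LIST = {"ACME"}
ALL_TRADES = [
    Trade("loans-ny", "ACME", "loan"),
    Trade("loans-ny", "ACME", "cds"),       # prohibited: CDS in a watch-listed name
    Trade("loans-ny", "GLOBEX", "equity"),  # allowed: issuer not on the list
    Trade("loans-ny", "GLOBEX", "loan"),
    Trade("loans-ny", "ACME", "bond"),      # prohibited
]
LEDGER = Counter(t.asset_class for t in ALL_TRADES)  # independent per-class totals
# Mimics a feed like LoansQT that carries loan trades only.
LOANS_ONLY_FEED = [t for t in ALL_TRADES if t.asset_class == "loan"]

if __name__ == "__main__":
    print(review(LOANS_ONLY_FEED, WATCH_LIST, LEDGER))  # rule alone finds nothing
    print(review(ALL_TRADES, WATCH_LIST, LEDGER))
```
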
The second bad thing that Citigroup did is a variant on the first. In addition to the Loan Watch List, Citi had a Restricted Trading List, which covered all sorts of restrictions on when Citi's trading desks could trade securities, including because of some investment banking mandates. 11 The Information Barriers Surveillance Group reviewed trades in Restricted Trading List companies' securities, based on two trading reports with the somewhat less evocative names "002" and "282." Those reports were incomplete, sometimes, due in part to design errors and in part to "a coding error that occurred as changes were being made in 2009 as a result of CGMI’s joint venture with Morgan Stanley." So IBSG didn't review lots of trades, and it's possible that some of them at least violated technical trading restrictions, though the SEC doesn't outright say that, and I guess it's possible that Citi's traders were angels even when no one was watching.
The third bad thing that Citigroup did was trade between itself as principal and its investment advisory clients, without those clients' explicit permission. Apparently you're not allowed to do that. 12 The way this happened seems to be that an advisory employee would want to buy stock for a client, and would enter the order into Citi's order management system, which would then route the order to wherever Citi bought stocks (exchanges, dark pools, etc.). One stop along the route was Automated Trading Desk, an electronic market-making firm that "executed the transactions as principal at or near prevailing market prices." The problem is that in 2007 Citi bought ATD, meaning that it could no longer route its advisory client orders there. Its update to its order management system to reflect this new reality was sort of underwhelming: "CGMI instructed its employees that all advisory orders entered into a certain front-end order-entry system should be designated as such by manually typing the code 'MMA' (meaning 'money managed account')." Unsurprisingly, "employees often failed to input the MMA code." There was also an automated process that checked orders against a database of advisory accounts, but it "was ineffective because the database did not contain all of the advisory accounts. For example, recently opened advisory accounts were often missing because CGMI did not regularly update the database." Ultimately the tally was "more than 467,000 principal transactions" that weren't supposed to happen. It seems unlikely clients were harmed much, or at all, but, you know, that's not supposed to happen, and it did.
Imagine if I came to you and said: Citigroup traded in a client's stock when it had inside information due to its lending relationship. Or: Citigroup illegally traded for its own account against a client who trusted it to manage her money. Those things sound bad. You could plausibly get mad at Citi for doing them. Citi did them. 12,000 and 467,000 times, respectively, give or take. And yet ... and yet the SEC order is boring and the fine is smallish and the news coverage is brief and not particularly outraged. And that all seems about right. It would be a stretch to say that Citi's many tens of thousands of violations of the law here represent, you know, a broken culture of lawlessness at the bank. They represent a handful of computer programming mistakes.
One thing that you sometimes hear is that the big banks, and especially Citigroup, are "too big to manage." There is a sense in which that is literally and unavoidably true. Citigroup is an organism that is too complex for any human to comprehend. You need software to even see what you're doing. If you get the software a little bit wrong, you will break the law thousands of times. 13 Oops! The SEC says:
The national market system is characterized by automated trading conducted through advanced computer systems. As market participants continue to rely on automated systems to conduct trading, reliable technology systems enable broker-dealers and investment advisers to fulfill effectively their compliance responsibilities. Technology oversight is a critical part of modern compliance, including management of the technology systems that compliance personnel use. Failure to oversee those systems adequately can lead to compliance failures and securities law violations.
It's saying this to scold Citi for those failures, but you can feel a little bit of sympathy too. The automation makes the compliance problems harder to detect, and magnifies their number. In a sense the computers are running the bank, and Citi relies on its computer systems to follow the law as much as it relies on its traders and bankers. With the systems, as with the traders, there's always the risk of a few bad apples messing things up for everyone.
The lesson of this case is that it's not easy for a big bank to follow the law. Bank compliance is an emergent property of a bunch of people and computers and systems working together in a carefully choreographed way. Banks break the law because individual bankers are evil or because software has bugs or because people forget to type "MMA" in a box on the order-entry screen. Some violations are evil and some are dumb and some are completely understandable. And when you read a case like this, it can seem like a miracle that it ever works at all.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
1. An aside: This is Citigroup's second SEC settlement this week. (The first, on Monday, was for some crisis-era hedge fund sales.) If you break certain securities rules, you automatically become ineligible to be a "well-known seasoned issuer" under the SEC's rules, which makes it harder for you to issue securities, a real hardship for a bank. The SEC can waive this automatic bar, and often does, which is endlessly controversial for reasons that I do not quite understand.
2. Not legal advice! The norm tends to be phrased in terms like "bank loans are not securities," and only securities are subject to insider trading rules. But that is not absolutely certain, and "the SEC’s interpretation of what constitutes a security remains boundless." It's "vexing."
3. Probably: "On June 25, 2010, a District Judge in the Southern District of New York held, in a case of first impression, that the federal insider trading laws apply to credit default swaps." Arguably they shouldn't.
4. And as banks started trading more securities after the demise of the Glass-Steagall Act, I guess, though that is pretty far back.
5. From the SEC order:
When CGMI owns a loan, the loan agreement generally permits CGMI (as loan owner) to access information about the borrower through web sites run by third-party vendors. These web sites can include both public and nonpublic information. The web sites typically separate the public information from the nonpublic information so the loan owners can choose to access only public information and avoid limitations on trading.
6. From the order:
Once a borrower is on the Loan Watch List, the loan desks may not trade securities of that borrower. Although the desks may not trade the borrower’s securities, they are permitted to continue to trade the borrower’s loans. A trader may request that a borrower be removed from the Loan Watch List if, for example, a loan desk trader no longer has access to the nonpublic portion of the website for the borrower and the nonpublic information that the trader previously accessed has become stale or the trader has been cleansed of the nonpublic information through a corporate event such as a securities issuance or bankruptcy.
Incidentally, Citi could still trade the securities. Other desks that didn't have the private information were not restricted. This of course relies on the loan traders not sharing the information with the stock and bond traders. Most of bank trading relies on similar enforcement of information barriers. Banks have lots of inside information! Keeping it from the traders is a big part of the job!
7. A related group at many banks is called "Control Room," and while it does not seem like a fun job exactly, it does seem like a very fun thing to say.
8. I mean, "for certain issuers," etc. The SEC doesn't say it never found a problem. But it never would have based on that feed.
9. As far as I can tell the reports were meant to include all trades by the loan desks, not just trades in names on the Loan Watch List. If it was just the latter then this wouldn't be so bizarre: The desks weren't supposed to trade securities of Loan Watch names, so it wouldn't be surprising that they never did. But apparently the system failed to report securities trades in even non-Loan-Watch-List names.
10. Obviously lender banks, in the form of their investment bankers, often do get tipped off to their clients' upcoming mergers! They're just not supposed to share that information with their trading desks. (And there's no suggestion that Citi did.)
11. From the SEC order:
The RTL prohibited or limited trading for reasons that include the following examples: Regulation M restrictions when CGMI was acting as an underwriter; Rule 14e-5 restrictions when CGMI was an adviser in a tender offer; and a business policy restriction when CGMI’s holdings reached a certain level and CGMI wanted to limit additional purchases.
Not on the list is "information restrictions when Citigroup had some sort of investment banking mandate," so I assume that sort of thing wasn't covered by the RTL. Which makes sense: If Citi's bankers are working on a merger for a company, its traders can still trade the company's stock. They just can't know about the merger, which is policed through means other than the RTL.
12. From the order:
Section 206(3) of the Advisers Act prohibits an investment adviser from, directly or indirectly, “acting as principal for his own account, knowingly to sell any security to or purchase any security from a client . . . without disclosing to such client in writing before the completion of such transaction the capacity in which he is acting and obtaining the consent of the client to such transaction.”
13. Or, in the case of Goldman Sachs's Order Audit Trail System violations, 63 billion times.
To contact the author on this story:
Matt Levine at email@example.com
To contact the editor on this story:
Zara Kessler at firstname.lastname@example.org