Monday, March 3, 2025

Citibank’s $81 Trillion Error

Doloresz Katanich:

An error almost led to a Citigroup account being credited with $81tn (€77.8tn) - an amount that is about 5 times the total wealth of the UK, which was estimated at €14.7tn in 2023 by ONS.

[…]

The erroneous internal transfer, which occurred last April, was initially missed by two employees, one of whom was assigned to check the transaction.

[…]

The first employee had to go through a rarely-used back-up screen following another system’s fault to send $280 (€269) to a client’s account. One quirk of the rarely-used screen was that the amount field came pre-filled with 15 zeros, something that would have to be deleted but that did not happen[…]

Pre-filling the field sounds like such a terrible design that wouldn’t happen by accident, so there must be an interesting reason why that was done.

Stephen Gandel and Joshua Franklin:

A third employee detected a problem with the bank’s account balances, catching the payment 90 minutes after it was posted.

[…]

The bank said its “detective controls promptly identified the inputting error between two Citi ledger accounts and we reversed the entry” and that these mechanisms “would have also stopped any funds leaving the bank”.

[…]

A total of 10 near misses — incidents when a bank processes the wrong amount but is ultimately able to recover the funds — of $1bn or greater occurred at Citi last year, according to an internal report seen by the FT.

In the financial world, fractions of a second matter, but somehow 90 minutes after the fact is considered prompt. A good Mac app will preemptively warn the user if they do something that’s probably an error, like try to open 100 documents at a time. The G-SIB’s “detective controls” sound like the equivalent of killing the process after it’s used up all the RAM but before it brings down the whole machine. OK, that’s a good thing, but there’s really no input validation or sanity checking earlier in the process? I suppose that’s not actually necessary when there are legal means of undo.
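The kind of pre-posting sanity check the paragraph above asks about, as an added example; it is not Citi's code and does not come from the quoted articles. The thresholds, the function names and the comparison against an instructed amount are assumptions for illustration.

```python
from decimal import Decimal, InvalidOperation

# Assumed policy values for illustration; real limits would be set per account.
HARD_CEILING = Decimal("1000000000")  # refuse anything at or above $1bn on this screen
REVIEW_MULTIPLE = Decimal("10")       # hold if over 10x the largest recent payment


def parse_amount(text):
    """Parse a typed amount strictly with Decimal (never float)."""
    try:
        value = Decimal(text.replace(",", ""))
    except InvalidOperation:
        raise ValueError(f"not a number: {text!r}")
    if not value.is_finite() or value <= 0:
        raise ValueError("amount must be a positive, finite number")
    if value.as_tuple().exponent < -2:
        raise ValueError("more than two decimal places")
    return value


def check_entry(entered_text, instructed, recent_max):
    """Decide before posting: returns ('POST' | 'HOLD' | 'BLOCK', reason)."""
    try:
        entered = parse_amount(entered_text)
    except ValueError as exc:
        return "BLOCK", str(exc)
    if entered >= HARD_CEILING:
        return "BLOCK", "at or above hard ceiling"
    if entered != instructed:
        return "HOLD", "differs from instructed amount"
    if entered > recent_max * REVIEW_MULTIPLE:
        return "HOLD", "far above recent payments on this account"
    return "POST", "ok"


if __name__ == "__main__":
    # Constructed inputs: the $280 instruction and the $81tn figure from the story.
    for typed in ("280.00", "81000000000000", "2800.00", "28o.00"):
        print(typed, check_entry(typed, Decimal("280.00"), Decimal("5000")))
```

A BLOCK or HOLD here happens before the entry is posted, which is the difference from a detective control that finds the bad balance afterwards.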

3 Comments


> Pre-filling the field sounds like such a terrible design that wouldn’t happen by accident, so there must be an interesting reason why that was done.

Maybe as a precaution to make sure the field is being checked, ironically...


> Pre-filling the field with 15 zeros sounds like such a terrible design that wouldn’t happen by accident, so there must be an interesting reason why that was done.

n000000000000000bs


> Pre-filling the field sounds like such a terrible design that wouldn’t happen by accident, so there must be an interesting reason why that was done.

It can just be people who don't know the difference between a placeholder and default values. Or that it's based on an old terminal system where the 0s in the default value were overwritten.

What is more intriguing about the story is that none of the numbers (excluding the 0s) provided in the article seem connected to each other: 150, 280, 81.
