Global banking major Citibank relies on a so-called “six eyes” protocol for high-value transactions. It simply means at least three people must approve large money transfers. The extra pairs of eyes are a precaution. Think of it like three scientists carefully examining a rocket before it is fired into space.
On August 11, 2020, Citi was set to transfer $8 million to lenders of cosmetics company Revlon in its capacity as a loan agent. There were ‘six eyes’ on hand to make sure everything went without a hitch. Of the three, two were in India. They worked with Wipro Technologies, the Indian technology partner of Citi.
Oops! The trio (the third person was a senior Citi manager) mistakenly paid Revlon’s lenders around $900 million. The incident, billed as the biggest blunder in banking history, expectedly made global headlines. It was back in the news earlier this month when Citigroup lost a legal battle in the US to recover the money it accidentally transferred.
So far, Citi’s colossal blunder and its legal troubles have received the ink. But attention is swiftly turning to Wipro’s damaging role in the episode.
“It is bad optics for Wipro. While these human errors are common, the magnitude is not,” an IT analyst who tracks Wipro closely told Moneycontrol.
There are larger questions. What impact will this incident have on the credibility of the Indian IT firm? Will this affect business relations and outsourcing by global banks to Indian IT services providers? Will Citi sue Wipro?
The Citi-Wipro partnership
Citibank’s partnership with Wipro goes back at least 13 years. In December 2008, Wipro said it was buying Citi Technology Services, the India-based captive provider of IT services and solutions to Citigroup entities worldwide, for $127 million in an all-cash deal. It was a lucrative deal for Wipro that ensured $500 million of business for six years.
Two years later, in August, Wipro and Citibank unveiled an agreement under which the Indian company would take over the operation and management of Citi’s data centre at Meerbusch in Germany.
Wipro even now counts Citi as one of its top clients, accounting for over $250 million annually, said people who are familiar with the company’s business. The company provides Citi a range of services including IT, infrastructure management and business processing services (BPS).
Now, the gaffe could potentially derail a profitable business and cast a shadow on similar business arrangements, according to analysts Moneycontrol spoke to.
“Considering the amount of business banks do today, it is doubtful whether all banks invest enough in technology partnerships,” said Sidhharth Purohit, senior analyst at Mumbai-based SMC Global Securities.
“Citi-like incidents can create a credibility issue for Indian IT firms. But to what extent the responsibility can be put on technology partners during such events is a question,” said Purohit, who has been tracking the banking sector for more than a decade.
What really happened?
The error was human, not a technical one as some in Citi initially thought.
The process of sanctioning a high-value fund transfer begins with a ‘maker’, typically a subcontractor (a Wipro employee in this case), who enters the information into Citi’s Flexcube loan processing system. A ‘checker’, again a Wipro employee, vets the transaction. In the third and final step, an ‘approver’, a Citibank employee, confirms the transactions initiated by the two Wipro employees.
Technology website Ars Technica reported that the subcontractor (Wipro employee) thought that checking the “principal” checkbox and entering the number of a Citibank wash account would ensure that the principal payment would stay at Citibank. “He was wrong. To prevent payment of the principal, the subcontractor actually needed to set the ‘front’ and ‘fund’ fields to the wash account (clearing account) as well as ‘principal.’ The subcontractor didn’t do that,” the report said.
In other words, the maker made the wrong entry, and the checker and the approver (the Citibank manager) failed to spot the error.
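The failure described above, as an added example (not code from Citi, Wipro, Flexcube or the cited report): a pre-release check that compares the cash that would actually leave the bank with the intended payout, so that three sign-offs on the same screen are not the only control. The routing rule, account number and amounts are simplified assumptions constructed from the article's description.

```python
from dataclasses import dataclass
from typing import Optional

WASH = "WASH-0001"  # constructed internal clearing-account number (assumption)

@dataclass
class LoanPayment:
    principal_due: int                 # outstanding principal, in dollars
    interest_due: int                  # amount the lenders are owed now
    principal: Optional[str] = None    # the three override fields named in the report
    front: Optional[str] = None
    fund: Optional[str] = None
    approvals: tuple = ()              # roles that have signed off

def external_outflow(p):
    """Cash leaving the bank under the simplified rule assumed here:
    principal stays internal only if all three fields name the wash account."""
    held = all(f == WASH for f in (p.principal, p.front, p.fund))
    return p.interest_due + (0 if held else p.principal_due)

def release_decision(p, intended_outflow):
    """Return (ok, reasons). Human sign-offs are necessary but not sufficient."""
    reasons = []
    missing = {"maker", "checker", "approver"} - set(p.approvals)
    if missing:
        reasons.append("missing sign-off: " + ", ".join(sorted(missing)))
    set_fields = [n for n in ("principal", "front", "fund") if getattr(p, n) == WASH]
    if 0 < len(set_fields) < 3:
        reasons.append("partial wash-account override: only " + ", ".join(set_fields))
    actual = external_outflow(p)
    if actual != intended_outflow:
        reasons.append(f"outflow {actual:,} != intended {intended_outflow:,}")
    return (not reasons, reasons)

SIGNED = ("maker", "checker", "approver")
# Constructed round figures matching the article's approximate totals.
AS_ENTERED = LoanPayment(892_000_000, 8_000_000, principal=WASH, approvals=SIGNED)
CORRECTED = LoanPayment(892_000_000, 8_000_000, principal=WASH, front=WASH,
                        fund=WASH, approvals=SIGNED)

if __name__ == "__main__":
    for name, payment in (("as entered", AS_ENTERED), ("corrected", CORRECTED)):
        ok, why = release_decision(payment, intended_outflow=8_000_000)
        print(name, "RELEASE" if ok else "BLOCK", why)
```

The entry with only the principal field set carries all three approvals and is still blocked, because the check is computed from the transaction itself rather than from what the reviewers believed the screen meant.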
Could the mistake have been avoided? “The maker and checker are responsible for the transactions but the ultimate responsibility is with the approver,” said Naresh Malhotra, a senior banking consultant.
Indian banks also follow the multi-party authorisation model for high-value transactions, Malhotra said.
Citi upgrading its platforms
The initiation and approval of the transaction in the Citi case originated at Wipro’s BPS division. The LinkedIn profile of one of the employees showed that he continues to work in this division. It is not clear if both employees were re-assigned after the mistake.
Wipro did not respond to email queries from Moneycontrol. Top executives Moneycontrol reached out to declined to comment, stating that the matter is sub judice.
In an email response to Moneycontrol, Citibank didn’t respond to specific queries on whether the incident will impact its relationship with the technology partner.
The bank said it is in the process of upgrading the loan operations platform following a review conducted in 2019.
“As a result of a review undertaken last year (2019), we are in the process of upgrading our loan operations platform. We take pride in the role that we play as a global leader in financial services and recognize that an operational error of this nature is unacceptable. We have put significant, additional controls in place until the new system is operational,” said Citibank in the response.
“While many lenders have recognized the payment was in error and returned several hundred million dollars so far, other lenders have either refused to return or have not committed to return the funds. Those funds have been frozen by court order. We believe the law is on our side and that we will recover the outstanding funds,” said the bank in the email response.
Citibank will decide on its arrangement with Wipro only after the US court cases are settled, according to people familiar with the matter. If Citi were to seek a penalty or take Wipro to court, its US case could weaken, said one of the persons, asking not to be named.
“The fine print of the agreement between Citibank and Wipro will decide the culpability and responsibility of the parties involved,” said Malhotra.
Three senior industry executives said the blame primarily lies with Citi as it controls the entire process—right from determining the bespoke software from Flexcube to initiating and approving a transfer.
“Wipro just followed the process here. One can’t hold Wipro liable. It is Citi’s fault as there is a clear problem with their system,” said one of the persons.
The second executive said while there have been instances of human errors by other vendors in the past, Citi and Wipro stand out for the sheer magnitude. “SLAs, or service level agreements, entered into between a client and a service provider have penalties for breach of risk. But in this case, it is not a data security breach or a malware. It is a costly oversight. While it reflects badly on Wipro, this is not an SLA breach per se.”
The third person said it will be difficult for Citi to claim the amount as there will be lots of clauses like liability limit. “The judgment (in the US court) may anyway get overturned.”
All three didn’t want to be named.
Some analysts said Citi could eventually either move more of its BPS business to Wipro rival TCS or invest more in technology and move more work in-house. Citi currently has a captive arm in Chennai that employs over 3,000 people.
CHANDRA R SRIKANTH is Editor - Tech, Startups, and New Economy
News Source: Moneycontrol