Here’s a classic lesson in Compliance 101: Don’t delete anything under a government subpoena.

Financial services giant Citi learned that lesson the hard way when on Monday the Commodity Futures Trading Commission (CFTC) announced it hit three Citibank affiliates with a collective $4.5 million civil monetary penalty to resolve charges for failing to “diligently supervise” the audio preservation system the bank operated and maintained, including on behalf of its affiliated North American swap dealers Citibank, Citigroup Energy, and Citigroup Global Markets.

The preservation system was Citi’s primary means of ensuring audio recordings were maintained as required by CFTC regulations. According to the CFTC order, because all the Citi entities relied on Citibank to operate and maintain the audio preservation system, they all violated CFTC Regulation 166.3.

CFTC Enforcement Division staff issued a subpoena to Citibank in December 2017 related to an ongoing investigation for, among other things, audio recordings of certain Citi traders on one particular day. In February 2018, “Citi represented to Division staff that a hold notice had been issued to Citi staff and confirmed that responsive audio recordings would be preserved,” the order stated.

“Relying on these representations, Division Staff agreed to Citi’s request that Citi be permitted to prioritize production of electronic communications and defer production of the requested audio recordings until a later date,” the CFTC noted. In October 2018, Division staff requested that Citibank produce the responsive audio recordings.

In December 2018, Citibank notified Division staff the recordings had been deleted roughly three weeks earlier due to what one Citibank employee warned was a “design flaw,” which he reported in a 2014 memorandum to the Global Voice Operations (GVO) group responsible for overseeing the audio preservation system. According to the employee, “if the system was not configured correctly, there was a ‘ticking time bomb effect’ that could—and, here, did—lead to the automatic deletion of audio recordings,” the order stated. The system deleted more than 2.77 million audio files for 982 users, including recordings that were responsive to the December 2017 subpoena, the CFTC said.

Internal control failings

The CFTC order described numerous failings in Citi’s internal controls, including that:

  • Citi failed to adequately staff the GVO group, including by failing to employ individuals with adequate technical knowledge;
  • GVO management did not take timely and appropriate steps to mitigate the risk posed by the audio preservation system’s design flaw after being on notice of the problem as of 2014;
  • Citi did not have adequate procedures in place to document, understand, and test changes to the audio preservation system; and
  • Citi did not have adequate procedures in place to ensure that personnel—including legal and compliance personnel who relied on the audio preservation system in responding to regulatory requests—were apprised of important risks to the integrity of the information contained on the system that were known to the GVO group.

“Registrants have obligations to diligently supervise all aspects of their business related to their duties, including all systems used to comply with CFTC record-keeping requirements, document requests, and subpoenas,” said Division of Enforcement Director James McDonald in a press release. “These regulations exist to promote the integrity of the marketplace. When registrants fail to meet their supervision obligations, they will be penalized.”