by PaulAJ 2124 days ago
> An internal review at the bank found humans manually operating the old software were ultimately at fault

Which is of course an entirely bogus cop-out. If a mistake can be made in a manual operation then sooner or later it will be. Lower down the article says that manual checks that were supposed to catch this error failed to do so. Ineffective checks are a management responsibility, and that responsibility goes all the way up to the CEO.


At least Citibank is trying to upgrade their ancient systems, but it sure looks as if previous or current CEOs failed to exercise due diligence.

Doesn't look like good risk management at all.

Citi is one of those banks that spend a lot of their $$$$$$ in IT. They jokingly say that they are an IT company with a banking license.

Can anyone related please pitch in with a TA account? How bad/frequent are their Software Errors?

I mean...if this were any other business, someone clicking the wrong button and then someone else not catching this error would maybe mean someone's account was accidentally closed, or someone receiving a free pizza, or whatever.

The IT systems within banks are more or less the same as IT systems anywhere. Just as advanced, just as crappy. The difference is that if there is a human error with banking software, you're not sending free pizza, you accidentally pay out $900,000,000.

Actually, banks' risk management is easy.

Most in-bank or between-bank transfers are reversible and usually a non-issue. That's why the risk management probably says something like this:

  Risk: Incorrect transfer of funds to customer in another bank
  Mitigation: Manual review of all funds transfer above 5 million dollars
  Mitigation: Besides litigation issues, lost funds are easily recovered by asking the receiving bank
  Status: Risk accepted

Edit: Clarified "Mitigation: Besides litigation issues bank transfers are reversible" into "Mitigation: Besides litigation issues, lost funds are easily recovered by asking the receiving bank"
Nothing about bank risk management is easy. You haven’t accounted for a whole host of risks with this simple analysis, including the most important one: customer retention. The high-value customers sending high-value interbank transfers won’t be impressed that our systems let their wire go out the door incorrectly. Even if I can totally reverse the transaction (and it’s not nearly as easy or guaranteed as you’re assuming) I still have to tell the client about it in most cases. The client will, correctly, think “what if they can’t get it back next time this happens? I’ll find a bank that doesn’t have these kinds of issues.” And aside from crimes, losing a high-value client is perhaps the worst offense you can commit in banking.

Regardless of the dollar amount or outcome I also have to tell the audit committee, the board, the auditors, and all of my regulators. And exactly none of those groups would let me put your write-up along with the conclusion “risk accepted” in front of them.

Most bank transfers are actually not reversible, except for some limited retail client (including small companies) operations where specific terms & conditions allow the bank to reverse payments to the extent possible, which they really prefer to avoid using as it looks really bad for a bank whose most important asset is the confidence of its clients and counterparties. Reversal may also no longer be possible if the money has already gone out in a system that does not allow reversal, or if the client is bankrupt in the meantime (depending on local banking and bankruptcy laws and circumstances).

For any other payment system for larger sums / corporate and institutional parties, settlement finality is a huge thing that is the subject of all sorts of specific legislation, as it would be a real issue for the health of the financial system if a settled payment can simply be reversed, as it would have a lot of unintended consequences further down the line. So banks actually do have strict risk management policies to avoid wrong payments, but there are so many complex transactions for which ultimately a human (actually at least 2 due to 4-eyes principles) must confirm whether conditions for payment are satisfied and whether payment details are correct, and humans are always prone to making mistakes once in a while.

I didn't make myself clear; I meant that transfers are reversible (with the cooperation of the other bank), not that the source bank can unilaterally do it.

The law sides with the bank making the mistake, as discussed on https://news.ycombinator.com/item?id=24222045

With bank cooperation, which usually happens, settlements are non-issues. When an operation can be reversed by one of the parties, the settlement agreement usually mentions that the settlement is only final when the reversal period is over.

    Risk: An employee can transfer all of a customer's funds to an overseas bank account
    Mitigation: Multiple employees must approve transfer of funds
    Mitigation: No individual employee can deploy modifications to the computer system actually doing the transferring.
    Mitigation: No team can both write code and access (the important) production systems
    Mitigation: Must stand on head while deploying code, because people standing on their head are more honest
    Status: Risk accepted, we'll have 10 more meetings to review this next month.

The idea that bank transfers are reversible is false. Some are, some aren't, and the adversaries are interested in the ones that aren't. The idea that manual review is a trivial fix is very false. Even if there was a trivial fix, the idea that you could get this past the numerous gatekeepers with a simple and easy process is probably false in most banks.

Bank transfers between banks are not reversible.

Do you mean when the mortal clients of the banks are doing them, or when the banks are doing them?

I imagine bank CEOs know each other and can even call each other and say "Oh sorry old chap, that was a mistake!".

You are reading an article about a case where the bank could not take back its money; I think this answers your question :)

That's because the recipient didn't want to return it.