Skip to content
AID-2022-0003May 2, 2022critical

Citigroup $444B Basket: Hard Blocks Caught ~$248B, No Notional Ceiling on the Rest

A Citigroup trader clicked through a single pop-up listing 711 warning messages — only the first 18 visible without scrolling — and released a $444B basket order instead of the intended $58M; ~$1.4B sold before cancellation and the FCA/PRA fined Citigroup £61.6M.

Unauthorized financial actionFail-closed limitsHigh-risk approval gateSegregation of dutiesNamed approval gate

What happened

On May 2, 2022, a Citigroup trader intended to sell a $58M basket but entered the figure in the wrong field of the manual execution UI, creating a $444B basket order. This was human operator error, not an action taken by an autonomous AI agent. The system did have hard blocks: two hard blocks that could not be overridden rejected about $248B, and various controls together prevented about $255B of the $444B before the rest progressed. The remaining path carried only soft, overridable warnings and no hard notional ceiling. That path triggered a pop-up presenting 711 warning and soft-block messages, of which only the first 18 lines were visible without scrolling; the trader dismissed the entire pop-up with a single click without scrolling through it. About $189B reached the execution algorithm and approximately $1.4B sold before the trader cancelled. The execution briefly crashed the OMX Stockholm 30 index by about 8 percent. The FCA and PRA fined Citigroup £61.6M in May 2024 for inadequate controls.

What the agent did

A human trader, not an autonomous agent, manually entered and released a basket order with notional value ($444B) orders of magnitude larger than intended ($58M). Hard blocks stopped about $248B and various controls together prevented about $255B, but the remaining submission path had no hard notional ceiling and no requirement for second-party approval of the over-threshold release, so about $189B proceeded to the execution algorithm.

The irreversible effect

Approximately $1.4B in securities sold before cancellation; OMX Stockholm 30 index dropped ~8%; regulatory fine of £61.6M; reputational damage and market disruption.

Root cause

The hard blocks that existed caught about $248B and could not be overridden, but the remaining submission path had only soft warnings. A single click dismissed a pop-up containing 711 warning messages, most of which were never seen. The gap was the absence of a hard per-invocation notional ceiling on that path, plus no second-party approval requirement for over-cap submissions and no segregation of duties preventing one operator from releasing an exceptional order. The over-cap release path had no approval gate required.

How a maker-checker control would have refused it

MakerChecker's proxy would refuse the $444B submission with `limit_violation` if citi-trade-submit-capped@2 carried a maxAmountPerInvocation limit (e.g., $1B). The only over-cap release path would be citi-trade-submit-uncapped@1 marked risk_tier: high, which the proxy refuses with `high_risk_requires_gate`, requiring the submission to route through a governed flow with a preceding approval gate (a named human sign-off that the requester cannot bypass or self-approve).

Runnable reproduction

This incident ships as a runnable scenario in the open-source repository. Point the enforcement engine at the policy and watch the action get refused, with the refusal written to a signed audit record.

examples/citigroup-444b-fat-finger-overridable-warning

View the reproduction on GitHub →

Accuracy and corrections

This entry describes a publicly reported incident and is compiled from the primary sources listed above. Where an account is a legal allegation rather than an established finding, the entry labels it as such. Summaries can still contain errors. If you can document a correction, email hello@makerchecker.ai and we will review and correct it, with the change noted, within 14 days.

See it for yourself

Reading is one thing. Watch it block an agent.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Designed against the rules your auditors already enforce.