Why controls exist, audits pass, and fraud keeps happening: an exclusive article by Diogo Ferreira.
On August 11, 2020, a Wipro contractor in India opened Citibank’s loan processing system, Oracle’s Flexcube, and entered an instruction. His supervisor approved. A senior manager at Citibank in Delaware gave the final sign-off.
Six eyes on the transaction. In compliance terms, the standard protocol for high-value wire transfers.
The intent was to pay $7.8 million in interest to lenders on a Revlon loan. What left the bank instead was $893.9 million: the entire principal of the loan, three years before maturity.
The next morning, during reconciliation, Citi’s Delaware manager messaged the team with two words: “Oh my.”
Citibank had a six-eye protocol. It didn’t have a single brain reading the context.
The controls that failed weren’t primitive. They were modern on paper. Maker, checker, approver. Field validation. Wash account configured. Confirmation prompt before any funds leave the bank.
But everything those controls validated was a number. Correct destination account? Yes. Amount within authorized range? Yes. Three approvals? Yes. Wire executed? Yes.
None of the six eyes looked at the scenario surrounding that transfer.
And the scenario was screaming.
Revlon was insolvent. Its debt was trading in the secondary market at 30 cents on the dollar, a clear signal that lenders no longer believed in full repayment. Four days earlier, the company had launched an exchange offer on its 2021 Notes, a desperate move to avoid acceleration. There was no prior notice of prepayment, although the credit agreement required one. And the lenders about to receive the money were at war with Citibank itself, preparing a lawsuit that would be filed the day after the error, accusing the bank of rigging lender votes in Revlon’s favor.
In other words, Citibank was about to execute a near-billion-dollar payment, with no contractual basis, to hostile creditors, three years before maturity, in the middle of one of the loudest disputes in the syndicated loan market that year.
All of it was public. Court filings. Rating agency reports. Bloomberg headlines. None of it entered the wire approval flow. Because the flow reads fields, not reality.
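What a control that reads the scenario would do, shown as an added example that is not from the article, from Citi or from Flexcube: the field-level checks the text describes run first and pass, then a second pass reads the same instruction against the loan record and the public context. The loan, the two instructions, the market data, the payee list, the AMOUNT_LIMIT ceiling and the thresholds (ten times scheduled interest, a secondary price under 50 cents) are constructed for illustration, loosely shaped like the case in the text, and are not the case file's figures.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Loan:
    borrower: str
    principal: float
    maturity: date
    interest_due: float        # interest scheduled for this payment date
    prepayment_notice: bool    # the credit agreement requires notice before prepayment


@dataclass
class Context:
    secondary_price: float     # cents on the dollar in the secondary market
    borrower_events: list      # recent public events about the borrower
    dispute_with_payees: bool  # agent and payees in, or about to be in, litigation


@dataclass
class Instruction:
    payees: list
    amount: float
    approvals: int
    value_date: date


AUTHORIZED_PAYEES = {"Lender A", "Lender B", "Lender C"}  # constructed payee list
AMOUNT_LIMIT = 1_000_000_000.0                             # assumed per-wire ceiling


def field_checks(instr: Instruction) -> list:
    """The maker/checker/approver view: every test is a test of a field."""
    failures = []
    if not set(instr.payees) <= AUTHORIZED_PAYEES:
        failures.append("payee not on the authorized list")
    if not 0 < instr.amount <= AMOUNT_LIMIT:
        failures.append("amount outside authorized range")
    if instr.approvals < 3:
        failures.append("fewer than three approvals")
    return failures


def context_checks(instr: Instruction, loan: Loan, ctx: Context) -> list:
    """The scenario view: the same instruction read against the loan and the market."""
    flags = []
    # Scheduled interest to a distressed borrower's lenders is routine; the context
    # only matters once the payment departs from the schedule (assumed 1.5x tolerance).
    if instr.amount <= 1.5 * loan.interest_due:
        return flags
    if instr.amount > 10 * loan.interest_due:
        flags.append(f"amount is {instr.amount / loan.interest_due:.0f}x the scheduled interest")
    years_early = (loan.maturity - instr.value_date).days / 365.25
    if instr.amount >= loan.principal and years_early > 0:
        flags.append(f"full principal {years_early:.1f} years before maturity")
        if not loan.prepayment_notice:
            flags.append("no prepayment notice on file")
    if ctx.secondary_price < 50:
        flags.append(f"loan trades at {ctx.secondary_price:.0f} cents on the dollar")
    for event in ctx.borrower_events:
        if "exchange offer" in event.lower():
            flags.append(f"borrower distress event: {event}")
    if ctx.dispute_with_payees:
        flags.append("payees are adverse parties in a live dispute")
    return flags


def release_decision(instr: Instruction, loan: Loan, ctx: Context) -> dict:
    """Both passes together; a wire is released only when neither raises anything."""
    fields = field_checks(instr)
    context = context_checks(instr, loan, ctx)
    return {"field_failures": fields, "context_flags": context,
            "release": not fields and not context}


# Constructed records shaped like the case in the text (not the case file's figures).
REVLON_LIKE = Loan(borrower="Borrower X", principal=893_900_000.0,
                   maturity=date(2023, 8, 11), interest_due=7_800_000.0,
                   prepayment_notice=False)
MARKET = Context(secondary_price=30.0,
                 borrower_events=["exchange offer launched on 2021 notes"],
                 dispute_with_payees=True)
INTEREST_WIRE = Instruction(payees=["Lender A", "Lender B", "Lender C"],
                            amount=7_800_000.0, approvals=3, value_date=date(2020, 8, 11))
PRINCIPAL_WIRE = Instruction(payees=["Lender A", "Lender B", "Lender C"],
                             amount=893_900_000.0, approvals=3, value_date=date(2020, 8, 11))

if __name__ == "__main__":
    for name, wire in (("interest", INTEREST_WIRE), ("principal", PRINCIPAL_WIRE)):
        print(name, release_decision(wire, REVLON_LIKE, MARKET))
```

The interest wire clears both passes. The principal wire clears the field pass, which is the whole point, and collects six context flags. In a real deployment the context inputs would come from the loan system of record, a market data feed and a litigation register, and any flag would route the wire to a person who reads the whole list rather than one field.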
The other side of the story: nobody called back.
When the $894 million landed in 315 lender accounts, most acted as if they had received a legitimate near-billion-dollar payoff from an insolvent company, with no notice, three years before the loan was due.
About $390 million came back in the first days. Another $504 million did not.
Look at the behavior of those who held the money.
Symphony Asset Management actively confirmed with administrators and custodians that each client had received the payment, and instructed the custodians to record it as a loan paydown. When Citi sent the recall notice the next afternoon, Symphony told its custodians not to comply.
Brigade Capital received a cash flow statement from a fund administrator that morning. Its bank debt manager messaged colleagues internally: “Revlon full paydown?” Soon after, he read Citi’s recall notice stating, in plain language, that the principal had been “released erroneously.” He still froze the funds.
Allstate raised the question internally: “Could this be a mistake?”, and chose not to investigate. It didn’t call Citi. It didn’t check with Revlon. It only verified that the payment had reached its clients’ accounts.
This isn’t carelessness. It’s the opposite of carelessness. It’s reading the scenario in reverse: the sophisticated creditor reads the window, reads the legal doctrine that might protect retention (discharge-for-value, set out in the 1937 Restatement of Restitution and adopted by New York’s highest court in 1991, which under specific conditions allows a recipient to keep funds paid in error), and reads the size of the opportunity. It calculates that there is a defensible chance to retain. And it stays quiet.
Citibank spent two years in court. It lost at trial. It won on appeal. The case settled in December 2022.
Citi’s controls saw a valid wire. The lenders saw a legal opportunity. Nobody saw the scenario — because nobody had been trained to.
A case from my files. Same anatomy.
I once investigated a corporate fraud in which an employee diverted several million reais over the course of years.
The company had everything you’d expect from a mature operation. Internal audit. External audit. Documented controls. All passed.
The transactions were right there in the records, in a form the auditor could check — and did. Reconciliation matched. Numbers added up.
What no one read, for years, was the behavior.
She didn’t take a vacation. When she did, it was a short stretch. She didn’t delegate. She insisted on running the entire cycle herself. Her lifestyle changed without a visible explanation.
The fraud only surfaced because an anonymous tip reached the company, and that happened during one of her rare absences. With her away, someone could finally look at what she had been concealing. Without her in the chair, the informal control that had kept everything in her hands, “leave it with me,” stopped working.
The employee who never takes a vacation. The employee who never delegates. The employee who insists on controlling every step, from data entry to reconciliation. The employee whose lifestyle changes without a plausible explanation.
Each of these has been in fraud audit textbooks since the 1980s. All were visible. The company had auditors. It didn’t have readers.
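The indicators above as a screen over activity and leave records, added here as an illustration and not code from the article or from the company it describes. The audit trail, the leave table and the two thresholds (a 10-day minimum absence, more than half of one's own entries self-reconciled) are constructed and assumed; the lifestyle-change indicator is left out because it does not live in system logs.

```python
from datetime import date

# Constructed ERP audit trail: (employee, action, transaction_id).
ACTIVITY = [
    ("ana", "entry", "T1"), ("ana", "reconcile", "T1"),
    ("ana", "entry", "T2"), ("ana", "reconcile", "T2"),
    ("ana", "entry", "T3"), ("ana", "reconcile", "T3"),
    ("bob", "entry", "T4"), ("carla", "reconcile", "T4"),
    ("bob", "entry", "T5"), ("carla", "reconcile", "T5"),
]

# Constructed leave records: (employee, first day, last day), inclusive.
LEAVE = [
    ("ana", date(2023, 3, 6), date(2023, 3, 8)),
    ("bob", date(2023, 7, 3), date(2023, 7, 21)),
    ("carla", date(2023, 9, 4), date(2023, 9, 15)),
]

MIN_LEAVE_DAYS = 10     # assumed mandatory-absence policy
MAX_SELF_CLOSED = 0.5   # assumed tolerance for reconciling one's own entries


def longest_leave(employee, leave=LEAVE):
    """Longest single absence in days; 0 if the employee never took leave."""
    spans = ((end - start).days + 1 for emp, start, end in leave if emp == employee)
    return max(spans, default=0)


def self_closed_fraction(employee, activity=ACTIVITY):
    """Share of transactions this employee entered that the same employee reconciled."""
    entered = {t for emp, action, t in activity if emp == employee and action == "entry"}
    if not entered:
        return 0.0
    reconciled = {t for emp, action, t in activity if emp == employee and action == "reconcile"}
    return len(entered & reconciled) / len(entered)


def sole_operator(employee, activity=ACTIVITY):
    """True when no other employee touched any transaction this employee entered."""
    entered = {t for emp, action, t in activity if emp == employee and action == "entry"}
    if not entered:
        return False
    return not any(t in entered and emp != employee for emp, _, t in activity)


def behavioral_flags(employee, activity=ACTIVITY, leave=LEAVE):
    """The textbook indicators that can be read from records rather than from numbers."""
    flags = []
    days = longest_leave(employee, leave)
    if days < MIN_LEAVE_DAYS:
        flags.append(f"longest absence {days} days, under the {MIN_LEAVE_DAYS}-day minimum")
    share = self_closed_fraction(employee, activity)
    if share > MAX_SELF_CLOSED:
        flags.append(f"reconciles {share:.0%} of own entries")
    if sole_operator(employee, activity):
        flags.append("no second person has touched this employee's transactions")
    return flags


def screen(activity=ACTIVITY, leave=LEAVE):
    """Run the screen for every employee seen in the activity log."""
    employees = sorted({emp for emp, _, _ in activity})
    return {emp: behavioral_flags(emp, activity, leave) for emp in employees}


if __name__ == "__main__":
    for emp, flags in screen().items():
        print(emp, flags or "no flags")
```

Nothing here reconciles a number. Every flag comes from who did what, when, and who did not, which is exactly the reading the auditors in the story never made. Against the constructed data, "ana" raises all three flags and the two colleagues who share a maker/checker split raise none.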
Same screen. Two readings.
The difference between the Citibank case and that Brazilian fraud isn’t size, geography, or financial sophistication. It’s the same failure at two scales.
Controls look at fields. Correct account, amount in range, three signatures, entry within template. All necessary. None sufficient.
Those who operate against the system learned long ago to read windows. To read behavior. To read who is watching and who isn’t. To read the doctrine, process, audit cycle, week of the month, and supervisor’s absence. The internal fraudster doesn’t study the ERP. She studies who touches it, when, and which part nobody reviews.
As long as controls only watch data, they will always be one step behind those who read scenarios. No matter how many layers of six eyes exist. No matter how many audits pass.
The contractual fix isn’t a fix.
After Revlon, the loan industry produced a contractual response. The Loan Syndications and Trading Association drafted a model “Erroneous Payment Provision”, quickly nicknamed the “Revlon Blocker.” It now appears in nearly every U.S. credit agreement. Under the new clause, lenders must return mistaken payments within two business days. The agent’s determination of error is conclusive absent manifest error. The discharge-for-value defense is contractually waived.
It’s a useful patch. But it patches the legal hole, not the operational one. Three people still approved an $894 million wire without reading the scenario. Ten asset managers still calculated whether silence could be defended. Citibank still sat under regulatory consent orders, paid $400 million in penalties to the OCC, lost its CEO, Michael Corbat, to early retirement, and four years later was fined another $135 million for insufficient progress on the very controls the Revlon error exposed.
In April 2024, Citi credited a customer’s account with $81 trillion instead of $280. Two employees missed the error. A third caught it ninety minutes later. Same bank, same architecture, same logic. The Revlon Blocker doesn’t help when the controls themselves are reading fields.
Read the scenario. Read the behavior. Not just the numbers.
That’s what separates those who detect from those who are detected.
Because crime isn’t random. It follows patterns. And patterns are behavior, not numbers.
Key Points
- Citibank mistakenly transferred $893.9 million instead of a $7.8 million interest payment in the Revlon loan case.
- The payment passed multiple operational controls despite obvious contextual red flags surrounding Revlon’s financial distress.
- Several lenders recognized the unusual nature of the payment but evaluated whether they could legally retain the funds.
- The case exposed how many AML and operational controls validate transactional data without assessing behavioral or commercial logic.
- The incident accelerated industry adoption of “Revlon Blocker” clauses but did not fully solve broader contextual risk weaknesses.
Related Links
- Federal Reserve Consent Orders Against Citigroup
- OCC Enforcement Action Against Citibank
- LSTA Erroneous Payment Provision Guidance
- FATF Guidance on Risk Based Approach
- New York Court of Appeals Discharge for Value Doctrine