As more details emerge on the rogue trading scandal that caused a EUR4.9 billion loss, Société Générale appears more a victim of risk management failures than of a genius of fraud. But is this case a one-off, or are other institutions similarly vulnerable? Rob Davies reports
It is several years since the actions of Nick Leeson, John Rusnak and Yasuo Hamanaka respectively devastated Barings, Allied Irish Bank and Sumitomo Corporation, but their misdeeds continue to cast a shadow over the financial sector. Soon to join them in the rogue trading hall of shame is 31-year-old Jerome Kerviel, a junior trader whose unauthorised activity was enough to wipe out almost two years of profit from Société Générale's (SG) lucrative equity derivatives business.
Although there are those in the industry who view recent events as a one-off that could never happen to their own institution, others say the reoccurrence of rogue trading suggests this complacency is unwise.
"These situations happen too frequently: we should only see this once every 50 years," says Enrico Dallavecchia, Washington, DC-based chief risk officer at US government mortgage agency Fannie Mae. "In most circumstances, when you get a loss like this, it would be enough to take a company down. The industry needs to ask tough questions about why this kind of thing happens with relative frequency."
Kerviel is not the first and almost certainly will not be the last trader to take unauthorised bets with his employer's money, acknowledge bankers. "Every society has a police force and prisons, because you will always get people who don't follow the rules," says Hugo Banziger, Frankfurt-based chief risk officer and member of the management board at Deutsche Bank. "You can apply the same principles to the trading floor - no matter how sophisticated the technology, you will always get people trying to beat the system."
One commonality to the rogue trading scandals discovered to date is the banks involved are seen as victims. There is clearly validity in this, but an internal audit released on February 20 by SG raises questions about the quality of supervision, internal processes and, more broadly, the risk management culture in place at the bank.
On January 24, SG announced a trading loss amounting to EUR4.9 billion, which it attributed to unauthorised positions and fictitious trades built up by a junior arbitrage trader, later named as Kerviel, on its delta-one equity derivatives desk. Kerviel allegedly began the process of conducting fake trades soon after joining the desk in 2005. It was only when the bank called an external counterparty to verify a number of ultimately false trades that SG discovered Kerviel's unhedged positions had risen to a notional amount of EUR49 billion (see box).
However, in light of the SG report, it appears the bank had received repeated warning signs about Kerviel's trading activity, as well as regulatory calls to tighten its internal controls. On 93 occasions between June 2006 and January 2008, internal monitors raised alarms to the back/middle-office operations team, the global equity derivatives department, the accounting group and/or the group risk office, the report states. But whenever red flags were raised, the departments questioning Kerviel took his explanation of events at face value without further investigation, and chose not to pass the information up the chain of command. This is despite abnormalities with certain trades, including products scheduled to mature on a Saturday - logistically impossible.
This suggests - regardless of the lengths Kerviel went to conceal his trades - the bank was culpable of failing to supervise and allowing weaknesses to creep into its risk management practices. In the report, SG claims controls provided by the support and control functions were carried out in accordance with procedures, but did not make it possible to identify the fraud before January 18. But it concedes it did not properly respond to early warnings: "The failure to identify the fraud can be attributed firstly to the efficiency and variety of the concealment techniques employed by the fraudster; secondly to the fact operating staff did not systematically carry out more detailed checks; and finally to the absence of certain controls that were not provided and which might have identified the fraud."
Kerviel's remit was managing two portfolios of similar composition, conducting arbitrage trades to exploit slight differences between the two. Considered a low-risk business, delta-one trading proceeds are low relative to gross exposures. According to Paris court documents, the desk was not permitted to have aggregate net exposures exceeding $125 million. Yet, by mid-January, Kerviel had taken almost EUR50 billion worth of directional futures positions on European equity indexes, including the Dow Jones Eurostoxx 50, Dax and the FTSE 100.
The SG report - and one released by the Ministry of Economy, Finance and Employment on February 4 - detail Kerviel's method of creating fictitious hedges to conceal the true extent of his unauthorised directional trades. The ministry noted a repeated pattern of Kerviel entering fake hedges to offset real positions, cancelling them prior to their being picked up by controls or requiring confirmation or margin payments, before entering new (also fake) trades to replace them.
Specifically, Kerviel conducted advanced trades with fictitious counterparties of time-dependent securities, including warrants, which would only be confirmed a few days before expiry. He also entered into futures transactions where the counterparty was described as pending - meaning the name of the entity was omitted so it would not be transmitted to the back-office system.
Additionally, Kerviel conducted fictitious forward trades with counterparties within the SG group, which did not require margin payments. In the fake forward trades with external counterparties - used to close 2007 positions - Kerviel allegedly produced forged faxed confirmations to avoid suspicion.
SG says Kerviel's computer skills and five years' experience working in the bank's back office gave him intimate knowledge of how its controls worked and ways to get around them. The bank claims Kerviel would stay in the office late and - knowing the timing of the nightly reconciliation of the day's trades - would delete and then re-enter unauthorised transactions.
"He misappropriated the IT access codes belonging to operators in order to cancel certain operations," said the bank in a statement. This enabled Kerviel to eliminate credit and trade-size controls, so his giant trades did not show up to risk managers until the internal audit in January.
While Kerviel's unauthorised trades date back to 2005, it was only in 2007 that the size of his directional bets in index futures increased significantly - totalling EUR28 billion by the end of 2007 and increasing by EUR21 billion before his true positions were discovered.
The appeal court documents reveal the fluctuating fortunes of Kerviel's bets. By July 3, Kerviel was reportedly down EUR2.16 billion, but had managed to turn that around to amass a pre-tax profit of EUR1.46 billion by December 31, 2007.
SG officials stick to their initial claims that Kerviel's computer skills and previous experience in the back office was key to his ability to bypass controls. However, on top of the 93 internal red flags, an external party had drawn attention to unusual activity by the trader months before news of the scandal broke.
Eurex, the Frankfurt-based derivatives exchange and clearing house, contacted SG on November 7 and 26 following concerns about the abnormal character of several trades over a seven-month period. In particular, Eurex pointed to two large positions - one net short in Dax futures and one net long in the Dow Jones Eurostoxx 50 index - and enquired what Kerviel's strategy was and why so many trades were entered by Fimat Futures, SG's brokerage subsidiary (renamed Newedge in January).
On December 10, SG replied to the effect there was nothing suspicious about Kerviel's activities, and the details it provided to substantiate this claim seemed to satisfy the trader's employers. Despite this, Kerviel's links with a particular broker at Fimat - Moussa Bakir - came to the attention of the brokerage in September 2007, and the firm began investigating reasons for an increase in commissions for cash equities received by Bakir in the third quarter of last year.
The initial findings were enough for Fimat to launch a full investigation into deals conducted by the pair in November, which was ongoing when Kerviel's positions were discovered by SG. Bakir was subsequently questioned by police between February 7 and 9 and named as a material witness in the case against Kerviel.
In the registration document for a EUR5.5 billion rights issue, completed by SG in February to shore up its decimated balance sheet, the bank saw significance in Kerviel's relationship with Bakir. "It would appear an employee of a brokerage company, used to carry out the trader's transactions and offset his positions, had been informed by the trader some time ago of the large positions he had taken and the requests for information by Eurex," the bank said.
SG cannot claim it was not warned about the need to improve its internal systems. The bank was visited 17 times by Commission Bancaire in 2006 and 2007, with inspections particularly focused on the riskiest parts of the bank's business. In March 2007, the supervisor sent a letter to the chairman and chief executive of SG, Daniel Bouton, recommending SG strengthen its teams and resources dedicated to counterparties. The recommendation specifically pointed to the bank's structured equity derivatives business.
Commission Bancaire, currently conducting its own investigation, has pointed to several shortcomings. These include a failure to monitor nominal outstanding positions, as opposed to net positions, which reveal limited market risk. The watchdog added thwt improvements are needed in monitoring cash movements, including margin calls, responding to information requests, and scrutiny of trade cancellations and modifications by a single trader.
These weaknesses were confirmed in SG's own report. "There were no controls on cancelled or modified transactions, nor on transactions with a deferred start, nor on high nominal positions, nor on non-transactional flow within a month, which are all analyses that would have probably allowed the fraud to be identified," the bank acknowledged.
Additional recommendations from the regulator include ensuring confirmations with all counterparties, the strengthening of Chinese walls between the front and back office, protecting access codes and system security, and monitoring unusual behaviour by employees, such as not taking mandatory holidays.
Evidence presented so far reveals several areas where controls broke down. This is why losses were so large, and it is also what has stunned most observers. "The first thought that springs to mind is there must be a failure of basic operational risk controls," says James Lam, Boston-based president of risk management consultancy James Lam & Associates. "The three that come to mind are the confirmation process, cash management margin call processes and - above all - the failure to supervise." If any one of the controls was working effectively, it is unlikely this event would have happened, adds Lam.
Plenty of attention has focused on Kerviel's ability to use colleagues' passwords to hack into systems he was not supposed to have access to. Analysts see this as particularly surprising given security measures widely adopted across the industry. "This is extremely unusual - they don't get passed around the trading floor," says Mark Williams, a professor at Boston University and former examiner at the US Federal Reserve. "That shows how weak the control environment was."
A London-based head of European equity derivatives at a US bank adds: "At this bank, if somebody moves from one cost centre to another, their system access has to be renewed through a centralised, automated system that tracks this. Their manager would then have to revalidate that they are entitled to keep passwords to systems or not. If you build a system to do this, it should always work, and it makes the difference between having lots of people slipping under the net or not."
Kerviel was allegedly able to provide forged confirmation documents for his faked hedges. However, risk managers cannot understand why the back office seems not to have been called on to verify all Kerviel's trades the moment Eurex began asking questions. "If a trader conducted a fictitious deal that was technically within his own limits, we would uncover this quickly when the back office wrote to the counterparty to verify the trade," says Henning Giesecke, Milan-based chief risk officer for UniCredit Group. "This is something we do daily. Additionally, everything should be voice-recorded from the trading room. Regular checks of this would be able to pick up whether the trade was real or not."
Although Kerviel's apparent use of fake hedges meant his overall increase in exposures went unseen by risk managers, his constant cancellation of trades should have warranted investigation much sooner, say dealers. "If he was able to cancel a trade or book a new one before the confirm was sent out, the clock would start again," says a London-based head of equity derivatives at a European bank. "But at our bank, we actively monitor cancel-and-correct activity for each trader, which is standard practice at most institutions. It would stick out like a sore thumb if you had one trader who was perpetually cancelling and correcting trades."
In the view of risk managers, another point of weakness was SG's practice of monitoring net, rather than gross, positions. "In high-volume businesses, banks have to look at the gross as well as the net position," asserts Giesecke. "This allows an institution to look at each trader's book to see whether they are taking too much risk, regardless of whether the net position is neutral."
A London-based chief risk officer at a UK bank adds: "To effectively manage basis risk, you have to be able to see how the outright position - the notional - performs against the hedge. It is inconceivable such a sophisticated institution could have missed this. Modern systems are able to stress-test positions, and to do this you automatically need the notional amount. This is also your starting point for finding what the market rates are. And if their system is able to stress test, nobody could have been regularly running reports. That would be the fault of the line managers."
One key defence against rogue trading is mandatory time away. Essentially, traders have to take two consecutive weeks' holiday, during which time their books are looked at by a third party not associated with that business group. In 2007, Kerviel took just four days' holiday.
One risk manager says this is one control that has to be enforced, despite the unwillingness of some traders. "To do this effectively, you have to link holiday control systems to the access control system," he explains. "This is an automated system that makes sure when people are signed off to be on holiday, they aren't accessing the trading system - either from the office or remotely."
According to some observers, SG's apparent failure to comply with this industry standard indicates a breakdown in risk management processes. "One interesting point to note is he was at one point making sizeable profits, even though controls had been broken," says Richard Clarke, London-based director of internal audit at consultancy Resources Global Professionals. "If you have a culture where this is accepted on the upside, there has to be wider responsibility when markets turn the other way."
It is difficult to say for sure that a culture of excessive risk-taking had crept in at SG. In any event, marrying the goals of trading and risk management teams has never been straightforward. "Risk management and the trading operation have two distinct cultures: how those interact says a lot about the bank as a whole," says Rick Nason, associate professor of finance at Dalhousie University, Halifax, Canada, and partner at risk management consultancy RSD Solutions. "At some institutions, risk managers are seen as 'Doctor No', while the traders see themselves as masters of the universe."
That is particularly true given the remuneration structures at most banks. "Traders are compensated based on the returns they generate, so it is easy to see why traders could be tempted to take more risk than is desirable for the firm," adds Ali Samad-Khan, New York-based head of operational risk management consulting at Towers Perrin. "If the message coming down from the top of the organisation is not right and there are insufficient controls in areas where risks are biggest, agents will continue to take excessive risks as long as they are making money."
Incidents of large-scale unauthorised trading do not happen every week, which would indicate many firms have struck the right balance between risk management and risk-taking. According to Deutsche's Banziger, multiple lines of defence are critical to minimising risks. "This has to start with effective supervision and an independent price evaluation process," he says. "Routine IT controls can monitor unusual trades put on and cancelled - this is a particularly effective control mechanism. You also have to control when people take holidays and map password access against the job description. It is the combined use of these types of control that makes sure any fraudulent activity is picked up sooner."
Banks may have invested hugely in systems to measure risk, but Dallavecchia says human capital is just as vital a tool in managing risk. "You can put controls and technology in place, but if you don't have effective human interaction, you won't get adequate following up of strange confirmations, for example," he argues. "Human resource issues are as important as compliance: does the company do proper background or credit checks on key employees annually or look at whether employees have suffered stress in their personal life that affects their ability to work? Risk managers, compliance and regulators need to focus on these kinds of issues."
Most of the 93 alerts were sent to multiple departments. Some observers say the fact Kerviel was not caught sooner is indicative of a siloed organisation structure. "There is a human dimension to this, which is who decides where there is a trigger of a problem: how is it identified and who decides what subsequent actions must be taken?" says Cindy Levy, London-based director at consultancy firm McKinsey. "Quite frankly, these organisations are incredibly complex. There are so many desks, product areas and geographies, that some banks have struggled with the 'who's my boss' problem."
This is why some firms have or are looking to put in place a centralised enterprise risk management dashboard. "This would enable banks to connect different metrics and early warning signals that are related to one trader, office or counterparty," explains Lam of James Lam & Associates.
The regulatory response to events at SG, at least in the UK, will put the onus on banks to determine whether controls are up to scratch. "Rogue trading is not something firms can guarantee they can eliminate. We do expect them to have the right control culture, governance, systems and controls in place to actively deter unauthorised trading or, if it does take place, to detect it as soon as possible," says a Financial Services Authority spokesman.
Following the losses at SG, rival banks are likely to look very closely at their own controls, with the aim of plugging any weaknesses. In fact, many banks set up committees to begin the process of internal checks soon after news of the SG scandal broke. "You can't have an event like this go off without every single bank forming a working committee looking out for similar weaknesses in their own systems and lessons learned," says one London-based equity derivatives head at a European house. "It would be irresponsible not to."
CHANGED COUNTERPARTY TRIGGERED TRADER'S DEMISE
The chain of events leading to Jerome Kerviel's discovery apparently started on January 2, when the trader changed an internal counterparty - considered zero risk - on eight fake forward trades to an external bank counterparty on the bank's trading system, Société Générale stated in its internal audit report, released on February 20. On January 7, the change showed up on the group risk office's dashboard as representing extremely high counterparty risk. Calculation of regulatory capital requirements revealed an elevated Cooke ratio - capital to risk-weighted assets with respect to a counterparty.
When questioned on January 15, Kerviel assured his superiors the trades could be netted out and had been cleared using modelling. However, on January 16, the bank's accounting group began looking into documentation of the deals. The following day, Kerviel was questioned again. He now said the external counterparty was in fact a different bank to the one originally entered on the system, so the Cooke ratio would be fine. When asked to produce signed confirmation documents to verify the trades, Kerviel allegedly sent off a faked document signed by the new bank, and entered the trades into the trading system - six with the new bank and two marked pending.
Unfortunately for Kerviel, on January 18, one of his questioners called a friend who worked at the external counterparty. When the counterparty said it had no record of the transaction, Kerviel was brought in by SG for questioning on January 19, where it emerged the size of his unhedged positions had risen to a notional EUR49 billion.
More on Operational Risk
Heavy regulatory costs and fragile systems will be problems in 2015
Avoiding model failure will be a key issue in 2015
Tax evasion, corporate ownership and sanctions will all be concerns
Operational risk managers highlight repeat failures at firms
Sign up for Risk.net email alerts
Sponsored webinar: IBM Risk Analytics
Nominated for two technology awards
Nominated for post trade technology award
Sponsored webinar: Collateral and counterparty tracking
There are no comments submitted yet. Do you have an interesting opinion? Then be the first to post a comment.