Trading with restraint

There is evidence to suggest that 90% of 'unsanctioned' loss incidents never make it into the public domain. Most are 'managed out', with positions being absorbed or hedged. Others may never be detected. The typical loss profile of such incidents is highly dependent on the instrument and the organisation, but the majority are far smaller than media headlines would suggest. Only a small minority, where the losses are inescapably huge, emerge to become public knowledge.

Rogue traders can make temporary profits too. Jérôme Kerviel has alleged, for example, that others were aware of his dealings but, while they were in the black, oversight was benign. Clearly, unmanaged risk is always bad. It is up to the institutions to prevent rogue trading before losses occur.

To answer your second point, what happened at SG is extraordinary in size but not extraordinary in nature as the survey we undertook proved. We also found that about half of the banks use a technology to check when traders overstep trading parameters but less than 8% use analytical profiling tools.

I feel it is worth pointing out that Actimize is the only vendor with convergence solutions in fraud detection and market abuse that can detect this kind of fraud. Aside from this, you must have seen recently in the press articles about financial institutions being fined by the regulator for failing to exercise proper control over traders who inflated loss to their banks, so this activity is not at all uncommon.

Recent high-profile cases of fraud have received much media attention, perhaps due to the fact that organisations are under increasing scrutiny regarding fraudulent activity. However, publicising these incidents is no bad thing as it raises awareness of the fact that the risk of rogue trading is real and, more importantly, is a reminder that internal processes can and do fail.

The direct financial costs resulting from fines, penalties, lawsuits and credit ratings can cost firms millions. However, qualitative measures of loss such as damaged reputation, credibility within the industry and employee morale should not be underestimated. It can take years to build a credible reputation and just one rogue trader incident to destroy it. In recent years, SG senior management built an unrivalled reputation and professional respect within the French banking industry as it successfully fought off hostile takeover bids. Now the same management is tarnished by lack of governance, supervision and control in a key part of the business.

Instant messaging communication may come under some sort of restriction. Policing is difficult: how can instant messages be reviewed in the context of legitimate trades, particularly when slang is used (which constantly evolves) and can hide real intention? This makes oversight very difficult.

Regulators may look to banks to rethink how they go about devising and testing their controls for fraud. With Sarbanes-Oxley (Sox) there is a shift away from process-mapping controls to scenario-building.

Recent large-scale frauds have shown that specialist expertise (beyond auditors and operational risk) is needed to stress-test the control environment and identify schemes that circumvent the controls. Audit committees will have more confidence in the results of audit reports if the control environment has been stress-tested, improvements recommended and adopted.

Trade monitoring has evolved enormously since the Barings case. Recognising that operational risks generally arise from a confluence of factors across the enterprise, regulators are encouraging institutions to replace the isolated monitoring of trading activity with an enterprise-wide risk management approach. This is an applaudable recognition of a fact amply demonstrated by the Kerviel case; that factors such as information and corporate security - which have typically lain outside the jurisdiction of traditional trade monitoring processes - can be contributory factors in trading activity abuses.

We expect the SG case will speed up this shift. In future, regulators will require proof of an organisation's ability to identify and connect 'early warning signs' arising across their business that, though insignificant in isolation, collectively, pose a significant enterprise risk. Such early warning signs were clearly missed at SG and, as a result, its reputation, credibility and ability to do business has taken a serious blow.

These are technology problems and they require technology solutions. Software that can automate risk management for spreadsheets and other desktop-based information is available and in use today. These offerings can provide comprehensive, policy-based controls automation with functionality including the ability to discover new or changed spreadsheets, create detailed audit logs of changes to spreadsheets over time and perform automated risk assessment. They can detect control violations and notify the appropriate authorities, as well as conduct forensic analysis. And, crucially, they offer extensive reporting capabilities and management visibility, with dashboards that work with the risk management platforms that financial institutions already have in place.

When these technologies are widely adopted across the financial industry, a very dangerous fraud-control blind spot will be eliminated. Suspicious activity - for example, a junior trader with an unaudited spreadsheet that contains exceptionally large sums, unusually complex formulas or unexplained external data feeds - can be 'red-flagged' by these systems, simply, quickly and on a company-wide scale. The audit group can be notified of high-risk activity that violates the institution's established control policies and a secure copy of the spreadsheet can be created automatically for analysis. If the spreadsheet turns out to have a legitimate purpose, it can be placed under more direct control, with appropriate access security and version management. And throughout the process, documentation and a 'chain of accountability' can be maintained to ensure adequate record-keeping and satisfy the requirements of auditors and regulators.

Internal processes will come under increased scrutiny, particularly where back- or middle-office staff interact with the front office. Two-factor authentication will become a minimum standard for access to trade monitoring and other compliance systems, and we expect the use of biometric authentication to increase.

In addition, we expect institutions to review how they treat product risks. For example, Kerviel's work area was classed as dealing in 'low' or 'standard risk' products. However, the IT system that assessed the risk of trades in these products accepted manually entered bogus trades (from Kerviel himself), increasing the severity of the underlying operational risk.

Opportunity for fraud prevention is lost when businesses focus too much on the control process, and thereby fail to tap into their most valuable asset in a meaningful way: their people.

To understand how to bypass any control, speak to employees who use your systems and processes every day. They are guaranteed to know the loopholes. We help uncover the loopholes with experienced fraud risk professionals. Knowing how to ask the right questions, in a non-confrontational environment, will uncover the loopholes that will allow fraud to succeed in your business, both internal and external.

We have reviewed business units, including derivatives, securities, treasury, trade finance, equities, consumer banking and financial shared services centres. In every assignment we have uncovered large exposures. The largest is £1 billion.

We use a combination of direct interviews with staff and workshops to uncover how fraud could be committed against the business. The bank, in return, obtains a 'how to defraud' report along with immediate and strategic solutions to reduce the risks.

Implementation of recommendations will assist your operational risk staff to perform their jobs. It will also allow for your internal auditors to conduct audits and ensure compliance based on improved controls.

There are technology solutions (such as transaction monitoring and identity verification software) available to help prevent these kinds of incidents. Nonetheless, no single system will provide the solution. Having fraud prevention systems, policies and procedures in place can only truly be effective if they are properly supervised and audited and if managers and employees are trained to be aware of key controls and to understand how their behaviour can impact on them.

Training employees on your policies and procedures is an element of risk and compliance management that is often overlooked but one that can make all the difference in mitigating the risk of critical events. Fraud of any type is notoriously difficult to detect because it often involves concealment through falsification of documents or collusion among managers, employees or third parties. However, by making your employees aware of potential 'red flags' through effective training methods, you create a vigilant workforce capable of taking responsibility for minimising your organisation's fraud risks.

Starting in 2005, Kerviel began placing bets only in one direction, potentially to make far bigger gains while bets are supposed to mostly offset each other in what is typically a low-risk way of making a small profit.

Kerviel created a set of parallel fake bets in the opposite direction to give his supervisor the illusion his books were correctly balanced. He was using several fraudulent methods, among others, the misuse of the passwords of other employees (mainly for cancellation).

Kerviel inserted fictitious operations into portfolio B in order to give the impression that this portfolio offset portfolio A, which he had purchased. The main challenge of a case like this one is that the employee was using many techniques, such as circumventing controls, thereby limiting the effectiveness of other controls such as no cash movements or margin call, Identification shielding, common use of another employee's credentials to avoid detection, utilising internal/dormant or hidden accounts (account 88888), fake new counterparty accounts, cancellation of fictitious operations, utilising correspondent/omnibus accounts and so on.

In the SG case, we know that some systems and procedures actually detect suspicious activities, but the main problems were that some of these systems are not efficient and also that they are not communicating with each other.

Considered individually, some alerts or reports are not serious enough to generate an investigation but, if a central risk system had aggregated the signals into one case, the problem would have been avoided in the very early stages.So, to come back to the questions: the bank must have more efficient systems and have the ability to aggregate the problems and their warning signs into a single risk environment.

It is also crucial to have a system in place that can profile the traders against their past behaviour and against their peer groups. These are the various controls that Actimize so effectively applies.

Controls and key questions to be considered include:

• Information technology:

• Establishing and enforcing 'user profiles' for trading area personnel

• Promptly deactivating access for employees who depart the firm

• Monitoring user access to detect unusual activity for a particular user profile

• Tools for execution:

• Tool limitations for executing or processing trades, especially in highly manual environments or areas that lack preventive controls

• Spreadsheet use

• Opens up issues regarding manual errors and general spreadsheet controls

• When was the last time that spreadsheet controls were tested with similar rigor as the testing for a new trading system?

• Limit setting, monitoring and management:

• Limit setting, monitoring and change processes

• Are limits periodically reviewed for appropriateness?

• Who is authorised to change limits and under what circumstances can changes be made? Who actually p rocesses these changes and who is aware of these procedures?

• Daily and intraday position monitoring

• Volume limits

• Existence of rapid response systems (for example, mechanisms that provide immediate notification of limit breaches via email or other means)

• Operational controls:

• Trade confirmation process

• Efficacy of the control functions, (for example, internal audit)

• Influence/authority of traders over control functions (for example, does this hinder control function independence?)

• Segregation of duties

• Reporting:

• Reliability/effectiveness of book management (for example, are there dormant books that are not reconciled and could therefore be used for unauthorised activity?)

• Profit and loss or other financial analysis

• How is actual working capital projected and tracked?

• How are possible variations in future working capital needs estimated?

• Are trends in mark-to-market tracked and analysed?

• Risk culture and governance:

• Are the risk policies clear, understandable and consistent with the activities and risk profile actually being transacted?

• Are the transactions being executed and the level of activity consistent with the business profile publicly discussed at conferences and/or reported within financial statements/regulatory reports?

• Can more than a handful of employees understand the nature and risks of the transactions being executed?

• Do personnel in both management and the trading organisation have an appropriate perspective on the control environment and where risks are managed?

• Does management have a respectful, consistent and supportive attitude towards the control environment?

• Does the company view unexpected profits and unexpected losses with the same level of concern?

One key point to keep in mind is that often there are policies in place that govern desired behaviour. Too often, management relies on these policies as though they reflect actual behaviour. Aspirations and reality are often not the same, so having a sound policy can only provide a level of comfort that behaviour expectations have been articulated. It is not enough to prevent unfortunate incidents similar to what occurred at SG.

Similarly, management may rely on attestations to the existence of controls. Frequently, failures occur due to controls being ineffective in operation, despite being properly designed. Control effectiveness often depends on the people who execute those controls, and people are often the source of the most significant control weaknesses.

• Move towards enterprise-wide risk management to monitor the organisational weaknesses that allow rogue trading to occur. That includes monitoring information and corporate security systems and others, such as human resources, where, for example, unusual holiday patterns can be a leading indicator of illicit behaviour.

• Monitor the monitoring systems themselves, too, to identify the inappropriate use we have noted in the Kerviel case.

• Aggressively maintain clear division between front-, middle- and back-office operations and monitor the points at which they connect diligently.

• Review classification of product risk. In the Rusnak and Kerviel cases, the fraud occurred in areas judged to be standard risk, either because of the low-risk product (Kerviel) or the perceived small scale of the operation (Rusnak).

• Introduce multi-factor authentication to protect information assets and prevent even well-intentioned information compromises.

• Test operational risk, information and corporate security functions vigorously. In AML we are seeing good progress, where external teams are used to challenge and attempt to overcome their AML protection. This approach could wisely be adopted more broadly.

• Tighten internal audits to guarantee the vigour of case reviews and to ensure that sample documentation is checked with counterparties to expose fictitious trades.

Something else that is extremely important is remembering that the data on employees' desktops is constantly changing, which means that new risks can emerge rapidly. It's essential to maintain a continuously updated central inventory of all the spreadsheets in use. Identifying new and changed spreadsheets, as the changes take place, provides a basis for understanding them and the information they contain, and the types of controls that are needed for the risks they present.

And, of course, it is critical to use technology linked with sound policy to address this technology-based problem.

Employees are far more complex than the set of rules and controls that are written to guide them. Inherently there is a need for professional and personal recognition by the employees family, peers, colleagues and industry. Traders especially are risk takers by nature. They research and exploit opportunities in the market to make profit for their banks. Under the right conditions, opportunity can push anyone over the edge to do something they wouldn't ordinarily do.

Banks must look inward when considering whether their controls stack up. If they don't, external crime groups will. Even worse, it could happen from within.

Staff turnover and internal staff movement causes increased risk to the control environment. This can often make for unclear responsibilities or matrix reporting lines and lead to confusion around controls.

Many banks use various satellite systems either purchased or developed in-house that feed into a core trading system. Security is only as good as its weakest link. While new software is implemented to improve service delivery, and financial instruments and products are constantly evolving, controls in these areas also need to evolve to keep pace. However, it is employees who input trades, build relationships with clients, check net positions, do the reconciliations and interpret the data, so employees are the key.

Middle- and back-office failures to identify deception (such as the one at SG) are directly attributable to system loopholes that had existed for a long time and were already known to employees.

Middle- and back-office, audit, compliance and other oversight type of functions check according to the existing control environment. They often fail to recognise the various loopholes for fraud. Unless you understand how to manipulate the system, then you will not be able to properly check the various trades purportedly done.

Any experienced trader will know the controls used by middle- and back- office employees. They will know this from sheer experience.

Having policies and controls without stress-testing them in the actual operating environment is like driving at high speed on a motorway shrouded in fog. Eventually you will crash.

But some of these systems are not efficient, so how does the bank connect the dots? I think that the most efficient way to reduce the risk exposure of the bank is to have a three-pronged approach:

• A multi-dimensional analysis - for example, operational, compliance and security with efficient control electronic system.

• Profiling of trader activity - whatever the creativity of the rogue trader, at some point he will always behave differently from his own profile or the behaviour of the group he belongs to. In the case of SG, we would have detected very early on activities such as abusive cancellation, concentration into low margin call instruments, and so on.

• Score aggregation of alerts and reports coming from various control systems - this would have caught the various signals coming from systems and, by consolidating them, the fraud would have been avoided.

Having sound compliance risk policies, systems and internal controls in place to help minimise the risks of fraud is essential, however, having a knowledgeable and vigilant workforce is of equal importance. Many organisations have introduced whistle-blowing hotlines to encourage employees to report suspicious activities. Policies and procedures are only truly effective if you communicate these to your employees. After all, your employees can be your best line of defence against internal fraud but, left uneducated, they could be your worst downfall.

To educate your employees it Is important to keep the training engaging, relevant and context-driven rather than theory-led to bridge the gap between policy and practice. This way your employees will better understand the application of your fraud prevention requirements to their day-to-day work. Your training should aim to give your employees the confidence and knowledge to 'do the right thing'. Senior executives should be leading by example by helping to promote an enterprise-wide risk management culture for the organisation rather than a tick-box compliance culture.

Software industry veteran and pioneer in the spreadsheet governance, risk management, and control space. As CEO of Compassoft, Paul has built the company to a leadership position in the market-place and established strong ties with Big Four accounting firms.

Founder and managing director of the Insight Risk Group, Paul has over 25 years of experience in the area of fraud risk and specialises in banking. Before Insight Risk Group, he held director positions with a boutique and Big Four accounting firm specialising in fraud and forensics.

Senior compliance product manager responsible for developing and enhancing Norkom's product management strategy with over 15 years' experience in financial services, working in the areas of compliance and operational risk. Edward holds a masters' degree in technology and innovation management from the Smurfit Business School, University College Dublin. Global head of operational risk management, with responsibility for business continuity management, information security and risk support for operations.

Global leader of Protiviti's financial risk strategy and management practice. He oversees a team of risk professionals focused on improving clients' ability to manage credit, market and commodity and operational risks, as well as performing model validations.

Managing director of SAI Global's compliance division for Europe, Middle East and Asia. Over the course of his career, Iain has had significant experience of working with multinationals to deliver effective compliance, risk and ethics programs, a number of which have been recognised with industry awards.

Prior to Actimize, Piers was vice president European sales for Poet, a German software provider, where he successfully participated in the launch of Poet in the Neue Market in Frankfurt. Prior to this, he worked for Credit Suisse First Boston (project Mynewdeal.com) as head of business development.

A 23-year finance and technology veteran. Prior to joining Reveleus in September 2001, Ramakrishnan held leadership positions at Citibank, including chief information officer for the Citibank global consumer bank where he laid the foundation for global information standards, strategic analytics and database marketing.