At this point, the volume of reporting about SocGen is getting deafening. My favorite came from a friend and former CISO (of a different global investment bank), who declared to me Saturday over a G&T, “They let themselves get taken by an utter muppet!”
This introduction also sums it up pretty nicely:
By Friday, January 18, Jérôme Kerviel, a junior suit in the banking world, was on the hook for €50 billion - the equivalent of about half of all the gold and currency reserves held by France. The sum also exceeded the entire value of the bank at which he worked.
The 31-year-old trader at Société Générale, one of France’s most prestigious institutions, had secretly set up a series of deals that were going horribly wrong. So wrong that they threatened the survival of the bank and the health of global financial markets.
Yet senior executives at the bank, which initially claimed that it had no inkling of Kerviel’s activities, yesterday admitted that managers had missed several warning signs over many weeks that would have revealed the apparent fraud.
I’ll bet they did.
As the details come out, this story just gets more and more interesting. The Cheese had a nice excerpt from the Forbes article, which pointed out that
as long as traders had knowledge of back-office operations, the risks of abuse would always be there.
Now it’s been almost ten years since I lived in the world of High Finance, but back then I worked as a software developer implementing risk models for a bulge bracket investment bank, first for the market risk group and later on credit and collateralized trading risk management systems.
At my bank (not SocGen), the operational functions of the risk management group were sometimes used as a sort of bush league for traders who had a hard time staying under their risk limits–they either spent a year learning how to stay out of trouble and returned to trading, became permanent fixtures in the back office, or they left the bank.
At the time, we had such a mish-mash of systems that we really had no good unified picture of what was going on, and we were still better than any of our large counterparties. We knew what our positions were alleged to be, but had no good tie-back to confirm the integrity (legitimacy) of the data. In retrospect, I won’t hesitate to admit that we were lucky we didn’t get hit with this sort of fraud.
Unfortunately, it sounds like things haven’t gotten much better over the past 15 years. In the fallout from the collapse of Barings Bank, we learned that two of the key metrics that Nick Leeson was reporting back to London, profit and loss (P&L) and cash flow, were wildly out of alignment. If they had had a unified view of things, the story he was telling head office would have summarized to, “We’re making huge profits, now send more cash.”
In this case, Kerviel was able to fabricate hedges which made it look like his risk was netted off, when in fact he was naked to the market. Did he simply create dummy trades and book them against the accounts for the other liquidity providers, where there are thousands of trades in both directions at any given point in time, counting on them to get lost in the noise?
I read something which indicated that his fraudulent hedges effectively had to be unwound and recreated every three days. Perhaps he was exploiting the window between expiration and settlement.
Or did he simply exploit broken deprovisioning and internal transfer processes to aggregate access as he moved between jobs in the middle office? Eventually, he might have had the ability to create trades at the necessary points in the workflow to make the risk look netted below his limit, then disappear them later before they flowed through to where they might have upset some other reconciliation or balance.
Or perhaps he well and truly “hacked,” as some news stories have said, the back-end, gaining unauthorized access and manipulating the systems directly from the operating system or database back-end.
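The cross-check the Barings paragraph above describes (one figure the desk reports, tied against an independent one) applied to the fictitious-hedge scenario in the last few paragraphs, as an added example that is not part of the original post and makes no claim about how SocGen’s systems actually worked. It is a Python script over a constructed trade blotter that (1) computes the book’s exposure twice, once as the desk reports it and once counting only trades a counterparty has confirmed, and flags days on which only the desk’s view is inside the limit; (2) finds unconfirmed trades that are repeatedly booked and cancelled before they can reach settlement, the “unwound and recreated every three days” pattern; and (3) lists users whose accumulated entitlements let them both book trades and cancel or confirm them, the access-aggregation case. The blotter, the user names, the entitlement table, the limit of 25 and the five-day churn window are all invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Trade:
    trade_id: str
    book: str
    trader: str                 # user who booked the trade
    counterparty: str
    notional: float             # signed exposure: +long, -short (millions)
    booked_day: int
    confirmed: bool             # counterparty confirmation received
    cancelled_day: Optional[int] = None
    cancelled_by: Optional[str] = None


# Constructed blotter for one book over nine days (not real data). The
# exchange-traded futures (EUREX) are real and confirmed. The "hedges" booked
# against an internal pending account by the same trader are never confirmed,
# and each one is cancelled and re-booked three days later so it never
# reaches settlement or a counterparty reconciliation.
BLOTTER = [
    Trade("T1", "eq_arb", "jk", "EUREX", 40.0, 1, True),
    Trade("H1", "eq_arb", "jk", "PENDING-INTERNAL", -38.0, 1, False, 4, "jk"),
    Trade("H2", "eq_arb", "jk", "PENDING-INTERNAL", -38.0, 4, False, 7, "jk"),
    Trade("H3", "eq_arb", "jk", "PENDING-INTERNAL", -38.0, 7, False),
    Trade("T3", "eq_arb", "ab", "EUREX", 10.0, 3, True),
    Trade("C1", "eq_arb", "ab", "BANK-X", -12.0, 3, True),   # genuine OTC hedge
    Trade("T4", "eq_arb", "jk", "EUREX", -20.0, 8, True),    # partial close-out
]

LIMIT = 25.0   # net exposure limit for the book (assumed for this example)


def live_on(trade, day):
    """A trade counts on `day` if booked by then and not yet cancelled."""
    return trade.booked_day <= day and (
        trade.cancelled_day is None or trade.cancelled_day > day)


def net_exposure(blotter, day, confirmed_only):
    """Net signed notional of live trades; optionally only confirmed ones."""
    return sum(t.notional for t in blotter
               if live_on(t, day) and (t.confirmed or not confirmed_only))


def hidden_breaches(blotter, days, limit):
    """Days on which the desk's own (netted) view is inside the limit but the
    exposure backed by counterparty confirmations is outside it."""
    out = []
    for day in days:
        desk = net_exposure(blotter, day, confirmed_only=False)
        confirmed = net_exposure(blotter, day, confirmed_only=True)
        if abs(desk) <= limit < abs(confirmed):
            out.append((day, desk, confirmed))
    return out


def churned_hedges(blotter, max_life_days=5):
    """Unconfirmed trades cancelled within max_life_days of booking, grouped by
    (trader, counterparty). Two or more in a group is the re-booking pattern."""
    groups = defaultdict(list)
    for t in blotter:
        if t.confirmed or t.cancelled_day is None:
            continue
        if t.cancelled_day - t.booked_day <= max_life_days:
            groups[(t.trader, t.counterparty)].append(t.trade_id)
    return {k: v for k, v in groups.items() if len(v) >= 2}


# Entitlements each user holds, as an access review would export them
# (constructed). "jk" kept middle-office rights after moving to the desk.
ENTITLEMENTS = {
    "jk": {"book_trade", "cancel_trade", "enter_confirmation"},
    "ab": {"book_trade"},
    "ops1": {"cancel_trade", "enter_confirmation"},
}
BACK_OFFICE = {"cancel_trade", "enter_confirmation"}


def toxic_combinations(entitlements):
    """Users who can both book trades and act on them in the back office."""
    return sorted(u for u, rights in entitlements.items()
                  if "book_trade" in rights and rights & BACK_OFFICE)


if __name__ == "__main__":
    for day, desk, confirmed in hidden_breaches(BLOTTER, range(1, 10), LIMIT):
        print(f"day {day}: desk view {desk:+.0f}, confirmed {confirmed:+.0f}, "
              f"limit {LIMIT:.0f}")
    print("re-booked hedges:", churned_hedges(BLOTTER))
    print("toxic access:", toxic_combinations(ENTITLEMENTS))
```

Run stand-alone, it reports a hidden breach on every one of days 1 through 7 (desk view 2 or 0 against a confirmed exposure of 40 or 38), nothing on days 8 and 9 once the real close-out brings the confirmed figure inside the limit, the H1/H2 pair as the churn pattern, and “jk” as the only user holding a toxic combination. The important design point is that the second exposure figure comes from confirmations rather than from anything the trader entered; a check that only re-reads the trader’s own bookings is the same single view the post complains about.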
As much as I’d love to know, I’m also really glad that I’m not standing close enough to the mess to have that good a view of what happened, because it’s probably not that the powers-that-be didn’t realize the fraud was possible, more that they didn’t think it was an unacceptable risk.
When you consider the multitude of mechanisms that he could have exploited, some of them internal weaknesses and some of them part of the structural nature of how capital markets work, you rapidly see that closing all the holes is impossible–there will always be some material level of residual risk.
As Stiennon said referring to his pen-testing days:
It would take about four days to get an insider’s feel for operations. And, in every case, I could discover ways to steal from the client company. In my opinion the only reason that most of these companies have *not* experienced a major theft is that people in general, and frankly IT staff in particular are trustworthy.
Companies must balance the risk of a loss against the cost of mitigating it (or of transferring or otherwise reducing the inherent risk). Evaluating and minimizing personnel risk, through background checks up front and ongoing supervision and management, is another such control.
Risk management helps the business determine how much control is enough to prevent a major loss or fraud, but control is never free. The business must therefore also minimize the impact of risk management on operations, both its direct cost and externalities like increased transaction time or inefficiency in the business functions that the security protects.
Could SocGen have decreed that every trade must be explicitly pre-approved by multiple people before executing to prevent the risk of fraud? Sure, but it would have killed them as a competitor in the market even more surely than accepting the risk of a bad apple getting through their other processes.
At the bank where I worked, everyone at a certain rank or above in what were considered to be key positions was *required* to take an annual three-week holiday, in which they were not allowed to contact work at all. If SocGen had done this, they would have uncovered the fraud when someone else took over Kerviel’s positions.
Chandler Howell Says:
I agree, and we were required to take a 10-day holiday with no contact, as well, but management did not rigorously enforce it, although we generally did try to take at least five days.
I seem to recall that, according to the WSJ write-up at the time, in the Sumitomo Copper scandal they had mandatory time-off rules which were also overlooked and otherwise worked around (he phoned co-workers and managed his positions through them), leading to that fraud lasting much longer than it should have, as well.
shrdlu Says: