AdSlot 1 (Leaderboard)

Trade secrets

The extraordinary story of how a very ordinary French trader managed to incur
an unauthorised e4.9bn (£3.6bn) loss and force Société Générale to go cap in
hand to the equity markets for a cash injection has gripped the imagination of
the financial community.

New details continue to emerge, helping to shed light on how a junior trader
like Jérôme Kerviel could perpetrate such an enormous fraud for two years
without being detected. What is clear is that there must have been problems at
every level of the investment bank’s controls.

Kerviel was working as a junior trader on SocGen’s equity futures trading
desk. His job was to make money out of the miniscule differences in the value of
stock markets. He did this by buying futures contracts to take a view on the
direction of the market. This was offset by an almost equally sized contract
which would pay if the market moved the other way.

There should be minimal risk involved in such a trading strategy. But Kerviel
took large, unauthorised bets on the markets, as soon as he joined the desk in
2005. By the end of 2007, he had notched up a profit of e1.4bn – more than half
the revenues of the bank’s equities division.

David Malone, manager at the fraud services unit at BDO Stoy Hayward, says,
“The accounting systems cannot have been be functioning properly. He was making
significant sums of money that were simply not being picked up.

“There does not seem to have been a great deal of concern about the size of
his positions, even though he was a very junior trader. The risk management
system seemed to be geared towards ensuring the positions were hedged and, as
long as this was the case, the bank was happy.” Or, ignore the gross positions,
just look at the net.

According to SocGen, Kerviel appears to have manipulated the system by
creating fake hedging contracts that he removed from the system before they
settled and then put new ones in place.

Kerviel got away with this for so long because he hedged his positions with
fake over-the-counter derivatives, which take much longer to confirm than
exchange-traded instruments.

Jennifer Moodie, head of operational risk at Business Control Solutions,
says, “It is possible for a trader to write on the back of the ticket, ‘no
confirmation required’ and if the back office staff have not been properly
trained or if they are in awe of the front office staff, they might not pursue
the issue.”

But there should have been layers of controls in place so that if he managed
to evade one or two, he should have been picked by the next level. “He may have
got past the market risk controls by making it appear that he had the right
hedges in place, and he must have entered enough information to pass the
company’s credit risk controls. But it is surprising he was able to get past the
product controllers,” says Moodie.

Product controllers should check that the right profits and losses were being
entered into the bank’s accounting systems. “The product control department
should be checking with the traders every day to make sure they have the right
bank positions, the right market values and the right P&L,” says Moodie.

Many wonder how Kerviel was not tripped up by the margin calls obligatory
with any futures contract. But it could be that the volume of business SocGen
was doing with exchange traded futures, made it tricky to stay on top of this.
“It can be a very complex process to untangle the way that netted margin calls
from the exchange tally up with the individual transactions,” says Moodie.

It’s likely that the risk management teams did not share information,
otherwise Kerviel’s actions could have been spotted earlier. “There is no way to
look across all the control functions and down an individual product processing
flow from the trade capture to booking it in the ledger,” she says.

Covering his tracks
Kerviel had joined the bank in 2000 as a member of the middle-office support and
control unit and was one of the lucky few who made the transfer to a trading
desk. Not only did he use multiple log-ons, he still had access to the back
office systems through his old log-ins. This allowed him to manipulate his trade
data.

Jean-Baptiste Gaudemet, professional services manager at IT risk management
company Sophis, says, “The front-office activity is controlled by the middle
office. They are supposed to make sure that the traders stay within their risk
limits.”

Kerviel’s knowledge of the back and middle office systems allowed him to
disconnect these systems from one another, says Gaudemet. Each system has its
own database and it is the bridges joining them that make them vulnerable.
“Using one database would make the system safer, but, given the huge volumes of
data that a bank generates that might be impossible to implement. The links
between the systems have to be made as secure as possible,” says Gaudemet.

Aside from the IT security issues, there must have also been inherent
problems with SocGen’s business culture. Like every other company, SocGen has to
have an internal auditing team to ensure that everything was being properly
accounted. But it can be a difficult job to do well.

“Internal auditors are often very junior staff that would not have had the
authority to stand up to the revenue generators in the business,” says Malone.

“If they do raise a query, then the revenue producing part of the business
will fob them off with a quick answer and the company management will support
the revenue producers,” he adds.

There is intrinsic conflict in the culture at investment banks. Effective
risk management means that a certain level of restriction must be imposed on the
traders. But traders need to take risk to make money for the bank. Management
attention also tends to be focused on their revenue generators, not the back
office.
The complexity of financial instruments today means there is a danger that inv
estment bank bosses often do not understand the intricacies of every trade made
on their dealing floors, making it harder to police the traders.
Sandy Kumar, partner in the business risk financial services group at Grant
Thornton, says, “It’s often the case that the traders are some of the smartest
guys around and their ability to outwit the control systems is something that
might have to be more closely regulated in the future.”

The back and middle office functions are not as well-regarded as the traders,
so they struggle when it comes to confronting a trader. So the head of the desks
have to been willing to challenge a trader if a problem has been flagged.

Even if Kerviel’s bosses had not been completely on top of the trading
activities of their dealing desk, his unwillingness to take any holiday should
have been a big clue that something was seriously wrong.
Malone is amazed that the bank’s managers did not pick up on this. “This is a
classic signal that an employee could be involved in defrauding a company,” she
says.

Take a break
His decision not to take any holiday was raised by human resources, but like so
many areas, Kerviel managed to deflect the issue. “They just didn’t keep on top
of it,” says Malone.

Most investment banks insist that their traders take two consecutive weeks of
holiday, which is long enough to identify any trading positions that may have
been stealthily built up.

Kumar thinks that the regulatory environment could well benefit from being
tightened up. “There are lot of grey areas where the regulations expect the
firms to put the right risk management systems into place but no one checks that
this has been done.

“Does it really make sense, for example, to have only two internal auditors
when there is a staff of 3,000? It’s often left to the banks to come up with
their own benchmarks.”

An interim report into this fiasco by the French government, presented by
France’s finance minister, Christine Lagarde in February, suggested that other
banks could be susceptible to similar problems and also urged for greater
controls.

Lagarde said that it was very clear that internal control procedures in the
bank had clearly not worked. Inspections by the French banking commission in
2006-07 had led to recommendations seeking to strengthen the security of the
operations, the report said.

Lagarde said the maximum fine for breach of banking rules, currently e5m,
should be “substantially increased”.

After the Barings crisis and the implosion of Enron, and the warnings from
the French banking commission, it seems extraordinary that SocGen did not step
up their risk controls.
“There have been so many recent scandals that you really would expect the
financial services sector to be on top of their risk management systems,” says
Kumar.

The French government report is available at
www.tinyurl.com/yogqae

Related reading

/IMG/372/201372/marksandspencer2
/IMG/496/287496/euro5454
/IMG/964/194964/money-mountain949
/IMG/420/232420/cashflow76