This would be almost boring except for the numbers involved. The Economist writes:
TROUBLE had been expected but nothing like this. Widespread concerns that Société Générale, a large French bank, had more subprime-related problems to reveal were proved right on January 24th with the announcement of a €2.05 billion ($3 billion) write-down on its exposure to mortgage-related investments and to creaking bond insurers. But those numbers were a side-show to something far more shocking.The bank also disclosed that a single trader, Jérôme Kerviel, had racked up a further €4.9 billion loss by taking unauthorised bets on futures linked to European stockmarkets. Trading in SocGen's shares was temporarily suspended on January 24th, but punishment was bound to be severe.
How did this happen? For that we have to see what the FT wrote:
The trader joined the bank in 2000 and worked in Paris. The first three years of his career were spent in the bank’s so-called “back office” and “middle office”, where trades are settled and risk is managed. Though it did not name Mr Kerviel, SocGen said he had never worked directly in its risk control section, but remained in contact with people in those areas so he could be updated with the bank’s risk controls.“The reasons he could succeed was because the trader knew intimately the bank’s risk controls and swiftly shifted positions to evade detection at each level of control,” Mr Bouton said.
The fraud was discovered after the trader made an error with a fictitious counterparty. Its extent became clear over the weekend, when the bank‘s management interviewed Mr Kerviel.
OK, so rule #1 in governance is to separate the decisions from the implemention. Those on the decision side (in this case, traders) can not touch the money. Those on the money side (in financial lingo, back-office) cannot make any decisions. Seems simple, right?
The flaw here is that separation of roles also has to be backed up by more than mere words. Those in the back-office are supposed to check for valid trading by some metric or other, and supervisors are supposed to watch everything and make judgement calls. Those in the front-office (traders) are supposed to be rewarded for successful trades, and those in the back-office are supposed to be rewarded for safe trades.
As we know from the Barings case (and a thousand years of history) if a person crosses the border between front and back-office, there is trouble. Nick Leeson not only traded, he was also the guru that fixed or ran the accounting system in the Singapore branch. So he knew the back-office commands to create special or secret accounts, like 88888, which came in handy to hide losses.
The same will be true here: Kervial was trained in the back office, so almost certainly he knew how to do things that were under the covers. Which points to a crazy state of affairs: how is it at all possible to do things that are below the covers?
If you need a systemic reason, it would be because the system has evolved through centuries and is full of obscure rules, quirks, paperwork, oversights and so forth. It is too complex for anyone but a few to understand, indeed, it is quicker to build a complete new governance system from scratch than it is to understand a modern trading system (I know because I've done it). We can conclude that the modern systems are opaque, by history if not by design, and that therefore the real question to ask is whether it is plausible to even understand what happens under the covers, and to stop this weakness?
We know how to solve these problems in financial cryptography. My results were confirmed by others; but we all faced the same systemic blockages in getting systems deployed. Those same blockages will probably also work to save Société Générale from the real solution, which is sacking of the entire board at minimum and sacking of the shareholders at maximum.
Top tip from anonymous observer: watch Société Générale slide in a lot of other hidden losses into this one, so as to combine all the losses into one efficient hit. This is good news for shareholders, and bad news for everyone else, but that sort of high stakes poker playing with assets can also backfire if the losses threaten real closure.
Posted by iang at January 24, 2008 03:14 PM | TrackBackLast week I had a post that in the early 80s, the state-of-the-art was starting to handle a lot of "insider" fraud with things like roles .... and then there was starting to be problems with "collusion" ... so there were starting to be some number of collusion countermeasures.
http://www.garlic.com/~lynn/2008b.html#26
and things are still waiting to get back to the what the state-of-the-art was working on 25yrs ago.
recent comment on this particular topic
http://www.garlic.com/~lynn/2008b.html#82
re:
http://www.garlic.com/~lynn/aadsm28.htm#13
There are all sorts of barriers to introducing new systems ... frequently involving disastrous past attempts. I've pontificated recently about disastrous, ill-fated attempt to deploy consumer chipcard operation with personal readers early in the decade and the chilling aftermath on any further attempts.
A lot of the current "online" transaction infrastructures started out as purely batch operations. In the 70s&80s, many of these infrastructures added front-end transaction interfaces ... but still relied on batch to complete the operations (commonly associated with "settlement") in what frequently came to be known as "overnight batch" windows.
In the 90s, there were billions spent on failed attempts to upgrade these facilities ... frequently with "object" oriented and parallelized implementations for something called "straight through processing" ... to eliminate the increasing bottleneck of the overnight batch window (globalization was decreasing the size of the window and any workload increase was frequently banging up against the limits of the window).
recent references
http://www.garlic.com/~lynn/2008b.html#3 on-demand computing
http://www.garlic.com/~lynn/2008b.html#74 Too much change opens up financial fault lines
I'm still puzzled where the system spending has gone though. For the past ten years, at every financial services event I've been to, bank guys have been complaining that they have no money for innovative new systems because all the money is going on compliance. They can't possibly have wasted all of the money on management consultants: some small fraction must have eventually gone on some actual controls. Somewhere in SocGen there must have been a line of code like "if value-at-risk > banks-total-capitalisation then sound-alarm" or something.
Posted by: Dave Birch at January 26, 2008 05:25 PMDave Birch wrote:
> I'm still puzzled where the system spending has gone though. For the
> past ten years, at every financial services event I've been to, bank
> guys have been complaining that they have no money for innovative new
> systems because all the money is going on compliance. They can't
> possibly have wasted all of the money on management consultants: some
> small fraction must have eventually gone on some actual
> controls. Somewhere in SocGen there must have been a line of code like
> "if value-at-risk > banks-total-capitalisation then sound-alarm" or
> something.
re:
http://www.garlic.com/~lynn/aadsm28.htm#13 Break the rules of governance and lose 4.9 billion
http://www.garlic.com/~lynn/aadsm28.htm#14 Break the rules of governance and lose 4.9 billion
i was at a financial conference in europe a couple of yrs ago ... one
of the main topics was that sox compliance costs was starting to creep
into european companies (and some companies were starting to move off
american exchanges attempting to avoid sox compliance)
i took the position that much of sox was more of the same kind of
auditing ... and there was a lot of fraud which was getting by the
kind of auditing ... and more of the same kind of auditing wasn't
going to catch it; it was going to require different approaches.
a couple recent articles on the socgen subject:
Government report alleges risk and security failures at SocGen
http://www.finextra.com/fullstory.asp?id=18037
Neglected IT Tasks May Have Led to Bank Meltdown
http://www.pcworld.com/businesscenter/article/142137/neglected_it_tasks_may_have_led_to_bank_meltdown.html
Poor password management may have led to bank meltdown
http://www.infoworld.com/article/08/02/04/Poor-password-management-may-have-led-to-bank-meltdown_1.html
and some related comments
http://www.garlic.com/~lynn/2008c.html#76
misc. past posts mentioning sox:
http://www.garlic.com/~lynn/aadsm19.htm#10 Security as a "Consumer Choice" model or as a sales (SANS) model?
http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm23.htm#10 PGP "master keys"
http://www.garlic.com/~lynn/aadsm25.htm#12 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm25.htm#13 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm25.htm#14 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm25.htm#15 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm25.htm#26 Fraudwatch - how much a Brit costs, how to be a 419-er, Sarbanes-Oxley rises as fraud rises, the real Piracy
http://www.garlic.com/~lynn/aadsm25.htm#43 Audit Follies - Atlantic differences, branding UnTrust, thunbs on Sarbanes-Oxley, alternates
http://www.garlic.com/~lynn/aadsm26.htm#2 Audit Follies - Atlantic differences, branding UnTrust, thunbs on Sarbanes-Oxley, alternates
http://www.garlic.com/~lynn/2006h.html#33 The Pankian Metaphor
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006i.html#1 Sarbanes-Oxley
http://www.garlic.com/~lynn/2006j.html#28 Password Complexity
http://www.garlic.com/~lynn/2006o.html#35 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006u.html#22 AOS: The next big thing in data storage
http://www.garlic.com/~lynn/2007b.html#63 Is Silicon Valley strangeled by SOX?
http://www.garlic.com/~lynn/2007j.html#0 John W. Backus, 82, Fortran developer, dies
http://www.garlic.com/~lynn/2007j.html#74 IBM Unionization
http://www.garlic.com/~lynn/2007j.html#75 IBM Unionization
http://www.garlic.com/~lynn/2007o.html#0 The Unexpected Fact about the First Computer Programmer
http://www.garlic.com/~lynn/2007r.html#61 The new urgency to fix online privacy
http://www.garlic.com/~lynn/2008.html#71 As Expected, Ford Falls From 2nd Place in U.S. Sales
http://www.garlic.com/~lynn/2008.html#78 As Expected, Ford Falls From 2nd Place in U.S. Sales