By now we’ve all seen the headline—“French Bank Rocked by Rogue Trader!”—heralding the debacle at Societe Generale as the largest bank fraud in history.

Then come the details: A “mid-level” employee, unbeknownst to anyone else at one of the most venerated banks in France, bet $73 billion of the bank’s money, costing it $7.2 billion. The newspapers promptly dusted off all the familiar names in the annals of bank fraud, including Joseph Jett of Kidder Peabody and Nick Leeson of Barings Bank, among others. Societe Generale’s fraud tops them all, by far.

Having been involved in a number of the most high-profile frauds (let me rephrase that: having been involved in investigating and cleaning up after a number of such frauds), I’d like to share some thoughts on what went wrong. Because, clearly, a lot did go wrong.

What Happened

Basically, Jerome Kerviel, the “low-level employee” in question, made unauthorized trades and hid them. He was authorized to trade in the European stock indexes, so long as he hedged much of the risk. But he didn’t complete the hedge transactions, in effect placing what became bad bets that European markets would continue to rise. To cover his tracks, Kerviel fed false transaction data into SG’s computer system to make it appear that he carried out the hedges. According to one media report, Kerviel built “a multilayered way to hide his trades by hacking into the bank’s computer systems to eliminate controls” that would have caught the scheme.

When bank executives finally found out, they moved to unwind $73 billion of Kerviel’s bad bets. Rest assured, you’ll hear a lot more over the coming weeks and months about exactly what Kerviel did to carry out his scheme and how he got caught.

If the news reports are correct, the responses from the bank’s management are fascinating, representing what seems to be a rather defensive posture. Here are some of the more telling quotes:

“Societe Generale has been victim of a serious internal fraud committed by an imprudent employee.”

Kerviel “was mentally weak. I have no idea why he did that.”

Kerviel “is a terrorist.”

Kerviel “was a very junior trader, not a star … starting to work on a small portfolio. He’s more of a shy person than an extrovert.”

“Research has not shown any link with anyone else at Societe Generale.”

Kerviel “breached five levels of controls [and was] a computer genius.”

“Hiding it was a full time job, because you needed to know exactly what to do.”

“We have no explanation for why he took these positions, and we have no reason to believe he benefited from a financial point of view. We don’t understand why he took such a massive position.”

The last point is underscored by reports that the bank’s management was at a loss to describe Kerviel’s motivations, because “the trader didn’t earn a dime on his actions,” and apparently acted alone.

The Motivations Are Obvious

If you’re active in risk management and control, you’ve long known that identifying the motivations behind fraud is critical in establishing the controls needed to reduce the risk of fraud to manageable levels. And we know that major frauds of this type often have nothing to do with employees stealing money. They have everything to do with other motivating factors.

The statement by the bank’s executives that they’re at a loss to describe Kerviel’s motivations is hard to fathom. Anyone who’s been in the business world for more than five minutes should know there are two kinds of frauds: one to put money in somebody’s pocket, the other to make the performance of the individual, unit, or business look better than it is.

This column was written only about one week after news of the fraud broke, and it was already becoming clear that Kerviel wasn’t looking to steal money for himself. After an initial interrogation, he said he did what he did to be respected—in an organization where, because of his background, he had relatively little respect—and to earn a big bonus. This is not atypical of bank frauds, where the perpetrator wants to show he’s capable of doing great things for the institution and hopes to receive promotions and bigger compensation.

When you probe a bit deeper into these sorts of frauds, history shows that usually the individual doesn’t believe he (and I can’t remember any women ever involved in major bank frauds) will get caught. And even if he does, the fraudster doesn’t understand all the fuss about his actions—after all, he was trying to make money for his employer, not himself. When his trades start to go bad, he sees it as only a temporary situation, fully believing that more such trades will solve the problem; ultimately, he thinks, the trades will work out and demonstrate that he really is a smart, capable person.

And for some it seems there’s not much to lose. With difficulties in other areas of their life, it’s a case of “heads we win, tails you lose.” After all, they’re playing with someone else’s money, and of course they don’t intend to lose in the first place.

While it’s doubtful this next point is at the forefront of a fraudster’s mind, the reality is that for a number of them, after a stint in prison, they become sought-after consultants and stars on the lecture circuit, reaping more glory and money than they ever hoped to make when working for a living!

Where Was Risk Management at SG?

Let’s begin with how the fraud ultimately was found out. Reports say that Kerviel changed a tactic he had been using to conceal his trades. He took a position that prompted a possible margin call, which caused the computer system to raise a red flag and caught the attention of the bank’s risk control specialists. This happened on Friday, Jan. 18. An investigation of trading records the next day uncovered the extent of the fraudulent trading, and after about a week to unwind the open positions, Societe Generale disclosed the fraud publicly.

We’ve also learned that while the bank initially believed Kerviel engaged in his scheme “only” for less than a year, he apparently had been committing the fraud since early 2005—three years ago.

It’s worth remembering that internal control can only provide reasonable assurance against wrongdoing; when someone on the inside of an organization is determined to carry out nefarious deeds, he usually can, and potentially will do damage—but time frames and amounts of money usually are limited. With that in mind, let’s examine what has been reported so far to understand what might have been lacking. Kerviel:

Knew that other traders at the bank engaged in similar (though smaller levels of) unauthorized trades, but were never questioned about them;

Knew and used access codes and passwords of colleagues in the trading unit and IT department;

Was not required to take vacations, instead taking off only four days last year;

Several times accidentally triggered problems that came to the attention of the bank’s risk-management personnel, but these were never investigated further than asking Kerviel about them and accepting his explanations.

As risk management and control goes, this is pretty basic stuff. Where was security over access codes and passwords, including procedures for maintaining privacy and frequent automated changes? Where were the mandatory vacations and thorough follow-up on signals of impropriety? And we can only wonder about other basic controls, such as automated application controls over trading patterns, supervisory controls (four supervisory executives at the bank have since been fired), and monitoring controls, including appropriate procedures performed by risk-management and internal audit functions.

More specifically, one should ask whether the bank had satisfactory identification and management of the risks of unauthorized trades. Certainly other banks have been brought to their knees (or brought down entirely) by a so-called rogue trader. Clearly, these risks have long been well known. So, either these risks weren’t taken seriously at SG, or the right procedures and controls weren’t put in place to manage the risks to a reasonable level.

Two additional factors are critical. One is that even though Eurex’s surveillance office had noted irregularities in Kerviel’s trades, the bank’s risk control experts simply explained the irregularities away. And almost amazingly, it’s reported that the bank had a culture not only of allowing traders at Kerviel’s level to regularly exceed authorized limits; it seems there was also an expectation that they conduct “proprietary” trades to make money for the bank—and the results were explicitly considered in performance evaluations! Major issues of culture were behind what brought the bank to its knees.

Further Response From the Chairman

Societe Generale’s chairman wrote clients that “control procedures have been revised and reinforced to avoid any recurrence of further similar risk.” On this note, three thoughts immediately come to mind. First, why weren’t those controls in place previously? Second, how is it possible, in the space of one week, to know the details of exactly what transpired and what specific controls need to exist to manage such risks? Third, what’s being done to deal with similar risks that could cost the bank billions of dollars?

It’s interesting how one can put a positive light on almost anything. The chairman also reportedly said: “Had we not acted swiftly, the loss could have been 10 times worse.” That’s an interesting position to take, considering the fraud had evidently been going on for years; the bank has been brought to its knees, is in need of a massive influx of new capital, and is subject to an outside takeover; it’s being blamed for exacerbating the precipitous downturn in the capital markets in January; and lawsuits against the bank are already being filed. It’s hard to imagine what “10 times worse” might have been.