$7.2 Billion Bank Fraud: Could it Happen Here?
"There are a lot of banks here in the U.S. breathing a big sigh of relief ..."There have been few answers since news of this record-breaking fraud emerged late last week. All we really know is that Jerome Kerviel, a 31-year-old futures trader, was armed with an exceptional knowledge of trading systems, as well as a good understanding of all of the processing and control procedures -- and his fraudulent trades went undetected by France's second -largest bank for months. The fraud and losses were revealed by Societe Generale last Thursday, before markets opened in Europe.
Yet, even those scant details are enough to send U.S. banking officials scrambling to ensure the security of their own systems - and the checks and balances that should tip off an inside fraud before it results in such catastrophic losses.
"There are a lot of banks here in the U.S. breathing a big sigh of relief that it didn't happen to them," says Brad Bailey, Senior Securities Analyst at Aite Group, the Boston-based banking consultancy. "First, the size of this loss is phenomenal; it exceeds anything to date -- any other trading fraud, it exceeds it by billions."
The largest single fraud prior to Societe Generale's was the Barings Bank loss of $1.3 billion in 1995.
"This stands out as the Academy Award winner in the category of 'the definition of failure' in operational risk," Bailey says. While French banks have worked hard to clean up their image as of late, and Societe Generale has been an outstanding risk controller, known for its use of sophisticated products, Bailey says, it failed to catch Kerviel, because "He knew how and when to avoid being spotted."
How it Happened
While Kerviel's fraud is stunning, what is possibly more incredible is how he was able to accomplish it.
According to Societe Generale's explanatory notes about the "exceptional fraud," these are some of the known facts:
- Kerviel worked at the bank since 2000 in different "middle-offices" departments that control traders;
- In 2005, he became a trader in the arbitrage department, developing a portfolio of futures on the European stock market indices;
- His trades in the portfolio were consistent with the volumes traded by a large investment bank;
- On a daily basis, these trades were subject to controls and margin calls that were checked and settled by or paid to the bank.
Sometime in 2007, however, Kerviel created a fictitious portfolio to offset the losses suffered by the first portfolio. Kerviel was then able to hide a very sizeable speculative position, something outside of his normal trading activities for the bank.
To keep these fictitious operations out of sight, the bank says, "the trader used his years of experience in processing and controlling market operations to successfully circumvent all the controls" that would allow the bank to check the characteristics of the operations of its traders, and hence, their actual existence. Societe Generale alleges Kerviel hacked computers and "combined several fraudulent methods" to build up positions worth $73.53 billion - more than the bank's market worth estimated at $50 billion.
According to published reports, Kerviel worked alone, kept his activity out of sight from colleagues and supervisors, and was caught only when he slipped up by failing to deactivate part of the bank's warning system. Observers speculate that Kerviel's motivation was to be seen - and compensated -- as a top-notch trader.
Subsequently, Kerviel has been arrested, questioned and released by French police. He now faces preliminary charges of "breach of trust" and unauthorized computer activity. If tried and convicted, Kerviel faces major fines and up to seven years in prison.
Could It Happen Here?
As this case plays out in the French courts - and stock market - security leaders are left to question operational risk within their walls.
"Until the case is heard in court, we won't the details of how everything happened," says Avivah Litan, distinguished analyst at Gartner. One thing Litan asserts: Kerviel should have been caught. "There are some good technology solutions, strong employee monitoring tools to look at everything an employee does. With the right access controls and monitoring controls in place, this would not have happened."
Controls may prove to be of little use with a very determined insider, says Doug Johnson, senior policy analyst at the American Bankers Association. "Regardless of how many controls you've got in place, if you have the person there who has the knowledge or skills to defeat those controls, that's a potential risk," Johnson says.
With Kerviel's auditing and back office IT background, he was able to overcome five or six different controls. "That's pretty heavy lifting to be able to accomplish that, and he did it because he was given the opportunity," Johnson says.
To mitigate such risk, he cautions, "Don't place people with unusually high ability to defeat controls in a position to do just that."
As the bank's forensic team sifts through this case, Aite's Bailey says they'll be asking themselves "How can we avoid this in the future?" Both Bailey and Johnson foresee a possible move to limit trading floor access to persons with back-office knowledge.
The big question remains -- Can a Societe Generale-level fraud occur at a U.S. financial institution? Bailey thinks it could. "The possibilities of finding a way around systems -- if a person has enough technological understanding of the trading systems, and computer skills, it could happen."
The possibility of this case spurring new legislation here in the U.S. is unlikely, analysts say, but risk management issues do need to receive extra attention at financial institutions.
The 'Recurring Fear'
As the Societe Generale news spread late last week, banking executives everywhere couldn't help but think "What if ...?"
"I believe everyone has that recurring fear of insider threat, although we sometimes do not want to admit it," says Jason Bawcum, vice president of security at Community South, a Tennessee-based bank.
Bawcum's bank has stringent controls in place that derive "from a very comprehensive, concise risk assessment that we consider the 'backbone' of our security program."
One way to better mitigate threats from issues like the Kerviel case, Bawcum says, is to keep informed of those issues and ask yourself and others in your institution if it can happen to you.
"Staying abreast of the issues should be the starting point for mitigation, whether you read daily newsletters, watch the news, or even listen to the radio -- you can always find a way to be better informed," Bawcum says. "You cannot successfully mitigate risk if you are not even aware of the risk.
"Awareness is key."