Insider Trading: Kerviel Sentencing Reveals Gaps
Insider Trading Controls, Corporate Ethics Should Be No. 1I went to see "Wall Street: Money Never Sleeps" over the weekend. It's Oliver Stone's sequel to his 1980s production, "Wall Street," a tale of broker corruption, insider trading and straw buyers.
"Greed, for lack of a better word," so says antagonist and lead character Gordon Gekko, "is good."
In the real world, that infamous quote does not have such an appealing ring. It's greed that pushed the world into an economic recession and subsequently led to the federal government's bank and automotive bailouts. Those who let greed get the better of them are now being accounted for. Take this week's sentencing of 33-year old Jerome Kerviel as an example. He's the rogue French trader who cost his former employer and France's second-largest bank, Societe Generale, $6.8 billion in fraudulent transactions. A Paris court gave Kerviel three years for his crime -- a slap on the wrist, relative to the price other inside-traders have paid for similar offenses.
Remember Bernie Madoff? Kerviel's scam, as far as financial losses and the amount of money involved, trails only Madoff's. Madoff got 150 years for his $50 billion deception.
Kerviel's trading losses were made public in January 2008. Since then, he's remained free. In fact, while his appeal -- claiming Kerviel should be given some slack, since his superiors at the bank knew what he was doing -- is pending, he will remain free. He also gets to keep his job as a computer consultant, a role he took on after being fired in 2008 from Societe Generale.
Eric Fiterman, a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services, says the case is an interesting one. "It's impressive how much one person can affect an institution," Fiterman says. "One individual was able to inflict massive losses on the financial institution he worked for, and that is unique."
The case highlights inconsistency in the punishment rogue traders face when they are caught. "The punishment does not fit the crime at all," Fiterman says. "He only got three years -- that surprised me about the French legal system." But it also highlights the need for institutions to have stronger internal controls -- controls to monitor and catch suspicious activity and behavior before it hits $7 billion in losses.
Fiterman suggests four approaches to curbing insider threats:
- Properly mine data in a timely manner;
- Insider threat detection must be tailored, not one-size-fits all. It requires knowledge of internal processes and a well-planned strategy for detecting anomalies;
- Whistleblowers: Encourage employees to report suspicious behavior;
- Use internal signatures, configuration and thresholds. Kerviel was able to manipulate internal workings because he knew the incident-response protocol.
So how could Kerviel get away with such a massive scheme, or did he merely have the misfortune of getting caught? "It only became a problem when the money was gone," Fiterman says. "For all we know, they did have controls in place and knew what he was doing."
Organizations and investment firms that have reclassified themselves from investment banks to more traditional banks, since the bailout, have not realigned their codes of conduct. "With investment companies, they kind of play a little lose with the rules," Fiterman says. "If you looked at Goldman Sachs, they have a code of conduct, and in that document, the terms can be waived on a case-by-case basis. I think that kind of a concept or culture is very different from what you see in traditional banks, or even government agencies."
Here's a suggestion: Let's tap SIGTARP for some help. Maybe more government oversight is needed here, to ensure investment banks aren't fudging on their ethics. SIGTARP, the Office of the Special Inspector General for the Troubled Asset Relief Program, a.k.a., TARP, is charged with overseeing how bailout funds are dispersed. "Right there, that gives them more than ample authority to look at practices and controls," Fiterman says.
But will SIGTARP take advantage of that authority? Does it even want to? Well, that's another blog entirely.