Features : The Threat From Within


Despite the increasingly sophisticated solutions deployed to prevent it, rogue trading is still a serious problem in the banking industry.

features-f1 Every year banks spend billions deploying sophisticated filtering and electronic “perimeter fence” technologies to try to maintain their security. Yet another more insidious threat lurks within banks’ perimeter walls. While financial services providers have been busy fending off external threats, the incidence of internal fraud by employees has risen steadily.

According to the 2008 “Report to the Nation on Occupational Fraud and Abuse,” by the US-based Association of Certified Fraud Examiners (ACFE), occupational fraud losses constitute a remarkable 7% of companies’ annual turnover, which equates to approximately $994 billion. “Occupational fraud schemes frequently continue for years before they are detected,” ACFE writes in its report, adding that the typical fraud identified in its 2008 study began two years earlier.

Even more alarmingly, for all the sophisticated technologies and anti-fraud measures companies have put in place in the wake of the Enron and WorldCom corporate scandals, ACFE’s report indicates that occupational fraud is more likely to be detected by a tip-off rather than internal audits and controls. The most high-profile internal fraud cases tend to be those that result in big losses for the companies concerned, and by this measure some of the most memorable and biggest frauds have occurred in banks.

The banking world is still haunted by the collapse of the UK’s Barings Bank in 1995, which was triggered by the activities of a single trader, Nick Leeson in Singapore, whose apparently unauthorized speculative bets on the futures market cost the bank more than £800 million ($1.4 billion). Contrasting the world of trading in 1995 with today, Bruno Piers de Raveschoot, head of Actimize Europe, a provider of anti-fraud solutions, says controls back then were a lot less efficient than today, as a number of procedures were manual.

Frédéric Ponzo, managing director of capital markets technology consultant NET2S, says the major lesson learned from the Barings crisis was that banks need to have different people in charge of back-office and risk controls and trading. “Leeson was in charge of trading activities and back-office, so he was basically controlling himself,” Ponzo explains. “Front-office trading activities are more dedicated now. There is someone watching trading activity, and there is separation of duties.”

In fact, it is probably fair to say that the activities of securities traders today are more closely scrutinized than employees within other organizations. There are systems monitoring trading positions and market impact, and telephone calls are recorded. That makes the events that unfolded at French bank Société Générale (SocGen) in January this year, which cost the bank $7.1 billion, even more baffling. Jérôme Kerviel’s rogue trading activity may not have brought SocGen to its knees; however, it resulted in losses totaling 20% of the bank’s annual revenue, which forced it to recapitalize in the midst of a credit crunch.

It is easy to think of Barings and SocGen as isolated events. After all, there was a 13-year gap between the two. But since the SocGen blow-up, there have been other incidents, such as Morgan Stanley’s admission that a London-based credit derivatives trader had hidden losses of $120 million. In the wake of the US subprime mortgage crisis, two former Bear Stearns hedge fund managers were arrested on securities fraud charges, and more recently, in an indication that regulators are taking an increasingly dim view of inappropriate trading practices, the UK’s Financial Services Authority (FSA) fined the UK operations of Swiss investment bank Credit Suisse £5.6 million ($10 million) following identification of “mismarking and pricing errors” by traders on certain asset-backed securities.

According to Actimize, incidences of rogue trading are not as isolated as bank CEOs might like to think. In its recent “Rogue Trading Peer Review,” 50% of investment firms surveyed estimated that thousands to millions of dollars of rogue trading activities go unreported every year at their firms, and 24% said that they had experienced a case of trading fraud at their firms in the past year. There is likely to be another $100 million rogue trading loss in the next 12 months, 75% of respondents said.

Anatomy of a Fraud
With electronic trading and anti-fraud detection systems growing increasingly sophisticated, it is hard to imagine how an incident like SocGen’s, which entailed more than 1,000 fraudulent transactions dating back to 2004, can go undetected. Analysts say Kerviel’s in-depth knowledge of the bank’s computer systems and procedures enabled him to bypass the bank’s internal controls. Part of the problem appears to be that banks’ internal IT systems are becoming so complex that, instead of assisting in the detection of fraud, they can make it more difficult to discover. “It is not like the 1980s,” says Ponzo. “These days you need to be fairly tech-savvy to be a trader.”

Ponzo says warning systems put in place to detect suspicious activity are also generating too many alerts, which sometimes means alerts are ignored. De Raveschoot says another problem is that the compliance and operational risk aspects of a bank are often separate. “Mid-office systems check the position of a trade and that the trader is operating according to the internal regulations of the bank,” he says. “That is reasonably sufficient, but they have a lot of back-office systems checking concentration of specific instruments and compliance systems checking trade flows and that the trader is not manipulating the market. There are also IT security systems checking whether someone is coming in and working on weekends.” These systems do not necessarily talk to one another. “Typically, rogue trading involves manipulation of market trading or payment processes across multiple functions and organizational units,” explains Tony Clark, director, investment banking, at technology consultancy Detica. “The challenge for banks is to link all of those processes together and identify the behavior before it causes a loss.”

But that is difficult when fraud detection solutions are different from one business unit to the next. “Anyone who has worked in the systems landscape in investment banks will say it is a little complex in terms of the myriad of different systems and interfaces,” says Clark. “In this particular environment, trade surveillance and monitoring is difficult, but the biggest challenge is sourcing the correct data.”

Actimize found that more than 50% of financial institutions did not use the latest integrated investigative tools, which can detect sophisticated financial crimes and unknown patterns across many databases and applications. “It is about monitoring it correctly,” de Raveschoot continues. “The next big challenge the banks face is OTC [over-the-counter] transactions. That is something that is open to abuse because it is a less regulated and transparent market.”

Ponzo believes rogue trading highlights fundamental flaws that do not necessarily lie in the technology deployed but in banks’ risk management methodologies. In the case of SocGen, he says the bank was looking at its net position instead of its gross position.

At the end of the day, rogue trading perhaps says more about the human element than the efficiency of risk systems banks have in place. “In the end it is down to people,” says Ponzo. “All the systems will do is throw figures at you, saying it is legitimate or not legitimate.”

Anita Hawser