In-Depth

Rogue Trader Highlights Need to Mind Your Controls

In an age of Sarbanes-Oxley and similar regulatory measures, how could a single rogue trader have racked up more than $7 billion in losses?

• By Stephen Swoyer
• 02/05/2008

In an age of Sarbanes-Oxley and other similar regulatory measures, how could a single rogue trader have racked up more than $7 billion in losses?

That's an especially pressing and troubling question from an information technology perspective. After all, aren't both technological and process safeguards in place to prevent such an event?

Yes and no, according to experts. For one thing, it looks as if the alleged perpetrator of the fraud, Jérôme Kerviel, a junior trader with French investment banking firm Société Générale, used his knowledge of the system (and his background in risk management) to avoid detection.

Furthermore, and contrary to many media reports, Kerviel doesn't sound like an especially gifted IT hacker. His "hacking" consisted primarily of manufacturing phony e-mail messages and using the passwords of coworkers -- which he obtained without subterfuge -- to gin up more trades.

Finally, there's speculation that Kerviel's activities weren't exactly a secret to Société Générale. If that's the case, all the controls in the world couldn't have kept him from doing what he did -- and that's the salient point. A rogue insider with knowledge of an organization's existing controls can be a determined -- and decidedly undetectable -- foe.

Kerviel is alleged to have incurred $7.2 billion in trading losses for Société Générale, one of the most respected banks in France.

He did so by ginning up phony trades, which -- through most of 2007 -- were actually profitable. (According to his attorneys, Kerviel managed to generate $2 billion in profit for Société Générale by the end of last year.)

Kerviel was an arbitrageur: he bought and sold offsetting portfolios of stock index futures; the difference (if any) in price between the two is recorded as profit or loss. That's how Kerviel operated, according to reports: whenever he initiated a "real" trade, he also created a phony hedge trade. (Ideally, Kerviel's "hedge" trades would have offset the risk of his portfolio investments.) If his fake trades were questioned, news reports say, Kerviel would say they were mistakes and cancel them.

Circumventing the Controls

According to bank officials, Kerviel had to circumvent a number of technological and process safeguards to rack up his profits and losses.

Officials say he used the passwords of other traders, for example, to avoid detection and to ring up enormous trading volumes. "Our controls identified from time to time problems with this trader's portfolio," Jean-Pierre Mustier, chief executive of Société Générale's investment banking division, told the New York Times last week.

In most cases, Kerviel simply schemed within the context of the bank's existing controls. He consistently closed his trades in just two or three days, for example, which enabled him to avoid detection by his employer's automated controls, which would have alerted regulators had the trades remained open longer. For his second (phony) portfolio, Kerviel opted for unregulated over-the-counter derivatives that don't require a down payment, enabling him to fly under the radar of Société Générale's controls.

Elsewhere, according to the Times, Kerviel manufactured fake e-mails to convince bank authorities that the trades were legitimate.

There's ample speculation that Kerviel didn't act alone or wasn't quite as "rogue" as Société Générale would have him be. The New York Times, for example, cited skepticism from "French financial experts" that "one unremarkable low-level trader" could have pulled off such a coup, which experts say is the most expensive fraud ever perpetrated by a rogue trader. What's more, according to a story that appeared in the prominent French daily Le Monde, Kerviel claimed that exploits such as his were widespread among traders.

Blogger and armchair economist Kevin Drum, who writes the Washington Monthly's "Political Animal" blog, was one of several skeptics who suggested that Kerviel got busted because he got caught. If Kerviel's trades had continued to make money for Société Générale -- as they did through much of 2007 -- that bank might never have "discovered" his activities.

"[W]hat if Kerviel's friskiness had been discovered at the end of December, when he was 'massively in the money,' instead of two weeks later? Would we ever have found out about this?" Drum asked. "Or would Société Générale have announced massive fourth quarter trading profits and invented some smooth story about how they had cleverly outsmarted the market?

The Lesson: Mind Your Controls!

Ironically, just a couple of weeks before Kerviel's deeds came to light, the SANS Institute warned of the threat posed by rogue insiders, citing their ability to both bypass internal controls and gain physical access to vulnerable resources.

"Insider-related risk has long been exacerbated by the fact that insiders usually have been granted some degree of physical and logical access to systems, databases, and networks that they attack, giving them a significant head start in attacks that they launch," says a research note from SANS.

"More recently, however, security perimeters have broken down, something that allows insiders to attack both from the inside and from outside an organization's network boundaries. Insider-related risk … has thus skyrocketed. Organizations need to put into place substantial defenses against this kind of risk, one of the most basic of which is limiting access according to what users need to do their jobs."