The Lesson of Société Générale
The investigation into how Jerome Kerviel, the rogue trader at Société Générale (SOGN.PA), managed to lose $7.2 billion before being caught is beginning to reveal how he sidestepped the bank's many layers of fraud detection—and how cutting-edge technologies might have plugged some of the holes the Frenchman exploited.
Société Générale's rude awakening, combined with the U.S. mortgage meltdown and a global credit crunch, underscores just how vulnerable companies can be to market misjudgments and inadequate internal oversight. It's little surprise, then, that the financial industry's misery is becoming a boon for providers of risk and fraud detection technology. "Risk management software is a very hot area right now, it's one of the strongest growth areas in 2008," says Julio Gomez, analyst at researcher Financial Insights.
E-mails Trick Detectors
Kerviel apparently used his experience working in Société Générale's compliance department to exploit both human and technological weaknesses. A key element of his alleged scheme was creating fake futures trades to offset the investments he was making in European index funds. To deflect a supervisor's questions about whether he might be hedging his own trades, Kerviel reportedly says he crafted fake e-mails detailing order requests from supposed clients. While Société Générale is said to be using state-of-the-art risk management software, it doesn't appear to have the most advanced detection technologies, say some consultants.
Still, even the latest technologies are designed largely with past breaches in mind, and will always be vulnerable to new schemes concocted by knowledgeable insiders like Kerviel. Indeed, better technology wouldn't have been of much use if, as Kerviel reportedly claims, his Société Générale managers were simply turning a blind eye because he was making more money for the company.
The standard risk management technology used by most banks will monitor trader e-mail, searching for keywords that might point to criminal activities. Less commonly, some banks also use software to alert them to changes an employee might make to an e-mail being forwarded. That might have prevented a trader from altering the content or address on an e-mail to make it look like an order, says Avivah Litan, an analyst at Gartner (IT). To uncover that kind of deception, banks need sophisticated technology from companies such as Actimize, Norkom (NORK.I), and Memento, Litan says. Their wares could have tracked the keystrokes on Kerviel's computer, checked the memory of specific programs to reveal unsent e-mails, and detected efforts to delete fake investment positions.
Getting More Sophisticated
Other advanced software can profile the different actions a trader takes over time, rather than simply flagging breaches of certain restrictions such as a $1 million trade limit or moving money to countries such as Iran. This technology creates profiles of traders' habits, including the types of trades a trader typically makes and what time they typically log in and from which workstations. Such a system might have helped establish when and how often Kerviel might have been logging in with co-workers' accounts. Actimize says about half its clients use its technology to check when traders overstep trading parameters, but that less than 8% use its analytical profiling tools.
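To make the profiling idea concrete, here is a small added example (not code from any vendor named in this article) that learns each account's usual workstations and login hours and then flags logins that break the pattern, including an account appearing on a colleague's workstation. The account names, workstation IDs, timestamps and the one-hour slack are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (timestamp, account, workstation). Not real logs.
BASELINE = [
    ("2008-01-07T08:55", "trader_a", "WS-101"), ("2008-01-07T09:10", "trader_b", "WS-102"),
    ("2008-01-08T09:02", "trader_a", "WS-101"), ("2008-01-08T09:05", "trader_b", "WS-102"),
    ("2008-01-09T08:47", "trader_a", "WS-101"), ("2008-01-09T09:20", "trader_b", "WS-102"),
]
NEW_EVENTS = [
    ("2008-01-10T08:58", "trader_a", "WS-101"),  # matches trader_a's profile
    ("2008-01-10T21:40", "trader_b", "WS-101"),  # trader_a's workstation, late evening
    ("2008-01-11T09:12", "trader_b", "WS-102"),  # matches trader_b's profile
]

def build_profiles(events, slack_hours=1):
    """Learn each account's usual workstations and login-hour window."""
    seen = defaultdict(lambda: {"workstations": set(), "hours": []})
    for ts, account, ws in events:
        seen[account]["workstations"].add(ws)
        seen[account]["hours"].append(datetime.fromisoformat(ts).hour)
    return {a: {"workstations": p["workstations"],
                "earliest": min(p["hours"]) - slack_hours,
                "latest": max(p["hours"]) + slack_hours}
            for a, p in seen.items()}

def score_event(event, profiles):
    """Return the reasons an event deviates from the account's profile."""
    ts, account, ws = event
    profile = profiles.get(account)
    if profile is None:
        return ["no baseline for account"]
    reasons = []
    if ws not in profile["workstations"]:
        reasons.append("unfamiliar workstation")
        # A workstation that belongs to someone else's profile is the stronger signal.
        owners = sorted(a for a, p in profiles.items()
                        if a != account and ws in p["workstations"])
        if owners:
            reasons.append("workstation normally used by " + ",".join(owners))
    hour = datetime.fromisoformat(ts).hour
    if not profile["earliest"] <= hour <= profile["latest"]:
        reasons.append("login outside usual hours")
    return reasons

def flag(events, profiles):
    """Map each deviating event to its reasons; conforming events are omitted."""
    return {e: r for e in events if (r := score_event(e, profiles))}
```

A static rule such as a trade-size limit would pass all three new logins; only the profile shows that the second one is out of character for that account.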
Then again, even less sophisticated measures might have prevented Kerviel's alleged fraud. Société Générale might have simply programmed its computer trading systems to set restrictions on the types, size, and volume of trades that specific employees are supposed to be engaging in, says Rob Hegarty, managing director of the Securities & Investments practice at TowerGroup. "Creating fictitious trades is pretty common," says Hegarty. "There's no technology that can prevent people from stuffing the drawer." But technology can impose simple controls, he says.
While basic risk management technology is already a staple at many financial institutions, the market's financial crises are prompting firms to consider how they can use more sophisticated analytical tools. The idea is to continually comb a company's data, breaking down silos between departments to assess risk across an entire organization more effectively. "Most of the big systemic events that roil the market and that were considered extraordinary are becoming more common," says Sean Culbert, who leads IBM's (IBM) risk and compliance practice. "If your system doesn't allow you to model these events, you have a problem."
Still, technology on its own isn't a cure-all. Late on Jan. 29, the French publications Le Monde and MediaPart released portions of a transcript from an interview that police conducted with Kerviel. The 31-year-old reportedly admits that he falsified documents and hacked into the bank's computer system to quiet suspicions by internal control units, external counterparties, and authorities about his fake trades. But he contends the bank's managers must have known what he was doing, because the volume of his trades and his profits were higher than a trader in his department typically made. "As long as we were making money and it wasn't too obvious and was working, no one said anything," Kerviel told the police.
If he's telling the truth, then even the best security software might have failed. Similarly, good technology can be no match for human shortcomings: Kerviel's actions did raise some red flags, but bank officials apparently put more faith in their employee than in the warnings.
It's also worth noting that, just as antivirus software is better at defending against known threats than new hack attacks, today's risk management software may not be prepared to detect new modes of fraud or the next big market frenzy after the subprime mortgage fiasco. And as history shows, there will always be more.