Monday, January 28, 2008

SocGen's Problem is Theirs Alone

As news trickles out about the details behind SocGen's $7B loss due to trading fraud (with recent articles here from: NY Times, Reuters, and Bloomberg), it seems to me that these are SocGen's problems and no one elses. Whatever the actions of the trader involved, SocGen has no one but itself to blame.

There appear to be three overall issues:
1) failure of management supervision
2) failure of control processes (including IT security training)
3) failure of control design

Below are several reported statements from SocGen and other reporting, and my comments:

NYT: Mr. Kerviel combined several different “fraudulent methods” to hide his activity — including using computer access codes of other employees and falsifying documents
My Comment: SocGen seems to have had a problem training staff on the prohibition of sharing user IDs and on holding all staff accountable. Anyone whose ID was used by Mr. Kerviel should also be considered culpable. It is everyone's responsibility to safeguard their own IDs. I am speculating that there were probably several other access control breaches that allowed Mr. Kerviel to hide transactions that traders should normally not be allowed to do.

NYT: controls identified from time to time problems with this trader’s portfolio,” Mr. Mustier said, although he declined to say when the first questions were raised by risk managers, saying that the bank’s auditors were still investigating.
Each time one of Mr. Kerviel’s trades was questioned, he would describe it as a “mistake” and cancel the trade, Mr. Mustier said. “But in fact, he then replaced that trade with another transaction using a different instrument” to avoid detection, he said.
Mr. Mustier also said that Mr. Kerviel’s fake trades did not fall into an identifiable pattern.

My Comment: There is a significant issue with failure to follow-up the concerns, particularly if they happened frequently. At a minimum. Mr. Kerviel's direct supervisors should have been informed that they had a trader who was making a lot of mistakes. Arbitrage traders deal in huge positions that net out to small exposures. If their are mistakes being made, then there is a risk that a position is "naked", i.e. not offset by a hedging position.
Furthermore, all good fraudsters vary their patterns. This is exactly why Anti-Money Laundering detection software specifically scans for the non-obvious so that further checks can be done.

Bloomberg: One of the first lessons to put in place is that we will do systematic controls on the nominal value, even if it doesn't show up as market risk,'' Jean-Pierre Mustier, chief executive officer of the Paris-based bank's corporate and investment bank, told reporters on a conference call yesterday.
My Comment: It is quite standard these days to do exactly that. It isn't clear why SocGen wasn't already looking at the maxium exposure and nominal value, in addition to the market risk and other standard value-at-risk measures.

Reuters: "Every two or three days, he was changing his position. He would input a transaction that would trigger a control in three days and before that happened he would replace it with a different one," Mustier was quoted as saying.
My Comment: This is a problem with control design. Why is the control trigger set at 3 days? There may be good reasons, but even then there should be reandom spot checks. At a minimum, this control needs to be changed going forward, because the whole world knows about it!

Bloomberg: He took only four days off last August and postponed a vacation at the end of the year, Societe Generale said. Banks often make trading staff take time off so any concealed positions will become evident in their absence.
My Comment: Absolutely. This is the one of the oldest controls in banking, i.e. mandatory block vacation at least once a year. The trend today is to also block system access from home, or at least track it. Trading, Settlement and Funds Transfer systems should generally not be accessible from home anyway.

Bloomberg: Kerviel was caught when he exceeded the recently changed counterparty risk limits on a trade, and the counterparty's e- mail confirming the transaction ``appeared suspect.''
My Comment: Interesting that he was finally caught when an internal control change that Mr. Kerviel was not familiar with. This was pretty much luck.

Still the key unanswered questions is how were the trades funded. Even if the trader was able to create fictitious trades to fool internal systems, this could not have fooled the external market and thus the reports back to SocGen from the various exchanges where these instruments were traded should have shown something unusual fairly early on. Even if the trading was done through an external shell company, that too would have had to meet margin call requirements, particularly for any large losing position.


But here's the really scary comments by French President Sarkozy as reported by Reuters:
SARKOZY DEMANDS REFORM
French President Nicolas Sarkozy demanded changes to the running of international financial markets in the wake of the fraud scandal at Societe Generale, saying it was time to restore a sense of proportion.
"We have to put a stop to this financial system which is out of its mind and which has lost sight of its purpose," Sarkozy said on Saturday while on a visit to India.
"If one can make profits in a few hours, one can also make gigantic losses in a few hours as well. And it is time to realize that (we need) to insert a bit of wisdom into all these systems."


Certainly French pride has been wounded by SocGen's failure, and their are no doubt red faces at SocGen's regulators and external auditors. But the failure is SocGen's and theirs alone. The only people hurt by this are SocGen managers, investors, and to some degree employees. It was their responsibility to put in place the controls, and more importantly a culture to prevent such events, or at a minimum mitigate such fraid exposure when it is discovered. No one outside was significantly impacted, at least in direct financial terms. Even SocGen itself appears to have mitigated the impact such that it survives as an institution with

Sarkozy, with whom I normally agree, is dead wrong. It is not for him to define the correct time frame for making or losing money in a well regulated market of willing and able participants (aside from the point that this fraud occured over months not hours). There could perhaps have been better escalation of the reporting of the incident within the French Government and to other central banks. But the speed with which SocGen acted after finally uncovering the problem is admirable, and anonymity in the markets may actually have helped prevent panic, allowing an orderly unwinding of the excessive positions.

It is perhaps inevitable that governments and regulators will review whether more controls are needed. The knee-jerk, Sarbanes-Oxley-style reaction is entirely predictable. Smart CEO's should anyway do their own internal reviews, and publicly state that they are doing so to ensure investor and public confidence. Josef Ackermann at Deutsche Bank is already on record with such a move. Good for him.

[Update 1/29/2008 2:00pm JST] Today on Reuters is further news that Eurex had indeed reported unusual trades to SocGen last year. This reinforces my point that trades may have been hidden internally, but could not have been hidden externally. SocGen failed to act sufficiently on the information that Eurex provided. SocGen's CEO has already offered to resign, which was rejected by the board, but that remains on the table. Despite SocGen's failures, the CEO has acted responsibly. He may still have to go, but he does appear to be the right person to see this crisis through at least for the next few weeks. It will take a new CEO, probably from outside, to restore confidence.