There has been a lot of ink printed about Jérôme Kerviel, the trader at Société Générale who cost the Bank US$7.2 billion. This is a classic case of failure of controls, which shows that there was a culture of lax oversight and enforcement.
Two recent articles caught my eye -- from the Wall Street Journal, and The Register. The former is a cogent analysis of what went wrong with the controls, and how the bank was forced to unwind the position, possibly contributing to the recent global hiccough on the world markets.
Especially noteworthy is the old chestnut of an employee who fails to take holidays -- the classic danger sign which every auditor is trained to look for. How could SG's internal revision department not see this as a red flag? It's a clear indicator that an employee doesn't want their position to be too closely inspected -- especially in one where such huge risks are being taken. Ostensibly, however, Kerviel's position was one of arbitrage, which should eliminate risk -- however, for reasons which have yet to be revealed, his counter trades were not covered, or were fictitious.
It was also interesting that the Deutsche Börse's Surveillance unit was the first to alert SG to the volume of trades -- but Kerviel himself blocked this, and it wasn't until a month later that in order to cover a masive profit! (which turned into a loss in a matter of days), a brokerage house was involved in the cover-up, which triggered a credit check, which forced his back office to investigate further, and led to his recall from holiday and eventual dismissal (which even now, isn't yet formalized due to French corporate culture.)
The Register's take is even more interesting, suggesting a number of ways that the trades could be masked. Once again, the classic techniques of "borrowing" passwords from colleagues, and the triviality of fudging the figures in Excel sheets used for reporting, highlight just how vulnerable most major Banks might be in this area. I especially recommend reading the comments from industry insiders, that suggest such abuse of systems and lack of formal oversight is endemic.
The Risks are clear -- any employee who is granted privileged access needs an appropriate level of oversight and relevant controls, however tedious, which are required to prevent similar events from unfolding in even the most reputable of institutions. And despite the progress of industry regulation and self-policing in the past dozen years since the collapse of Barings' Bank, not enough is being done.
The remedies are not very difficult -- clear segregation of duties, independent risk management, enforcement of policies, and regular rigorous audit -- but they are not being adequately applied, and until European Bank Managers experience personal liability (as their cousins in the USA are starting to feel with Sarbanes Oxley), we will continue to see collapses, possibly even larger than the latest fiasco.
