The Register® — Biting the hand that feeds IT


How to lose $7.2bn with just a few Basic skills


SocGen: it could've happened anywhere - and still might


Assuming all of this, there are several classical ways he could have hidden what he was up to armed only with VBA, Walkenbach and the right passwords. Marking trades as having been done by someone else is the most obvious, yet not entirely trivial to stop. A critical requirement of trading systems is to allow others to handle your position when you are off sick or on holiday, which creates a set of vulnerabilities. My information is that he may have exploited this, and that, to avoid being caught, he avoided being away from the office in a way quite atypical for French workers.

London firms have a rule that one is supposed to take a block of at least two weeks every year, but it's hardly enforced, and of course US workers hardly get any annual leave at all. SG is known to use SunGard risk management software; but as with all such systems, if you have the right passwords you can make it say what you want. SunGard is much like other risk systems - basically a big expensive reporting tool. It cannot stop you making trades, and although it is technically possible to hook up risk to trading systems to physically halt trading, I've never heard of this being applied across a bank because of the pain it would cause. So Kerviel's claim that other traders also broke their limits is entirely credible, since even the most careful traders accidentally do this occasionally, and of course admit to "temporarily" stepping over these boundaries.

His other claim that his bosses knew also makes some sense since they will have received limit reports, but in the blizzard of tick-box generated reports that infest banks, they may have missed it. However, it defies belief that they'd allow a position of this size by a junior trader, unless the systems were feeding them bogus numbers.

It is possible that he "upgraded" the report spreadsheets that would have caught him, since at most firms they are not secured, and can be changed by anyone in the department. Often this just results in ghastly errors, but they can be used for darker deeds. Some banks use products like Xenomorph to seal and manage spreadsheets, but most just hope for the best.

His VBA skills would have helped him a lot to keep the illusion alive. Traders hit spreadsheet problems so hard that I've helped a couple of banks build teams of thick-skinned Excel jockeys who can hack them into shape in real time under pressure - but most banks do not have these, so you have untrained people helping each other. Knowing Excel, he would have been asked to sort out his colleagues' spreadsheets, and left sitting at their PCs able to execute any number of misdeeds while his colleague went off for lunch. That covers the claims that he intercepted emails and carried out all sorts of technomancy on the risk systems without using a network sniffer or hacking the Windows kernel.

Could it happen here?

France and Britain represent the opposite poles of regulation. Under EU tutelage Paris passes market laws which are policed "politically", i.e. not on important French companies, while the British FSA applies gold-plated regulations with a staff so underpaid that they can't hire the right level of people. But the technology and business logic are identical in London, NY, and Paris - so of course it is in no way limited to the French way of banking. ®


Latest Comments

@Cusco

Agreed, there are some *really* big players in the power industry that have appalling procedures for certain aspects and houses built on sand. The previous owner was no different and that one nearly went the same way as Enron. Probably the only reason it didn't was because it was just not found out.

I work at the station level and here we run a very tight ship, but at the corporate level security is a joke, particularly within trading as they seem to think they are 'god' and tend to get away with whatever. The main training PCs have Post-it notes with passwords on them stuck to the sides of monitors. We castrate people for doing that here but down there it's the norm to share and log on as others!

Could be you are right

Certainly Excel misuse is only part of the problem. Given his skillset it would have been in the mix, but you must be right that he used other tools. Indeed I think the access to others' PCs "helping" them with Excel may have been far more of a factor.

I hear what you say about entering the offsetting positions, but why weren't any cash flows noticed? Certainly I stick to the point that either the reporting at SG is totally crap, or that he compromised it (or some combination of those two factors).

Over-emphasis on Excel/VBA

I doubt JK used VBA to hide his positions. More likely he entered false offsetting futures/forwards/swaps trades and/or made risk amendments (in my experience, risk systems allow you to manually "correct" your risk, which is intended for use where a position isn't feeding properly or a trade hasn't settled yet) to make his risk look overall flat. D1 traders' gross asset limits are often v.high (i.e. measured in the billions) - it's the delta (i.e. the sum of the net long/short positions) that's under far tighter limits - hence the name for this type of business, Delta One, which implies no risk.

To give an example, if I'm long £1bn worth of FTSE 100 stocks and short £995m worth of FTSE 100 futures, my gross asset value is £1.995bn but my net position is long £5m.

Rumour has it JK had taken large unauthorised index futures positions. To make himself look flat, risk-wise, all he had to do was make false entries in the opposite direction.

In my experience, Excel/VBA is more used for tactical risk modelling/calculation by traders/quants. The real risk management (i.e. what the controllers look at) are separate systems (either developed in-house or bought from a third-party vendor) which take dumps from the various position-keeping systems at the end of the day to compare against traders'/desks' risk limits and do the number-crunching necessary to calculate the company's overall VaR figure.

It's not at all surprising that a relatively intelligent individual who was both familiar with the risk systems and was determined to circumvent them, was able to do so.

-- The Accidental Trader
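
The reconciliation that this comment's description points to, as an added example (not code from the article, its author or any bank's system): rebuild each trader's net delta from counterparty-confirmed, system-fed trades only and compare it with the reported figure. The `Trade` fields, the desk names, the 50m delta limit and the sample book are constructed assumptions; the desk_a figures reuse the £1bn/£995m illustration above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    trader: str
    instrument: str
    notional_m: float  # signed, GBP millions: positive = long, negative = short
    confirmed: bool    # matched to a counterparty or exchange confirmation
    manual: bool       # hand-keyed entry or manual risk amendment


def exposure(trades):
    """Return (gross, net) exposure for a list of trades."""
    gross = sum(abs(t.notional_m) for t in trades)
    net = sum(t.notional_m for t in trades)
    return gross, net


def review_book(trades, delta_limit_m):
    """Per trader, compare the reported delta with the delta that survives
    once unconfirmed or manually entered trades are excluded."""
    findings = {}
    for trader in sorted({t.trader for t in trades}):
        book = [t for t in trades if t.trader == trader]
        verified = [t for t in book if t.confirmed and not t.manual]
        gross, reported_net = exposure(book)
        verified_gross, verified_net = exposure(verified)
        findings[trader] = {
            "gross_m": gross,
            "reported_net_m": reported_net,
            "verified_net_m": verified_net,
            "unverified_gross_m": gross - verified_gross,
            # Looks flat on the report, but only because of entries nobody confirmed.
            "flag": abs(reported_net) <= delta_limit_m < abs(verified_net),
        }
    return findings


# Constructed sample book (not real trade data).
SAMPLE = [
    Trade("desk_a", "FTSE 100 stocks", 1000.0, True, False),
    Trade("desk_a", "FTSE 100 futures", -995.0, True, False),
    Trade("desk_b", "index futures", 1000.0, True, False),
    Trade("desk_b", "offsetting forward", -995.0, False, True),
]

if __name__ == "__main__":
    for name, result in review_book(SAMPLE, delta_limit_m=50.0).items():
        print(name, result)
```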


Great Article (and comments too)

Enjoyed this article, and it's good to see the author responding in comments too. I've been in banking quite a while and I agree, this could happen pretty much anywhere. What is surprising is that SocGen did not act on warnings from Eurex in Oct/Nov. Seems as though their award from Risk magazine went to their heads!

And I'd agree with The Pimp in stating that Investment Banking is full of very clever, very talented and very hard working people. It's just that some people use those talents in rather odd ways. And that the business demands simply don't tally with development reality.


Gweihir, a question...

Gweihir, could you tell me how you teach your students to deal with senior staff telling them to break elementary security?

I assume you teach social engineering, but what about advocacy skills?
