Investment banks have been advised to strengthen
controls over staff use of automated trading systems following
the massive fraud at French bank Société Générale
(SocGen).
Banks should involve senior business managers in all changes to
trading control systems and enforce password management to limit
staff access to technology, experts said.
The warning came after
SocGen revealed losses of £3.6bn as a result of a rogue trader,
Jérôme Kerviel, allegedly using his knowledge of back-office systems
and their built-in checks and balances to evade detection of unauthorised
trading activities.
There are parallels between Kerviel and Nick Leeson, who in 1995
lost Barings Bank more than £800m through unauthorised trading.
Like Kerviel, Leeson had back-office expertise and used his
knowledge to avoid checks and balances.
The Kerviel case highlights the failure of SocGen's anti-fraud
systems and procedures, which put billions of pounds and the bank's
reputation at risk.
Investment banks typically use exception profiling software to
identify anomalies in trading behaviour. But it is common for the
limits in those systems to be adjusted manually at traders' request,
said TowerGroup analyst Ralph Silva.
"The traders sometimes ask IT to change the boundaries of
systems, and IT usually do it because they think traders are
important," he said. "There needs to be a separation between IT and
the traders; they should not even be friends."
John Bertrand, director at internet bank Admertec, said every
change made to its trading systems had to be cross-checked by
people in the business. "You need somebody to check who has no
interest."
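The two controls discussed above, exception profiling of trades and an independent business check on every change to the control limits, can be sketched as follows. This is an added example, not code from the article or from any bank named in it; the trade and limit-change records, field names, desk limits and approver roles are all constructed for illustration.

```python
"""Added example (not from the article): exception profiling over trade
records plus a four-eyes check on changes to the control limits themselves.
All records below are constructed; field names, limits and approver roles
are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Trade:
    trade_id: str
    trader: str          # trader of record
    desk: str
    notional: float      # absolute exposure, EUR
    entered_by: str      # login used to key the trade into the system
    cancelled: bool = False


@dataclass(frozen=True)
class LimitChange:
    change_id: str
    desk: str
    old_limit: float
    new_limit: float
    requested_by: str              # usually a trader
    applied_by: str                # IT operator who made the change
    approved_by: Optional[str]     # business approver, None if nobody signed off
    approver_role: Optional[str]


# Constructed per-desk exposure limits
DESK_LIMITS = {"equity-index": 50_000_000.0, "rates": 20_000_000.0}

# Roles counted as an independent business check (assumed, not from the article)
BUSINESS_CONTROL_ROLES = ("desk head", "risk control", "middle office")


def profile_trades(trades, limits=DESK_LIMITS):
    """Flag trades over the desk limit, trades keyed in under a login other
    than the trader of record, and cancellations (a cancel-and-rebook cycle
    is a common way to keep exposure out of end-of-day reports)."""
    findings = []
    for t in trades:
        limit = limits.get(t.desk)
        if limit is None:
            findings.append((t.trade_id, "unknown desk, no limit configured"))
            continue
        if t.notional > limit:
            findings.append((t.trade_id, f"notional {t.notional:,.0f} exceeds desk limit {limit:,.0f}"))
        if t.entered_by != t.trader:
            findings.append((t.trade_id, f"entered under login {t.entered_by!r}, trader of record {t.trader!r}"))
        if t.cancelled:
            findings.append((t.trade_id, "cancelled after entry"))
    return findings


def audit_limit_changes(changes, roles=BUSINESS_CONTROL_ROLES):
    """Four-eyes rule: every change to a control limit needs an approver in a
    business control role who is neither the requester nor the operator who
    applied it. Large jumps are flagged even when approved."""
    violations = []
    for c in changes:
        if c.approved_by is None:
            violations.append((c.change_id, "no business approval recorded"))
        elif c.approved_by in (c.requested_by, c.applied_by):
            violations.append((c.change_id, f"approver {c.approved_by!r} is not independent"))
        elif c.approver_role not in roles:
            violations.append((c.change_id, f"approver role {c.approver_role!r} is not a business control role"))
        if c.new_limit > 2 * c.old_limit:
            violations.append((c.change_id, f"limit raised from {c.old_limit:,.0f} to {c.new_limit:,.0f}"))
    return violations


# Constructed sample data
SAMPLE_TRADES = [
    Trade("T1", "trader_a", "equity-index", 45_000_000, "trader_a"),
    Trade("T2", "trader_a", "equity-index", 120_000_000, "ops_user7"),
    Trade("T3", "trader_a", "equity-index", 30_000_000, "trader_a", cancelled=True),
    Trade("T4", "trader_b", "fx", 5_000_000, "trader_b"),
]
SAMPLE_CHANGES = [
    LimitChange("C1", "equity-index", 50e6, 55e6, "trader_a", "it_ops", "desk_head_1", "desk head"),
    LimitChange("C2", "equity-index", 55e6, 200e6, "trader_a", "it_ops", None, None),
    LimitChange("C3", "rates", 20e6, 25e6, "trader_c", "it_ops", "it_ops", "it"),
]

if __name__ == "__main__":
    for item in profile_trades(SAMPLE_TRADES) + audit_limit_changes(SAMPLE_CHANGES):
        print(*item, sep=": ")
```

The point of the second function is that the limit table is itself a control: if the trader who asked for a change, or the IT operator who applied it, is the only name on the approval, the profiling in the first function is only as strong as that one person's honesty.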
SocGen alleges that Kerviel used the passwords of other
individuals to commit the fraud. "He misappropriated IT access
codes belonging to operators to cancel certain operations," claimed
the bank.
But Calum Macleod, European director at security supplier
Cyber-ark, said the bank's failure to put in place an effective
policy for password management had left it open to fraud. He added
that financial organisations often had trouble managing passwords
because they had so many applications and authorised staff.
"The rogue trader would not have to be an IT expert to get the
passwords because they are not regularly changed, and often use the
defaults set by the suppliers," he said.
One investment banking source said it was not uncommon to find
passwords stuck to the wall next to machines for general use.
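The password weaknesses described above, vendor defaults left in place, passwords never rotated and one access code known to several people, are the kind of thing a periodic inventory audit catches. The following is an added example, not code from the article or from any supplier named in it; the inventory format, the default-password list, the 90-day threshold and the audit date are assumptions constructed for illustration.

```python
"""Added example (not from the article): audit of a constructed credential
inventory for the weaknesses the paragraph above describes: vendor default
passwords, passwords never rotated, and one credential known to several
people. The inventory format, the default-password list, the 90-day
rotation threshold and the audit date are assumptions for illustration."""
import csv
import io
from datetime import date

# Assumed list of vendor defaults; a real audit would use supplier documentation
KNOWN_DEFAULTS = {"admin", "password", "changeme", "Welcome1", "trader"}
MAX_AGE_DAYS = 90
AUDIT_DATE = date(2008, 1, 24)   # constructed audit date

# Constructed inventory, one row per application account
INVENTORY_CSV = """application,account,password,last_changed,known_to
back-office-ops,ops_user7,Welcome1,2006-11-02,ops_user7;trader_a;trader_c
back-office-ops,ops_user8,Xq!9vR2p,2008-01-10,ops_user8
settlement,svc_settle,changeme,2005-06-30,svc_settle;it_ops;trader_a
risk-engine,risk_admin,Tr4d3-L!mitz,2007-12-20,risk_admin
"""


def audit_inventory(csv_text, as_of, known_defaults=KNOWN_DEFAULTS, max_age_days=MAX_AGE_DAYS):
    """Return (account, problem) pairs for every control failure found."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct = f"{row['application']}/{row['account']}"
        if row["password"] in known_defaults:
            findings.append((acct, "vendor default password in use"))
        age_days = (as_of - date.fromisoformat(row["last_changed"])).days
        if age_days > max_age_days:
            findings.append((acct, f"password unchanged for {age_days} days"))
        # Anyone other than the account owner who knows the password can act in its name
        others = [p for p in row["known_to"].split(";") if p and p != row["account"]]
        if others:
            findings.append((acct, "credential shared with " + ", ".join(others)))
    return findings


if __name__ == "__main__":
    for acct, problem in audit_inventory(INVENTORY_CSV, AUDIT_DATE):
        print(f"{acct}: {problem}")
```

The third check is the one that matters most for the case described here: a back-office account whose password is known to traders lets a trader act under an operator's identity, and no amount of rotation helps if the new password is simply passed on again.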
Silva said firms should use biometrics, such as fingerprints,
instead of passwords.
David Clark, director of the Institute of Operational Risk, said
financial services firms would have to look at different ways of
using IT. "There is not a magic piece of kit out there, it is about
how you use technology," he said.
Clark said linking middle office and senior management was
essential so that IT could manage access in line with business
requirements and compliance.