Investment banks have been advised to strengthen controls over staff use of automated trading systems following the massive fraud at French bank Société Générale.
Firms in the sector should involve senior business managers with all changes to trading control systems, and implement and enforce password management to manage staff access to technology, industry experts said.
The warning came after SocGen revealed losses of £3.6bn as a result of a rogue trader operating outside his authorisation.
SocGen trader Jerome Kerviel allegedly used his knowledge of his employer's back-office systems and built-in checks and balances to evade detection of his trading activities, accumulating massive losses in the process.
The case has parallels with notorious rogue trader Nick Leeson, who in 1995 lost Barings Bank over £800m through unauthorised trading. Like Kerviel, Leeson had back-office expertise and used his knowledge to avoid checks and balances.
The Kerviel case highlights the failure of SocGen's anti-fraud systems and procedures, putting at risk billions of pounds and the bank's reputation.
Investment banks typically use exception profiling software to identify anomalies in trading behaviour. But TowerGroup analyst Ralph Silva said it was common for traders to adjust systems manually to allow trades that would normally be blocked.
"The traders sometimes ask IT to change the boundaries of the systems and IT usually do it because they think traders are important," added Silva. "There needs to be a separation between IT and the traders and they should not even be friends."
Senior managers from the business should have to approve any changes to the systems, he said.
This is the practice at internet bank Admertec. John Bertrand, director, said every change made to trading systems was cross-checked by people in the business. "You need somebody to check who has no interest."
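As an added illustration of the two controls described above (exception profiling that blocks out-of-limit trades, and a rule that limit changes need sign-off from someone in the business with no interest in the outcome), the following toy model is example code written for this page. It is not from the article, TowerGroup, Admertec or any bank's system; every name, limit and trade in it is constructed sample data.

```python
"""Added example (not from the article or any bank's system): a toy
trading-control model in which a trader's position limit can only be
altered with approval from a business manager who is neither the affected
trader nor the person who raised the request, and trades outside the limit
are blocked. All names, limits and trades are constructed sample data."""

from dataclasses import dataclass, field


@dataclass
class LimitChange:
    trader: str        # trader whose limit is being changed
    new_limit: float   # proposed position limit
    requested_by: str  # who raised the request (an IT operator or the trader)
    approved_by: str   # business-side approver named on the request


@dataclass
class ControlSystem:
    limits: dict                 # trader -> maximum permitted notional
    business_managers: set       # identities allowed to approve limit changes
    audit: list = field(default_factory=list)

    def change_limit(self, change: LimitChange) -> bool:
        """Apply a limit change only if segregation of duties holds."""
        approver_ok = change.approved_by in self.business_managers
        independent = change.approved_by not in (change.trader, change.requested_by)
        if not (approver_ok and independent):
            self.audit.append(("REJECTED", change))
            return False
        self.limits[change.trader] = change.new_limit
        self.audit.append(("APPLIED", change))
        return True

    def check_trade(self, trader: str, notional: float) -> str:
        """Exception check: block any trade outside the trader's limit."""
        if abs(notional) > self.limits.get(trader, 0.0):
            self.audit.append(("BLOCKED", trader, notional))
            return "BLOCKED"
        return "OK"


def run_sample() -> dict:
    """Walk through constructed scenarios and return the outcomes."""
    cs = ControlSystem(limits={"trader1": 1_000_000.0},
                       business_managers={"bm_alice"})
    out = {}
    out["over_limit"] = cs.check_trade("trader1", 2_500_000.0)
    # IT widens the boundary on the trader's say-so, with no business sign-off
    out["it_only"] = cs.change_limit(
        LimitChange("trader1", 5_000_000.0, "it_ops", "it_ops"))
    # The trader names themselves as approver
    out["self_approved"] = cs.change_limit(
        LimitChange("trader1", 5_000_000.0, "trader1", "trader1"))
    # Independent business manager approves the same change
    out["approved"] = cs.change_limit(
        LimitChange("trader1", 5_000_000.0, "it_ops", "bm_alice"))
    out["after_change"] = cs.check_trade("trader1", 2_500_000.0)
    out["rejections"] = sum(1 for e in cs.audit if e[0] == "REJECTED")
    return out


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The point of the model is that the limit itself is ordinary data; what makes it a control is that the only path to changing it records who asked, who approved, and refuses the change when those two roles collapse into one person or bypass the business entirely. The audit list gives the monitoring side something to review after the fact.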
He added that lax password management for legacy systems was often the cause of security breaches.
SocGen alleges that Kerviel used the passwords of other individuals to commit his fraud. "He misappropriated the IT access codes belonging to operators in order to cancel certain operations," claimed the bank.
Calum Macleod, European director at security supplier Cyber-ark, said the bank's failure to put an effective policy for password management in place had left it open to fraud. He added that financial organisations had trouble managing passwords because of the high number of applications and authorised workers.
"The rogue trader would not have to be an IT expert to get the passwords because they are not regularly changed and often use the default passwords set by the application suppliers," said Macleod.
One investment banking source said it was not uncommon to find passwords stuck to the wall next to machines for general use.
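The three weaknesses described in the passage above (passwords never rotated, vendor default passwords left in place, and one password shared by several people) can all be found by auditing an application's account store. The script below is an added example written for this page, not code from the article, Cyber-Ark or any bank; the account records, vendor defaults, policy age and audit date are all constructed sample values.

```python
"""Added example (not from the article or any vendor): an audit over
constructed account records that flags stale passwords, vendor default
passwords still in use, and passwords shared across accounts.
Hashes are unsalted SHA-256 of constructed sample values purely so the
example runs offline; a real audit would work from the application's own
credential store and its hashing scheme."""

import hashlib
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90          # assumed policy value
AUDIT_DATE = date(2008, 1, 25)      # constructed audit date

# Constructed stand-ins for supplier defaults (not any real product's defaults)
VENDOR_DEFAULTS = {"tradeapp": "changeme", "settle": "admin123"}


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


DEFAULT_HASHES = {app: sha256(pw) for app, pw in VENDOR_DEFAULTS.items()}

# Constructed sample records: (user, application, password_hash, last_changed)
ACCOUNTS = [
    ("op_a", "tradeapp", sha256("changeme"), date(2007, 3, 1)),
    ("op_b", "tradeapp", sha256("Winter07!"), date(2008, 1, 5)),
    ("op_c", "tradeapp", sha256("Winter07!"), date(2008, 1, 5)),
    ("it_admin", "settle", sha256("admin123"), date(2006, 6, 30)),
    ("op_d", "settle", sha256("x9!Lq2#pV"), date(2008, 1, 20)),
]


def audit_accounts(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return {user: [issues]} for every account with at least one finding."""
    # How many accounts on the same application hold the same hash
    hash_counts = {}
    for _, app, h, _ in accounts:
        hash_counts[(app, h)] = hash_counts.get((app, h), 0) + 1

    findings = {}
    for user, app, h, changed in accounts:
        issues = []
        if (today - changed).days > max_age_days:
            issues.append("stale")
        if DEFAULT_HASHES.get(app) == h:
            issues.append("vendor_default")
        if hash_counts[(app, h)] > 1:
            issues.append("shared")
        if issues:
            findings[user] = issues
    return findings


def run_audit() -> dict:
    return audit_accounts(ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, issues in run_audit().items():
        print(f"{user}: {', '.join(issues)}")
```

Shared passwords are detected without knowing the password at all: two accounts on the same application with identical stored hashes were set from the same secret, which is exactly the condition that lets one person act under another's access code.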
Silva said firms should use biometrics, such as fingerprints, instead of passwords.
David Clark, director and fellow at the Institute of Operational Risk (IOR), said financial service organisations would look at different ways of using technology post-SocGen. "There is not a magic piece of kit out there, it is about how you use technology."
Clark said linking middle office and senior management was essential to ensure that IT can manage access in line with business requirements and compliance.
Recommendations for financial services firms
- Regularly change passwords for systems.
- Ensure passwords are not shared.
- Cross-check security system changes with senior business managers.
- Ensure that access to systems is only given to the people who need it.
- Use biometrics to verify identities.
- Make sure monitoring software is up to date.