Investment banks have been advised to strengthen controls over staff use of automated trading systems following the massive fraud at French bank Société Générale (SocGen).
Banks should involve senior business managers in all changes to trading control systems and enforce password management to limit staff access to technology, experts said.
The warning came after SocGen revealed losses of £3.6bn as a result of a rogue trader, Jerome Kerviel, allegedly using his knowledge of back-office systems and built-in checks and balances to evade detection of unauthorised trading activities.
There are parallels between Kerviel and Nick Leeson, who in 1995 lost Barings Bank more than £800m through unauthorised trading. Like Kerviel, Leeson had back-office expertise and used his knowledge to avoid checks and balances.
The Kerviel case highlights the failure of SocGen's anti-fraud systems and procedures, which has put billions of pounds and the bank's reputation at risk.
Investment banks typically use exception profiling software to identify anomalies in trading behaviour. But it is common for traders to adjust systems manually, said TowerGroup analyst Ralph Silva.
"The traders sometimes ask IT to change the boundaries of systems, and IT usually do it because they think traders are important," he said. "There needs to be a separation between IT and the traders; they should not even be friends."
John Bertrand, director at internet bank Admertec, said every change made to its trading systems had to be cross-checked by people in the business. "You need somebody to check who has no interest."
SocGen alleges that Kerviel used the passwords of other individuals to commit the fraud. "He misappropriated IT access codes belonging to operators to cancel certain operations," claimed the bank.
But Calum Macleod, European director at security supplier Cyber-Ark, said the bank's failure to put in place an effective policy for password management had left it open to fraud. He added that financial organisations often had trouble managing passwords because they had so many applications and authorised staff.
"The rogue trader would not have to be an IT expert to get the passwords because they are not regularly changed, and often use the defaults set by the suppliers," he said.
One investment banking source said it was not uncommon to find passwords stuck to the wall next to machines for general use.
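The password weaknesses Macleod describes (credentials that are never rotated, supplier defaults left in place) and the shared, wall-posted credentials the banking source mentions are all things an access-management audit can check for across an account inventory. The script below is an added illustration written for this article, not code from SocGen, Cyber-Ark or any product named here. The account inventory, the rotation threshold of 90 days and the "vendor default" values are all constructed for the example; a real audit would read the inventory from a privileged-access management export and compare against the supplier defaults the bank has actually catalogued.

```python
"""Audit an inventory of application accounts for the password weaknesses
described in the article: stale credentials, supplier defaults still in use,
accounts held by several people, and one credential reused across accounts.
Constructed example; the data below is not from any real bank or product."""
import hashlib
from collections import defaultdict
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy threshold, not a figure from the article


def _h(secret: str) -> str:
    """Credentials are held and compared only as SHA-256 digests, so the audit
    never needs, or stores, a plaintext password."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed placeholder values standing in for supplier-shipped defaults
# (hypothetical; not any real product's default credentials).
VENDOR_DEFAULT_HASHES = {_h("CHANGEME-default"), _h("install-default")}

# Constructed inventory, one row per application account, in the shape a
# privileged-access tool might export. 'holders' lists the staff who know
# the credential; a length above one is itself a finding.
ACCOUNTS = [
    {"app": "trade-capture", "account": "ops_cancel", "holders": ["jdoe"],
     "last_rotated": date(2007, 12, 20), "password_hash": _h("w1nter-2007!")},
    {"app": "trade-capture", "account": "ops_amend", "holders": ["asmith", "bjones"],
     "last_rotated": date(2007, 1, 15), "password_hash": _h("w1nter-2007!")},
    {"app": "risk-limits", "account": "svc_limits", "holders": ["svc"],
     "last_rotated": date(2006, 6, 1), "password_hash": _h("CHANGEME-default")},
    {"app": "settlement", "account": "back_office_1", "holders": ["cwhite"],
     "last_rotated": date(2008, 1, 10), "password_hash": _h("Zq8#vL2p!r")},
]


def audit_accounts(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS,
                   default_hashes=VENDOR_DEFAULT_HASHES):
    """Return sorted (account, finding, detail) tuples for every weakness found."""
    findings = []
    accounts_by_hash = defaultdict(list)
    for acct in accounts:
        name = f"{acct['app']}/{acct['account']}"
        age_days = (today - acct["last_rotated"]).days
        if age_days > max_age_days:
            findings.append((name, "stale-password",
                             f"{age_days} days since last rotation"))
        if acct["password_hash"] in default_hashes:
            findings.append((name, "vendor-default",
                             "credential matches a known supplier default"))
        if len(acct["holders"]) > 1:
            findings.append((name, "shared-account",
                             "held by " + ", ".join(acct["holders"])))
        accounts_by_hash[acct["password_hash"]].append(name)
    # The same credential behind several accounts means one leaked password
    # (or one sticky note) opens all of them.
    for names in accounts_by_hash.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, "reused-password", "same credential as " + others))
    return sorted(findings)


def run_sample():
    """Run the audit over the constructed inventory as of a constructed date."""
    return audit_accounts(ACCOUNTS, date(2008, 1, 28))


if __name__ == "__main__":
    for account, finding, detail in run_sample():
        print(f"{account:32} {finding:16} {detail}")
```

Run as a script, the audit reports six findings: the `risk-limits/svc_limits` service account is both stale and still on a supplier default, `trade-capture/ops_amend` is stale, known to two people and shares its credential with `trade-capture/ops_cancel`, and the recently rotated `settlement/back_office_1` account is clean. Each category maps to a different remediation (forced rotation, default replacement, individual accounts, unique credentials), which is why the audit reports them separately rather than as one "weak password" flag.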
Silva said firms should use biometrics, such as fingerprints, instead of passwords.
David Clark, director of the Institute of Operational Risk, said financial services firms would have to look at different ways of using IT. "There is not a magic piece of kit out there; it is about how you use technology," he said.
Clark said linking middle office and senior management was essential so that IT could manage access in line with business requirements and compliance.