
Architecture of a $7 Billion Loss: Causes and Remedies


Last week Société Générale released the "Green Report", prepared by PWC, which details how a trader, Jerome Kerviel, lost 4.9 GEUR [1] (over 7 billion USD) on behalf of the bank where he worked.

The Profit & Loss curve best summarizes the debacle that led to such a loss:

The dashed lines in the middle represent the "official" P&L, while the gray line represents the trader's real P&L.

By the end of Q2 2007, a loss of 2 GEUR (3 billion USD) had already gone undetected.

How could this ever happen? Security? Processes? Or lack of control? Olivier Rafal, columnist at Le Monde Informatique, does not think so. He reports that the trader was subjected to controls 75 times during that period. He believes that Jerome's management simply looked the other way. The report talks about nearly 1000 faked trades that were used to cover his P&L.

Eurex had actually warned Société Générale of unusual positions as early as November 2007 and stated:

the risk management at its exchanges had functioned correctly, "also in this case".

Jean-Pierre Mustier, the head of investment banking, responded:

When controls came up, most of the time he admitted that it was not a proper transaction and that it was a mistake. He was replacing it with another transaction of a different nature that would be checked by another department.

The report talks about an accomplice who entered compensating transactions to hide Jerome's real position. Since this is relevant to the judicial investigation, the report cannot comment on it. It notes, however, that about 15% of the fraudulent transactions were entered by a trader assistant.

From an IT perspective, the report explains (page 1):

The fraudulent activity resulted in a massive position [49 GEUR (roughly 75 Billion USD) in January 2008] which has been masked, as well as the risk and their P&L using three types of techniques:

  • Entry followed by cancellation of fake operations hiding the risks and the P&L. The trader entered one or several fake operations in the systems so that they could be taken into account in risk calculation and value of the portfolio.... we have identified 947 transactions of this type.
  • Entry of fake compensated transactions (buy/sell) for identical quantities at different prices "outside the market", with the goal to mask the P&L when transactions become effective... we have identified 115 transactions of this type.
  • Entry of provisions that would temporarily cancel his P&L. The trader used the ability to correct model biases, normally reserved for trader assistants (without access rights to prevent traders from entering them), to enter positive or negative provisions [in the middle-office system] to modify the calculated value [of a position] by the front-office system. We have identified 9 operations of this type.

The CEO of Société Générale explained last April that they had uncovered a major design flaw in their processes:

Controls were in place but we were missing something that we have been doing manually since January 24 and that we are currently automating. This is what is called the "cross-control", which allows us to detect when someone is cancelling too many operations.
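The cross-control quoted above, together with a check for the report's third technique (provisions entered by a trader), can be written as detection logic over a trade event log. This is an added example, not code from Société Générale or the PWC report; the event fields, role names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import Counter

# Constructed sample events, not data from the report.
# Assumed fields: (user, role, system, action, trade_id)
EVENTS = [
    ("trader_a", "trader", "front-office", "enter", "T1"),
    ("trader_a", "trader", "front-office", "cancel", "T1"),
    ("trader_a", "trader", "front-office", "enter", "T2"),
    ("trader_a", "trader", "front-office", "cancel", "T2"),
    ("trader_a", "trader", "front-office", "enter", "T3"),
    ("assistant_c", "assistant", "front-office", "cancel", "T3"),
    ("trader_a", "trader", "front-office", "enter", "T4"),
    ("trader_a", "trader", "middle-office", "provision", "P1"),
    ("trader_b", "trader", "front-office", "enter", "T5"),
    ("trader_b", "trader", "front-office", "enter", "T6"),
    ("trader_b", "trader", "front-office", "enter", "T7"),
    ("trader_b", "trader", "front-office", "cancel", "T7"),
    ("assistant_c", "assistant", "middle-office", "provision", "P2"),
]


def cancellation_cross_control(events, min_cancels=3, max_ratio=0.5):
    """Flag users whose entered trades are cancelled unusually often."""
    entered, cancelled, owner = Counter(), Counter(), {}
    for user, _role, _system, action, trade_id in events:
        if action == "enter":
            entered[user] += 1
            owner[trade_id] = user
        elif action == "cancel":
            # Charge the cancellation to whoever entered the trade, so a
            # cancellation keyed in by a second account is still counted.
            cancelled[owner.get(trade_id, user)] += 1
    return {u: cancelled[u] / n for u, n in entered.items()
            if cancelled[u] >= min_cancels and cancelled[u] / n > max_ratio}


def front_office_provisions(events):
    """Return middle-office provisions that were entered by a trader account."""
    return [(user, trade_id) for user, role, system, action, trade_id in events
            if action == "provision" and system == "middle-office" and role == "trader"]


if __name__ == "__main__":
    print("high cancellation ratio:", cancellation_cross_control(EVENTS))
    print("trader-entered provisions:", front_office_provisions(EVENTS))
```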

The PWC report recommends:

  • using biometric authentication instead of Windows authentication for the most sensitive applications
  • forbidding any transaction from the front-office onto middle-office applications
  • considering forbidding any XL connection where the password is stored in the spreadsheet
  • securing reporting applications (the report notes that many reporting feeds have been insufficiently tested)
  • checking whether the workstation matches the potential user of an application

Some wonder if these fixes will have any effect on future frauds since the report explains that the trader was able to justify his fraudulent activities with seven fake emails.

[1] GEUR means "one billion Euros"
