Richard Morris
The Seven Billion Dollar Man
29 January 2008

When the incredible news broke last week that a trader at the third-largest bank in France, the Société Générale, had allegedly managed to override the entire compliance mechanism of the bank, implemented at immense cost by a department of 2000 IT compliance 'officers', to cause a massive $7 billion loss, it sent waves of panic throughout the IT industry as well as the money markets. So we sent our roving reporter, Richard Morris, to try to find out what went wrong.

Evil Kerviel?

Last week was a roller-coaster ride for Jérôme Kerviel, the 31-year-old Parisian. In four days, he went from being 'the shadowy IT genius' and the 'French Nick Leeson', to being dubbed 'the Che Guevara of finance' with an ever increasing online fan base and several proposals of marriage.

Support sites opposing his arrest, groups calling for Kerviel to be awarded the Nobel prize for economics or an honorary doctorate in IT, and pleas for a movie tracking his antics have been springing up on the Internet ever since the record loss-making rogue trader's name emerged on Thursday.

US sites are already selling T-shirts to his most ardent fans.

As is now widely known, the bank fired several other staff when the scandal emerged and encouraged Jean-Pierre Lesage, head of IT and human resources for the corporate and investment banking section, to fall on his sword. But publicly all the blame has been heaped on Kerviel.

Early reports suggested that Kerviel had started out developing the intricate 'Compliance' computer systems used to control the positions that traders across the bank could take out in markets around the world. He was a member of a vast team of 2000 Compliance experts whose purpose was to prevent precisely this type of fraud.

The Société Générale compliance system was previously regarded as a very complex mechanism, the best in the business.

The day after the scandal broke, the media reported that Kerviel knew exactly how to manipulate it. In early 2005 he moved from compliance to a trading job as a hedger - essentially paid to reduce the bank's risk by taking out opposite positions to the ones being run by the traders.

His salary was not in the stratosphere of high-flying City traders. He was on €100,000 (£75,000 or $150,000). His trading limits would have been small, in the tens of millions of euros.

The bank maintains that Jérôme Kerviel started taking one-way positions by faking the offsetting arbitrage positions about a year ago, and that he then, supposedly, faked the necessary approvals through several levels of hierarchy. His positions were "in the money" (profitable) until December.

Around December, he seems to have removed all the limits on his personal trading positions and created fictitious customer accounts. Through December he seems to have taken out a series of bets that the markets would fall - and closed them all out so that by the end of the month he was even.

In January, we are told, he decided to do the opposite, buying the markets through futures contracts in the expectation that the markets would rise. They did anything but, and he seems to have been caught out. His position 'went negative' in January and stood at a €1.5 billion loss by Sunday night; that loss was more than tripled by market conditions and Société Générale's handling of the affair, when the positions were hastily unwound on Monday.

Suspicions linger that Société Générale has not revealed the full story of Kerviel's massive $7 billion fraud. The story released by the bank is unconvincing. All transactions are required by law to go through security software and be double checked by another officer for fraud control and then again at the beginning of the trading day against some other factors to establish airtight control. Several people are involved in the auditing process in order to minimise any chance of fraud. Over the last few days the bank's chairman, Daniel Bouton, has admitted that some of Kerviel's deals had triggered warning signs in recent months but the trader had 'managed to convince the IT controllers that it was just a simple error on his part'.

It seems to be generally agreed that Kerviel was apparently able to unpick or switch off all control and counter checks. In addition, he master-minded a way of covering his trading. He apparently created fictitious trades designed to neutralise the big bets he was making so that the bank's systems appeared to show that everything was in balance. In banking-speak, his positions were outwardly 'hedged'.

According to some reports he changed his position often. He would input a transaction that would trigger a control in three days but before that happened he would replace it with a different one.

'He would admit he had made a mistake, the transaction would be cancelled and he would replace it by another one that would be controlled by another department,' Bouton said. 'He wasn't making more mistakes than other traders.'
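The two patterns described above, a fictitious offsetting trade that makes a position look hedged and a cancel-and-replace timed just ahead of a control, are hard to see trade by trade but show up when a blotter is examined across books and across time. What follows is an added example written for this page, not code from the article, from Société Générale or from any bank's control system; the Trade schema, trader and book names, dates, notionals, and the two-day and one-day windows and exposure limits are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The schema and all records below are constructed for this example; they are not
# taken from the article or from any bank's systems.
@dataclass
class Trade:
    trade_id: str
    trader: str
    book: str               # desk whose control function reviews the trade
    notional: int           # euros; positive = long, negative = short
    entered: date
    control_due: date       # day the book's checks would run on this trade
    cancelled: Optional[date] = None   # set when the trader "admits a mistake"

SAMPLE_TRADES = [
    # trader T1: one long bet moved between books just ahead of each control date
    Trade("A1", "T1", "equity-derivs", 50_000_000, date(2008, 1, 2), date(2008, 1, 5), cancelled=date(2008, 1, 4)),
    Trade("A2", "T1", "index-futures", 50_000_000, date(2008, 1, 4), date(2008, 1, 7), cancelled=date(2008, 1, 6)),
    Trade("A3", "T1", "delta-one",     51_000_000, date(2008, 1, 7), date(2008, 1, 10)),
    # a claimed offsetting hedge that makes T1's book look balanced
    Trade("H1", "T1", "delta-one",    -49_000_000, date(2008, 1, 7), date(2008, 1, 10)),
    # trader T2: an ordinary same-day correction, re-entered in the same book
    Trade("B1", "T2", "delta-one", 5_000_000, date(2008, 1, 3), date(2008, 1, 4), cancelled=date(2008, 1, 3)),
    Trade("B2", "T2", "delta-one", 5_000_000, date(2008, 1, 3), date(2008, 1, 6)),
]

def cancel_replace_chains(trades, pre_control_days=2, replace_within_days=1, tolerance=0.10):
    """Return (cancelled_id, replacement_id) pairs where a trade was cancelled
    shortly before its control date and a like-sized, same-direction trade by
    the same trader appeared in a *different* book within a day."""
    by_trader = defaultdict(list)
    for t in trades:
        by_trader[t.trader].append(t)
    chains = []
    for own_trades in by_trader.values():
        for old in own_trades:
            if old.cancelled is None:
                continue
            days_before_control = (old.control_due - old.cancelled).days
            if not 0 <= days_before_control <= pre_control_days:
                continue
            for new in own_trades:
                if new is old or new.entered < old.cancelled:
                    continue
                if (new.entered - old.cancelled).days > replace_within_days:
                    continue
                like_size = abs(abs(new.notional) - abs(old.notional)) <= tolerance * abs(old.notional)
                same_side = (new.notional > 0) == (old.notional > 0)
                if like_size and same_side and new.book != old.book:
                    chains.append((old.trade_id, new.trade_id))
    return chains

def exposure_by_trader(trades):
    """Net and gross notional of each trader's live (non-cancelled) trades."""
    net = defaultdict(int)
    gross = defaultdict(int)
    for t in trades:
        if t.cancelled is None:
            net[t.trader] += t.notional
            gross[t.trader] += abs(t.notional)
    return {trader: (net[trader], gross[trader]) for trader in net}

def flag_hidden_gross(trades, net_limit=10_000_000, gross_limit=60_000_000):
    """Traders who look hedged on net exposure yet carry gross exposure above
    the limit: the profile a fictitious offsetting trade produces."""
    return sorted(trader for trader, (net, gross) in exposure_by_trader(trades).items()
                  if abs(net) <= net_limit and gross > gross_limit)

if __name__ == "__main__":
    for old_id, new_id in cancel_replace_chains(SAMPLE_TRADES):
        print(f"cancel-and-replace across books: {old_id} -> {new_id}")
    for trader in flag_hidden_gross(SAMPLE_TRADES):
        print(f"net looks flat but gross exceeds limit: {trader}")
```

The point of checking gross alongside net is that a per-trade limit check never fires on a position that is always "balanced" by a paper hedge; likewise, a cancellation looked at inside one department is indistinguishable from a genuine correction, and only the hand-off to another book within a day of an imminent control makes the pattern visible.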

But other bankers wonder if Soc Gen had much looser risk-management controls than it has admitted to. If these positions had been concealed for up to a year, the bank's risk-management and cash-position systems should surely have detected and reported this. European central banks have already imposed regulatory rules including Basel II, IAS 39 and IAS 32, whose sole purpose is to build transparent systems that can measure and report the real risk and cash position of a bank. If the bank's story is true, there must have been long-standing fundamental flaws in their control systems, audits and computer security.

One British expert in the risk management systems of banks said candidly:

'To pull off this kind of fraud is not necessarily that difficult. Systems like Société Générale's make checks but they are only done on exceptional trades and by all accounts these were not exceptional trades.

If the management system believes that the trader is not doing anything out of the ordinary, then the system won't flag it. If you are not exceeding the account's limits, you will not be checked. That I would guess is what happened here.

'He could have hacked into the system in a number of ways. Look at it like this - all database management systems have functions that enable them to control lots of databases and, of course, they hold the information on all data in their own database tables.

'Every DBMS in the world has these tools for database administrators. I would guess that Kerviel stacked up a number of fake identities, added these to the database, and used passwords and log-ins to hack into the SocGen server to cover his tracks.

'Both the bank and the media point to Kerviel being a Machiavellian genius to have carried this out. Well, I don't think that is necessarily true. Different systems act in different ways. Each one can display its own vulnerabilities and strange quirks.

'The more complex a system, the larger the number of bugs it has - everyone with a little IT knowledge knows that.

'If the internal fraud technology software hasn't been updated regularly or is out of date and not bug-free, then it would be relatively easy for someone with good IT skills to do this.

'I think we may find that the system was 'deviant' in some way, that it only signalled things were wrong if large hedges were made. Kerviel may just have exploited that weakness.'

Another banker who wished to remain anonymous said that the greatest significance of this episode is that it shows the vulnerability of a mighty national bank (Société Générale was the third largest in France) to the mischief-making of a single rogue trader.

'It is eerily reminiscent of the Barings merchant bank disaster of February 1995 - something which was supposed to have prompted all banks to put into place better security, management control systems and better controls on the activities of their trading desks. That simply hasn't happened,' he said.

Losing one's Barings

For readers without a long memory, what follows is a short recap of Barings' sudden and catastrophic loss, which was primarily due to the unauthorised activities of its star futures trader Nick Leeson.

Leeson managed to deceive his employers for nearly three years by reporting fictitious profits while concealing huge losses. The concealment had virtually nothing to do with the shadowy world of derivatives trading; it was a systematic failure of technology.

Shortly after arriving in Singapore in the early summer of 1992 to work as the general manager of Singapore International Monetary Exchange (SIMEX), Leeson's luck in the markets ran dry. To hide the losses from his bosses in London and keep his relatively well-paid job, he instructed a junior DBA to create an error account, number 88888 - a number considered very lucky in Chinese numerology.

He then asked a systems engineer to modify the security software so account 88888 remained off the system and away from internal security audits by other staff.

While on the face of it Leeson seemed to be a highly successful manager, obtaining discounted derivatives, he was in fact deliberately mispricing trades and hiding the losses in the secret account.

From the autumn of 1992 he was made chief trader and began making unauthorised speculative trades that at first made large profits and then nose-dived. The bad debts were hidden in the 88888 account.

Had Barings investigated rumours that some of the bank's trades were suspicious, Leeson would have been exposed before his losses brought down his bank. By the end of 1992 the losses were £2 million, which ballooned to a massive £208 million by the end of 1994. Leeson attempted to recoup his losses but all his attempts failed.

After Leeson fled Singapore the losses escalated to £827 million ($1.5 billion), twice the bank's operational capital. It was declared insolvent on February 26 1995.

Suspicious Activities in your Breaches

Jeremy Hibbet, a forensic accountant and expert on risk management for PwC says that what people fail to realize 'is that when security systems are breached you don't automatically tighten security because it can in some ways make the problem worse'.

'Look, system security depends on not having the most elaborate or complex system in the world. That's fine for external threats when hackers can disable a server through a SQL injection but internally certain staff can always access passwords.

It doesn't matter how complicated or highly functional a security tool is, all systems rely on good training, management and having a thorough knowledge on their inherent weaknesses.

'It's not always about spending vast amounts of money on clever software or hardware, it's more a question of learning more about the vulnerabilities of any one system, which is why good DBAs are worth their weight in gold.

'Traders know that in some cases IT staff turn off the checks to allow some trades to go ahead. That is how any trader whether he is earning $150,000 or $7 million and upwards can evade risk controls.

Kerviel's ability to vaporize the bank's capital represents a massive dereliction of SocGen's responsibility to look after its customers' money.

Regulators around the world will be seeking reassurance that the same flaw does not exist in their banks.

'But it will, of course. Where it might differ is that IT staff and regulators investigate any suspicious activity early on. Human error is the one thing that will let down any fraudster,' adds Hibbet.

Author profile: Richard Morris

Richard Morris is a journalist, author and public relations/public affairs consultant. He has written for a number of UK and US newspapers and magazines and has offered strategic advice to numerous tech companies including Digital Island, Sony and several ISPs. He now specialises in social enterprise and is, among other things, a member of the Big Issue Invest advisory board. Big Issue Invest is the leading provider to high-performing social enterprises & has a strong brand name based on its parent company The Big Issue, described by McKinsey & Co as the most well known and trusted social brand in the UK.

Have Your Say
Subject: Bad Day
Posted by: Phil Factor (view profile)
Posted on: Tuesday, January 29, 2008 at 8:10 AM
Message: A shareholder group has filed a complaint that an American member of the board of SocGen, Robert Day, dumped shares worth £95 million on January 9th and 10th, before the news broke, and SocGen's shares subsequently fell to a three-year low. Mr Kerviel has now been charged by French police on three counts: abuse of trust, forgery and computer hacking.
The French president has called on Daniel Bouton to resign.

Subject: Who can we trust
Posted by: Mike Gale (view profile)
Posted on: Wednesday, January 30, 2008 at 10:04 PM
Message: This is scary.

Whatever way you look at it a large swathe of bank management deserves the guillotine. I'm guessing they knew about it and let it happen. Failing that they're criminally stupid.

Now these guys are probably better than the political appointees who run our societies. What hope is there??

Subject: Everyone loves you when you're 'in the money'
Posted by: Phil Factor (view profile)
Posted on: Thursday, January 31, 2008 at 2:20 AM
Message: More interesting news keeps trickling out. According to leaked statements given to the police, Jérôme maintains that it was impossible that management didn't know what he was up to and, because he was 'in the money' for a long time, they turned a blind eye.

"I am convinced that [my superiors] were aware of my positions,"

"I cannot believe that my superiors were not aware of the amounts I was committing. It is impossible to generate such profits with small positions,"

"This leads me to say that when I am making money, my superiors shut their eyes on the volumes committed,"

"As long as we earn money and it's not too visible, nobody says anything,"


Subject: Management
Posted by: Dr. Bob Hacker (not signed in)
Posted on: Thursday, January 31, 2008 at 10:12 AM
Message: Here is the solution:
1. Hire more folks with a non-technical education and give them immense authority without any experience.
2. Pay the related CEO's in 7 digit salaries and benefits.
3. Buy lots of insurance so you can file for 3x the actual loss.
4. Screw the stockholders because they have no power.
5. If you can catch a bad manager, slap the wrist!

Subject: Smokescreen
Posted by: John Bailo (not signed in)
Posted on: Thursday, January 31, 2008 at 11:11 AM
Message: The whole thing sounds like a smokescreen.

As you say he made "no more mistakes" than other traders.

That means his 9B loss is probably masking some 900B losses in and around the industry.

Subject: Respect the IT worker! He's more powerful than you think.
Posted by: Anonymous (not signed in)
Posted on: Thursday, January 31, 2008 at 12:51 PM
Message: So because his managers must have known, he feels he's justified? Throw him to the lions!

It does go to show the power that IT workers can have and that they should warrant a little more respect within an organisation. This guy could do this because he knew the IT system from the inside and sounds like he prepared a few backdoors in readiness for his switch to a trading career.

Subject: Let me see you do it
Posted by: Anonymous (not signed in)
Posted on: Friday, February 01, 2008 at 10:18 AM
Message: "It doesn't matter how complicated or highly functional a security tool is, all systems rely on good training, management and having a thorough knowledge on their inherent weaknesses. "

I've been in development for 20 years and there are always ways to track things that even an expert doesn't catch. If you write software to do something and don't write it well enough, you will always have issues. I'm sure I could come up with a bunch of things that could have caught this issue and I know very little about the banking industry. I do know bits and bytes though, inside and out, and it's hard to fake a 1 being a 0. The thing is to make sure everyone sees the 1 being a 0 and that is not hard at all. I would say many folks were turning a blind eye on this one.


Subject: Software
Posted by: KamalBudhabhatti (not signed in)
Posted on: Saturday, February 02, 2008 at 5:20 AM
Message: Do you know which software the bank was using for its operations?

Subject: Software
Posted by: Richard Morris (not signed in)
Posted on: Saturday, February 02, 2008 at 6:05 AM
Message: Unfortunately no I don't. Last week Le Monde and MediaPart released portions of a transcript from an interview that police conducted with Kerviel. The 31-year-old reportedly admits that he falsified documents and hacked into the bank's computer system to quiet suspicions by internal control units about his fake trades. He argues the bank's managers must have known what he was doing, because the volume of his trades and his profits were higher than a trader in his department typically made. "As long as we were making money and it wasn't too obvious and was working, no one said anything," Kerviel told the police.

If he's telling the truth, then even the best security software might have failed. Similarly, good technology can be no match for human shortcomings: Kerviel's actions did raise some red flags, but bank officials apparently put more faith in their employee than the warnings.

Subject: Supposition!
Posted by: Anonymous (not signed in)
Posted on: Monday, February 04, 2008 at 3:09 AM
Message: "'Every DBMS in the world has these tools for database administrators. I would guess that Kerviel stacked up a number of fake identities, added these to the database, and used passwords and log-ins to hack into the SocGen server to cover his tracks."

Who is making this wild guess? It's being quoted at DatabaseWeekly.com

Likelihood is that there was no 'magic' about it. He probably used passwords the whole team knew, processes the whole team used and ignorance the managers were happy to maintain.
What do you honestly expect?
