The Risk of Rogues

A firsthand witness to rogue trading's devastating effects shares his experience and lessons learned from within the audit department.

Louis J. Slifker Jr., CPA, CFSA
Director of Internal Audit
Ferris, Baker Watts Inc.

In January 2008, the management of société générale bank in france announced that it had suffered a €4.9 billion (US $6.2 billion) loss due to the activities of a "rogue trader" named Jérôme Kerviel. The bank stated that Kerviel acted alone and had exceeded his trading limits by posting fake trades that offset the risks recorded by legitimate trades. It also stated that the trading unit involved conducted very conservative trading activities and was subject to modest trading limits. Pundits immediately questioned whether someone acting alone could have done so much damage and speculated that the company's internal controls must have been deficient. Société Générale's trading loss was the largest in banking history.

Unfortunately, these events sounded all too familiar to me. On a Monday afternoon in February 2002, I was summoned to an impromptu meeting in the executive offices of Allfirst Financial in Baltimore, where I managed a team of internal auditors that covered the organization's asset management, capital markets, and treasury activities. I arrived to find a group of senior executives, including several from our treasury area, with dour looks on their faces. The chief audit executive, my boss, brought me up to date, explaining that there were a few bogus options on the books.

Thus began a nightmarish series of events as management quickly formed a team to determine how much the company had lost and how the fraud was perpetrated. Working through the night, we soon identified several hundred million dollars of falsified over-the-counter currency options being carried as assets — ostensibly, the company had purchased these options and then marked them to current daily market value. Sometime later, much to everyone's dismay, we identified the first of several unrecorded options sold — also called written options — indicating the rogue trader had used fake trades to remove legitimate liabilities from the company's books. Unlike the bogus assets, where the total book of options purchased represented the limit to our exposure, there was no inherent limit to our exposure with unrecorded liabilities. For a few frightening hours, we had no idea how much the total loss would amount to. Ultimately, a greater portion of the loss existed in unrecorded options liabilities rather than in bogus assets.

How Rogue Trading Works

Rogue trading occurs when a trader in financial markets takes positions by buying or selling financial instruments in amounts well beyond the organization's risk limits and covers up his or her activity. The trader hopes to make a higher profit or recoup a previous loss from the unauthorized trading, but often incurs a loss far greater than what should have been possible if he or she had stayed within assigned limits. Typically these losses grow exponentially over time until their size leads to detection. Not only does the rogue trader need to conceal the trades over trading limits, but he or she also needs to conceal excess profits or losses - excess profits may be an indicator of trading over limits - and make sure any movement of funds is consistent with accounting records and counterparty expectations. Juggling these factors can be challenging, though several rogue traders have done it successfully. The most famous rogue trader was Nick Leeson, who brought down Barings Bank in 1995 with a loss of £827 million (US $1.4 billion).

Although rogue traders do not gain directly from their fraudulent activities - because funds are not stolen or embezzled from the employer - they may benefit through advancement, increased bonuses, or even just continued employment. Rogue traders seem to possess a gambler's mind-set - they expect that their accumulated losses will be recovered with the next large trade. Hence their losses tend to grow exponentially over time. This mind-set may also explain why rogue trading losses can be so large.

Two days after that initial meeting, the company announced that it had lost an estimated US $750 million (later reduced to US $691 million) due to the activities of a rogue trader named John Rusnak. It said that Rusnak had covered up large trading losses in the foreign exchange markets with fake options trades. The fraud received almost daily coverage by the local and international press. As reporters received snippets of information, articles alternated criticism of various areas of the bank, including internal auditing. Meanwhile I continued to work on the investigation, focusing on reconstructing the time period over which the fraud occurred and identifying the mechanism through which the fake trades had been processed. When the investigation concluded, I found myself among those unemployed as a result of the fraud.

Now, six years later, the Société Générale incident has brought rogue trading back into the headlines. Clearly this phenomena has not gone away, and it continues to be responsible for the world's largest fraud losses. For this reason I decided to share my experience, focusing on several key internal control implications — based on The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework — that would have the most value to the audit profession. Because other published materials have sufficiently examined proprietary trading functions from the perspective of control activities, one of COSO's five main components, I focus largely on the implications for other COSO framework components and recount lessons learned from my experience.

A RISKY ENVIRONMENT

Before the rogue trading incident, the fundamental controls in place at Allfirst's foreign exchange trading function would have seemed commensurate with the function's size and complexity, even though the company had not adopted some of the automated controls and additional layers of monitoring that often existed in much larger trading rooms. Management believed that risk in its foreign exchange trading activities was low, given the company's low trading limits and its full-time staff of just one proprietary trader. Its decision to limit the function's internal control resources would have constituted a reasonable course of action if the assessment of risk had been correct.

Relying on trading limits when assessing risk, however, presents a conundrum. If risk is low based on trading limits, then fewer controls are needed. But this causal relationship assumes that a series of controls — such as trade confirmation, limit monitoring, and position reconciliation — is operating correctly. In other words, the company must rely on one set of controls to determine the need for other controls. The inherent risk of Allfirst's trading function, then, was assessed based on the presumed performance of controls. Ultimately the function's risk was not low, as we eventually discovered. Ironically, risk actually may be highest in trading functions where it is perceived to be low — as with Allfirst — because management may be less likely to invest in robust internal controls.

When organizations hire a proprietary trader, they essentially open a portal to the financial markets for that individual. The portal comes with significant risks that mandate a high level of internal controls, regardless of trading limits, expected trading volumes, or how conservative the trading strategy is. Evaluating these risks involves several considerations, including:

  • Whether the trader can use derivatives to hedge positions.
  • The markets to which the trader has access (e.g., equities markets are more structured than foreign exchange markets, and exchange-traded
    markets are more structured than over-the-counter markets).
  • The types of transactions the back office is capable of processing (e.g., if the back office doesn't have the capacity to process a derivatives transaction, there is less risk).

Portals to certain derivatives markets seem especially prone to rogue trader frauds — the rogues at Allfirst and, allegedly, Société Générale both leveraged their access to these markets. Derivatives can be used to hedge — or, if fake, falsify a hedge. Because support staff often may not understand derivatives, they can become dependent on traders for explanations of how to process transactions and guidance on what to expect regarding accounting entries. Derivatives may also be more prone to fraud because some instruments require little or no initial cash movement, and they often require little capital relative to their risk impact. Moreover, many have delayed final settlement, which may give dishonest traders time to adjust the terms of the instrument (e.g., by stating that the initial trade was recorded incorrectly, and asking that
it be "corrected").

SEGREGATION OF DUTIES

One important lesson to be learned from past currency trading debacles is that, as a control, segregation of duties can fail — even without collusion. Internal auditors may need to readjust their thinking with regard to this concept, as most of us are trained to believe that segregation of duties can be defeated only by collusion, and that collusion is rare.

At Allfirst, most control activities for trading functions operated within two departments — the "back office," which comprised operations staff that processed and settled transactions, and the "middle office," consisting of risk control staff that monitored trading activity for conformity with trading limits and other trading directives. During the fraud investigation we realized that, while internal auditing had viewed these areas as serving to help police the traders' activities, the back office staff actually felt more like the traders' servants. Traders may often tell back office staff that "your job depends on me," or regularly utter similar comments that muddy reporting lines and make back office employees feel that, in some fashion, they report to the traders.

The compensation and educational disparity often found between the two groups can make this situation even worse. High-flying traders may intimidate back office staff by making them feel ignorant for not "understanding" the traders' point of view. At Allfirst, each of Rusnak's fake options trades comprised a pair of options (one purchase and one sale) for the same notional value (i.e., face value) with the same financial institution but different expiration dates and strike prices. The purchase and sale had exactly offsetting options prices — a situation that, mathematically, is highly unlikely. Because the transactions did not require any net funds to be wired, the trader convinced back office staff that the trades did not need to be confirmed with the other financial institution. As a result, none of the fake trades was confirmed — only the legitimate trades were confirmed. One can easily imagine how back office employees in this situation might yield to a trader, particularly when they perceive this individual as superior to themselves. This type of unwitting collusion often represents the key to a trader's ability to compromise segregation of duties control.

Still, a reasonable auditor would likely assume that back office employees would clear an exception to policy — such as a failure or inability to confirm a trade — with their supervisor. After all, the employees should know that violating policy may constitute grounds for disciplinary action. Yet that logic doesn't necessarily apply when segregation of duties is compromised in this manner. Back office employees may fear confronting a volatile trader, and traders who have something to hide can be especially volatile when confronted with a problem trade. Or, the employees may just want to avoid seeming ignorant in front of their supervisor.

THE CONTROL ENVIRONMENT

Ensuring back office staff members at least question the trader's instructions can be a difficult problem. In a weak control environment, traders can exploit their perceived advantage in authority more easily. At Allfirst, however, there was no reason to believe the entitywide control environment was weak. The company would likely have passed a rigorous control environment assessment, such as those now conducted for compliance with the U.S. Sarbanes-Oxley Act of 2002. Executive management's communications set a positive tone at the top and strongly emphasized the company's ethics policy. Still, the culture of proprietary traders, which can include aggressive behavior and a disdain for bureaucracy, can make trading functions prone to a weaker local control environment than other areas of the organization. For this reason, management needs to make sure the local control environment in the trading room, the middle office, and the back office is especially robust.

Management should also be sure to provide back and middle office staff with ample support. Staff members may often come into conflict with traders, such as when problems arise with trade confirmations, timing, or pricing. For example, trade terms may be entered incorrectly, causing the trade confirmation to fail. Or trading position calculations may be unclear, especially when position limit formulas or policies change, resulting in disagreement. Even if the problem results in only minor conflict, management's reaction leaves an impression on staff far greater than any platitudes of support for the control environment. When conflict occurs, management needs to maintain respect for support staff and ensure there are no negative consequences for anyone who raises an issue and stands his or her ground. Even if the trader's position is sustained, management should praise the support staff member for seeing the matter through, as long as he or she acted appropriately. Management support for the middle and back office staff is key to maintaining a strong local control environment and should be reinforced frequently — particularly if the traders treat staff members with contempt.

COMPARING NOTES

In addition to a strong control environment, information-sharing among those involved with proprietary trading functions is also key to the detection of irregularities. At Allfirst, and according to published reports on Société Générale, several individuals from the organization became aware of red flags pertaining to the rogue trader's activity but never shared that information with each other. I did not became aware of many of the red flags of rogue trading at Allfirst until during and after the investigation. Had I known about these issues earlier, the critical mass of concerns would have warranted an investigation. The warning signs that operations (the back office), credit, risk control (the middle office), accounting, internal auditing, and executive management encountered, individually, may not have been cause for significant concern, but collectively they would have indicated a significant problem. Unfortunately these various areas of the company did not compare notes adequately.

Organizations can address this communication issue by establishing quarterly or monthly trading controls meetings to discuss policy breaches, errors, statistical anomalies, and any other factors that may impact trading control. The meeting should include managers from each of the areas referenced above, as well as the trading manager (traders, however, should be excluded). To make sure the meeting comprises more than just a perfunctory discussion, each attendee should be required to state the most serious breach or trading-related problem of which they've become aware since the last meeting. The issue can be minor, but each participant area must state something. Using this approach may help counter any implicit pressure to avoid disturbing the status quo.

The controls meeting would not only represent an opportunity for risk owners to "connect the dots," but it can also serve as a key tool for continually reinforcing management's support for the back and middle offices' internal control mission. The meeting would thus reinforce segregation of duties among the traders, the middle office, and the back office. It would also bolster the local control environment by promoting continued awareness of control issues.

INTERNAL AUDITING'S ROLE

Internal auditors should consider the high-level risks involved in proprietary trading when performing their work. For example, while auditors often assess the control environment at the entity level only, high-risk areas such as proprietary trading merit a detailed assessment of the local control environment during periodic audits. In addition, auditors may need to strengthen their segregation of duties testing. And because segregation of duties control effectiveness is dependent on a successful control environment, auditors may want to combine segregation of duties testing with their local control environment evaluation.

Auditors often limit segregation of duties testing to casual inquiry with management or a review of organizational charts. Sometimes these assessments are supplemented by comparing sign-offs on various documents, or by reviewing system access for inappropriate authority. But given the ease with which segregation of duties can fail when rogue trading occurs, especially if the local control environment is not sufficiently robust, trading function audits should include discussions with individual staff members who actually process transactions. During these discussions, internal auditors should review examples of trading concerns that arose — as well as how they were addressed — and try to determine whether staff members are uncomfortable revealing information that may upset the status quo.

The most significant challenge for the auditor arises when he or she concludes that support staff is not sufficiently independent-minded to elevate concerns when necessary. In retrospect, I believe it would have been challenging to convince Allfirst management that support staff members were not independent enough to make segregation of duties an effective control.

Even in the post-Enron era, these types of audit conclusions can be difficult to put forward. The history of fraud perpetrators who have exploited weak control environments, however, can be a strong argument for change.

FUTURE PREVENTION

Since the Allfirst trading incident, many people have told me that stopping a determined fraud perpetrator is nearly impossible. Although their comments are sincere, and often intended to show sympathy, as an internal auditor I refuse to accept that this type of fraud cannot be stopped. With sustained diligence from management, risk control, operations, and internal auditors, rogue trading can be prevented. I sincerely hope that my experiences and suggestions will prevent or detect future rogue traders and help put an end to this often devastating form of fraud.

To comment on this article, e-mail the author at louis.slifker@theiia.org.

Editor's Note: Allied Irish Banks, Allfirst's former parent company, sued Citibank and Bank of America in 2003, alleging that the two u.s. banks aided Rusnak in the trading fraud. The company is seeking to recover approximately us $500 million in compensatory damages - the share of the losses it attributed to the banks' alleged wrongdoing. Litigation is still ongoing, and this article's author is expected to give testimony in the lawsuit as a fact witness.

 


Share This Article:    


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2

UCMC 2012 

 International Conference Boston 2012

 

GRC August 2012 

 

 Twitter 
 

facebook IAO 

IA APP