The SocGen fraud scandal

Mike Tracy | February 1st, 2008 | Filed Under: Uncategorized

A lot has been made of the SocGen trading scandal as a case of someone cracking a computer system to defraud the bank.  I traded on the Chicago Board Options Exchange before getting into software testing and security full-time and anywhere the two intersect is interesting.

Reading the first outbreak of stories, you’d think the guy was slicing through the bank’s access controls causing all sorts of unauthorized mayhem (note the use of the word “unauthorized” for later on).  Sifting through the follow-ups I came across a Reuters piece which put a whole different spin on it.  Rich Bejtlich at TaoSecurity has a good write-up that sums it up pretty well in his first paragraph and highlights some salient points.  Paul Waldie has the most interesting article I have read on the subject.

So why bother writing about it?  Because, assuming the bank’s story is true, this is a teachable moment in authorization versus authentication.

So what happened Mike?

According to news accounts, a junior derivatives trader (Jerome Kerviel) who was recruited from the back office (what position he held isn’t clear) concocted an incredibly clever scheme to lose the bank $7.2 billion.  The motive wasn’t money as he wouldn’t have been able to profit if things had gone well.  Apparently he just wanted recognition as a star trader and a bonus.

Is getting into a trading position from the back office really so “unusual”?

In my experience with exchanges, no.  Getting onto a bank’s trading floor is a different matter.  The spin by the bank, however, provides fuel for their premise that Kerviel had inside knowledge that allowed him to bypass authorization in their system.

So what exactly is a “derivative instrument?”

The simplest definition of a derivative is a financial instrument that derives its value from another underlying financial instrument.  For example, a futures contract is a derivative that bases its value on the market price of the underlying commodity.  Specifically, a futures contract guarantees the buyer the right to purchase a set amount of a commodity at a given price on a given date.  In this case we are examining “regulated stock market index futures” which base their value on an underlying index of stocks (DAX, EuroStoxx and FTSE to be exact).

A “regulated” derivative is normally referred to as an “exchange traded” or “listed” derivative.  Listed futures contracts differ from other types of forward contracts in that they can be bought and sold at any time before their expiration date in a regulated marketplace, have terms that are standardized by an oversight agency, are guaranteed by neutral clearing entities and have a standardized settlement procedure.  In the case of stock index futures, the settlement is normally in cash as opposed to taking delivery of bushels of oranges or ounces of gold.

So an “over the counter” derivative is just like an “Over the Counter” stock?

Not at all.  Over the counter derivatives are custom contracts priced and negotiated to suit the particular purpose of the entity initiating the contract.  They have no set parameters, are not subject to the same regulatory oversight and have no guaranteed clearing or settlement mechanism.  Think of it as re-insurance, or a bookie laying off one-way action with another book to reduce his exposure.  They are normally (if not always) traded between banks and used to hedge portfolio (forward contracts or options) or interest rate (swaps) risk.  A premium is normally written into the contract for providing the service.

If Kerviel’s job was to write over the counter forward contracts for the bank and hedge them with listed futures, then he was clearly authorized to enter the types of trades he allegedly entered into the bank’s system.

OK, but what if that wasn’t his job?

Then it’s unlikely that Kerviel was authorized to negotiate (and have in his position) over the counter trades.  It would also mean the over the counter contracts were the “hedge” against his long futures positions. Given the complexity of negotiating and premiums paid for over the counter forward contracts, the probability of this being a winning trading strategy asymptotically approaches zero.  In any case, it’s certainly not an “arbitrage”.

But obviously Kerviel was putting fake trades in the system.  He must have been hacking right?

Even lacking authorization by the bank to trade over the counter securities, Kerviel may still have been able to enter these types of trades into the bank’s order entry system without any other access to the system than what he walks into work with every day.  That some of his entered trades were fictitious and designed to hide the risk he was carrying is no more elegant than kiting a check.  It certainly doesn’t require any hacking skills.

So what’s the real issue here?

Simple.  The bank should have asked and answered one simple question, “Is this trader’s position authentic?”

There are only two possible theories for the fraud.  One, as pointed out in the Reuters article, is that Kerviel was removing the bogus over the counter trades from his position before being checked and then re-entering them.  This would have to take place on (at least) a daily basis and with very precise timing.  The other is that no such manipulation of the position took place.

If he were removing the “hedge” part of his position from the system, the incredibly large amount of market risk in his position would have been exposed.  If the position ended up losing $7.2 billion, how many contracts was he actually long?  If the position was never changed in the system, the bank apparently never got around to checking if the over the counter trades were valid.  All someone in the clearing or risk department had to do was pick up a phone and call the bank(s) on the other side of the trade(s).

I’m still not quite clear how this teaches us anything about authorization versus authentication…

Kerviel was obviously authorized to enter trades into the system.  He was allegedly entering (and perhaps removing and re-entering) bogus trades to cover the incredible amount of risk to which he was exposing the bank.  Whether the fraudulent trades were entered through unauthorized means is irrelevant.  The trades still appeared in (or disappeared from) his position.  Despite (ostensibly) having controls in place to either find the risk or expose the bogus trades, the bank utterly failed to make sure Kerviel’s position was what he said it was. “Trust but verify” takes on a whole new meaning.
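The checks the post describes, written out in Python as an added example (not code from the post or from any bank's systems): a position is “authentic” only if the trades that make it up are, so the control discards unconfirmed OTC bookings before computing exposure, lists the OTC trades still to be confirmed with the counterparty, and searches the audit trail for the cancel-and-rebook pattern the Reuters theory implies. The blotter, its field names, the trader label, timestamps and notionals are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Trade:
    """One booking in a trade-capture system. Field names are assumptions, not any bank's schema."""
    trade_id: str
    trader: str
    kind: str                  # "FUT" = listed index future, "OTC" = bilateral forward
    notional: float            # signed: positive = long exposure, negative = short
    counterparty: str          # clearing house for FUT, the other bank for OTC
    booked: datetime
    cancelled: Optional[datetime] = None
    confirmed: bool = False    # counterparty confirmation on file (cleared FUT: always True)


def live_trades(trades: List[Trade], as_of: datetime) -> List[Trade]:
    """Trades present in the system at the instant `as_of` (cancelled ones drop out)."""
    return [t for t in trades
            if t.booked <= as_of and (t.cancelled is None or t.cancelled > as_of)]


def reported_exposure(trades: List[Trade], as_of: datetime) -> float:
    """What the risk report shows if it trusts every live booking, confirmed or not."""
    return sum(t.notional for t in live_trades(trades, as_of))


def verified_exposure(trades: List[Trade], as_of: datetime) -> float:
    """Exposure once unconfirmed OTC bookings are discarded: 'is this position authentic?'"""
    return sum(t.notional for t in live_trades(trades, as_of)
               if t.kind != "OTC" or t.confirmed)


def unconfirmed_otc(trades: List[Trade], as_of: datetime) -> List[str]:
    """Live OTC trades nobody has confirmed with the counterparty: the list to phone about."""
    return sorted(t.trade_id for t in live_trades(trades, as_of)
                  if t.kind == "OTC" and not t.confirmed)


def cancel_rebook_pairs(trades: List[Trade],
                        window: timedelta = timedelta(hours=24)) -> List[Tuple[str, str]]:
    """Trades cancelled and then rebooked with identical economics within `window`.

    A trade that vanishes before the daily check and reappears afterwards leaves exactly
    this pattern in the audit trail, which only works if cancellations are kept, not overwritten.
    """
    pairs = []
    for old in trades:
        if old.cancelled is None:
            continue
        for new in trades:
            if (new is not old and new.trader == old.trader and new.kind == old.kind
                    and new.notional == old.notional and new.counterparty == old.counterparty
                    and old.cancelled <= new.booked <= old.cancelled + window):
                pairs.append((old.trade_id, new.trade_id))
    return pairs


# Constructed sample blotter: two real long futures and a fictitious OTC "hedge" that is
# deleted before the evening control and rebooked the next morning. Every value is invented.
T0 = datetime(2008, 1, 14, 9, 0)
SAMPLE = [
    Trade("F1", "trader_a", "FUT", 50_000_000.0, "EUREX", T0, confirmed=True),
    Trade("F2", "trader_a", "FUT", 30_000_000.0, "EUREX", T0 + timedelta(hours=1), confirmed=True),
    Trade("O1", "trader_a", "OTC", -80_000_000.0, "BankX", T0 + timedelta(hours=2),
          cancelled=T0 + timedelta(hours=8)),
    Trade("O2", "trader_a", "OTC", -80_000_000.0, "BankX", T0 + timedelta(days=1, hours=1)),
]
CHECK_DAY1 = T0 + timedelta(hours=8, minutes=30)   # evening control, after O1 was pulled
CHECK_DAY2 = T0 + timedelta(days=1, hours=2)       # next day, O2 back in the book


def daily_control(trades: List[Trade], as_of: datetime) -> dict:
    """Everything the clearing/risk desk should look at in one pass."""
    return {
        "reported": reported_exposure(trades, as_of),
        "verified": verified_exposure(trades, as_of),
        "unconfirmed_otc": unconfirmed_otc(trades, as_of),
        "cancel_rebook": cancel_rebook_pairs(trades),
    }


if __name__ == "__main__":
    for label, when in (("day 1", CHECK_DAY1), ("day 2", CHECK_DAY2)):
        print(label, daily_control(SAMPLE, when))
```

Run stand-alone it prints both days' controls. On day 1 the reported exposure is already naked because the fictitious hedge was pulled before the check; on day 2 the book looks flat but the verified figure is not, and the unconfirmed OTC list names the trade to phone the counterparty about. Either check alone would have surfaced the position, and the cancel/rebook search catches the manipulation even on the days it is timed to beat the control.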

6 Comments so far

  • yhbt

    February 1st, 2008 5:01 pm

    According to Wikipedia (of which Tom seems to be particularly fond of lately): “A Hack is usually a technique used to subvert, misuse or subtly change a program, gadget or mechanism in such a way as to change, or add to, its functionality.”

    So I don’t see why everyone disagrees with the media about this being a hack. Looks like the media got it right this time.

  • Olivier

    February 3rd, 2008 12:35 pm

    Thanks for this thorough analysis and its conclusion.

    One possibility that is not mentioned in your article is the fact that the guy kept his old authorisation from his back-office job on top of the one from his new front-office position and was then able to “reconcile” the trades himself in the system.

    From my experience, it is easy to manage the “giving access” because the guy who needs the access is going to scream until he gets it to be able to perform his job. “Removing access” when somebody leaves or moves position is another issue because nobody really cares and the guy is generally not screaming.

  • Elephant

    February 5th, 2008 12:48 pm

    Banking world sure is monkey business when you look at numbers.
    Banking world sure has all the animals figured out.
    Banking world sure has game over all these nuts.
    Must be an elephant. So what some IT details matter?
    My point here is for IT people, watch out, the larger game is the ruling class, and CYA. Unfortunately, CYA in an elephant game is still susceptible to being dumped on, or stepped on. GRR.

    Basic IT primitives are very powerful in business, even as described here. Complex systems, somebody has to take the fall.

  • Mike Tracy

    February 5th, 2008 6:22 pm

    “Hack” is a relative term (and one I like to use correctly). The point here is that Kerviel didn’t necessarily need to bypass any authorization in the bank’s systems to perpetrate this fraud.

  • Mike Tracy

    February 5th, 2008 6:25 pm

    Olivier: That seems to be the consensus among people I talk to now. If there were any authorization bypass it’s because he had credentials left over from his previous position.
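Olivier's point, which the author agrees with in the reply above, is an access-review problem: entitlements granted for a previous role survive the move, and the account ends up able to both book and reconcile. The following Python is an added example (not code from the post, the comments, or any bank) of the check a periodic entitlement review would run: compare what an account can actually do with what its current role justifies, trace each excess grant back to the former role that explains it, and flag maker/checker conflicts. The role catalogue, entitlement names and the three accounts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Role catalogue and entitlement names are constructed for the example, not a bank's real ones.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "back_office":  {"view_blotter", "confirm_trade", "cancel_trade", "reconcile_position"},
    "front_office": {"view_blotter", "book_trade", "amend_own_trade"},
    "risk_control": {"view_blotter", "view_risk_report"},
}

# Maker/checker pairs one person must never hold at the same time.
SOD_CONFLICTS: Set[Tuple[str, str]] = {
    ("book_trade", "confirm_trade"),
    ("book_trade", "cancel_trade"),
    ("book_trade", "reconcile_position"),
}


@dataclass
class Account:
    user: str
    current_role: str
    previous_roles: List[str]   # roles the person held before, oldest first
    granted: Set[str]           # what the system actually lets the account do today


def stale_entitlements(acct: Account) -> List[str]:
    """Grants the current role does not justify: what the move should have revoked."""
    return sorted(acct.granted - ROLE_ENTITLEMENTS[acct.current_role])


def stale_origin(acct: Account) -> Dict[str, List[str]]:
    """For each stale grant, the previous role(s) that would explain it."""
    return {e: [r for r in acct.previous_roles if e in ROLE_ENTITLEMENTS[r]]
            for e in stale_entitlements(acct)}


def sod_violations(acct: Account) -> List[Tuple[str, str]]:
    """Conflicting pairs the account holds together, regardless of how it got them."""
    return sorted(pair for pair in SOD_CONFLICTS
                  if pair[0] in acct.granted and pair[1] in acct.granted)


def access_review(accounts: List[Account]) -> Dict[str, dict]:
    """Accounts needing action, with the findings a reviewer would send to the line manager."""
    findings = {}
    for acct in accounts:
        stale, sod = stale_origin(acct), sod_violations(acct)
        if stale or sod:
            findings[acct.user] = {"stale": stale, "sod": sod}
    return findings


# Constructed accounts: "mover" changed desk but kept every old grant, "clean" is a correct
# front-office account, "leftover" sits in risk control with one grant from an earlier job.
ACCOUNTS = [
    Account("mover", "front_office", ["back_office"],
            ROLE_ENTITLEMENTS["back_office"] | ROLE_ENTITLEMENTS["front_office"]),
    Account("clean", "front_office", [], set(ROLE_ENTITLEMENTS["front_office"])),
    Account("leftover", "risk_control", ["back_office"],
            ROLE_ENTITLEMENTS["risk_control"] | {"cancel_trade"}),
]

if __name__ == "__main__":
    for user, finding in access_review(ACCOUNTS).items():
        print(user, finding)
```

The two checks are deliberately separate: the stale-grant check catches the revocation that never happened when someone moved desks, while the conflict check catches the same danger however it arose, including a role that was badly designed from the start. Both only work if the review compares against the role the person holds now, not against whatever was approved at the last grant.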

  • Mike Tracy

    February 5th, 2008 6:28 pm

    Elephant: The Mythbusters called mice frightening elephants plausible… maybe that’s a security tool we can leverage together?
