Wall Street was dominated by 5 major investment banking firms at the beginning of 2008. Nine months later, only 2 of these investment banking firms remain. This is probably the worst financial turmoil since the Great Depression. Merrill Lynch posted losses of over $17 billion this year. These losses resulted in Bank of America striking a deal with Merrill Lynch for $50 billion in stock.
Analysts and investors have blamed Merrill Lynch’s losses tied to subprime loans to poor risk management. Former CEO of the New York Stock Exchange (NYSE), John A.Thain, joined Merrill Lynch to help them restore their reputation after the subprime mortgage problems. (Ref 3) Thain saw that the losses were due to poor risk management programs and poorly supervised trading practices. He saw that Merrill Lynch had a risk committee which did not function. Thain’s goal was to avoid undue risk taking which could bring down the house. To implement this he had mandated weekly meetings with heads of fixed income, equity and risk. He wanted to bring more accountability to risk management.
In spite of these efforts, Merrill Lynch’s shares dropped. Over the past year, Merrill Lynch’s shares dropped over 68%. To avoid a bankruptcy situation like Lehman Brothers, Thain initiated a deal with Bank of America. Bank of America bought out Merrill Lynch to create the nation’s largest retail bank. This cost Merrill Lynch its 94 years of independence.
Daily trillions of dollars are transferred worldwide in funds and securities through financial systems. The magnitude of this exposes the financial institutions and their customers to very high risk of deliberate and accidental fraud. Many government and industry regulations and standards such as International Financial Reporting Standards (IFRS), Basel II, Basel III, PCI and Sarbanes-Oxley (SOX) require compliance by these financial institutions to take steps to mitigate risks and protect them from fraud. These strict regulations were unable to prevent the big slide in the stock markets in September 2008. Future solutions to the financial meltdown must include raising security standards in the financial industry, such as the use of biometric systems.
REGULATIONS AND STANDARDS
International Financial Reporting Standards – (IFRS)
These standards are becoming global standards for preparing companies’ financial documents. They are developed by International Accounting Standards Board (IASB) and are adopted by over 12,000 companies in over 100 countries globally. ERP systems such as SAP ERP financials provide compliance solutions for IFRS.
Basel II & III: These are issued by the Basel Committee on Banking Supervision, which is composed of representatives and senior authorities from the central banks of the G-10 countries. These accords are recommendations on banking laws and regulations.
PCI DSS: This is a security standard developed to facilitate adoption of data security measures on a global basis and mitigate payment security risks. It includes requirements for security management, software design, network architecture, policies, procedures and other critical protective measures.
Sarbanes-Oxley Act – (SOX): The Sarbanes-Oxley Act became law in 2002 in response to major corporate and accounting scandals. Congress created SOX to increase transparency in financial accounting and to mitigate fraud. Originally, its focus was issues surrounding accounting and finance. In 2005, its focus expanded to include human resources supply chain management and information technology.
Banks and financial institutions may have risk control procedures in place complying with these regulations, but are still exposed to fraud. This vulnerability is due to dependence on passwords for security and negligence in carrying out the security procedures diligently. According to “IT Departments on Data Security: A Research Concepts Survey”, 1 out of 4 organizations surveyed last year had a data breach. Most of these companies viewed security as a high priority. According to this survey, only 1 in every 100 employees consistently follows security policy.
ISO 19092:2008 – To increase security, biometrics is now being increasingly recognized as a method for authentication and a reliable identification method. The International Organization for Standardization (ISO) has published a new standard ISO 19092:2008 Financial services-Biometrics-security framework. “This standard establishes the security requirements for the implementation and management of state-of-the-art biometric identification technology within the financial industry.” This standard will make transactions more secure in the electronic era for the financial sector.
According to a Unisys survey, 66% of worldwide consumers preferred banks, credit card companies, healthcare companies, and government organizations to use biometric identification over passwords, smart cards, and security tokens. Most consumers surveyed found biometric solutions extremely convenient and secure as they would not have to remember passwords and also not have to deal with password misuse.
Passwords fail – There are many ways to gain access to passwords, which include simple means such as casual conversations to more sophisticated software. Data and systems security cannot be dependent on passwords. In certain work environments, such as banks or financial institutions, multiple users share a computer with their individual log-in credentials to do their jobs. If a user forgets to log-out of the system the next user could misuse this to create fraudulent transactions or trades using the previous user’s log in. The ERP system would only have the record of the transaction being carried out by the first user under his login.
Biometrics authentication: The reliable solution for security – SAP users can mitigate fraud by using bioLock (from realtime North America), the certified biometric solution using fingerprints. Even if log-in passwords were obtained, the fraudster would not be able to do anything with the passwords because the biometric authentication system would deny him access to perform transactions. Even if an ERP system uses multiple passwords for each user to control access to specific modules, that approach is no match for a biometric system able to control access even to the transaction, field or data level. The biometric approach is crucial for maintaining segregation of duties when employees gain new responsibilities.
Societe Generale Bank case study – The fraud at Societe Generale Bank is a classic example of how compliance with IFRS and Basel II was not enough to prevent the fraud which could have been prevented if they used SAP and a biometric system like bioLock to protect them.
The middle office monitored and managed the bank’s risk exposures. In 2002, he was promoted to assistant Trader, managing risk analysis and hedging. In 2004, he was promoted to the elite Delta One desk as Trader and Market maker. His job was to make bets on small price differences between contracts. He needed to make the transactions in pairs by buying and selling similar assets and taking advantage of the minute differences which exist in markets. He crossed his limits and made one-way bets by faking the other half of the bets. He also started making unauthorized bets on the market’s direction. Encouraged by the success of these bets, he continued betting on the direction of the market and making one-way bets and faking the other half. He was extremely successful doing this. For the year 2007, he generated a positive gain of 1.4 billion Euros. As he was not authorized to do these trades, he hid this from the bank by creating an offsetting fictitious operation.
In January 2008, for the first time, he experienced an extended losing streak. He started making larger and larger bets that the market would turn around. He started doubling down, which is a strategy where he started doubling his bet after every loss. By January 16, he had bet about 50 billion Euros, which was more than the bank’s total market capitalization. At this point, Eurex started sending enquiries to Societe Generale’s compliance people regarding Jerome Kerviel’s trading patterns.
He made a lot of effort for his fraudulent trades to be undetected by the system. He used:
- Fake email messages for justifying missing trades.
- Borrowed colleagues log-in credentials by using their passwords to conduct trades in their name.
- Forged documents. He created a fictitious Profit and Loss statement for 2007 reflecting the bogus hedges he had created for this period.
- Manipulated the bank’s proprietary system Eliot by deleting transactions and re-entering them after reconciliation.
Technologies used by the bank
Societe Generale Bank used a proprietary system, Eliot, for trading. Kerviel knew how to manipulate the system. He knew the timing for the reconciliation every night for the day trades. Hence, accordingly, he would delete his trades and re-enter these unauthorized transactions in Eliot the banks proprietary system for trading, without being detected.
The bank used Zantaz, a system for e-discovery and archiving software. The compliance team used RISQ/CMC, a trade tracking dashboard which uses Accurate NXG, a reconciliation, exception management, and workflow software package. There were 75 warnings regarding Kerviel’s rogue trading. Yet, the authorities failed to detect Kerviel’s rogue trading until it escalated to such a high level.
What can organizations do in the future to prevent this?
According to Diamond Management and Technology Consultants, Inc. this fraud was due to deficiency in Societe Generale’s operational risk management. To avoid this situation Societe Generale needs to have automated processes, an internal controls culture, and IT access controls.
Improve and strengthen internal controls and risk management procedures
Banks and financial institutions need to build an internal controls culture which spans the business from top to bottom and also extends across businesses. They need to improve:
- Controls for cancelled or modified transactions.
- Controls for transactions over certain limits.
- Procedures to act on alerts.
Banks can use an ERP solution like SAP which is a leader in the banking industry. Among the 30 largest banks of the world 21 are SAP customers. The SAP for banking portfolio includes compliance and risk management solutions. SAP’s partner, realtime NorthAmerica, provides a biometric system, bioLock, requiring biometric authentication for users of the SAP system. bioLock is currently the only certified biometric solution for SAP R/3. One of the co-authors has interviewed at a central bank that is using bioLock and has received positive feedback about its simplicity and effectiveness.
Strengthen IT security – To prevent a recurrence of a fraud like this, financial institutions can improve security by adding biometric systems to their ERP systems or by replacing their legacy systems with SAP and bioLock. Most biometric systems are used for access control. bioLock which is a biometric system developed by realtime NorthAmerica is the only biometric system which goes beyond access control and is even able to control a field, function or value within the ERP system, such as the amount of an outgoing wire transfer. The technology offers control for changes to transactions within SAP R/3 and will prevent unauthorized changes. The special committee for investigating Societe Generale’s fraud recommended that to prevent traders from using one another’s accounts the bank should use a stronger biometric authentication system. A system like bioLock would be the solution.
a. When Jerome Kerviel was promoted from middle office to front office bioLock could be used to change his role and deny access to the backend systems in SAP R/3.
b. An SAP system requiring biometric identification using bioLock would not have allowed Jerome Kerviel to use others log in credentials to post his fraudulent trades in their name.
c. bioLock would also restrict access to Jerome Kerviel from deleting records of his trade transactions from the system before reconciliation.
d. There would be high accountability as the system would show that Jerome tried to use others passwords to enter his trades in their name.
e. As a result a technology like bioLock would deter fraudster’s from trying to commit fraud since they would be uniquely identified
Thus, a biometric system such as bioLock can protect SAP R/3 by restricting access and controlling who can make changes to transactions within SAP R/3. If SAP interacts with a trading system and only SAP users can link to the trade system from SAP, then bioLock can be used to control that only authorized users log on to the user profile that connects to the trading system. The connection to the trade system would be established and ask for biometric authentication again. The bioLock log file will give a log of who connected to the trading system and also prevent unauthorized users from connecting.
In today’s world, banks are required to comply with regulations and standards to protect the banks and financial institutions from fraud. To mitigate fraud, these banks and financial institutions need to supplement their internal controls compliance with biometric authentication. Biometrics will prevent data breaches of security. Fraudsters will not limit their fraudulent activities trying to perpetrate frauds using only an ERP system. Users of ERP systems must also secure email systems and any trading systems interfacing with an ERP system. This would tighten security and improve accountability.
In 1995, Baring Bank, the oldest merchant bank in London, collapsed because of the fraudulent activities of a single trader. The current financial meltdown provides evidence that many financial institutions have failed to change systems and people in order to mitigate fraud and to comply with regulations and standards.