Poor IT security blamed for Societe Generale fraud

IDG News Service - Inadequate IT security allowed a trader at Paris-based bank Société Générale to make a series of unauthorized transactions that ultimately cost the bank $7.2 billion, an internal investigation has found.

To prevent a recurrence, the bank should immediately introduce stronger security systems, including biometric authentication of trading personnel, a special committee has recommended in its preliminary report to the bank's board of directors on Wednesday.

Between Jan. 18 and 20, Société Générale discovered that trader Jerome Kerviel had established trading "positions" -- bets that the price of securities and warrants would move in a particular direction -- worth more than the bank itself. He bet wrongly, and unwinding those positions over the following three days cost the bank billions as it sold the stocks into a falling market.

As an arbitrage trader, Kerviel should have been making transactions in pairs, buying and selling similar assets to exploit the minute and fleeting differences in prices that exist in markets. Arbitrage trading is considered less glamorous than the one-way bets he secretly made from time to time by faking one half of a pair of transactions.

Kerviel had previously worked in the bank's IT department and had in-depth knowledge of its systems and procedures.

Staffers mostly followed those procedures, the investigating committee found, but the procedures were not in themselves sufficient to identify the fraud before Jan. 18 -- partly because of the effort Kerviel made to avoid detection and partly because staff did not systematically conduct in-depth investigations when warnings flags were raised.

The bank's general inspection department highlighted Kerviel's use of fake e-mail messages to justify missing trades and the borrowing of colleagues' log-in credentials to conduct trades in their names.

Investigators identified at least seven occasions on which Kerviel faked messages between April 2007 and Jan. 18, four of them referencing trades that never existed. The deception was eventually uncovered when they could find no trace of Kerviel receiving the purported messages in Société Générale's e-mail archival system, Zantaz.

Between July 2006 and September 2007, internal control systems raised 24 alerts when the value of Kerviel's trades exceeded authorized limits, the general inspection department reported. At the time, the bank's risk-monitoring unit put the anomalies down to recurrent problems with the way the trading software recorded operations and asked Kerviel's superiors to make sure he didn't exceed limits again.

The special committee made a number of recommendations, including the use of stronger, biometric authentication systems to prevent traders from accessing one another's accounts and improved alert procedures so warnings reach the appropriate managers. In addition, it suggested the tightening of trading controls, which do not cover canceled or modified transactions -- two of the tricks Kerviel allegedly used to conceal his bets.

Auditors are still looking for suspect trades to make sure all have been uncovered, and investigators have yet to review Kerviel's use of an instant messaging service for evidence of his activities, the special committee said.

It will present a final report to shareholders at their annual general meeting on May 27.