$7.1 billion loss at major European Bank due to fraud

By chrislim at 10:09 pm on January 24, 2008 | 3 Comments

I haven’t been able to thoroughly analyze this situation, but it seemed particularly germane to this blog, so I decided to post it with brief commentary. Basically, the French bank Société Générale (SocGen) recently revealed that a single rogue employee was able to concoct “elaborate, fictitious transactions” that ultimately cost the company $7.1 billion (€4.9 billion).

Jérôme Kerviel, the perpetrator, was able to breach five levels of controls and was called a “computer genius” by the governor of the Bank of France. Apparently, he was allowed to move from a back office position to the trading floor, which removed the separation of duties that was intended to protect against exactly this kind of fraud. The expertise in control procedures that he gained while working in the back office enabled him to develop the complex scheme that concealed his fraudulent positions until auditors discovered fictitious trades on the books of the bank’s risk management office.

As this story unfolds, it will be interesting to hear more of the details of the breach, particularly with respect to computer security. From a policy perspective, questions have been raised about tightening controls, and, even granting that one person could engineer the fictitious trades, about how one person could finance positions of that size without detection. Why did numerous financial safeguards fail against a single insider?

This must be quite a blow for an already tumultuous industry…

http://www.businessweek.com/globalbiz/content/jan2008/gb20080124_769729.htm?campaign_id=rss_daily

http://www.iht.com/articles/2008/01/24/business/socgen.php

http://www.iht.com/articles/2008/01/25/business/profile.php

UPDATE: apparently there are conflicting reports about Kerviel’s computer skills, and it should be noted that SocGen has not accused him of personally profiting from the trades (though they may in the future). This incident sounds like it’s going to be in the news for quite a while.

Filed under: Current Events

3 Comments

  • 1

    Comment by mccoyt

    January 27, 2008 @ 9:57 pm

    This story is a great illustration of some of the more interesting aspects of the Trusted Computing Base concept that we’ve discussed in the last week. While one view of the model revolves around the trusted execution and manipulation of code, that paradigm can be extended to take into account more than just code on a machine. Indeed, it can include the entire user base and network environment of a computer system. The question of who to trust then becomes substantially more difficult to answer.

    In the case of this story, we see an example where a trusted element of Société Générale’s system clearly had more privileged access than should have ever been allowed. As the International Herald Tribune reports in the links above, the risk management division of the company is still trying to figure out how Kerviel managed to gain access to the billions of dollars he misappropriated.

    Based on the initial reports, it sounds like the actions Kerviel took were made possible by his somewhat unique position in the company as both a trader and a knowledgeable systems architect. Yet this incident cannot be treated as an edge case to be dismissed as anecdotal. One could argue that it is indicative of a common failure that companies make in determining who should be trusted, and to what degree. For years the commercial sector has been aware of the security threats facing it from outside the corporate firewall, but many forget to protect themselves from the potential of an insider threat within the company. Société Générale noted that Kerviel broke through five separate layers of security to carry out his trades. Clearly, those layers of security were directed outward, and not toward those with inside access or significant knowledge of the system.

    This doesn’t seem like a particularly surprising result when you consider that Kerviel was likely considered by the security infrastructure at SocGen as trustworthy. Indeed, it sounds as though he needed such deep access to perform his job. The matter of trust, then, cannot be thought of as black and white, trusted or not. Instead, a concept of degrees of trust might have served SocGen far better. Even those who are trusted must be audited, and those with full access to one system should not have it on another. By approaching security in that way, no one person gains sufficient access to undertake such a huge degree of criminal activity without being detected.

    It would seem there is a lot to learn from Société Générale’s mistakes. We can only hope that other institutions will consider the $7 billion price tag and take heed before they have similar problems.
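The separation-of-duties failure described in the post (a back-office employee moved onto the trading floor) and the degrees-of-trust argument in mccoyt's comment (trusted people still get audited, and access to one system should not imply access to another), worked through as an added example that is not code from the post, from Société Générale, or from the commenter. It is a small Python model with two layers: a preventive layer where conflicting roles cannot be granted to one person and large trades need an independent approver who holds a risk-control role, and a detective layer that re-runs the same rules over an exported book and groups the findings per trader. The role names, the approval limit and the sample trades are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role pairs that one person must never hold at the same time.
# The post describes this separation being removed when a back-office
# employee was moved to the trading floor.
CONFLICTING_ROLES = {
    frozenset({"back_office", "trader"}),
    frozenset({"trader", "risk_control"}),
}

# Assumed single-signature limit: a larger position needs a second,
# independent approver who holds the risk_control role.
DUAL_CONTROL_LIMIT = 1_000_000.0


@dataclass
class Trade:
    trade_id: str
    trader: str
    notional: float
    confirmed_by: Optional[str] = None


class ControlViolation(Exception):
    """Raised when a request would break separation of duties or dual control."""


def review_trade(trade: Trade, roles: dict[str, set[str]]) -> Optional[str]:
    """Return the name of the control a trade violates, or None if it is clean."""
    if "trader" not in roles.get(trade.trader, set()):
        return "booked_by_non_trader"
    if trade.notional <= DUAL_CONTROL_LIMIT:
        return None
    if trade.confirmed_by is None:
        return "unconfirmed"
    if trade.confirmed_by == trade.trader:
        return "self_confirmed"
    if "risk_control" not in roles.get(trade.confirmed_by, set()):
        return "approver_not_risk_control"
    return None


class Desk:
    """Preventive controls: role grants and bookings are checked before they take effect."""

    def __init__(self) -> None:
        self.roles: dict[str, set[str]] = {}
        self.audit: list[tuple[str, str, str]] = []  # (action, user, detail), append-only

    def grant(self, user: str, role: str) -> None:
        held = self.roles.setdefault(user, set())
        for pair in CONFLICTING_ROLES:
            if role in pair and (pair - {role}) & held:
                self.audit.append(("grant_denied", user, role))
                raise ControlViolation(f"{user} holds {sorted(held)}; {role} breaks separation of duties")
        held.add(role)
        self.audit.append(("grant", user, role))

    def book(self, trade: Trade) -> None:
        problem = review_trade(trade, self.roles)
        if problem is not None:
            self.audit.append(("book_denied", trade.trader, f"{trade.trade_id}:{problem}"))
            raise ControlViolation(f"{trade.trade_id}: {problem}")
        self.audit.append(("book", trade.trader, trade.trade_id))


def review_book(trades: list[Trade], roles: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Detective control: the same rules run over an exported book, grouped per trader."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for t in trades:
        problem = review_trade(t, roles)
        if problem is not None:
            findings.setdefault(t.trader, []).append((t.trade_id, problem))
    return findings


def flagged_exposure(trades: list[Trade], roles: dict[str, set[str]]) -> dict[str, float]:
    """Notional of flagged trades summed per trader: the size of the unchecked position."""
    flagged = {tid for items in review_book(trades, roles).values() for tid, _ in items}
    out: dict[str, float] = {}
    for t in trades:
        if t.trade_id in flagged:
            out[t.trader] = out.get(t.trader, 0.0) + t.notional
    return out


# Constructed sample data (assumptions, not from the post): four people, five trades.
SAMPLE_ROLES = {"alice": {"trader"}, "bob": {"trader"}, "carol": {"risk_control"}, "dave": {"back_office"}}
SAMPLE_TRADES = [
    Trade("T1", "alice", 500_000.0),                          # below limit, no approver needed
    Trade("T2", "alice", 5_000_000.0, confirmed_by="carol"),  # independent risk-control approval
    Trade("T3", "alice", 8_000_000.0, confirmed_by="alice"),  # approved her own trade
    Trade("T4", "bob", 3_000_000.0),                          # never confirmed
    Trade("T5", "bob", 2_000_000.0, confirmed_by="dave"),     # approver lacks the risk_control role
]


def demo() -> tuple[bool, dict[str, list[tuple[str, str]]]]:
    desk = Desk()
    desk.grant("bob", "trader")
    try:
        desk.grant("bob", "back_office")  # the role combination the post describes
        separated = False
    except ControlViolation:
        separated = True
    return separated, review_book(SAMPLE_TRADES, SAMPLE_ROLES)


if __name__ == "__main__":
    blocked, findings = demo()
    print("conflicting role grant blocked:", blocked)
    for trader, items in findings.items():
        print(trader, items)
```

The point of keeping `review_trade` shared between `Desk.book` and `review_book` is that the preventive check and the later audit apply one rule set; a reviewer who only has a book export can still ask which trades were self-confirmed or approved by someone outside risk control, and how much exposure that represents per trader.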

  • 2

    Comment by chrt00

    January 27, 2008 @ 10:09 pm

    It seems banks traditionally are concerned about being discreet about situations involving fraud to reduce damage to company reputation. However, with the advent of computer-based systems and the volume of transactions, an audit can take a long time before an intrusion or damage has been done.

  • 3

    Comment by Karen

    March 18, 2008 @ 1:01 am

    Fraud is very alarming. We must be aware of this. Thanks for sharing this. More power!
