How To Lose $7.2B With Just a Few Basic Skills

Cityslacker recommends a Register piece speculating on how a lowly trader at the French bank SocGen was able to lose billions using only Excel VB. The author freely admits that his story is not based on hard sources, but his experience in the banking industry lends plausibility.

Insider knowledge

[Dan+East]

He pulled this off using insider knowledge. He worked previously in the back office, which oversaw all trading. The bank then moved him into trading, which according to statements I've read from other bankers, was practically a violation of policy.

Since he knew the flow of information through all parts of the bank, he was able to cover his tracks and employ creative accounting. He knew what types of accounts and trades would not raise flags, so he would flow money though those routes.

This type of security risk can exist in practically any business. If you're a developer or IT person, and suddenly find yourself working within the infrastructure you design and maintain, then guess what? You can most likely bend the system around some rules. The same type of rule applies for relatives and spouses. Most businesses will not let an employer be managed or supervised by a relative or spouse for the same reason. They can cover each other's tracks, and have more complete knowledge of the system.

Dan East

Re:Reliable?

[sam_paris]

Don't mistake the register's humorous undertones and brash site design to mean that site is unreliable. I personally know a couple of the journalists they are highly professional and yes, they tend to skew things to make them more humorous (which I like) but they don't bullshit or flat out lie.
 
I think some people get the impression they are the online equivalent of National Enquirer but it's simply untrue.

Now excuse me, the BOFH is screaming for my blood..

One thing rings true!

[Chrisq]

In a place (bank) I worked a branch had a new trainee employee start and forgot to notify the IT department. When they phoned up and let us know we said we would do it as soon as possible. The answer we got was "That's OK, the branch manager has let him use his password for now".

While this really was a clueless trainee someone with the manager's password could authorise over-limit cash withdrawals, reverse transactions, see all sorts of files and make queries on customers that ordinary staff cannot do.

what he did/how he did it

[mbaGeek]

What he did
Basically the guy was "gambling" on stocks and losing - then making bigger bets trying to catch up. He claimed that he was simply trying to get a big bonus and didn't have any malicious intent.

how he did it
He went largely "unsupervised" because he was considered unimportant (and hadn't taken a vacation in a long time - so he covered his own tracks until the whole thing collapsed).

Most financial institutions require mandatory "vacations" so they can check up on people (this guy would have been caught much sooner if someone else had a chance to look at his "trading desk")

the funny part
what I love is that they haven't fired him yet, he has been told to not come to work and they aren't paying him, but France's labor laws require a "sit down" before they kick him out the door.

In the short term he is being looked at as a "Robin Hood" type figure by some people (who think he just ripped off the greedy bankers, not that he committed fraud and stole) - so mark this up as an unintended consequence of ridiculously strong labor unions

Re:Stupid?

[Yvanhoe]

Quick summary : He was a trader at one of the biggest French bank, manipulating millions owned by the bank using the usual scheme : buy low, sell high. Except, he managed to fool controls to manipulate more money than he was allowed by several orders of magnitude, allowing him to have a very good overall performance. His objective was _apparently_ only to get higher raises, not to steal that money. So he traded billions in order to make millions of profits. He has been doing this for several months. A few weeks ago, bank officials discover his hidden account with ~50 billions worth of unauthorized stocks on it. They panicked, they sold this as discreetly as possible in a few days at loss (~ 5 billions of loss ), possibly causing a worldwide fall of stock exchanges. The trader admitted that he did something he was not authorized but called the selling a bad decision made in a hurry.

Of course there are many speculation about all that he could have done by bypassing usual controls.

Re:Stupid?

[The_Chicken_205]

What happened was that he was only "authorised" to make "safe" purchases - buy stuff that was undervalued, buy low and sell at normal price.
What he actually did was buy at normal price, and hope that the price would go up.
What then happened was that he bought at normal price, but the price went down.

To compound the issue, he was playing with more money than he was allowed to. e.g. He was allowed to play with [currency of your choice]100,000, but he was actually playing with [currency]10,000,000.

TFA suggests that he had been promoted out of the "lowly lowly trader" position, but was still playing with those accounts (that he shouldn't have had access to).

The IT angle was that he was using "creative" processes within Excel to hide this - devs hardcoding admin passwords into the spreadsheets.

Re:Seriously?

As someone who spent a long year at an unnamed investment bank:

1) they didn't bother using shadow password files (this was around 2000-2001)
2) they did everything with Excel and VBA - my line manager had a box dedicated to running VBA macros on spreadsheets to calculate tons of Equity Derivatives data throughout the day
3) nobody cared that much about telling each other their passwords

This was 8 years ago so they may be using Java for everything now - that was the way things were slowly, slowly heading when I left. But I do think VBA is overused and abused in finance more than some other sectors.

SocGen Credit Briefing

I don't post much on Slashdot (ever), but I read the site a lot. I work in the financial industry and got some feedback from senior Risk Management ppl at SocGen regarding this little fiasco.

This is what they said happened:

As is now well-publicized, JK was able to use his knowledge of SocGen's back office procedures and controls to subvert them. Somehow (SocGen still seems unsure how) he obtained the access passwords of 3 or 4 other middle/back office individuals; but not only that, because these are changed regularly, he obviously managed to keep "updated" with the changes; (*my theory is that he figured out that people use easy to remember passwords like MonthYear and change it every month).

JK was able to hide what would have been massive swings (because of the size of real gross positions he was taking, primarily on Eurex) in his P&L from SocGen's P&L and Risk Management systems;

An alternating pattern of 5 basic types of transactions was used. (I believe these were described in a press release last weekend);

One thing that JK was apparently doing (which gave us an instant "flashback" to Barings and the infamous 88888 account!), was that JK would fail to put the required broker reference on at least some of his transactions, which would cause them to go into an error or suspense account for subsequent reconciliation (i.e., not as part of the overnight routine), allowing JK the opportunity (presumably) to reverse out or cancel the trade before it was spotted and questioned;

JK was hiding a few fictitious transactions in the midst of a slew of real ones. When some of these were picked up by controllers, he was able to find excuses to allay suspicion- e.g., by saying that the size of transaction entered must be an error and he would rectify it

He would cancel forward starting transactions before SocGen's system generated the relevant Confirm; [If I understood JPM correctly, SocGen has stopped the practice of deferring sending these out];

SocGen has combed its books and it believes that it has found all the fictitious transactions; and does not believe there was anyone else acting with JK. JPM stated that the bank was "99% certain" that it knows the full extent of its losses;

There were clear weaknesses in trader management. The Delta One Desk was supposed to have small risk sensitivities and hence a modest net daily P&L movement. JK's superior "reconciled" the daily P&L on a net basis, but never appears to have looked at the gross positions- the clear inference from JPM was that, if he/she had the fact that something didn't add would/should have been spotted;

With regards to margin calls, most of these would have related to positions on Eurex. For administrative convenience, SocGen received a single consolidated account for the whole bank- i.e., no granularity. Given how big a player SocGen is on Eurex, this made it easy to miss individual movements {Altho' this begs the question about control over actual movement of cash/margin];

As JPM pointedly said, SocGen's Market Risk Management never failed, but its Operating Risk Management certainly did;

Boston Consulting Group is now helping SocGen with making changes to its controls and the bank has a number of immediate and short term fixes underway- including reviewing the use of biometric identity checks for at least key controls; looking at gross and not just net positions in reconciling daily P reconciling positions between internal counterparts daily (not monthly as before); tougher and more granular controls on deposit and margin calls and reporting; better enforcement of the holiday policy (e.g., JK was able to find an excuse not to take holiday last November);

As is public knowledge, when JK was found out, SocGen discovered that it had open positions on Eurex (EUR 30BN); DAX (18BN); and FTSE (EUR 2BN), aggregating EUR 50BN. JPM was adamant that SocGen had no choice but to close out those positions, while trying to avoid moving the market. In mitigation of the