UBS: Our Risk Systems Did Detect $2bn Rogue Trader
A few weeks ago, UBS employee Kweku Adoboli (universally described as a "rogue trader") ran up a $2 billion loss for his employer; many readers wondered how it is the systems which allow trades to happen at all aren't better tuned to catch such massive cash flows without triggering alerts. Now, reader DMandPenfold submits a report from Computerworld UK in which the bank claims that such triggers were in place — they were simply not acted on. From the article: "UBS has insisted its IT systems did detect unusual and unauthorised trading activity. Interim chief executive Sergio Ermotti, who is running the company following Oswald Grubel's resignation last month, sent a memo to employees saying the bank is aware that its systems did detect the rogue activity. In the memo, Ermotti wrote: 'Our internal investigation indicates that risk and operational systems did detect unauthorised or unexplained activity but this was not sufficiently investigated nor was appropriate action taken to ensure existing controls were enforced.'"
Hey... don't do that.
Taxpayer-funded bailouts are far more profitable than sound management or ethics.
It can only be attributable to human error.
Sure we saw the murder, but we were busy chowing down!
From my comment on the original article:
"Let's face it, out on the terrain no-one is holding these guys accountable. IT may set up the system, Risk Management may generate the reports and they'll be either modified to say what management wants to say or just plain ignored because like all gamblers these guys think they have a system which lets them keep on winning even as they are betting their house (or in this case our houses.)"
This "blame IT" crap has gone on long enough. It's time we stood up for ourselves instead of allowing ourselves to be used as a convenient scapegoat all the time.
If all else fails, immortality can always be assured by spectacular error.
I guess it forgot to 'pick up' the job cuts and absolute chaos this would ensue while it was at it.
A risk system that nobody pays attention to is no different from not having a risk system at all, except that you're paying for it. As UBS found out.
How exactly do you do that?
Either you write a report that is just plain ignored or you get pegged as a HaxorTerrierist.
I swear, this is just that old childhood playground stuff all over again, where the jocks in the board room and Gov are blaming the geeks.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Whenever you have a monitoring or backup solution, it must be regularly tested to ensure a responsive psychology (as well as proper device operation).
They should have had 1 or 2 fake funny trades per month, and if the people who got the alert messages didn't respond, they should have been punished or fired.
I used to work on a NASDAQ trading floor, and once in a while (especially when trading bonds) someone would put the amount of shares in wrong into the Profit & Loss monitoring system. If it was us, we would get a 'friendly' visit from floor manager as to why we were 2 billion dollars in the red. We would just calmly explain that the mark on the bonds was entered wrong and give him a more accurate estimate of our position, and it was good enough. Unless you are bleeding money day in and out for a month, you could usually get by with a simple conversation.
Am I the only one who was really confused when these stories were not about the kind of Rogue Trader I expected them to be?
The point of those systems isn't to actually stop anything ... it's to give the impression that the company has some sort of safeguards and place the blame of something going wrong on some unfortunate employee. I'm sure there was some sort of alert. I'm also sure there's 30 alerts a day and the guy who's eventually going to be blamed for this had absolutely no possible chance of actually stopping Adoboli, but he's going to be blamed for this anyway and prevent any lawsuits from ever actually punishing the company for negligence.
I've actually had leadership-types ask me, straight-faced and very upset, "Why did you let me ignore those warnings you've been sending me?"
There is, of course, no answer. (Well, there are answers, but they're pretty dickish: "I tried mind control, but apparently you have no mind." Or "I'm not your mommy, Major." And by "dickish", I mean "likely to get my uniformed ass into correctional custody." To quote Coulton, "Code Monkey not say it out loud; Code Monkey not crazy, just proud")
Welcome to the Panopticon. Used to be a prison, now it's your home.
I like to put cover letters on my reports stating something to the effect of "please note the parts marked in red, as I am officially informing you that bad shit is happening. If you do not act on it, it is no longer my problem, it is your fault."
Usually the recipient ignores that, too, and I am under no illusions that it covers my ass at all.
But on the plus side, the places the recipient has read it and gotten pissy about it instead of acting on it, I've been able to plan my exit from those companies before they collapsed.
Exec: "Eh, it's still running, probably just a glitch or something."
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
The question is: why had IT not got a monitoring device that checked to see if people who received warnings acted on the warnings?
It seems to me if you send a report out, there needs to be a report that reports on whether or not anyone read the report. If management had such a tool, they would have known they received a report and didn't act on it.
"That's the way to do it" - Punch
So you knew about it and didn't act on it? You deserve every cent you lost.
In my case I pulled out the bug report that showed the VAR reports total field was being overflowed when a customer ran it. Bug had been fixed 6 months prior to customer going into bankruptcy (then being made whole by the ratepayer.)
Of course they weren't trying to blame us. They were claiming it was because they couldn't do long term deals. Which is true, but it's true because they had previously engaged in incestuous, non-arms length, long term deals with their open market corporate cousin.
I shouldn't be discussing this, but my former employer is long gone.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
It's all CYA tactics.
If the loss alone was 2 billion, imagine how much money was on the table. I don't see how a trader could have access to such obscene amounts of resources without any authorization and oversight.
I am sure that the management knew about everything and was very happy because the bets on the rising Swiss franc were extremely profitable and pretty much printed money. They had to be smiling at the thought of fat Christmas bonuses coming their way. Everything was peachy... until the Swiss central bank intervened and announced pegging to the euro at a fixed 1.2 : 1 rate (6th of September). Nobody saw that (and the subsequent instant 8% drop) coming, so bets placed to earn on rather minute upward movements blew up with full force when such a massive change occurred.
Well there's your problem.
Why would IT call him? Wouldn't the alarm go to someone managing the people who manage the trades?
Paraphrase: "We had (have) severe operational problems. Kweku Adoboli is a scapegoat. We can't explicitly say that because of liability issues."
I love it when these stories happen, for several reasons, no. 1 being - I don't mind banks losing money, 2 - I think it is pretty cool that someone can "lose 2 billion dollars", as the flip side is someone might have made 2 billion dollars, 3 - it just shows again how bad the system as a whole is when several people control the wealth of nations.
What more do you want?
You set up the monitoring system ... and you investigate the events it is reporting.
Then you tune it to get rid of the junk ... and you monitor it again ... and you investigate the events it is reporting.
Then you tune it blah blah blah blah blah.
Once you have it to the point where it isn't reporting junk you start testing it by setting up fake scenarios you want to catch. And investigate the events it is reporting (and the cycle continues).
Not to mention just going through ALL the events on a regular schedule to see if there are circumstances / situations / edge-cases that you did not anticipate.
If they detected it, and didn't do anything about it, doesn't that mean they approved of it?
This is what I said in the previous article about this situation when commenting about someone who said they couldn't monitor every trade:
Yes, they do. Every trade is supposed to be monitored. Even if it means a few bad trades get through, they can and are supposed to review the accounts, timing, etc. that go into every trade to determine legitimacy and adherence to trading rules.
It's one thing to say you can't check an instantaneous trade. It's quite another to say you can't look at multiple trades your traders make and not pick up on improprieties.
This comes down to willful ignorance. So long as the guy was doing well, it didn't matter if both the internal and external rules were being violated. It is only when trades go bad that, "Oh my! How could that have happened?" comes into play.
For a short time I worked at a brokerage firm and I can tell you, everything you do is watched.
So yes, UBS' systems did detect the trades (as I said they would). It was the people who failed.
It's the same thing where I work. When people turn off their PCs at night, rather than restart as they've been told, our CIO talks about getting Wake-on-LAN implemented. When she and our Security head couldn't remember two passwords to sign on to their laptops (SafeBoot first, then domain sign-on) she had us change to autoboot.
In both instances she was advocating a technical solution to resolve an issue of human failure. Same with UBS. The technical side worked as planned. It was the human side that failed.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Sorry for repeating a meme, but in this case it is extremely valid.
IT should NEVER be involved at that level. The alerts should go to the manager (or the manager of managers) who SHOULD have more insight into the situation than IT.
Having IT in the loop means one more failure point (and an additional delay).
We're not idiots, we're incompetent.
Well.. maybe. Or Maybe not. But Definitely not sort of.
When I worked for a bank, we had human review of any large transaction that would move money out of the bank. Sure, IT was involved in that, but the process was 90% policy and human activity.
Dumping risk management practices on automated IT systems is just plain lazy and stupid.
Yeah, yeah, yeah. We detected the unusual activity. But it was a measly 2 billion dollars. Our high and mighty CEO is not going to break his golf game for such a trivial thing. Heck, forget the CEO. The underling to the assistant deputy sub vice president would not break his Angry Birds practice to take a look at it. If you want these things to be attended to quickly you need to raise their pay enough to motivate them.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
"they were simply not acted on"
Likely cause UBS was trying to figure out how to make money for themselves from the transaction. So typical of these banks.
Why stop a transaction when you can also skim/make some cash on the side as well. That's the name of the game and why self-regulation failed in the financial industry the last 10yrs.
Unfortunately what applies here, someone once said, don't blame the player, blame the game.
I'm not sure who to blame here, but I've seen something like this several times in my career: Someone sets up a big elaborate system to detect security threats, monitor their systems, or enforce a workflow. Then the people in charge cheer how this system is going to solve all of their problems, and they cede all responsibility to the computer. They don't check whether the system is working the way it should. They don't pay attention to the alerts the system kicks out.
Having seen it so many times, I've learned a valuable lesson: there is no replacement for a smart and diligent person who is paying attention and exercising good judgment. I don't care how advanced your computer system is, it won't do your job for you.
And again, a basic software axiom has again been proved true:
"When you build a piece of software to be idiot-proof, your user base will find a way to build a better idiot."
They weren't brought down by anything as prosaic as a bug... they lost money because they completely ignored the output from a system specially designed to warn them of activity like this.
UBS and the rest of its banking industry crippled the global economy by doing exactly this: IT systems and business rules showed unsupportable risks were being executed by their traders, but the execs did nothing to stop or slow it.
Something like 2-10 $TRILLION in losses later, after years of the worst recession possible since the reforms installed after the Great Depression, UBS hasn't changed. There is no reason to believe any of these banks have changed, since they all act the same way to compete with each other: ignore risk, because they're too big to (be allowed to) fail.
UBS should forfeit every penny of the public money given it to bail it out. And face the stiffest penalties possible under the laws we now have. And cause new laws to be passed that actually prevent, not just promise to punish after the fact, this reckless risk-taking - with frequent audits and financial requirements to continue operating. Once slamming UBS is up and running, that government office should go after the rest of the banks that are surely guilty too.
--
make install -not war
If you have a rogue trader who games the system, you can look at UBS and say "geez, I guess you'll be investing in a better risk management system!"
But if you have a good risk management system that throws alarms and nobody looks at them, or follows up on them, then it's all on their heads.
They only had to look over one of their borders into France to see what a rogue trader could do. This isn't a novel problem, rogue traders taking positions, then losing money and then taking crazier positions to get back what they lost isn't a new problem.
Yes Francis, the world has gone crazy.
One place I worked had a problem with an average of 1 alert A WEEK. Because it almost always turned out to be some stupid non-issue ... eventually everyone started ignoring it. Even to the point of ignoring the follow-up emails about WHY the alert was happening.
This supports my belief that security is easy.
But no matter how easy it is, NOT doing it will always be easier.
And somewhere in the chain will be an individual who is lazy enough to break the security.
It's curious how we never hear about rogue traders caught _earning_ 2B$. The hedge traders are supposed to run balanced trades that do not have large downside risks, but consequently aren't supposed to earn fantastic profits---so a trader who suddenly earns a lot of money was likely to have violated his guidelines, and the risk management people in theory should police it just as vigorously. In practice, I can't remember anyone being fired for extra earnings, so I suspect that those controls are purposely kept vague and/or easy to circumvent.
Prior to working on the trading desk they worked in operations. While Operations may be the kissing cousin of IT, it is not exactly the same. But in either case, (Leeson or Adoboli) knew what would trigger the compliance office (in those days “Risk Management” tended not to be a separate department).
In Leeson's case, he was head of both trading and operations (which is a no-no - but it was Singapore – a small desk – why can’t one person do both jobs?). So on one side he presented it as an error account and on the other as a client account (loss not to the firm).
And as somebody who has worked in a similar position (Operations / Risk management) - it's hard. Give me simple and clear rules with a robust report, and I know it can be gamed. Traders tend to be optimizers. Be careful when you play magic or poker against them. They will test every last loophole and push every last inch.
Good risk management requires human judgment and subjectivity. Alas, the money and the fame go to the traders who earn the money, not the referees that keep people safe.
Boy are people going to be surprised when they find out the government has all these regulations and very few employees to monitor compliance and initiate enforcement actions.
That will come as a surprise to precisely no one. The SEC has been purposely underfunded for decades. You think that is by accident? The financial firms and their, ahem, elected representatives want it that way so they can't cause too much trouble. Hard to monitor wrongdoing when you don't have enough manpower. Congress can effectively neuter any regulatory agency simply by cutting their budget. Doesn't matter what laws are actually on the books if they can't be enforced.
There is no other way to put it. This is even worse than not having any triggers at all.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
UBS guy: So our systems -were- actually in place, but they weren't. If that makes any sense.
Reporter: That doesn't make sense, sir.
UBS guy: .... (runs off stage)
$2B in losses. There had to be an agenda there. Kill the company? Maybe. Funnel money to someone else is quite likely too. Friends? Terrorist? I think they should look more into where the losses went. Not just how they were lost.
As I said, of course this is nonsense.
Earlier it was reported that $2 Billion was lost in some shady trading transactions by Kweku Adoboli, a UBS trader. This of course rang all sorts of alarm bells; having worked in banking, it's difficult to imagine that it would be possible for a single trader to be able to trade with so much money without anybody noticing. It's much more likely that there is higher management involved in this and the poor sap, who will be set up for this, will receive a few years of jail time, just like Jerome Kerviel of Societe Generale, who supposedly singlehandedly lost 4.9 Billion Euro in unauthorized transactions. Well, Jerome is serving a 3 year sentence, and it's unclear what will happen to Kweku, but what is clear is that what is being reported is just not the reality.
A bank does not just allow a trader to lose billions of Euro or Dollars. The most likely scenario is a robbery, likely done with knowledge (or at initiative of) one or more of banks' managers. I believe we are coming to a point, where it will become more dangerous to hold one's money at a bank, we are at a point in time that has never been tested before in history of human civilization, where all of the countries are on fiat currencies that are being devalued all at the same time. Anybody with real bank deposits (gold and otherwise), may want to think what is the most likely scenario that is going to play out when the proverbial fecal matter hits the rotary impeller device. It's likely that people closest to the funds will simply dump them into a truck and skip town, that is my contention.
Another interesting point to mention: in the same comment from 15 September, 2011, it is noted that 4 national banks (US Fed, UK, Swiss and Japanese national banks), have announced that they will devalue their currencies further to buy all sorts of short term sovereign debt (mostly 3-month US bills), and as was mentioned, DOW went up on these inflationary news, while the monetary commodities (gold/silver) took a sharp dive. As was explained, the commodities were most likely depressed on that day based on selling related to margin calls and leveraged trading, so it was predicted that the prices of these monetary metals are now going to go up higher on these bullish news (bullish for real money), and now the results are clear: gold and silver are sharply up. Obviously the traders realize what is in the bag - more inflation.
All of this combined together with more "weaker than expected" news on employment (who are these so called 'economists', that can never expect what is so obvious?), is yet another indication and proof that the fiat money based economies, and especially vendor financed economies are moving closer to the edge of the proverbial cliff.
Watch out and watch those banks, if you have real deposits, don't leave them there thinking that they are going to be safe.
You can't handle the truth.
No, you go walk up to a reporter and say "Hi, I work for UBS and would like to get IT's story on the record." Then you paint a picture where IT is told to "detect" such things but never block them. Report them to the people who would then authorize blockage (but never do in a timely manner) and then the system, enforcing bad business processes, is blamed for a business process problem that lies with the upper management not wanting to enforce reasonable rules, knowing they can always blame it on some other department or such.
Unusual activity was discovered and reported to the appropriate management, who then elected to do nothing and then later blame it on the people who detected it and had explicit orders to never block it for not blocking it. The problem is that nobody ever goes on record to explicitly point to the non-IT business decisions as the actual cause of the issue, as the IT people don't understand people, just systems.
Learn to love Alaska
He was on an ETF desk, which is supposed to be a low risk, low margin place. The only way to make a profit on those desks is to squeeze out every penny and make it up on volume. Such a desk can very easily be dealing with billions and yet only have exposure of less than a million - if it's run the way it's supposed to.
Blessed with 20/20 hindsight, any failure such as this people react like it's something that was glaringly obvious. Controls can be very difficult to design, implement and monitor effectively. They have to be sensitive enough that they trip when something goes wrong, yet rare enough that they're taken seriously. When they do trip, the response has to be appropriate. They have to be effective yet also not be an endless cycle of bureaucratic red tape.
Generally the best controls are ones that almost prevent and detect fraud as a by-product of helping people do their job properly. The bank reconciliation isn't just a check for missing money, it helps ensure all the sales ledger receipts have been recorded and thus the sales ledger clerk keeps on track. The comptroller doesn't just authorise the bank reconciliation to catch the cashier stealing, the cashier is the one first in line to demand the comptroller reviews and authorises the bank rec because otherwise people are looking at him if there is a problem that he missed.
Most of all, controls are about culture. You can design all the effective controls you want, if the day-to-day mentality is that "detect[ed] unauthorised or unexplained activity... was not sufficiently investigated" then you might as well not have any. Again, take 100 people nodding their heads in hindsight and find 99 who were moaning about red tape and cutting corners the day before.
It's easy to detect anything: you just always say it's there. In order for detection to be useful, it needs to be traded off against error, you need low false alarms. UBS's system must have had too many false alarms, otherwise this alarm would have been acted upon.
There must be something wrong with this new radar thing sir, the screen is full of blips over the Pacific.
"You were supposed to be watching the factory!"
"I was watching! First it started falling over, and then it fell over!"
Ermotti wrote: 'Our internal investigation indicates that risk and operational systems did detect unauthorised or unexplained activity but this was not sufficiently investigated nor was appropriate action taken to ensure existing controls were enforced.' So they let him play with $2 billion and this is what their Security Dude said: "hey, let's see what's going to happen, whoooops - it did not work, my bad, my bad... sorry!"
...for a shareholder lawsuit against UBS.
Every rule has more than one consequence.
Don't forget, "independent" auditing firms, like Accenture and PWC, actively solicit bribes to certify compliance for those not compliant.
Accenture is not an auditing firm. They are a consulting firm which has nothing directly to do with auditing. They used to be part of an auditing firm but have not been for some time. Furthermore having actually worked with big accounting firms myself, they generally are actually pretty honest, albeit flawed. They serve a very useful purpose which is to verify that the financial statements are a reasonable (not perfect - that is impossible) representation of the financial situation of a company. For the most part they succeed in this endeavor. However sometimes greed, incompetence or plain old fraud manages to get by. Sometimes that is the fault of the auditor, sometimes it is the fault of the company being audited, sometimes both.
The accounting firms approved Enron's activities long after the illegal stuff started.
Which was primarily the fault of the partners charged with that account and a failure of Arthur Andersen's audit control procedures. Arthur Andersen was basically executed for the corrupt/incompetent actions of a relatively few individuals. If you have ever looked at Enron's financial statements (I have), they were made intentionally so complex that it was extremely difficult to determine that anything illegal was happening. I truly pity any honest auditors that were trying to provide an opinion on the financial statements of Enron. It was a hopeless task. On top of an engineering degree I have a masters in finance and am a certified accountant and I barely follow much of what they did.
Furthermore, Arthur Andersen was not remotely alone in their complicity in the Enron matter. The banks were probably more guilty if anything, since they were the ones funding Enron and theoretically should have been casting the most jaded eye at their activities. They really shouldn't have been funding Enron but greed overwhelmed good sense and they put money into something they could not have possibly fully understood.
Auditing firms are leeches who lie for a living...
Since you don't even know which firms actually are accounting firms I'm going to go ahead and say you probably don't know what you are talking about.
i want to be a rogue trader
Exactly what kind of system that involves this kind of money allows "unauthorized transactions"?
Where do I apply?
UBS execs are asking IT why they haven't already altered either cocaine or hooker's asses such that the straight lines of cocaine change shape to spell out the word "warning" while flashing red.
A lot of good comments on this board with a variety of perspectives, which I enjoy reading. Most trading shops trade with OTC, Affiliates and Clearing Brokers. Each evening the Clearing Brokers send their several-thousand-page statements to their clients, who pay / receive the initial and variation margin requirements. Most companies do not reconcile their Risk Management positions and fair value to the Clearing Brokers due to technology and intellectual capital constraints within the organization. However, the few that do can identify a position, fair value or deal element variance(s) from its system to the Clearing Broker down. As for the OTC trades, each counterparty would have a master buy sell (bilateral) agreement in place with an established credit limit and margin activity provisions based on the counterparty's credit rating. Each day the Credit Department would call the counterparty or would receive a call from the counterparty to margin or receive a margin call on the OTC fair value that exceeded the established credit limit. When they are on the phone/email/instant messenger with the OTC counterparty they call out the estimated fair value exhibited in its Risk Management system. If it's a material disparity, one of the Credit departments would reconcile the position/fair value. If a deal is missing then the fair value "may" be materially mis-stated. Thus, 2 control objects are established to monitor the Risk Management systems' fair value each day to an independent source.
However, if the staff is in lean management style and the support staff are not innovative or creative in delineating its Risk Management systems and work processes to its optimal potential, then it's hard for the organization to get in front of the beast that lingers deeply below.
I hope this helps put things into a different perspective.
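
An added example, not part of any comment above and not UBS's or any vendor's code: a sketch of the daily reconciliation the last comment describes (risk system against an independent clearing-broker statement), combined with the check raised earlier in the thread for breaks that were detected but never investigated. All deal ids, instruments, amounts, dates, the tolerance and the two-day limit are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Deal:
    deal_id: str
    instrument: str
    quantity: int         # signed: negative means short
    fair_value: Decimal   # mark-to-market, single currency assumed


@dataclass(frozen=True)
class Break:
    deal_id: str
    kind: str
    detail: str


def reconcile(risk_system, broker_statement, fv_tolerance=Decimal("10000")):
    """Compare the internal book with the independent source, deal by deal."""
    internal = {d.deal_id: d for d in risk_system}
    external = {d.deal_id: d for d in broker_statement}
    breaks = []
    for deal_id in sorted(internal.keys() | external.keys()):
        ours, theirs = internal.get(deal_id), external.get(deal_id)
        if theirs is None:
            # Booked internally with no counterpart outside: nothing
            # independent backs the position the risk system reports.
            breaks.append(Break(deal_id, "NOT_AT_BROKER", ours.instrument))
            continue
        if ours is None:
            # A missing deal means internal fair value may be mis-stated.
            breaks.append(Break(deal_id, "NOT_IN_RISK_SYSTEM", theirs.instrument))
            continue
        if ours.instrument != theirs.instrument:
            breaks.append(Break(deal_id, "DEAL_ELEMENT",
                                f"{ours.instrument} vs {theirs.instrument}"))
        if ours.quantity != theirs.quantity:
            breaks.append(Break(deal_id, "POSITION",
                                f"{ours.quantity} vs {theirs.quantity}"))
        diff = ours.fair_value - theirs.fair_value
        if abs(diff) > fv_tolerance:
            breaks.append(Break(deal_id, "FAIR_VALUE", f"variance {diff}"))
    return breaks


def overdue(breaks_by_day, investigated, today, max_age_days=2):
    """Breaks still open today, with no recorded investigation, whose first
    appearance in the supplied history is at least max_age_days old."""
    first_seen = {}
    for day in sorted(breaks_by_day):
        for b in breaks_by_day[day]:
            first_seen.setdefault((b.deal_id, b.kind), day)
    still_open = {(b.deal_id, b.kind) for b in breaks_by_day.get(today, [])}
    return sorted(key for key in still_open
                  if key not in investigated
                  and (today - first_seen[key]).days >= max_age_days)


# Constructed sample data, for illustration only.
RISK_SYSTEM = [
    Deal("D1", "ETF-A", 1000, Decimal("250000")),
    Deal("D2", "FUT-B", -50, Decimal("-120000")),
    Deal("D3", "ETF-C", 5000, Decimal("900000")),
    Deal("D5", "ETF-E", 200, Decimal("40000")),
]
BROKER_STATEMENT = [
    Deal("D1", "ETF-A", 1000, Decimal("251500")),   # within tolerance
    Deal("D2", "FUT-B", -80, Decimal("-192000")),   # position and value differ
    Deal("D4", "FUT-D", 10, Decimal("30000")),      # never booked internally
    Deal("D5", "ETF-E", 200, Decimal("40000")),
]
TODAY = date(2024, 1, 3)
_daily = reconcile(RISK_SYSTEM, BROKER_STATEMENT)
# Assume the same breaks recurred on three consecutive days.
HISTORY = {date(2024, 1, 1): _daily, date(2024, 1, 2): _daily, TODAY: _daily}
INVESTIGATED = {("D4", "NOT_IN_RISK_SYSTEM")}       # the only break with an owner

if __name__ == "__main__":
    for b in _daily:
        print(b.kind, b.deal_id, b.detail)
    for deal_id, kind in overdue(HISTORY, INVESTIGATED, TODAY):
        print("ESCALATE: no investigation recorded for", deal_id, kind)
```

The second function is the "report on the report": it escalates on the absence of an investigation record, not on the alert itself.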