UBS: Our Risk Systems Did Detect $2bn Rogue Trader
A few weeks ago, UBS employee Kweku Adoboli (universally described as a "rogue trader") ran up a $2 billion loss for his employer; many readers wondered how the systems that allow trades to happen at all aren't better tuned to catch such massive cash flows, or at least to trigger alerts. Now, reader DMandPenfold submits a report from Computerworld UK in which the bank claims that such triggers were in place, and were simply not acted on. From the article: "UBS has insisted its IT systems did detect unusual and unauthorised trading activity. Interim chief executive Sergio Ermotti, who is running the company following Oswald Grubel's resignation last month, sent a memo to employees saying the bank is aware that its systems did detect the rogue activity. In the memo, Ermotti wrote: 'Our internal investigation indicates that risk and operational systems did detect unauthorised or unexplained activity but this was not sufficiently investigated nor was appropriate action taken to ensure existing controls were enforced.'"
Hey... don't do that.
Taxpayer-funded bailouts are far more profitable than sound management or ethics.
It can only be attributable to human error.
Sure we saw the murder, but we were busy chowing down!
From my comment on the original article :
"Let's face it: out on the terrain, no-one is holding these guys accountable. IT may set up the system, Risk Management may generate the reports, and they'll be either modified to say what management wants to say or just plain ignored, because like all gamblers these guys think they have a system which lets them keep on winning even as they are betting their house (or in this case our houses.)"
This "blame IT" crap has gone on long enough. It's time we stood up for ourselves instead of allowing ourselves to be used as a convenient scapegoat all the time.
If all else fails, immortality can always be assured by spectacular error.
I guess it forgot to 'pick up' the job cuts and absolute chaos this would ensue while it was at it.
A risk system that nobody pays attention to is no different from not having a risk system at all, except that you're paying for it. As UBS found out.
How exactly do you do that?
Either you write a report that is just plain ignored or you get pegged as a HaxorTerrierist.
I swear, this is just that old childhood playground stuff all over again, where the jocks in the board room and Gov are blaming the geeks.
Whenever you have a monitoring or backup solution, it must be regularly tested to ensure a responsive psychology (as well as proper device operation).
They should have had 1 or 2 fake funny trades per month, and if the people who got the alert messages didn't respond, they should have been punished or fired.
Am I the only one who was really confused when these stories were not about the kind of Rogue Trader I expected them to be?
I've actually had leadership-types ask me, straight-faced and very upset, "Why did you let me ignore those warnings you've been sending me?"
There is, of course, no answer. (Well, there are answers, but they're pretty dickish: "I tried mind control, but apparently you have no mind." Or "I'm not your mommy, Major." And by "dickish", I mean "likely to get my uniformed ass into correctional custody." To quote Coulton, "Code Monkey not say it out loud; Code Monkey not crazy, just proud")
Welcome to the Panopticon. Used to be a prison, now it's your home.
What if you were UP $2e9?
Exec: "Eh, it's still running, probably just a glitch or something."
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
The question is: why had IT not got a monitoring device that checked to see if the people who received warnings acted on the warnings?
It seems to me that if you send a report out, there needs to be a report that reports on whether or not anyone read the report. If management had such a tool, they would have known they received a report and didn't act on it.
"That's the way to do it" - Punch
In my case I pulled out the bug report that showed the VAR report's total field was being overflowed when a customer ran it. The bug had been fixed 6 months prior to the customer going into bankruptcy (then being made whole by the ratepayer.)
Of course they weren't trying to blame us. They were claiming it was because they couldn't do long term deals. Which is true, but it's true because they had previously engaged in incestuous, non-arms length, long term deals with their open market corporate cousin.
I shouldn't be discussing this, but my former employer is long gone.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
I used to work on a NASDAQ trading floor
A difficult job, considering NASDAQ is an all-electronic exchange.....
Where does the school board find them and why do they keep sending them to ME?
It's all CYA tactics.
If the loss alone was 2 billion, imagine how much money was on the table. I don't see how a trader could have access to such obscene amounts of resources without any authorization and oversight.
I am sure that the management knew about everything and was very happy, because the bets on the rising Swiss franc were extremely profitable and pretty much printed money. They had to be smiling at the thought of fat Christmas bonuses coming their way. Everything was peachy... until the Swiss central bank intervened and announced pegging to the euro at a fixed 1.2 : 1 rate (6th of September). Nobody saw that (and the subsequent instant 8% drop) coming, so bets placed to earn on rather minute upward movements blew up with full force when such a massive change occurred.
Well there's your problem.
Why would IT call him? Wouldn't the alarm go to someone managing the people who manage the trades?
Paraphrase: "We had (have) severe operational problems. Kweku Adoboli is a scapegoat. We can't explicitly say that because of liability issues."
what more do you want?
You set up the monitoring system ... and you investigate the events it is reporting.
Then you tune it to get rid of the junk ... and you monitor it again ... and you investigate the events it is reporting.
Then you tune it blah blah blah blah blah.
Once you have it to the point where it isn't reporting junk you start testing it by setting up fake scenarios you want to catch. And investigate the events it is reporting (and the cycle continues).
Not to mention just going through ALL the events on a regular schedule to see if there are circumstances / situations / edge-cases that you did not anticipate.
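The tune-investigate-test loop described in this comment, together with the earlier suggestions of injecting fake trades each month and reporting on whether anyone read the report, as an added Python example that is not from the thread or from UBS: alerts are tracked to acknowledgement, anything unacknowledged past a deadline escalates, and synthetic canary trades measure whether reviewers respond at all. The notional limit, the 4-hour SLA, the trades and the reviewer names are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed thresholds: per-trade notional limit and reviewer acknowledgement SLA.
NOTIONAL_LIMIT = 50_000_000
ACK_DEADLINE = timedelta(hours=4)

@dataclass
class Trade:
    trade_id: str
    trader: str
    notional: float
    counterparty_confirmed: bool   # False = "unexplained" activity
    booked_at: datetime
    canary: bool = False           # synthetic test trade, never a real position

@dataclass
class Alert:
    trade_id: str
    reason: str
    raised_at: datetime
    canary: bool
    acked_by: Optional[str] = None
    acked_at: Optional[datetime] = None

def detect(trades):
    """Detection is the easy half: one alert per breached control."""
    alerts = []
    for t in trades:
        if t.notional > NOTIONAL_LIMIT:
            alerts.append(Alert(t.trade_id, "notional over limit", t.booked_at, t.canary))
        if not t.counterparty_confirmed:
            alerts.append(Alert(t.trade_id, "no counterparty confirmation", t.booked_at, t.canary))
    return alerts

def acknowledge(alerts, trade_id, reviewer, when):
    """A reviewer records that the alerts for a trade were picked up."""
    for a in alerts:
        if a.trade_id == trade_id and a.acked_at is None:
            a.acked_by, a.acked_at = reviewer, when

def overdue(alerts, now):
    """Alerts nobody acknowledged within the SLA. These escalate; they never expire."""
    return [a for a in alerts if a.acked_at is None and now - a.raised_at > ACK_DEADLINE]

def canary_report(alerts):
    """Were the synthetic alerts acted on in time? A missed canary is a control
    failure in its own right, regardless of whether any real trade was bad."""
    canaries = [a for a in alerts if a.canary]
    missed = [a for a in canaries
              if a.acked_at is None or a.acked_at - a.raised_at > ACK_DEADLINE]
    return {"sent": len(canaries), "missed": [a.trade_id for a in missed]}

def sample_run():
    """Constructed day of trades; returns what the escalation report would show."""
    t0 = datetime(2011, 9, 14, 9, 0)
    trades = [
        Trade("T1", "trader-a", 10_000_000, True, t0),
        Trade("T2", "trader-a", 120_000_000, False, t0),            # over limit, unconfirmed
        Trade("C1", "canary", 75_000_000, True, t0, canary=True),   # synthetic test
        Trade("T3", "trader-b", 30_000_000, False, t0 + timedelta(minutes=30)),
    ]
    alerts = detect(trades)
    acknowledge(alerts, "T3", "risk-desk", t0 + timedelta(hours=1))   # only T3 was looked at
    now = t0 + timedelta(hours=6)
    return {"alerts": len(alerts),
            "overdue": sorted(a.trade_id for a in overdue(alerts, now)),
            "canary": canary_report(alerts)}
```

In the sample the two T2 alerts and the unacknowledged canary are what the escalation report surfaces, which is exactly the "report on the report" the thread asks for.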
He could be an android; they're electronic.
If they detected it, and didn't do anything about it, doesn't that mean they approved of it?
This is what I said in the previous article about this situation when commenting about someone who said they couldn't monitor every trade:
Yes, they do. Every trade is supposed to be monitored. Even if it means a few bad trades get through, they can and are supposed to review the accounts, timing, etc that go in to every trade to determine legitimacy and adherence to trading rules.
It's one thing to say you can't check an instantaneous trade. It's quite another to say you can't look at multiple trades your traders make and not pick up on improprieties.
This comes down to willful ignorance. So long as the guy was doing well, it didn't matter if the both internal and external rules were being violated. It is only when trades go bad that, "Oh my! How could that have happened?" comes into play.
For a short time I worked at a brokerage firm and I can tell you, everything you do is watched.
So yes, UBS' systems did detect the trades (as I said they would). It was the people who failed.
It's the same thing where I work. When people turn off their PCs at night, rather than restart as they've been told, our CIO talks about getting Wake-on-Lan implemented. When she and our Security head couldn't remember two passwords to sign on to their laptops (SafeBoot first then domain sign-on) she had us change to autoboot.
In both instances she was advocating a technical solution to resolve an issue of human failure. Same with UBS. The technical side worked as planned. It was the human side that failed.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Sorry for repeating a meme, but in this case it is extremely valid.
IT should NEVER be involved at that level. The alerts should go to the manager (or the manager of managers) who SHOULD have more insight into the situation than IT.
Having IT in the loop means one more failure point (and an additional delay).
We're not idiots, we're incompetent.
Well.. maybe. Or Maybe not. But Definitely not sort of.
When I worked for a bank, we had human review of any large transaction that would move money out of the bank. Sure, IT was involved in that, but the process was 90% policy and human activity.
Dumping risk management practices on automated IT systems is just plain lazy and stupid.
Yeah, yeah, yeah. We detected the unusual activity. But it was a measly 2 billion dollars. Our high and mighty CEO is not going to break his golf game for such a trivial thing. Heck, forget the CEO. The underling to the assistant deputy sub vice president would not break his Angry Birds practice to take a look at it. If you want these things to be attended to quickly you need to raise their pay enough to motivate them.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
" they were simply not acted on"
Likely cause UBS was trying to figure out how to make money for themselves from the transaction. So typical of these banks.
Why stop a transaction when you can also skim/make some cash on the side as well? That's the name of the game and why self-regulation failed in the financial industry over the last 10 years.
Unfortunately what applies here, someone once said, don't blame the player, blame the game.
I'm not sure who to blame here, but I've seen something like this several times in my career: Someone sets up a big elaborate system to detect security threats, monitor their systems, or enforce a workflow. Then the people in charge cheer how this system is going to solve all of their problems, and they cede all responsibility to the computer. They don't check whether the system is working the way it should. They don't pay attention to the alerts the system kicks out.
Having seen it so many times, I've learned a valuable lesson: there is no replacement for a smart and diligent person who is paying attention and exercising good judgment. I don't care how advanced your computer system is, it won't do your job for you.
And again, a basic software axiom has been proved true:
"When you build a piece of software to be idiot-proof, your user base will find a way to build a better idiot."
They weren't brought down by anything as prosaic as a bug... they lost money because they completely ignored the output from a system specially designed to warn them of activity like this.
UBS and the rest of its banking industry crippled the global economy by doing exactly this: IT systems and business rules showed unsupportable risks were being executed by their traders, but the execs did nothing to stop or slow it.
Something like 2-10 $TRILLION in losses later, after years of the worst recession possible since the reforms installed after the Great Depression, UBS hasn't changed. There is no reason to believe any of these banks have changed, since they all act the same way to compete with each other: ignore risk, because they're too big to (be allowed to) fail.
UBS should forfeit every penny of the public money given it to bail it out. And face the stiffest penalties possible under the laws we now have. And cause new laws to be passed that actually prevent, not just promise to punish after the fact, this reckless risktaking - with frequent audits and financial requirements to continue operating. Once slamming UBS is up and running, that government office should go after the rest of the banks that are surely guilty too.
If you have a rogue trader who games the system, you can look at UBS and say "geez, I guess you'll be investing in a better risk management system!"
But if you have a good risk management system that throws alarms and nobody looks at them, or follows up on them, then it's all on their heads.
They only had to look over one of their borders into France to see what a rogue trader could do. This isn't a novel problem, rogue traders taking positions, then losing money and then taking crazier positions to get back what they lost isn't a new problem.
Yes Francis, the world has gone crazy.
One place I worked had a problem with an average of 1 alert A WEEK. Because it almost always turned out to be some stupid non-issue ... eventually everyone started ignoring it. Even to the point of ignoring the follow-up emails about WHY the alert was happening.
This supports my belief that security is easy.
But no matter how easy it is, NOT doing it will always be easier.
And somewhere in the chain will be an individual who is lazy enough to break the security.
It's curious how we never hear about rogue traders caught _earning_ $2B. The hedge traders are supposed to run balanced trades that do not have large downside risks, but consequently aren't supposed to earn fantastic profits---so a trader who suddenly earns a lot of money was likely to have violated his guidelines, and the risk management people in theory should police it just as vigorously. In practice, I can't remember anyone being fired for extra earnings, so I suspect that those controls are purposely kept vague and/or easy to circumvent.
Your monitoring system doesn't stop your web site from going down either... It's to give you a whack in the head at 3am so you're fired up to do something about it...
Same here, management didn't do anything, IT didn't do anything, risk management was either hamstrung incompetent or complacent or a mixture of all three...
Prior to working on the trading desk they worked in operations. While Operations may be the kissing cousin of IT, it is not exactly the same. But in either case, (Leeson or Adoboli) knew what would trigger the compliance office (in those days "Risk Management" tended not to be a separate department).
In Leeson's case, he was head of both trading and operations (which is a no-no, but it was Singapore, a small desk, why can't one person do both jobs?). So on one side he presented it as an error account and on the other as a client account (loss not to the firm.)
And as somebody who has worked in a similar position (Operations / Risk Management): it's hard. Give me simple and clear rules with a robust report, and I know it can be gamed. Traders tend to be optimizers. Be careful when you play Magic or poker against them. They will test every last loophole and push every last inch.
Good risk management requires human judgment and subjectivity. Alas, the money and the fame go to the traders who earn the money, not the referees who keep people safe.
Boy are people going to be surprised when they find out the government has all these regulations and very few employees to monitor compliance and initiate enforcement actions.
That will come as a surprise to precisely no one. The SEC has been purposely underfunded for decades. You think that is by accident? The financial firms and their, ahem, elected representatives want it that way so they can't cause too much trouble. Hard to monitor wrongdoing when you don't have enough manpower. Congress can effectively neuter any regulatory agency simply by cutting their budget. Doesn't matter what laws are actually on the books if they can't be enforced.
There is no other way to put it. This is even worse than not having any triggers at all.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
$2B in losses. There had to be an agenda there. Kill the company? Maybe. Funnel money to someone else is quite likely too. Friends? Terrorist? I think they should look more into where the losses went. Not just how they were lost.
No, you go walk up to a reporter and say "Hi, I work for UBS and would like to get IT's story on the record." Then you paint a picture where IT is told to "detect" such things but never block them: report them to the people who would then authorize blockage (but never do in a timely manner), and then the system, enforcing bad business processes, is blamed for a business process problem that lies with the upper management not wanting to enforce reasonable rules, knowing they can always blame it on some other department or such.
Unusual activity was discovered and reported to the appropriate management, who then elected to do nothing and then later blame it on the people who detected it and had explicit orders to never block it for not blocking it. The problem is that nobody ever goes on record to explicitly point to the non-IT business decisions as the actual cause of the issue, as the IT people don't understand people, just systems.
Learn to love Alaska
He was on an ETF desk, which is supposed to be a low risk, low margin place. The only way to make a profit on those desks is to squeeze out every penny and make it up on volume. Such a desk can very easily be dealing with billions and yet only have exposure of less than a million, if it's run the way it's supposed to be.
Blessed with 20/20 hindsight, any failure such as this people react like it's something that was glaringly obvious. Controls can be very difficult to design, implement and monitor effectively. They have to be sensitive enough that they trip when something goes wrong, yet rare enough that they're taken seriously. When they do trip, the response has to be appropriate. They have to be effective yet also not be an endless cycle of bureaucratic red tape.
Generally the best controls are ones that almost prevent and detect fraud as a by-product of helping people do their job properly. The bank reconciliation isn't just a check for missing money, it helps ensure all the sales ledger receipts have been recorded and thus the sales ledger clerk keeps on track. The comptroller doesn't just authorise the bank reconciliation to catch the cashier stealing, the cashier is the one first in line to demand the comptroller reviews and authorises the bank rec because otherwise people are looking at him if there is a problem that he missed.
Most of all, controls are about culture. You can design all the effective controls you want, if the day-to-day mentality is that "detect[ed] unauthorised or unexplained activity... was not sufficiently investigated" then you might as well not have any. Again, take 100 people nodding their heads in hindsight and find 99 who were moaning about red tape and cutting corners the day before.
It's easy to detect anything: you just always say it's there. In order for detection to be useful, it needs to be traded off against error, you need low false alarms. UBS's system must have had too many false alarms, otherwise this alarm would have been acted upon.
There must be something wrong with this new radar thing sir, the screen is full of blips over the Pacific.
"You were supposed to be watching the factory!"
"I was watching! First it started falling over, and then it fell over!"
Ermotti wrote: 'Our internal investigation indicates that risk and operational systems did detect unauthorised or unexplained activity but this was not sufficiently investigated nor was appropriate action taken to ensure existing controls were enforced.' So they let him play with $2 billion, and this is what their Security Dude said: "hey, let's see what's going to happen, whoooops - it did not work, my bad, my bad... sorry!"
...for a shareholder lawsuit against UBS.
Every rule has more than one consequence.
Don't forget, "independent" auditing firms, like Accenture and PWC, actively solicit bribes to certify compliance for those not compliant.
Accenture is not an auditing firm. They are a consulting firm which has nothing directly to do with auditing. They used to be part of an auditing firm but have not been for some time. Furthermore having actually worked with big accounting firms myself, they generally are actually pretty honest, albeit flawed. They serve a very useful purpose which is to verify that the financial statements are a reasonable (not perfect - that is impossible) representation of the financial situation of a company. For the most part they succeed in this endeavor. However sometimes greed, incompetence or plain old fraud manages to get by. Sometimes that is the fault of the auditor, sometimes it is the fault of the company being audited, sometimes both.
The accounting firms approved Enron's activities long after the illegal stuff started.
Which was primarily the fault of the partners charged with that account and a failure of Arthur Andersen's audit control procedures. Arthur Andersen was basically executed for the corrupt/incompetent actions of a relatively few individuals. If you have ever looked at Enron's financial statements (I have), they were made intentionally so complex that it was extremely difficult to determine that anything illegal was happening. I truly pity any honest auditors that were trying to provide an opinion on the financial statements of Enron. It was a hopeless task. On top of an engineering degree I have a masters in finance and am a certified accountant, and I barely follow much of what they did.
Furthermore Arthur Andersen was not remotely alone in their complicity in the Enron matter. The banks were probably more guilty if anything, since they were the ones funding Enron and theoretically should have been casting the most jaded eye at their activities. They really shouldn't have been funding Enron, but greed overwhelmed good sense and they put money into something they could not have possibly fully understood.
Auditing firms are leeches who lie for a living...
Since you don't even know which firms actually are accounting firms, I'm going to go ahead and say you probably don't know what you are talking about.