UBS: Our Risk Systems Did Detect $2bn Rogue Trader

A few weeks ago, UBS employee Kweku Adoboli (universally described as a "rogue trader") ran up a $2 billion loss for his employer; many readers wondered how it is the systems which allow trades to happen at all aren't better tuned to catch such massive cash flows without triggering alerts. Now, reader DMandPenfold submits a report from Computerworld UK in which the bank claims that such triggers were in place — they were simply not acted on. From the article: "UBS has insisted its IT systems did detect unusual and unauthorised trading activity, Interim chief executive Sergio Ermotti, who is running the company following Oswald Grubel's resignation last month, sent a memo to employees saying the bank is aware that its systems did detect the rogue activity. In the memo, Ermotti wrote: 'Our internal investigation indicates that risk and operational systems did detect unauthorised or unexplained activity but this was not sufficiently investigated nor was appropriate action taken to ensure existing controls were enforced.'"

They didn't have adequate risk systems

[Chris+Mattern]

A risk system that nobody pays attention to is no different from not having a risk system at all, except that you're paying for it. As UBS found out.

Re:They didn't have adequate risk systems

[thepainguy]

Actually, it's worse because it lulls you into a false sense of security.

I wonder if this was a case of the boy who cried wolf/car alarm problem; a system that isn't calibrated well and that people learn to tune out due to all of the false alarms.

Re:They didn't have adequate risk systems

[mikael]

Nick Leeson worked in the IT department before he became a trader. He learned all the phrases traders used when a false-positive alarm was triggered; "Oh, I'm just clearing up a wrong transfer", "Just rolling through some accounts", "sorry, the other guy was logged in at my terminal", "Just tidying up an old account".

Then when he became a trader, he knew about the test accounts to store his losses, as well as how to smooth over the tripwire alarm system whenever IT called him up.

Re:They didn't have adequate risk systems

[quarterbuck]

Nick Leeson did not work in IT according to his biography or according to Wiki.
He used an error account, which he realized was unaudited, but that is something you pick up from being a trader or an auditor- not necessarily IT. These things are common in investment banks/brokerages which have a lot of accounts and client trades and errors need to be isolated in an account that does not belong to a client. ie. if a client asked to buy 100 pork belly contracts and you bought him lean hogs instead, you need a place to dump the pork bellies you bought. It does not mean a "test account" in the IT sense.

You must test

[TheSync]

Whenever you have a monitoring or backup solution, it must be regularly tested to ensure a responsive psychology (as well as proper device operation).

They should have had 1 or 2 fake funny trades per month, and if the people who got the alert messages didn't respond, they should have been punished or fired.

Re:You must test

[tlhIngan]

You missed other reasons.

Perhaps said trader got annoyed at all the alerts and simply told them "I'm a hot shit super trader. if there's any odd trades coming from me, it's because I know stuff you idiots don't so screw you and let me do my trades!" This is espeiclaly true if the trader has a reputation of oddball trades but makes tons of money back.

The other possibility is said trader simply causes alarms constantly but they're small ones and they up the threshold for his alarm. Eventually the threshold is pushed extremely high and while being detected, won't be acted upon as that sort of trade usually happens.

Either way, hiding a bunch of trades becomes easy. The system has to adapt to different trading patterns constantly so there's no real way to not hae false positive alerts, and prima donna traders who think they're above it al and think the alerts are just a nuisance as the trades they do will constantly trigger it.

Re:Called it

[HornWumpus]

'Blame IT' is a shallow description of what happened. The original discussion was all about: 'didn't they have risk management in place?' Not: blame the IT guy that wrote the VAR report.

Sounds like they are blaming their risk officer (who should be the CFO or at least report to the CFO).

Paraphrase

[Torodung]

Paraphrase: "We had (have) severe operational problems. Kweku Adoboli is a scapegoat. We can't explicitly say that because of liability issues."

Re:Called it

[ackthpt]

From my comment on the original article :

"Let's face out out on the terrain no-one is holding these guys accountable. IT may set up the system, Risk Management may generate the reports and they'll be either modified to say what management wants to say or just plain ignored because like all gamblers these guys think they have a system which lets them keep on winning even as they are betting their house (or in this case our houses.)"

This "blame IT" crap has gone on long enough. It's time we stood up for ourselves instead of allowing ourselves to be used as a convenient scapegoat all the time.

How often have you seen an IT representative in front of the cameras say, "Well, we see this behaviour, the lights are flashing, the klaxons are going like a cat with its tail in a wringer, but the people who collect 7 figure salaries haven't been taking an interest so far."

Should be criminal charges for management negligence -- and I don't mean just giving the the sack. Those protesters on Wall Street have a point, everyone gets hurt when the bank CEOs screw up, but those most responsible. Thanks to their stalwart defenders in the US Congress no stronger regulation get passed. If that's not sign that government is in the bank's pockets, I can't imagine what could be more clear.

Re:Many reasons why this was not detected.

[Oswald+McWeany]

He could be an Android they're electronic.

Not a rogue trader

[steamraven]

If they detected it, and didn't do anything about it, doesn't that mean they approved of it?

Well there's your problem.

[khasim]

Sorry for repeating a meme, but in this case it is extremely valid.

First level contact was to ask the trader to recheck their transactions, then escalate to supervisors.

IT should NEVER be involved at that level. The alerts should go to the manager (or the manager of managers) who SHOULD have more insight into the situation than IT.

Having IT in the loop means one more failure point (and an additional delay).

Re:Well there's your problem.

[Anne+Thwacks]

You are supposing they want to stop these traders. In reality, the "rogue traders" look very profitable prior to the crash - just like someone who is driving way to fast on the race track is out front till he crashes. There is no way they are going to stop their "star".

The entire system if fundamentally flawed. The banks are expecting to make more money than is in the system to make. Of course the world economy is still screwed. "Its the bankers, stupid!"

Re:According to the computer ...

[TheLink]

The other explanation is they were hoping the trader would make money, in which case everyone would share the profits etc.

He lost money so he's a rogue trader.

Re:Called it

[Wansu]

  Those protesters on Wall Street have a point, everyone gets hurt when the bank CEOs screw up, but those most responsible.

Herman Cain says it's the protester's faults if they don't have job. After all, this is 2011 and what the bankers did was in 2008.

Re:Isn't that part of the initial shakedown?

[TheCarp]

Exactly. However, not everyone understands that and a lot of people who don't get this.

Its also nearly impossible to get to this point if management doesn't understand the process that is needed and buys in to making everyone play ball.

I remember seeing presentations by a specific monitoring team of positions past. They presented how the decision was made to "just turn everything on". After several years they had hundreds of alerts a day... way too many to even think of turning on paging... and it was another 4 years before they got to the point that they had management buy in to take it seriously, turn on paging, and make people work with the monitoring group to tune down the alerts.

All the while management kept going on about what tools they were using, and looking at different ones etc.... all the time...it was a process issue and a lack of management buy in to work with the tool they had that really hamstrung the whole process.

Exactly.. And even worse.

[khasim]

After several years they had hundreds of alerts a day... way too many to even think of turning on paging... and it was another 4 years before they got to the point that they had management buy in to take it seriously, turn on paging, and make people work with the monitoring group to tune down the alerts.

One place I worked had a problem with an average of 1 alert A WEEK. Because it almost always turned out to be some stupid non-issue ... eventually everyone started ignoring it. Even to the point of ignoring the follow-up emails about WHY the alert was happening.

This supports my belief that security is easy.
But no matter how easy it is, NOT doing it will always be easier.
And somewhere in the chain will be an individual who is lazy enough to break the security.

Re:What was the security protocol?

[Anne+Thwacks]

The entire derivativves trading system is a giant Ponzi scheme - the value of fees charged by bankers for trading in derivatives based on on changes in the value of a security exceeds the value of the underlying security over a relatively short time. (it is MINUTES for gold!)

Someone then "looses" a great deal of money. In reality, the "missing" money has already been paid out in commissions to banks for trading - and "bonuses" for traders. (Anyone who understands differential equations can see that vastly more money is paid out to bankers than is actually invested in stocks and bonds, and the banks are sucking the life blood from the world's economic system).

You might ask "Why do people invest in such an obvious Ponzi scheme?" The answer is "Institutional investors do not care about the long term, and are quite happy to feed the system, so long as they get a percentage, and a "plausible deniability" get out clause when it goes wrong. (Why did people give all their money to someone who "Madoff" with it?

Why did the bank not stop him? Because prior to catastophic disaster, he seemed to be "on a roll", and was winning more than he was losing. Banks do not employ people who understand differential equations in a management role, and most bank directors have only a marginal grip on reality. They say "ooh, profit!" like Homer Simpson and doughnuts.

Re:Called it

[Doc+Ruby]

Actually, what Cain said yesterday was "Don't blame Wall Street, don't blame the big banks, if you don't have a job and you're not rich, blame yourself."

While it's arguable that not having a job is a person's own fault (a losing argument with the economy, but arguable), saying it's the fault of everyone not rich that they're not rich isn't just insane. It's the kind of institutional insanity that is driving the country into nothing but the madhouse, with a corporatocracy of Cains at the wheel.

Re:Called it

[Doc+Ruby]

No, the logic of that post is perfectly clear. Someone says bank CEOs screwing up hurts everyone but those CEOs. Like people who have lost jobs, or can't get one, after bank CEO screwups destroyed the economy's growth, and the jobs with it. Herman Cain says it's the jobless person's own fault for not having a job - and even their own fault they're not rich. The contrast is that Cain says it isn't the bank CEO's fault people don't have jobs, it's their own fault.

But that's obvious. Except perhaps to a Republican, er "Libertarian", like you. Who spent the entire Bush era telling us Chewbacca was on Endor whenever people complained that deregulation was killing us.

Re:stood up for ourselves

[AK+Marc]

No, you go walk up to a reporter and say "Hi, I work for UBS and woudl like to get IT's story on the record." Then you paint a picture where IT is told to "detect" such things but never block them. Report them to the people who would then authorize blockage (but never do in a timely manner) and then the system, enforcing bad business processes, is blamed for a business process problem that lies with the upper management not wanting to enforce reasonable rules, knowing they can always blame it on some other department or such.

Unusual activity was discovered and reported to the appropriate management, who then elected to do nothing and then later blame it on the people who detected it and had explicit orders to never block it for not blocking it. The problem is that nobody ever goes on record to explicitly point to the non-IT business decisions as the actual cause of the issue, as the IT people don't understand people, just systems.

Re:Called it

[AK+Marc]

There's a class war in the US. The "conservatives" (not actually conservative, but self-label as such, so I'll use the tag they put on themselves) firmly believe that in the Land of Opportunity, the inability to succeed indicates a personal flaw, proving the person is inferior and deserves poor treatment. That's simply insane. I can't argue with it any more than someone who insists the sky is red. It's provably not true, but only if they will open their eyes and look at the facts, and that just doesn't happen.

Re:What was the security protocol?

[Znork]

Yes, isn't it odd that we're only hearing about cases where 'rogue traders' lose money? Out of the group capable of bypassing the systems one would expect at least a few to be bright enough to actually make a couple of billions.

Of course, one would assume that those probably get a fat bonus and a promotion, which indicates a culture where acting outside the rules is accepted behaviour as long as money is made.

The day we see the headline 'Rogue trader arrested for making $2bn for employer' we'll know that the banks are actually taking security seriously. Until then, everyone, including their employees, will know that it's not gambling with other peoples money that's the problem, it's losing.