A Rogue Trader Strikes Again! Taking Advantage of the Lack of Basic Internal Controls 

Download Article

On 24 January 2008, the global financial markets were in the midst of an ongoing crisis triggered by the looming woes of a troubled US economy, the ongoing fallout from the subprime crisis and the spiraling increase in commodity prices. On that same day, Société Générale, a widely respected global French bank, made a shocking annoucement that it had lost a staggering €4.9 billion (about US $7.2 billion) from the unauthorized trades of a single trader at its Paris Head Office—by far the biggest loss of its kind in the history of banking.

"Unbelivable. Frankly, I can't explain it," said Christian Noyer, governor of the Bank of France, on being asked by the French parliamentry finance committee how Société Générale had failed to detect the multibillion euro fraud.1

One can understand the reaction of the governor of the French central bank. The unfolding drama at the giant French bank had come as a huge shock across the world. Société Générale had long been known for its savvy in complex derivative trading, the quality of its people and the capabilities of its risk management systems. Yet, what it had announced was a colossal fraud in the relatively simple business area of trading on European stock indices—supposedly a low-risk venture where traders with small limits place modest bets, with near matching trades in the opposite direction to offset any downside. What had gone wrong? How could this happen?

Although this was by far the largest loss caused by a rogue trader in the history of the financial services industry, it was only one of a few major cases over the last dozen or so years:2

  • In 2004, National Australia Bank, one of the biggest banks in Australia, booked a pretax loss of AUS $360 million, after it discovered that one of its dealers (in collusion with three others) had engaged in fictitious trades in foreign exchange options.
  • In 2002, a currency trader at US bank Allfirst, based in Baltimore, Maryland, and then a subsidiary of Allied Irish Bank, pleaded guilty to fraud amounting to US $691 million.
  • In 1996, Sumitomo Corp., the giant Japanese trading company, reported a loss of US $2.6 billion in unauthorized copper trading by its chief copper trader on the London Metal Exchange.

None of the above cases, however, comes even close to the drama at Barings Bank in 1995—so vividly captured by Hollywood in the 1999 movie "Rogue Trader." This is a case that is worth revisiting.

The Barings Bank Meltdown

The collapse of Barings Bank in 1995 is a textbook example of the damage a rogue trader can cause. Over a period of three years, Nick Leeson, a Singapore-based British manager of London's Barings Bank, lost US $1.4 billion, primarily on futures contract speculation and, by manipulating records, hid his actions until February 1995.

Leeson's initial responsibilities had not included trading, but it appears that he just assumed control over both the trading floor and the back-office settlement functions soon after arriving in Singapore. He then started his ruinous run of speculative trades, hiding mounting losses in a spurious error account. He claimed that the early trades were conducted to hide genuine losses of his junior traders that he was determined not to report. Later losses, it seems, were concealed in the hope that they would be offset, eventually, by future gains, as well as the desire to protect his job and newfound lavish lifestyle.

Unfortunately, he was not a good trader—far from it—and the losses started to mount beyond any sensible loss limit. In the final days of the saga, almost all the players in the market appeared to know about his speculative trades and were successfully betting against him. He was, however, an accomplished liar and succeeded in duping his superiors in London on what was really happening.

When the losses were finally disclosed in early 1995, Barings Bank—the oldest merchant bank in the City of London, the Queen's personal bank, and the financier of the Napoleonic Wars and the Louisiana Purchase—was forced into insolvency and an ignominious end to its proud and long history.

So how was this tragic ending possible? The report of the inquiry into the collapse of Barings makes it abundantly clear that a few fundamental control failures enabled Leeson to both initiate and conceal his unauthorized activities. This preliminary report identified, among others, the following glaring causes of the debacle:

  • Failure of the bank's management to understand the business they were managing
  • Lack of clear lines of responsibility
  • Inadequate segregation of duties
  • Inadequate internal controls, including independent risk management for all business activities
  • Failure to ensure the quick resolution of significant weaknesses identified to management by internal audit or others

Clearly, the rogue trader was guilty of unauthorized trading that resulted in massive loss, but the other failures in internal controls, of the most basic kind, it seems, created an environment where such a fraud, was made possible. As was noted in the debate on the report in the House of Lords:

...The collapse was brought about by the three factors...: firstly, unauthorized and concealed trading by Mr. Leeson; secondly, a total management failure at Barings; and, thirdly, a serious regulatory failure by the Bank of England. The collapse would not have occurred without each of those three ingredients to the fatal brew. The report demonstrates that this unbelievable mess was brought about not just...by a rogue trader, but also by a rogue management and a rogue regulatory system. All three were necessary for the collapse; only one of them is still in place.3

Société Générale and the Biggest Trading Loss in History

In 2000, fresh from business school, Jérôme Kervial joined Société Générale, France's second largest bank. For about five years he toughed it out in the unglamorous back office of the bank, learning, no doubt, of the bank's many control practices applied to the trading room and, quite possibly, ways around them.

In 2005, he was promoted to the trading floor, albeit in the relatively low-risk and unfashionable area where European stock market indexes are traded. His work as an arbitrager consisted of the parallel management of two portfolios of broadly similar size and composition, each covering the other and allowing for just marginal positions and modest profits.

Like Leeson before him, Kervial almost immediately engaged in irregular trades by taking open positions and covering them with fictitious matching trades. The size of these unauthorized trades was initially small, but by the end of 2007 the fraudulent trading portfolio had reached around €30 billion. In November 2007, these abnormally large positions prompted one of the clearinghouses to ask Société Générale about the trading strategy of Kervial, but the errant trader was able to explain away these annomolies to his superiors with relative ease. Indeed, his trading positions caught the attention of his supervisors several times in 2007, but he was always able to convince them that the underlying trades arose from an error that could be resolved easily. Ultimately, when the alarm was raised belatedly by the bank's risk management function on 18 January 2008, the size of the unauthorized positions had reached €50 billion—in excess of the market value of the bank itself! Over the next few days, these unauthorized positions were rapidly liquidated but with a staggering loss to the bank of €4.9 billion—about US $7.2 billion.

Kervial was accomplished, quite clearly, in hiding his deception. Indeed, as one of the senior excutives of the bank noted, because the real and fake transactions balanced each other out, "we could not see anything."4

Although not quite as damning as Barings, the Société Générale case, when fully investigated, will no doubt reveal a similar and troubling breakdown in some relatively fundamental internal controls that should have been in place in any bank's trading room, such as have been identified in a preliminary government report:5

  • Failure to set and monitor gross trading limits held by each trader; apparently, Kervial did not even have a defined gross exposure limit
  • Inadequate follow-up by management as and when alarms were raised, particularly when the German-Swiss-operated Eurex alerted the bank about the unusal positions in Kervial's book
  • Lack of independent confirmation of both external and (worryingly) internal counterparties to the trades that had been made
  • Failure to review all transactions, or at least voided transactions, executed by each trader
  • Breaches in the access control mechanisms—It is alleged that Kerviel sometimes used the login and passwords of his colleagues to conduct fictitious trades.

The bank's own internal investigation into the massive trading loss "highlights a systemic breakdown in the human chain of control."6

Lessons Still to be Learned

The initial media coverage on the massive Société Générale loss has focused, understandably, on the rogue trader. Yet, over time, a more considered perspective will show that as much of the blame should rest with the bank's management and, perhaps, other related parties (such as risk managers and auditors), who collectively failed to implement a robust internal control framework or identify glaring weaknesses. Were such a framework in place, it would have mitigated against, if not precluded, any potential rogue trader from conducting unauthorized and undisclosed trading activities.

The Société Générale fiasco illustrates that the current preoccupation with governance and risk management frameworks may be superfluous, if even basic internal controls are not in place. This is not to say that there will be no rogue traders in the future. Far from it—there will always be misguided and doomed attempts to surreptitiously outperform the markets. What is necessary, however, is the religious implementation of fundamental internal control policies and practices to guard against this type of errant trader.

Perhaps it is time for those in a position of authority to refocus the risk managers and auditors (internal or external) on the less glamorous, but critical, need for a regular assessment of the adequacy of internal controls, particularly in highly vulnerable areas, such as the trading room of a financial institution. If not, I fear it is only a matter of time before history repeats itself somewhere else, as these types of control flaws are by no means unique to the Société Générale. Otherwise, as a noted 20th century Spanish philosopher wrote: "Those who cannot learn from history are condemned to repeat it."7


1 The Rogue Rebuttal, The Economist, 9 February 2008

2 InfoMina, "Société Générale: The Anatomy of a Fraud," February 2008

3 Lord Eatwell, House of Lords, Daily Hansard Text, 21 July 1995

4 The Wall Street Journal Asia, "Société Générale Says It Missed Chances to Stop Trader," 28 January 2008

5 Abstract from an unofficial translation of the "Report to the Prime Minister of France" concerning the lessons from the recent events at Société Générale (publishing source not available), February 2008

6 The Wall Street Journal Asia, "SocGen Report Blames Lapses in Control," 21 February 2008

7 (Common adaptation from) Santayana, George; The Life of Reason, The Project Gutenberg eBook, www.gutenberg.org

© 2008 Deepak Sarup. All rights reserved.

Deepak Sarup, CISA, FCA
is a past international president of ISACA (1991-1993). He currently serves as the senior executive vice president and chief financial officer (CFO) of Siam Commercial Bank, a leading bank in Southeast Asia. His specific responsibilities include managing the bank’s ambitious transformational change program as well as its group finance function. Immediately prior to assuming the CFO responsibilities, he served as the chief information officer and head of the group information technology function of the bank. He is a fellow of the Institute of Chartered Accountants in England and Wales and a fellow of the Wharton School, University of Pennsylvania (USA). He has served on the IT committee of the International Federation of Accountants (1995-2001). In 2005, he was nominated as one of Asia’s most influential IT leaders by MIS Asia.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.