The Société Générale affair has put renewed focus on banks’ risk management systems.
Despite the fact that the advent of Basel II should have tightened up risk controls, regulators and banks have been paying particularly close attention to the security of information technology and risk management systems in the wake of Jérôme Kerviel’s rogue trading.
SocGen last month set up an internal team of hackers to stress-test its IT and risk management systems as part of a €50m ($78m) bank-wide initiative. The project aims to increase IT security, including more frequent password changes and introducing biometric access control to sensitive applications.
Shaun Wainstein, head of BNP Paribas’ equities and derivatives platform in London, said: “Everyone is looking at systems security and control change at the moment. This is the bread and butter of any organization, it is certainly not a new area of focus. Recent events have, understandably, made people nervous and one would be unwise not to check.”
Wainstein said BNP Paribas would consider such an initiative. However, although it may improve certain aspects of a bank’s security systems, it is doubtful whether such a move would have prevented a case like Kerviel’s, according to analysts.
A rival banker said: “One has to bear in mind that the Kerviel affair did not involve sophisticated hacking. He just had a password to many systems. It shows that you have to be careful about the basics. A lot of these frauds are to do with very simple things.”
Anthony Belchambers, chief executive of the Futures and Options Association, agreed that it was impossible to mitigate all the risks in the financial system.
He said: “No matter how well you risk manage or what stress-testing you do there is always going to be some issue or problem that catches you out.”
Belchambers said that although it was significant that Kerviel knew about back-office processes, this was not a justification for the size of the losses, which were magnified by the huge increase in derivatives flows volumes.
The bank admitted in a report published in the wake of the scandal that one of the main reasons it failed to identify the fraud was “the fact that senior staff did not carry out more detailed checks” on the trader’s activities, rather than an absence of controls.
There were 75 red flags that were not picked up on by the bank’s officials. A risk management provider said: “It is surprising that you can build up that kind of position without alerting somebody unless you have that kind of culture.”
Stress-testing of systems might be one solution, but participants have said that of equal importance is looking at the broader risk management measures in place to deal with extreme loss events. One particular measure that has come under scrutiny in the wake of the Kerviel affair is value at risk.
Amir Khwaja, director of risk management at risk technology vendor Calypso, said SocGen’s VaR measurement severely underestimated the extent of loss that such an extreme event would incur. He said: “Banks don’t stress-test for this kind of loss occurring. The fact that they raised capital shows that they did not have the buffer to cover these kinds of losses. This was such a big position. It was not something they had envisaged that one trader could take and so wouldn’t have been factored into their VaR calculations.”
Frédéric Ponzo, managing director of financial markets at risk consulting firm Net2S, who headed SocGen’s exchange connectivity for equities (cash and derivatives) business in the 1990s, said that even with greater levels of risk management staff and stress-testing resources, it was impossible to guarantee there would not be a repeat of a SocGen-type scandal. |
