What SocGen Says About Its Risk Management

How Kerviel Created False E-Mails


To his interrogators, Kerviel explained his techniques for creating false e-mails. "I... used features of our internal e-mail systems—in particular, a function that allowed me to re-use the heading of an e-mail that had been sent to me, changing the content of the message. Then, I could retype the text that I wanted, and the e-mail looked just like an original." Typically, these e-mails were used to verify fictitious transactions, with verification through the bank's e-mail archiving system, ZANTAZ, that Kerviel had not received a message from the sender that might expose these transactions.



Of the forged documents, the most significant was a fictitious profit & loss statement he created for 2007. All Delta One traders—the bank's elite—had individual P&Ls, which served as the basis for their end-of-the-year bonus. Kerviel's P&L reflects the bogus hedges he'd created for this period. The real P&L, which continues into the first two weeks of 2008, shows Kerviel's plus 1.4 billion euros at the end of the year. By January 15, 2008, the last date recorded, he's in the hole for 5 billion euros, but the phony P&L shows just the opposite.


The good news, according to the committee, was that in the three weeks or so after Kerviel was apprehended the bank had already taken steps to tighten controls to avoid repetition of such a massive fraud. "As soon as the fraud was uncovered, weaknesses were identified in the supervision and control system which required immediate corrective measures," the committee stated.


"Consequently, action plans were immediately implemented as part of a structured plan consisting of three priority areas:


"-Strengthening IT security through the development of strong identification solutions (biometry), the acceleration of current structural plans for the management of access security [access to the computer system], and targeted security audits.


"-Reinforcing controls and alert procedures....to ensure the appropriate circulation of relevant information between the different units and the appropriate management level.


"-Strengthening the organizational structure and governance of the operational risk prevention system to develop its cross-functional nature and better take account of the fraud risk, including from a human resources perspective."



Although the bank refused to respond to questions from CIOZone and other media, it subsequently announced through press releases and various registration documents that it had addressed the major control and risk problems that had led to "Kervielgate," as the scandal was being called in some of the French press, and was returning to business as usual. Jerome Kerviel, of course, has been fired from the bank and is free on bond pending the outcome of an investigation by Paris magistrates. Should he face trial on possible charges of computer hacking, falsification of documents and abuse of trust, he will claim "corporate negligence by the bank," according to the Financial Times, which cited Kerviel's lawyer, Guillaume Selnet. In other words, because his employers failed to act on 75 warnings regarding Kerviel's rogue trading, it was the bank's fault that he built up 50 billion euros in unauthorized positions, not his.


Not so, the bank's CEO Daniel Bouton told the French parliament's finance committee on April 9. Bouton, who had retained his post despite demands by many in the French government, including French President Nicolas Sarkozy, for him to step down, explained, "the fraud doesn't put into question our risk management systems because they were hidden positions.... The controls existed. What we lacked was cross-checking of controls, something manual that would have shown that one trader was annulling a lot of positions. That's something we lacked and now have."


If only risk management were that simple. Unfortunately, this two-month-long study of risk management by CIOZone indicates that even in the wake of massive losses and organizational meltdowns in recent months, many financial institutions have not come to grips with underlying technology and management problems that must be addressed if risk management and controls are to be effective. In the next, and last, segment of this series, CIOZone explores what those problems are and what must be done to address them.




