A few years ago one of the leading global risk and security consultancies opened its doors to the press for the first time, for a one-off briefing to celebrate a corporate anniversary.
The consultants flagged computer security as a big growth area, and asked for a show of hands around the table: who had lost money through identity fraud? Of the two dozen people there, three had been victims, including the head of the risk consultancy.
Billions have been spent to make financial systems crime-proof, but fraud will not go away. It flourishes particularly in new technologies. The UK financial industry’s loss from cheque fraud has been cut to £30m in 2010, according to the Home Office. But online banking frauds rose to £60m — although still just a fraction of the £38bn of national losses to fraud.
The lesson is that technical progress has not eliminated crime, and never will. When it closes one avenue, it usually opens at least one more.
It is the same in investment banking. The alleged activities of Kweku Adoboli at UBS, like those of Jérôme Kerviel at Société Générale in 2008, do not show that those banks were particularly sloppy or devil-may-care. As many bankers admitted privately last week, “There but for the grace of God go we.”
It is particularly disappointing that at a time when front office bankers continually moan that they cannot use capital as they would like because “the risk managers are running the show now”, such grievous breaches are still going on under risk managers’ noses.
But it was always obvious that Kerviel would not be the last rogue trader — and his record as the worst may not last forever. Financial controls rely on procedures and passwords, defences that can be subverted by someone who is determined, clever and lucky. The Swiss authorities need to bear this in mind before taking decisions on the future of UBS (see separate EuroWeek View, "UBS Trading Scandal, Part II").
Don’t give up
Does that mean investment banks should stop bothering to improve their risk management? Not at all. Several things would help to make such failures less frequent and perhaps less severe.
The similarity of the SG and UBS episodes flashes a huge red light. Both involved staff who had worked in back office roles and later gained the power to make trades. Their knowledge of the control and administration side was probably better than that of their colleagues in the front office, and helped them to outwit surveillance. Banning such career moves is not the answer, but it surely makes sense to recognise the additional risk they might bring.
Adoboli is alleged, like Kerviel, to have made fictitious trades. It is shocking that such a thing is possible today. Clearing and settlement systems vary widely from one financial product to another, and checks are much stronger in some areas than others. Adoboli, it has been reported, took advantage of some banks’ habit of trading ETFs without proper confirms from counterparties.
If trading is done bilaterally rather than through a central settlement system, there must be proper systems for reconciling all trades with counterparties, at least at the end of each day. The people doing this must be as separate as possible from the traders — as is the practice in many markets already.
The more transparent such arrangements are, the better. Bernard Madoff was able to build his house of cards on non-existent trades because, with inadequate auditors, he was the risk management. Had regulators or third parties been able to easily look up the size of his actual positions, he could not have got away with it.
A third common feature of the SG and UBS cases is that both involved huge trades, allowed to pass because they were offset by hedges, which turned out to be false. As with triple-A synthetic CDOs, investment banks have got to learn that size matters. Thinking something is riskless — whether because it’s hedged, insured or rated triple-A — can blind risk managers to the size of position being accumulated. The bigger something is, the more you have to double and triple-check the validity of your hedge.
Another idea worth exploring is whether banks and regulators could get better at learning from near misses and small breaches — mistakes and transgressions that may go unreported, or if declared to regulators, are not examined or disclosed in a way that enables useful learning. Rewards could also be offered to staff who spot potential chinks in the armour.
Banish complacency
One hopes that all banks will heed the warnings from UBS’s woe. But that is not enough. The culture of risk management has got to change, from one of faith in new-fangled systems to one of permanent vigilance and scepticism.
Nor must living through one disaster be allowed to give rise to complacency. Staff that have had to clean up a mess in the past have occasionally commented that there is not much anyone can now teach them about risk management. Such things are said partly in jest, but there is also a risk that they are partly believed.
If there is one drop of consolation to be taken from the sorry litany of rogue trading scandals, it is that — right back to Nick Leeson at Barings — the protagonists seem to have been acting alone, and in a manner that ultimately proved to be professionally suicidal. False trades are always likely to get found out in the end — the trick is to find them out earlier than employers have done so far.
But at least, in these cases — unlike with Madoff, for example — investment banks are not suffering these massive losses because organised rings have found ways to cream off money from them in a sustainable way. The risk managers deserve credit for that, at least.