French banking giant Societe Generale issued a report Friday into how a rogue trader carried out more than $7 billion in fraud and ways the bank is bolstering security and internal control procedures to prevent future problems.
The Societe Generale report, written by PricewaterhouseCoopers and a special committee of the bank's board of directors, found that security system upgrades and new procedures were being deployed on schedule. The design phase of the program is nearly complete and the upgrades are expected to be rolled out over the course of two to three years.
Societe Generale acknowledged in January that Jerome Kerviel, a 31-year-old trader, used his knowledge of the bank's processing and control procedures to conduct fraudulent trades that wound up costing the bank more than $7 billion. Kerviel allegedly used stolen passwords and other means to conceal his illegal activity.
The bank's investigation also found that Kerviel had an assistant who entered a large number of fraudulent trades into the bank's systems. The bank calls the assistant a "middle office operational assistant," and said that the person entered at least 15% of Kerviel's fraudulent trades. The person had knowledge of the bank's operations division and was able to turn off any alerts triggered by Kerviel's trades. An email message between Kerviel and his assistant referring to the fraudulent trades was also discovered.
Since the discovery of the fraud in January, the bank has begun bolstering its internal controls, starting with security training for traders and support staff. The bank is also revoking traders' write-access rights to middle office IT applications.
According to the report, Kerviel's fraudulent activity began in 2005 and took on massive proportions beginning in March 2007. The report characterizes oversight by Kerviel's trading manager and direct supervisor as "weak," resulting in little accountability for the trades he conducted.
"His new manager did not carry out any detailed analysis of the earnings generated by his trades or of their positions, thereby failing to fulfill one of the main tasks expected from a trading manager," according to the committee's findings.
In addition to internal processes, the bank said it was making "significant investments" in IT security to bolster applications and network infrastructure to detect problems and track actions carried out by the end-user. The bank will roll out a system designed to control and monitor the consistency of a user and the workstation used in a given day. A flaw discovered in the bank's Equities division transactional system is also being patched.
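The report does not describe how the user and workstation consistency check works. The following is an added example, not code from the bank or the report, showing one way such a daily check could be built; the log format, account names, workstation names and the assignment inventory are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one logon per line: ISO timestamp, account, workstation.
SAMPLE_LOG = """\
2024-03-04T08:02:11 user_a WS-101
2024-03-04T08:05:40 user_b WS-207
2024-03-04T19:47:55 user_b WS-101
2024-03-05T08:01:03 user_a WS-101
bad-timestamp user_c WS-300
2024-03-05T08:03:27 user_b WS-207
"""
# Assumed inventory mapping each account to its assigned workstation.
ASSIGNED = {"user_a": "WS-101", "user_b": "WS-207"}

def parse_events(text):
    """Return (date, account, workstation) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            day = datetime.fromisoformat(parts[0]).date()
        except ValueError:
            continue  # unparseable timestamp: drop the line
        events.append((day, parts[1], parts[2]))
    return events

def find_inconsistencies(events, assigned):
    """Flag per-day pairings that break the expected one account per workstation."""
    by_user = defaultdict(set)  # (day, account) -> workstations used
    by_host = defaultdict(set)  # (day, workstation) -> accounts seen
    for day, user, host in events:
        by_user[(day, user)].add(host)
        by_host[(day, host)].add(user)
    findings = []
    for (day, user), hosts in by_user.items():
        # Accounts missing from the inventory have no expected host, so all are flagged.
        for host in sorted(hosts - {assigned.get(user)}):
            findings.append((day.isoformat(), "unassigned_workstation", user, host))
    for (day, host), users in by_host.items():
        if len(users) > 1:
            findings.append((day.isoformat(), "shared_workstation", host, ",".join(sorted(users))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_inconsistencies(parse_events(SAMPLE_LOG), ASSIGNED):
        print(finding)
```

A logon under one account from a workstation assigned to another is the kind of pairing this check surfaces for review; on its own it does not show whether a password was shared or stolen.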
End-users have too many passwords for various applications and systems, according to the report. Some users were saving their passwords within spreadsheets and automatically logging into systems. The IT department will bolster management of user accounts and deploy a new authentication system to address the security gap. To reduce the number of passwords that one person needs to access sensitive applications, a software package will be rolled out and in place by 2009 so users can save their passwords securely.
The Societe Generale board of directors concluded that the bank's IT department would be under great pressure to implement internal control procedures and deploy security technologies.
"The capacity of the information technology department to respond to all of the demands will be a determining factor in the program's success," the committee said. "The bank will therefore have to recruit, train and integrate experienced employees."