Monday, 23 June 2008

Is rogue trading endemic?

Traditionally, most companies at the frontline of fighting fraud secured their 'perimeter fence' using firewalls, secure passwords and access tokens. All of these measures were largely designed to thwart an external threat or attack.

However, in recent years, the threat from within or from employees, be it accidental or malicious, is increasingly keeping company CEOs, risk managers and security experts awake at night. Recent rogue trading incidents only serve to remind companies, particularly banks, that often the greatest threat when it comes to fraud is from a 'trusted' employee.

French bank, Société Générale, made headlines earlier this year when fraudulent trades totaling $7.1 billion were racked up allegedly by a single trader. There have been other rogue trading scandals, most notably Nick Leeson and Barings Bank in 1995.

But incidences of rogue trading are not as isolated as company CEOs would like to think. Recently, Morgan Stanley announced that a London-based credit derivatives trader hit them for $120 million, and just last week the subprime mortgage crisis in the US resulted in two former Bear Stearns' hedge fund managers being arrested on securities fraud charges.

According to anti-fraud and compliance vendor, Actimize, there have now been five major(more than $100 million)rogue trading incidents reported in 2008? According to its Rogue Trading Peer Review, 50% of respondents estimated that thousands to millions of dollars of rogue trading activities go unreported every year at their firms and 24% said that they had experienced a case of trading fraud at their firms in the last year.

The reputational risk from such events appears to be such that financial services firms are not even reporting these incidents. That makes it difficult for fraud, risk and security experts to do their job properly if there is not recognition at boardroom level that internal fraud is occurring.

The threat from within is perhaps the greatest challenge the financial services industry faces, and combating it is not as straightforward as thwarting an external attack. No amount of firewalls and secure passwords can prevent a determined bonus hungry trader from overriding internal controls to perpetrate a fraud, nor is it going to help prevent the rise of a corporate culture that has a tendency to turn a blind eye to traders looking to boost theirs' and the company's profits by 'gambling' with investors' money.

One company I spoke to recently about internal fraud, pointed to multi-factor authentication as a means of combating it. They said users could set up a policy that says once a user has securely authenticated to a network, or once they launch a particular application, it may ask for another form of authentication such as a fingerprint or biometric. So in this example, a trader would need to swipe their fingerprint whenever a trade is conducted. Even if the trader was able to create “multiple accounts,” the fingerprint would provide an audit trail.

That may be one way of combating rogue trading, but the question is how far do companies go in implementing effective anti-fraud measures that do not make it more difficult, time consuming or onerous for employees or traders to perform legitimate business activities. It is a delicate balance to strike.
Posted by Anita Hawser

No comments: