I just read the FSA publication, Market Watch 25,
which focused on the systems and controls trading banks should
implement in light of Societe Generale’s rogue trader incident.
Since the SocGen incident, the FSA has had cosy little chats with about
fifty trading banks around London. The conclusion is that firms should:
- ensure “appropriate segregation of front office staff from middle and back office functions” … this means keep the wolves, lions and other beasts involved in trading away from the poor administrators who book this stuff (a lesson learned from 1995);
- ensure traders take their holidays … this means that traders should have
a break before they burn out and, if they don’t take it, there’s
probably something fishy; and
- take “elementary IT precautions, such
as whether access to systems is password dependent” … in other words,
the biggest exposure is that staff can just go willy-nilly booking
orders and deals that don’t exist because they can access systems
without a by-your-leave.
Now, come on. Surely it’s a bit
basic to think that we have systems that do not even require a password
to book an order.
Well, maybe true, as the FSA
adds that companies should review their access controls to make sure
they limit the potential for malicious activity by one unauthorised
trader; that traders should not be able to access systems beyond their
levels of authority; and that front-office employees should be unable
to log on from back-office computers.
In other words, the FSA
asks firms to separate front-office from back-office, and add a little
bit of basic security to their IT apps.
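What those three FSA points look like once they are turned into an actual check is worth seeing, so here is an added example (my own illustration, not code from the FSA, SocGen or any bank). It models the three controls as a small policy evaluated over a constructed stream of booking events: role-based actions (traders book, back office confirms), a per-trader notional limit, and a workstation-zone rule that refuses a front-office login on a back-office machine. It then goes one step beyond the page and lists trades that were booked but never independently confirmed, which is the kind of report that catches a trade existing only on the booker’s screen. All user names, hosts, limits and events are assumptions made up for the example.

```python
"""
Added example: a minimal access-control policy for a trade-booking system,
modelled on the three FSA recommendations quoted above. Every user, host,
limit and event here is constructed for illustration; none of it is real
or taken from the FSA or SocGen.
"""
from dataclasses import dataclass

# Role -> permitted actions. Traders book and amend; only back office
# confirms and settles. This is the front/back office segregation. (Assumed.)
ROLE_ACTIONS = {
    "trader":      {"BOOK", "AMEND"},
    "back_office": {"CONFIRM", "SETTLE"},
    "risk":        {"VIEW"},
}

# Per-user role, office and notional authority limit. (Assumed figures.)
USERS = {
    "jk":   {"role": "trader",      "office": "front",  "limit": 50_000_000},
    "boss": {"role": "trader",      "office": "front",  "limit": 250_000_000},
    "asst": {"role": "back_office", "office": "back",   "limit": 0},
    "rm":   {"role": "risk",        "office": "middle", "limit": 0},
}

# Workstation -> office zone it sits in. (Assumed host names.)
HOSTS = {
    "FO-DESK-01": "front",
    "FO-DESK-02": "front",
    "BO-DESK-07": "back",
    "MO-DESK-03": "middle",
}


@dataclass
class Event:
    user: str
    host: str
    action: str
    trade_id: str
    notional: int = 0


def check(event):
    """Return the list of control violations for one event (empty = allowed)."""
    violations = []
    user = USERS.get(event.user)
    if user is None:
        return ["unknown user"]

    # Rule 3: front-office staff must not log on from back-office machines
    # (and vice versa): the host's zone must match the user's office.
    zone = HOSTS.get(event.host)
    if zone is None:
        violations.append("unknown workstation")
    elif zone != user["office"]:
        violations.append(f"{user['office']}-office user on {zone}-office host")

    # Rule 1: the action must be one the user's role is allowed to perform.
    if event.action not in ROLE_ACTIONS[user["role"]]:
        violations.append(f"role {user['role']} may not {event.action}")
    # Rule 2: a booking must stay within the trader's authority limit.
    elif event.action in {"BOOK", "AMEND"} and event.notional > user["limit"]:
        violations.append("notional exceeds authority limit")
    return violations


def run(events):
    """Evaluate a stream; return (accepted events, {key: violations} for rejected)."""
    accepted, rejected = [], {}
    for ev in events:
        v = check(ev)
        if v:
            rejected[(ev.user, ev.trade_id, ev.action)] = v
        else:
            accepted.append(ev)
    return accepted, rejected


def unconfirmed(accepted):
    """Trade ids booked but never CONFIRMed by someone other than the booker."""
    booked = {e.trade_id: e.user for e in accepted if e.action == "BOOK"}
    confirmed = {e.trade_id for e in accepted
                 if e.action == "CONFIRM" and e.user != booked.get(e.trade_id)}
    return set(booked) - confirmed


# Constructed sample stream: one clean booking, one over limit, one from the
# wrong zone, one back-office user trying to book, one confirmation, and one
# large booking that nobody ever confirms.
SAMPLE_EVENTS = [
    Event("jk",   "FO-DESK-01", "BOOK",    "T1", 40_000_000),
    Event("jk",   "FO-DESK-01", "BOOK",    "T2", 80_000_000),
    Event("jk",   "BO-DESK-07", "BOOK",    "T3", 10_000_000),
    Event("asst", "BO-DESK-07", "BOOK",    "T4", 10_000_000),
    Event("asst", "BO-DESK-07", "CONFIRM", "T1"),
    Event("boss", "FO-DESK-02", "BOOK",    "T5", 100_000_000),
]

if __name__ == "__main__":
    ok, bad = run(SAMPLE_EVENTS)
    for key, why in bad.items():
        print("REJECTED", key, why)
    print("booked but never independently confirmed:", sorted(unconfirmed(ok)))
```

Note that the policy only sees who authenticated; it cannot tell that an assistant is typing on a boss’s unlocked session, which is why the zone rule and the unconfirmed-trade report matter more than the password prompt itself.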
This seems so darned basic that it’s like trying to teach grandma to suck eggs … and yet grandma’s eggs evidently need the lesson, going by the example of Jerome Kerviel,
who is supposed to have nicked computer passwords, sent fake e-mails
and illegally accessed the bank’s computers to exceed trading limits.
Anyone would think he thought this was just virtual money!
Having said that, he claims that everyone knew. In fact, last week
came the revelation that "an assistant on his trading desk conducted at
least one large fictitious transaction last spring on their boss’s own
computer – as the boss himself looked on."
All very dodgy … a nasty whiff of fish and, for the real truth about Jerome in French, click here.
The real deal is maybe to lock up and separate systems using something
better than a password written on a Post-it note, stored in the top
right-hand drawer of a trader’s execution desk.
Maybe it means using something like a biometric? Now how complicated can that be?
This one ain’t gonna go away.