French bank Société Générale expects to have remedies in place by year end for the technical and procedural flaws that allowed rogue trader Jérôme Kerviel to build a fraudulent trading position that cost the bank €4.9 billion (NZ$9.85 billion).
The bank has published the final report of a special committee that investigated the fraud, along with a summary of auditor PriceWaterhouseCoopers' review of the new controls the company plans to implement, and another study by the bank's general inspection department.
That department says it has found evidence that points to Kerviel having an accomplice in the bank's middle office, but that it has been unable to question the employee concerned because of the ongoing criminal investigation into Kerviel's activities.
Kerviel's job as an arbitrage trader was to make transactions in pairs, buying and selling similar assets to exploit the minute and fleeting differences in prices that exist in markets. Instead, he took massive bets on the market moving in a particular direction, faking the paired transactions. He was discovered when those bets went wrong, exposing the bank to massive losses.
The special committee concluded that Kerviel was able to fake the transactions because he was inadequately supervised, and because his direct supervisor lacked the necessary trading experience: When challenged, Kerviel had been able to allay suspicion by producing what ultimately turned out to be faked email messages justifying his position.
Nevertheless, the bank's risk control, financial and compliance departments, and its middle and back offices, generally followed the required procedures, the committee found — although the procedures themselves were flawed, as they did not identify or stop Kerviel's activities. Kerviel, having previously worked in the back office, knew how to avoid many of the controls. For example, knowing that certain transactions were only verified at the end of the month, he would cancel the fictitious part of a pair of trades just before the check, replacing them with new ones before the bank's risk management system noticed the unpaired trades.
Within weeks of discovering the fraud, the bank put in place a 10-point plan to reinforce control procedures and has since decided on further steps to prevent a repeat occurrence. Many of these controls are now in place and the bank expects to have the others ready by the end of the year, according to the committee's report.
In the future, the bank will regularly change the passwords on sensitive applications and will reinforce access controls on the most sensitive. It will also introduce controls on the cancellation or modification of transactions and prevent front-office workers from changing the parameters of the middle-office applications that monitor them.
An early proposal to introduce biometric authentication of Windows log-ins has now been downgraded to a pilot exercise for one specific technology in the middle office, according to the PriceWaterhouseCoopers report.
Beyond the technology, the bank plans to improve training and recruiting to ensure that mistakes are not made again.
In April, Kerviel was reported to have started working at an IT consultancy on the outskirts of Paris, prompting the bank's lawyer to remark, "I'm glad he's found a job: That will help him to reimburse Société Générale."