How To Lose $7.2B With Just a Few Basic Skills

Cityslacker recommends a Register piece speculating on how a lowly trader at the French bank SocGen was able to lose billions using only Excel VB. The author freely admits that his story is not based on hard sources, but his experience in the banking industry lends plausibility.

it must be microsofts fault!

The solution is clearly to blame microsoft for it.

Re:it must be microsofts fault!

Do you really want to throw away $7,200,000,000?

          <OK> <Cancel>

lemme try

Give me $7.2B and I'll conveniently "lose" it for you. And I have no skills!

Easy!

Buy high, sell low!

How to make a small fortune.

Q: Want to know how to make a small fortune in the stock market?
A: Start with a large fortune.

thankyouverymuch. Don't forget to tip the waiter. No stock tips, please.

The code used

10 STEAL Money
20 GOTO 10

Insider knowledge

He pulled this off using insider knowledge. He worked previously in the back office, which oversaw all trading. The bank then moved him into trading, which according to statements I've read from other bankers, was practically a violation of policy.

Since he knew the flow of information through all parts of the bank, he was able to cover his tracks and employ creative accounting. He knew what types of accounts and trades would not raise flags, so he would flow money though those routes.

This type of security risk can exist in practically any business. If you're a developer or IT person, and suddenly find yourself working within the infrastructure you design and maintain, then guess what? You can most likely bend the system around some rules. The same type of rule applies for relatives and spouses. Most businesses will not let an employer be managed or supervised by a relative or spouse for the same reason. They can cover each other's tracks, and have more complete knowledge of the system.

Dan East

Re:Insider knowledge

...employ creative accounting.
Is that where they draw little faces out of the 0's and make 8's into eyes??

what he did/how he did it

What he did
Basically the guy was "gambling" on stocks and losing - then making bigger bets trying to catch up. He claimed that he was simply trying to get a big bonus and didn't have any malicious intent.

how he did it
He went largely "unsupervised" because he was considered unimportant (and hadn't taken a vacation in a long time - so he covered his own tracks until the whole thing collapsed).

Most financial institutions require mandatory "vacations" so they can check up on people (this guy would have been caught much sooner if someone else had a chance to look at his "trading desk")

the funny part
what I love is that they haven't fired him yet, he has been told to not come to work and they aren't paying him, but France's labor laws require a "sit down" before they kick him out the door.

In the short term he is being looked at as a "Robin Hood" type figure by some people (who think he just ripped off the greedy bankers, not that he committed fraud and stole) - so mark this up as an unintended consequence of ridiculously strong labor unions

The point of the article...

is that anybody with some VBA knowledge will sooner or later get access to other peoples Excel sheets in order to fix problems. This is just a form of social engineering. Once you sit in front of the PC, logged in as another user and telling that gratefull person you get nervous when other people look you on the fingers while you try to solve a complex problem...
Another interesting point is "Rights-creep". Often people are given acces rights as they move between functions, but these rights are never revoked when moving on to the next...

Bad banks

I interviewed for a senior IT management position at a fairly decent size bank several years ago. Maybe this bank is within the top 25 in the USA.

I met with the CIO, and we had a great discussion in terms of where they were in terms of their systems. The CIO seemed to be an honest, straight-shooting guy. He was new to the bank - he started perhaps 8-12 months earlier.

He stated that the systems of the bank were in danger of total catastrophe. There were internally-built programs without source code. The divide between production, QA, and development environments broke down. Production runtime was manipulated by developers in real time. Some hardware was so old that it was running obsolete operating system software. If the machines failed, recovery would be extremely difficult, at best.

Coming from another class of institution, I found these statements shocking and disheartening. I liked the CIO - he was certainly fighting a huge, dangerous battle... and it was clear that he knew how much trouble he was in.

I ended up turning down the position offered, as their financial compensation wasn't nearly commensurate with the career risks I'd be taking stepping into such a huge minefield.

The CIO said he understood, but his budget was constrained - the bank was in severe cost-cutting mode, looking for a merger.

Nice.

Startanairline

According to Richard Branson, the best way to become a millionaire is to start as a billionaire and found an airline.

Not guilty until proven

Here in France someone is not guilty until it has been proven.
Just let the justice do its work, we can then speak about it using some hopefully serious investigation to base our comments on.

Several things are unclear:
- Why and How can this man be responsible for a such thing ?
- What gives its employer the right to judge him ? (nothing according to French laws)
- Is it really a fraud or is it a professional mistake ? This point is still unclear according to the justice.
- How are the amount accounted ? According to the latest news the bank itself is responsible for the loss and it was determined by the bank strategy not the trader's.

I think this is a very complicated situation involving various interests (financial places, politics, justice...).
It is not obvious how things will be sorted out, speculating about it will not help.

I am giving up my karma on this one ;)

Look at the guy's CV

I hate to say it, but the Reg might be right. Assuming the linked CV is the real thing, he only claims to have experience with Excel macros and a smattering of VB.

The real part of his hack is probably social engineering and stumbling upon oversights in the trading system. How many IT folks, even the dumb ones, can say "I could take this whole system down if I wanted!" - this guy actually did.

Goes to show that there's a difference between checking off boxes for auditors and actual security. Auditors can make sure the proper safeguards are in place; auditors can't tell if everyone in the department uses the same password.

SocGen Credit Briefing

I don't post much on Slashdot (ever), but I read the site a lot. I work in the financial industry and got some feedback from senior Risk Management ppl at SocGen regarding this little fiasco.

This is what they said happened:

As is now well-publicized, JK was able to use his knowledge of SocGen's back office procedures and controls to subvert them. Somehow (SocGen still seems unsure how) he obtained the access passwords of 3 or 4 other middle/back office individuals; but not only that, because these are changed regularly, he obviously managed to keep "updated" with the changes; (*my theory is that he figured out that people use easy to remember passwords like MonthYear and change it every month).

JK was able to hide what would have been massive swings (because of the size of real gross positions he was taking, primarily on Eurex) in his P&L from SocGen's P&L and Risk Management systems;

An alternating pattern of 5 basic types of transactions was used. (I believe these were described in a press release last weekend);

One thing that JK was apparently doing (which gave us an instant "flashback" to Barings and the infamous 88888 account!), was that JK would fail to put the required broker reference on at least some of his transactions, which would cause them to go into an error or suspense account for subsequent reconciliation (i.e., not as part of the overnight routine), allowing JK the opportunity (presumably) to reverse out or cancel the trade before it was spotted and questioned;

JK was hiding a few fictitious transactions in the midst of a slew of real ones. When some of these were picked up by controllers, he was able to find excuses to allay suspicion- e.g., by saying that the size of transaction entered must be an error and he would rectify it

He would cancel forward starting transactions before SocGen's system generated the relevant Confirm; [If I understood JPM correctly, SocGen has stopped the practice of deferring sending these out];

SocGen has combed its books and it believes that it has found all the fictitious transactions; and does not believe there was anyone else acting with JK. JPM stated that the bank was "99% certain" that it knows the full extent of its losses;

There were clear weaknesses in trader management. The Delta One Desk was supposed to have small risk sensitivities and hence a modest net daily P&L movement. JK's superior "reconciled" the daily P&L on a net basis, but never appears to have looked at the gross positions- the clear inference from JPM was that, if he/she had the fact that something didn't add would/should have been spotted;

With regards to margin calls, most of these would have related to positions on Eurex. For administrative convenience, SocGen received a single consolidated account for the whole bank- i.e., no granularity. Given how big a player SocGen is on Eurex, this made it easy to miss individual movements {Altho' this begs the question about control over actual movement of cash/margin];

As JPM pointedly said, SocGen's Market Risk Management never failed, but its Operating Risk Management certainly did;

Boston Consulting Group is now helping SocGen with making changes to its controls and the bank has a number of immediate and short term fixes underway- including reviewing the use of biometric identity checks for at least key controls; looking at gross and not just net positions in reconciling daily P reconciling positions between internal counterparts daily (not monthly as before); tougher and more granular controls on deposit and margin calls and reporting; better enforcement of the holiday policy (e.g., JK was able to find an excuse not to take holiday last November);

As is public knowledge, when JK was found out, SocGen discovered that it had open positions on Eurex (EUR 30BN); DAX (18BN); and FTSE (EUR 2BN), aggregating EUR 50BN. JPM was adamant that SocGen had no choice but to close out those positions, while trying to avoid moving the market. In mitigation of the argument that SocGen actually caused the market slides seen when it was closing out the positions, JPM pointed out that markets plummeted in Asia, where SocGen had no positions to close out;

JPM stated that SocGen does not have any liquidity issues and has not seen any material cutting of lines. He did admit that SocGen was getting "questions" from a number of Asian counterparts "who did not know [SocGen] so well", and was trying to address those;

The bank is working with auditors from the Banque de France and a team from its own auditors in continuing its investigations.

While the bank appears to have been able to repair the immediate hole in its capital base by an underwritten EUR 5.5MM equity placing and expects to have eked out a profit of "EUR 600 to 800MM" for 2007 as a whole, quite clearly, as JPM admitted, it is "wounded" and now vulnerable to predators. Plus the sparring has already started between the French State and the European Commission on whether SocGen could be bought by a hostile [non-French] bidder.

Re:Reliable?

Don't mistake the register's humorous undertones and brash site design to mean that site is unreliable. I personally know a couple of the journalists they are highly professional and yes, they tend to skew things to make them more humorous (which I like) but they don't bullshit or flat out lie.
 
I think some people get the impression they are the online equivalent of National Enquirer but it's simply untrue.

Now excuse me, the BOFH is screaming for my blood..

Re:Reliable?

D'oh! Reading the wrong damned thread! We need an article about multitasking making you stupid.

One thing rings true!

In a place (bank) I worked a branch had a new trainee employee start and forgot to notify the IT department. When they phoned up and let us know we said we would do it as soon as possible. The answer we got was "That's OK, the branch manager has let him use his password for now".

While this really was a clueless trainee someone with the manager's password could authorise over-limit cash withdrawals, reverse transactions, see all sorts of files and make queries on customers that ordinary staff cannot do.

Re:Seriously?

It is? I have worked in IT at financial institutions in the last 10 years. Nothing what he said sounds even remotely improbable. If you knew the stuff, I have seen, you can be happy that a simple wire tranfer doesn't fuck up every time.

Re:Seriously?

Maybe you haven't spent enough years to recognize the author of the article Dominic Connor - a highly regarded individual in these circles.

I found $2.34x10^x dollars yesterday when I worked out that one of our manual data entry people forgot to put a minus sign in front of a trade. Happens all the time.

Re:Stupid?

Quick summary : He was a trader at one of the biggest French bank, manipulating millions owned by the bank using the usual scheme : buy low, sell high. Except, he managed to fool controls to manipulate more money than he was allowed by several orders of magnitude, allowing him to have a very good overall performance. His objective was _apparently_ only to get higher raises, not to steal that money. So he traded billions in order to make millions of profits. He has been doing this for several months. A few weeks ago, bank officials discover his hidden account with ~50 billions worth of unauthorized stocks on it. They panicked, they sold this as discreetly as possible in a few days at loss (~ 5 billions of loss ), possibly causing a worldwide fall of stock exchanges. The trader admitted that he did something he was not authorized but called the selling a bad decision made in a hurry.

Of course there are many speculation about all that he could have done by bypassing usual controls.

Not quite right

Better summary: he was a financial derivatives trader at a big French investment bank. Derivatives traders don't buy and sell stocks, but rather, more exotic financial instruments, whose value is tied to stocks. His job was to find mispriced trades when they momentarily occurred, and jump in quickly to make the bank a small profit of them. In general, the way this works is that you have two investments, A and B, whose prices are supposed to stay in the same relation regardless of whether they go up or down; if the prices of A and B are spread too far apart from each other, for example, his job was to spot this, and to simultaneously short sell the overpriced one and buy the underpriced one. This is a form of what's called "arbitrage," because it's supposed to be riskless; if the market goes down, the buy loses money, but the short sale makes you money, and vice-versa. The amounts of the transactions in the pair are set up so that if A and B move the same amount, the losses and gains cancel each other out exactly; you only make money in that example when the prices move relatively closer to each other.

So now, essentially, what he's accused of doing is two things:

1. Instead of making his trades in mutually canceling pairs as described above, he'd leave out one trade in the pair, and hide this by producing fake evidence that he'd made that counteracting trade.
2. Taking on very huge positions, and also concealing them by similar methods. (Faking counteracting trades is a way of concealing them, too, because what the bank really cares about is not the absolute size of the trades, but rather, the risk exposure of the trades. Two very large trades that mostly cancel each other out will have small risk, taken together.)

One further thing is needed to understand this: derivatives allow one to take huge positions with very little money down, because when you buy, say, a 3-month futures contract to buy on GOOG for $600 (more or less randomly picked number), you don't have to put in $600 for that contract; you only need to put in a fraction of it, as decided by the broker (this is called a "margin requirement"). For the sake of argument, let's say 10%; then with $600, you could buy one share of GOOG, or you could use that as a margin to buy 10 futures contracts on GOOG, that give you, over 3 months, the return of $6,000 worth of GOOG stock. If GOOG goes up, you make 10x as much with the futures contracts; if it goes down, you lost 10x as much.

This is relevant to this case because Kerviel's job was a futures trader. To take positions worth $50 billion USD, he didn't need to procure that much money from the bank; he only needed to obtain much less.

Re:Stupid?

What happened was that he was only "authorised" to make "safe" purchases - buy stuff that was undervalued, buy low and sell at normal price.
What he actually did was buy at normal price, and hope that the price would go up.
What then happened was that he bought at normal price, but the price went down.

To compound the issue, he was playing with more money than he was allowed to. e.g. He was allowed to play with [currency of your choice]100,000, but he was actually playing with [currency]10,000,000.

TFA suggests that he had been promoted out of the "lowly lowly trader" position, but was still playing with those accounts (that he shouldn't have had access to).

The IT angle was that he was using "creative" processes within Excel to hide this - devs hardcoding admin passwords into the spreadsheets.

Re:Beyond trusting sources, don't trust the author

Generally, the economy works better when money circulates...When it has "velocity", which is another one of those words like "multiplier" which I'm going to assume you understand. By dumping surplus money into commodities rather than banks, you're effectively hiding your money under your bed, and dampening the flow of money through the economy. People did this for a long time until a smart guy named Adam Smith pointed out that hoarding gold didn't make anyone especially wealthy; it was trade that built wealth, and that meant the movement of money and goods.

So that's why banks exist, and why we allow things like the multiplier effect to run our economy. The granddaddy of all multipliers (the Fed) has been active for the past few weeks, trying to pump some money into the economy. Bush is hedging his bets, and backing Keynes at the same time with a stimulus package. Historically, these actions have added velocity to currency, and fast currency tends to stimulate the economy.

The reason for the FDIC, and SEC, and Social Security and Welfare, and every other similar system is to basically keep the money in people's pockets. This is important for the reasons above; cash circulating through the economy creates jobs and stimulates the economy. A bunch of people losing all their money (for example, when a bank fails) means you have a bunch of people who suddenly can't buy groceries. Grocery stores start laying people off, because they have to cut costs, which means MORE people can't afford groceries, and so forth. People like you pull their money in and convert it to commodities, instead of putting it into banks, which means banks can't make loans to support people who are trying to start businesses or buy houses, which, again, slows the economy and costs people their jobs.

Basically your thoughts on this stuff fly in the face of all mainstream economic thought for the last several hundred years. I'm assuming you're a Ron Paul guy, because echoing his "economic" beliefs, and Gosh, we'd sure like to move back to the gold standard. I'd almost like to see him get elected, just out of academic interest in the economic chaos that would ensue.

Anyway.

Re:Beyond trusting sources, don't trust the author

Generally, the economy works better when money circulates...When it has "velocity", which is another one of those words like "multiplier" which I'm going to assume you understand. By dumping surplus money into commodities rather than banks, you're effectively hiding your money under your bed, and dampening the flow of money through the economy. People did this for a long time until a smart guy named Adam Smith pointed out that hoarding gold didn't make anyone especially wealthy; it was trade that built wealth, and that meant the movement of money and goods.

Yes, Adam Smith was correct, that wealth is built on trade. The problem with what you said is that there is a hidden effect from almost every transaction in said trade -- the profit made by the cartelized banks from each and every dollar that they create through the money multiplier effect. They don't actively "give" money out that they've created through the fraudulent fractional reserve banking standard, they loan it out. In fact, they loan out money based on previously loaned out and deposited money, so they're making money on nearly every loan transaction, even though the money doesn't physically exist. This hidden tax that only occurs with fiat money in a fractional reserve banking and monetary system is a form of wealth transfer from the economy as a whole to the cartelized banking institutions, and it actually causes a lag on the economy?

Don't believe me? Look at the GDP figures for the past, oh, 20 years. Subtract TRUE price increases over that time (don't use the ignorant and embarassingly fake CPI figures) from that GDP. We've been in a recession for 20 years, maybe 30 years, even though we may seem to have been strong for a few segments in that time. At almost no time in 30 years have we truly had GDP growth after subtracting the loss of the value of the dollar from the previous time-frame of GDP analysis. This means we're in a permanent recession, and the recession comes from the loss in value of the dollar, which is multiplied many times over due to the hidden tax the banking cartels have created from their money multiplier profit drain.

So that's why banks exist, and why we allow things like the multiplier effect to run our economy. The granddaddy of all multipliers (the Fed) has been active for the past few weeks, trying to pump some money into the economy. Bush is hedging his bets, and backing Keynes at the same time with a stimulus package. Historically, these actions have added velocity to currency, and fast currency tends to stimulate the economy.

No, it doesn't. That's a false statement, and one that a Keynesian spews regularly. Just because the economy may show growth in pure dollar totals, the value of the dollar is decreasing over that time, over and beyond any economic growth shown by more dollars spinning around. If the GDP grows from $10.00 to $10.75 in a year, but the dollar has lost 10% of its value, the actual growth in the economy in dollar terms is 7.5%, but the actual growth in value terms is -3.25%. This is a fact that is readily ignored by Keynesians and other pseudo-economists since these United States have withdrawn from backing the monetary notes with anything of current value. We are in a recession, and we've likely been in a permanent recession since Nixon's time.

The reason for the FDIC, and SEC, and Social Security and Welfare, and every other similar system is to basically keep the money in people's pockets. This is important for the reasons above; cash circulating through the economy creates jobs and stimulates the economy. A bunch of people losing all their money (for example, when a bank fails) means you have a bunch of people who suddenly can't buy groceries. Grocery stores start laying people off, because they have to cut costs, which means MORE people can't afford groceries, and so forth. People like you pull their money in and convert it to commodities, instead of putting it into banks, which means banks can't make loans to support people who are trying to start businesses or buy houses, which, again, slows the economy and costs people their jobs.

What a farce of a statement, on its face and on its rear. Would you rather lose 100% of your investment because of a bad investment over a year, or slowly lose 10% of your investment while believing you're gaining 5% of it yearly? They're BOTH bad, and they BOTH happen because of fractional reserve banking, pure and simple. If you deposit $100 into a bank, and the bank goes under, it is because the bank lied about how much money is loaned out versus what it could have loaned out (look at Northern Rock). Banks are allowed to loan out much more than they take in, this is fraud, but it is legal fraud. Losing that $100 is bad. Now, if you deposit $100 into a bank, and make $5 in the first year, but the dollar is 10% weaker over a year, you may have $105 in the bank after a year, but now you can only buy $94.50 worth of goods compared to last year's dollar. This is also a loss, but it is hidden because of the negative growth in value of an investment that shows dollar growth but does not account for value loss.

People like you pull their money in and convert it to commodities, instead of putting it into banks, which means banks can't make loans to support people who are trying to start businesses or buy houses, which, again, slows the economy and costs people their jobs.

No, people like me put our money into our businesses, which earn us a REAL profit (dividend) versus a FAKE profit (stock value increase without dividend) like in the stock market. My money really grows, and as it grows, I hire more people. I spend more on infrastructure, while still maintaining a true profit over the loss of value via monetary inflation. You put your money in the stock market by buying used stocks, not new ones. Those used stocks have gone up in value usually because the dollar has plummeted in value over the time since the previous used stock buyer purchased the very stocks they're selling. The stock market goes up not because the companies are paying bigger profits, but because the dollar has lost value, so you need more dollars to buy the same amount of company. Yes, some companies actually have expanded their infrastructure, acquiring more assets, etc, but in reality none of those things matter unless the company is sold. Stock values going up have nothing to do with company values going up -- they're purely a mirage caused by the fiat money system.

Fractional reserve banking is fraudulent, it is theft, it is a lie. The average labor producer (i.e. consumer) must understand this in order to make themselves wealthy. If you listen to the Suze Ormans, you can save $2000 a year and by retirement you'll be a millionaire. Yes, but you'll be a millionaire when a million dollars might not be worth more than $100,000 today. That's the truth with most investment advisors -- they want their income now, by showing you fake values tomorrow.

How are those 401Ks of yours doing versus the cost of living increases?