Barbican Consulting Limited
Rogue Trading
Rogue Traders
A response to the FSA's Market Watch No. 25
Introduction
In March 2008 the FSA issued Market Watch No. 25. In this report the FSA highlights the measures firms should consider when reviewing systems and controls used to protect against the risk of a rogue trader.
Overall the newsletter is helpful and the FSA correctly identifies and comments on a number of issues.
Whilst not formal guidance the newsletter from Markets Division contains a number of surprising comments that if followed could lead to problems with the regulator.
I have answered the questions raised by the FSA. In some cases my response differs. Use your judgment to find out what suits your firm.
What can firms do?
Let's be clear about this. Controls and measures taken to detect rogue trading (fraud) will never be foolproof. But you can reduce the chance of it happening to you. If it does happen you need to detect it early before it causes irreparable financial and reputational damage.
What is the single most important factor that caused some of the largest losses? It is my opinion that senior management did not ask some basic questions. In particular how are we making money? Do the trades done in the front office fit our business model?
A regulator or auditor should be able to ask these questions at a senior level and get some sensible answers.
Remember there are three ways a front office can make money:
It is rewarded for risk taking
It has external customers who pay the bid-offer spread
It has internal customers who pay the bid-offer spread
What about arbitrage? A term used by both Leeson and Ruznak to explain their business.
Front office culture & governance
Q1. How does the firm make sure that the right incentives are in place to promote oversight and governance in the front office?
Firms should identify who has the responsibility of ensuring that the front office control environment is sufficiently robust (appropriately controlled). In my opinion this is not something that can be delegated to middle management. I would expect a senior executive to acknowledge ownership of this responsibility or the Board as a whole to recognise collective responsibility. After all rogue traders have led to the resignation of CEOs and the downfall of firms.
Front office culture has been considered a contributory factor in several rogue trading cases. If the front office is regularly breaking limits it is possible that the culture is at fault. Front office culture is set by the senior management of a firm.
Has the Board set a risk "thermostat"? Is this explained to the front office and does it affect the risk dealers take? Does senior management appreciate and understand the risk reports it receives?
A high number of cancelled or amended trades is a problem. They need to be escalated to senior front office management and control functions.
Traders should not do valuations. This is a breakdown in segregation.
For complex products this is problematic because the traders may be the only individuals who "know" the price.
If traders are valuing or marking their own books there should be a sufficiently knowledgeable challenge process.
Two weeks of continuous holiday per annum for front office staff should be mandatory. During this time traders should not be managing positions outside the office.
Trading mandates and limits
Q2. How does a firm make sure that appropriately specified trading mandates are in place, that they are up to date and are monitored against?
Whilst trading mandates for dealers potentially limit what they can do, emphasis on mandates to control risk is probably mistaken.
In many firms mandates can be avoided by dealers. How many times has a dealer done a trade and asked a colleague to authenticate it? In many rogue trading cases mandates would have made very little difference to the outcome, the trader would have circumvented the control.
More important is the verification that all deals are recorded and inaccurate or false deals identified. (More on this later).
Control functions: culture and challenge
Q3. How does the firm make sure that the control functions are sufficiently skilled and can provide effective challenge to the front office?
Q4. How does the firm make sure that the checks and controls work as intended?
Consider the process: Identify the risk and then find out where the control function is and how breach of the control is dealt with.
Here is an example. The risk identified is counterparty credit risk. You now identify how the firm monitors and limits this risk for different instruments. Then you ask how could the limit be breached and what would happen? Is this an automated process? What report is generated? Where does it go? Who acts on it? What are the escalation processes? Do they work? Have there been instances of this limit being broken? What happened? Is there an audit trail? At what level do senior management get involved? Do they treat this risk seriously?
Evaluate the level of skills: Do those involved in the control function have sufficient knowledge and understanding to carry out their duties effectively? You need to evaluate whether they understand the potential consequences of failed controls. If they don't in my opinion you have a serious risk that vigilance is lower than is acceptable. Staff turnover and retention are also important items.
Consider the challenge process: Without sufficient seniority the challenge process is fundamentally flawed because it will not be taken seriously. Individuals running the control functions should be sufficiently senior. Responsibility for weaknesses in controls firmly lies with senior management. The directors should be fully aware of their responsibility.
Risk Management & Limits
Q5. How does the firm make sure that all material, exotic and basis risks are captured?
Q6. How does the firm make sure that there are limits in place against all material risks and that they monitor all risks regularly to assess their materiality?
The firm needs to have a properly staffed risk department that uses third party systems or its own systems. Without this you will not capture these risks with any degree of confidence.
Knowledgeable risk managers will understand the basis and exotic risks being run and will indicate whether in their opinion the reporting is adequate.
The reports generated are normally sent to senior management in their information packs. It is essential that senior management understands these packs. They are produced as an aid to the decision making process. If management does not understand the information provided how are appropriate business decisions made? Is the information a regulatory cosmetic?
Management Information
Q7. Is the management information on key performance indicators sufficiently detailed and appropriate?
Q8. How does the firm pull together information across different middle office teams and control functions to make sure that poor performance and/or suspicious activity is spotted?
There are no simple answers. The FSA has correctly identified the problems of matrix management and reporting in the risk area. There have been several instances where third parties have approached a firm and indicated that they think the trading activity is suspicious only to be turned away. Later the activity turned out to be fraudulent.
Off-market rates
Q9. What controls are in place to make sure trades booked at off-market rates are flagged and challenged?
Trades should not be done at off-market rates. Off-market trades can be used to manipulate P&L. IT systems can flag certain off-market deals if they occur. Senior management should sign off on any off market transaction.
P&L Attribution
Q10. How does a firm make sure that it understands where all the P&L is coming from, including P&L from more exotic risk and basis risks?
Q.11 Does the firm understand where large day-one P&Ls movements are coming from and whether they make sense?
Senior management of a firm should be able to explain how the P&L is derived and what risks are being taken to generate the P&L. This explanation should match the firm's appetite for risk taking.
Large day one P&Ls indicate an exceptionally profitable client trade or the taking of a large amount of risk.
Large day-to-day P&L swings indicate risk taking, market volatility, weak hedging processes or an inaccurate mark-to-market process.
Reconciliations
Q12. How does the firm make sure it has the necessary reconciliations in place and that they operate effectively?
The FSA correctly identifies reconciliations as an essential control and that KPI should be used to enforce the robust implementation of reconciliation processes.
Confirmations
Q13. How has the firm organised its confirmations processes and controls to minimise the risks associated with unconfirmed trades?
Q14. How does the firm make sure that the management information it produces is sufficiently detailed to track adequately the risk profile of outstanding confirmations?
Confirmation processes vary but best practice does not. Confirmations reduce the chance of false trades or inaccurate trade details. There should notbe a build up of unconfirmed trades. A backlog increases risk and regulatory sanction. A firm should have a confirmation for each trade it enters into or a process that amounts to a confirmation.
The front office should not be involved in the confirmation process. There should be an appropriate escalation process for unconfirmed trades. Many firms use different criteria to identify the risk associated with unconfirmed trades. These criteria include days outstanding, counterparty risk rating, product type, size of deal and value of the trade.
Margining, collateralization and cash management
Q.15 How does the firm make sure that its margining process is working properly and that any changes are reconciled to the relevant positions on its book?
Margining and collateral management mitigate risk provided they are done properly.
Before collateral management starts with a counterparty a trade reconciliation with that party is considered best practice. This has the advantage of uncovering trades that are not properly booked.
A firm should be able to independently value trades and call for collateral or the return of collateral. There should be an escalation process for dispute resolution.
Trading book P&Ls and collateral calls should reconcile. Differences should be investigated.
Segregations of duties and IT security
Q16. How does a firm make sure that access controls are adequate and that its security measures are adhered to?
Q17. Does the firm have scope to enhance segregation of duties arrangements to limit the likelihood of malicious action by a single unauthorised user?
The FSA correctly identifies IT security and controls as being important in the segregation of duties. Indeed a number of large frauds have involved front office staff accessing and interfering with operations and risk reporting through the IT system.
Perhaps one further question should be raised? What risk do you have from a rogue IT manager?
Is there anything else?
There are several controls/issues that have been discussed in the industry that warrant further attention. In no particular order they are:
Increased use of thematic reviews at a much deeper level of understanding: This appears to be the favoured approach by many audit teams. These reviews drill down into the processes and risks in order to see that the controls are adequate or whether improvements are required.
Screen employees background: Is the information that you have been told by a new hire correct? Be certain, make the searches.
Desktop applications: Spreadsheets offer flexibility and speed, many firms are spreadsheet reliant. Spreadsheets are also a source of risk. They are outside central control, often poorly documented and may contain errors. They have also been used by rogue traders to manipulate P&L and risk. Is there an audit trail of spreadsheet alterations? Can you find complex spreadsheets with many feeds? Do spreadsheets from your front office feed into risk and pricing? Are you confident that the calculations do what you expect? Is the author of the spreadsheet still working for you?
High staff turnover and internal staff movement: Be aware that these potentially weaken a control function. They may lead to lack of continuity and responsibility and may indicate low morale.
Instant messaging communication systems: It is considered that they may offer a risk to firms and that a restriction is considered. Policing this is difficult.
Bypassing system controls: You can test for password changes, the complexity and sharing of passwords, the appropriate levels of segregation but do you talk to users? Employees who use a system every day often know its weaknesses and know how it could be bypassed.
Training: A vigilant workforce may help you spot the problems before they occur. How can the workforce be vigilant if it doesn't know why policies and procedures exist? Relevant and contextual training in risk and controls is important. Do you do it?
Audit reports should be followed up: If an audit report highlights concerns they should be acted upon. There should be formal process to acknowledge that the appropriate action has been taken.
Why do some traders end up being rogues?: Some consider a performance related bonus system coupled with greed create the motivation for some traders to act fraudulently. In some cases this may be true but in many cases the trader is covering up losses or a failure to perform.
How many rogue traders have not been uncovered because their trades have been profitable?
Finally, history shows that the recent Societe Generale case will be trumped. That's worrying!
First Published by Barbican Consulting Limited 2008