The Lesson of Societe Generale

With the bank's vulnerabilities exposed, technologies for risk and fraud management just got a lot more popular

Paris prosecutor Jean-Claude Marin (center) speaks during a press conference Jan. 28 after a Societe Generale statement the day before outlined the bank's allegations against Jerome Kerviel. Jacques Demarthon/AFP/Getty Images

by Heather Green

French trader Jerome Kerviel Fred Tanneau/AFP/Getty Images

Story Tools

• post a comment
• e-mail this story
• print this story
• order a reprint
• digg this
• save to del.icio.us

The investigation into how Jerome Kerviel, Société Générale (SOGN.PA)'s rogue trader, managed to lose $7.2 billion before being caught is beginning to reveal how he sidestepped the bank's many layers of fraud detection—and how cutting-edge technologies might have plugged some of the holes the Frenchman exploited.

Société Générale's rude awakening, combined with the U.S. mortgage meltdown and a global credit crunch, underscores just how vulnerable companies can be to market misjudgments and inadequate internal oversight. It's little surprise, then, that the financial industry's misery is becoming a boon for providers of risk and fraud detection technology. "Risk management software is a very hot area right now, it's one of the strongest growth areas in 2008," says Julio Gomez, analyst at researcher Financial Insights.

E-mails Trick Detectors

Kerviel apparently used his experience working in Société Générale's compliance department to exploit both human and technological weaknesses. A key element of his alleged scheme was creating fake futures trades to offset the investments he was making in European index funds. To deflect a supervisor's questions about whether he might be hedging his own trades, Kerviel reportedly says he crafted fake e-mails detailing order requests from supposed clients. While Société Générale is said to be using state-of-the-art risk management software, it doesn't appear to have the most advanced detection technologies, say some consultants.

Still, even the latest technologies are designed largely with past breaches in mind, and will always be vulnerable to new schemes concocted by knowledgeable insiders like Kerviel. Indeed, better technology wouldn't have been of much use if, as Kerviel reportedly claims, his Société Générale managers were simply turning a blind eye because he was making more money for the company.

The standard risk management technology used by most banks will monitor trader e-mail, searching for keywords that might point to criminal activities. Less commonly, some banks also use software to alert them to changes an employee might make to an e-mail being forwarded. That might have prevented a trader from altering the content or address on an e-mail to make it look like an order, says Avivah Litan, an analyst at Gartner (IT). To uncover that kind of deception, banks need sophisticated technology from companies such as Actimize, Norkom (NORK.I), and Memento, Litan says. Their wares could have tracked the keystrokes on Kerviel's computer, checked the memory of specific programs to reveal unsent e-mails, and detected efforts to delete fake investment positions.

Getting More Sophisticated

Other advanced software can profile the different actions a trader takes over time, rather than simply flagging breaches of certain restrictions such as a $1 million trade limit or moving money to countries such as Iran. This technology creates profiles of traders' habits, including the types of trades a trader typically makes and what time they typically log in and from which workstations. Such a system might have helped establish when and how often Kerviel might have been logging in with co-workers' accounts. Actimize says about half its clients use its technology to check when traders overstep trading parameters, but that less than 8% use its analytical profiling tools.