By Paul Sheldon Foote & Reena Hora
The financial meltdown on Wall Street and around the world has littered the financial landscape with an ever growing list of financial casualties, including: Bear Stearns, Lehman Brothers, AIG, Merrill Lynch, Washington Mutual, and Wachovia Bank. While Congress debates governmental interventions to reduce the possibilities of a recession or of a depression, there are technologies available today for executives and audit committees to implement to mitigate future frauds and control system failures. For example, it is incredible that any public company would rely upon passwords for security and internal control systems. One of many solutions available today would be the implementation of biometric systems. Biometric systems make it more difficult for dishonest employees to repudiate in court the evidence against them. Companies need systems for detecting and for holding accountable persons who are violating security and internal control system standards. Following the billions of dollars of losses caused by dishonest or irresponsible employees, investors and voters should become suspicious in the future whenever executives or audit committees claim their companies cannot afford better security systems.
FUTURE SOLUTIONS
Daily, trillions of dollars in funds and securities are transferred worldwide through financial systems. The magnitude of these flows exposes financial institutions and their customers to a very high risk of deliberate and accidental fraud. Many government and industry regulations and standards, such as International Financial Reporting Standards (IFRS), Basel II, Basel III, PCI and Sarbanes-Oxley (SOX), require these financial institutions to take steps to mitigate risks and protect themselves from fraud. These strict regulations were unable to prevent the big slide in the stock markets in September 2008. Future solutions to the financial meltdown must include raising security standards in the financial industry, such as the use of biometric systems.
REGULATIONS AND STANDARDS
International Financial Reporting Standards (IFRS)
These standards are becoming the global standards for preparing companies' financial documents. They are developed by the International Accounting Standards Board (IASB) and have been adopted by over 12,000 companies in over 100 countries globally. (Ref 1)
ERP systems such as SAP ERP financials provide compliance solutions for IFRS. (Ref 2)
Basel II & III
These are issued by the Basel Committee on Banking Supervision, which is composed of representatives and senior authorities from the central banks of the G-10 countries. These accords are recommendations on banking laws and regulations. (Ref 3)
PCI DSS
This is a security standard developed to facilitate adoption of data security measures on a global basis and mitigate payment security risks. It includes requirements for security management, software design, network architecture, policies, procedures and other critical protective measures. (Ref 4)
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act became law in 2002 in response to major corporate and accounting scandals. Congress created SOX to increase transparency in financial accounting and to mitigate fraud. Originally, its focus was issues surrounding accounting and finance. In 2005, its focus expanded to include human resources, supply chain management and information technology. (Ref 5)
Banks and financial institutions may have risk control procedures in place complying with these regulations, but they are still exposed to fraud. This vulnerability is due to dependence on passwords for security and to negligence in carrying out the security procedures diligently.
According to "IT Departments on Data Security: A Research Concepts Survey", 1 out of 4 organizations surveyed last year had a data breach. Most of these companies viewed security as a high priority. According to this survey, only 1 in every 100 employees consistently follows security policy.
SECURITY
ISO 19092:2008
To increase security, biometrics is increasingly recognized as a reliable method of authentication and identification. The International Organization for Standardization (ISO) has published a new standard, ISO 19092:2008 Financial services - Biometrics - Security framework. "This standard establishes the security requirements for the implementation and management of state-of-the-art biometric identification technology within the financial industry." This standard will make transactions more secure in the electronic era for the financial sector. (Ref 6 & Ref 7)
According to a Unisys survey, 66% of worldwide consumers preferred banks, credit card companies, healthcare companies, and government organizations to use biometric identification over passwords, smart cards, and security tokens. Most consumers surveyed found biometric solutions extremely convenient and secure as they would not have to remember passwords and also not have to deal with password misuse. (Ref 8)
Passwords Fail
There are many ways to gain access to passwords, ranging from simple means such as casual conversation to sophisticated software. Data and systems security cannot depend on passwords. In certain work environments, such as banks or financial institutions, multiple users share a computer, each logging in with individual credentials to do their jobs. If a user forgets to log out of the system, the next user could misuse the open session to create fraudulent transactions or trades under the previous user's log-in. The ERP system would only have a record of the transaction being carried out by the first user under his login.
Biometrics Authentication
SAP users can mitigate fraud by using a certified fingerprint-based biometric solution. Even if log-in passwords were obtained, the fraudster would not be able to do anything with them because the biometric authentication system would deny him access to perform transactions. Even if an ERP system uses multiple passwords for each user to control access to specific modules, that approach is no match for a biometric system able to control access even at the transaction, field or data level. The biometric approach is crucial for maintaining segregation of duties when employees gain new responsibilities.
SAP
Banks can use an ERP solution like SAP which is a leader in the banking industry. Among the 30 largest banks of the world, 21 are SAP customers. The SAP for banking portfolio includes compliance and risk management solutions. (Ref 14)
Strengthen IT Security
To prevent a recurrence of frauds of this kind, financial institutions can improve security by adding biometric systems to their ERP systems or by replacing their legacy systems with SAP. Most biometric systems are used for access control. bioLock, a biometric system developed by realtime NorthAmerica, is the only biometric system which goes beyond access control and is able to control a field, function or value within the ERP system, such as the amount of an outgoing wire transfer. The technology offers control over changes to transactions within SAP R/3 and will prevent unauthorized changes. The special committee investigating Societe Generale's fraud recommended that, to prevent traders from using one another's accounts, the bank should use a stronger biometric authentication system.
In today's world, banks are required to comply with regulations and standards to protect banks and financial institutions from fraud. To mitigate fraud, these banks and financial institutions need to supplement their internal controls compliance with biometric authentication. Biometrics will prevent data security breaches. Fraudsters will not limit their activities to the ERP system. Users of ERP systems must also secure email systems and any trading systems interfacing with an ERP system. This would tighten security and improve accountability.
In 1995, Barings Bank, the oldest merchant bank in London, collapsed because of the fraudulent activities of a single trader. The current financial meltdown provides evidence that many financial institutions have failed to change systems and people in order to mitigate fraud and to comply with regulations and standards.
CASE STUDY
SOCIETE GENERALE BANK
The fraud at Societe Generale Bank is a classic example of how compliance with IFRS and Basel II was not enough to prevent a fraud that could have been prevented had the bank used SAP and a biometric system to protect it.
What Went Wrong?
Jerome Kerviel worked in the back office and in the middle office from 2000 to 2005, prior to becoming a trader. He had in-depth knowledge of their systems and procedures. (Ref 9 & Ref 10)
The middle office monitored and managed the bank's risk exposures. In 2002, he was promoted to assistant trader, managing risk analysis and hedging. In 2004, he was promoted to the elite Delta One desk as a trader and market maker. His job was to make bets on small price differences between contracts. He needed to make the transactions in pairs, buying and selling similar assets and taking advantage of the minute differences which exist in markets. He crossed his limits and made one-way bets by faking the other half of the bets. He also started making unauthorized bets on the market's direction. Encouraged by the success of these bets, he continued betting on the direction of the market, making one-way bets and faking the other half. He was extremely successful doing this. For the year 2007, he generated a positive gain of 1.4 billion Euros. As he was not authorized to do these trades, he hid them from the bank by creating offsetting fictitious operations. (Ref 10)
In January 2008, for the first time, he experienced an extended losing streak. He started making larger and larger bets that the market would turn around. He started doubling down, a strategy of doubling the bet after every loss. By January 16, he had bet about 50 billion Euros, which was more than the bank's total market capitalization. At this point, Eurex started sending enquiries to Societe Generale's compliance people regarding Jerome Kerviel's trading patterns. (Ref 11)
He went to great lengths to keep his fraudulent trades undetected by the system. He used:
• Fake email messages to justify missing trades.
• Borrowed colleagues' log-in credentials, using their passwords to conduct trades in their names.
• Forged documents. He created a fictitious Profit and Loss statement for 2007 reflecting the bogus hedges he had created for this period.
• Manipulation of the bank's proprietary system, Eliot, by deleting transactions and re-entering them after reconciliation.
Technologies Used
Societe Generale Bank used a proprietary system, Eliot, for trading. Kerviel knew how to manipulate the system. He knew the timing of the nightly reconciliation of the day's trades. Accordingly, he would delete his unauthorized trades before the reconciliation and re-enter them in Eliot afterwards, without being detected. The bank used Zantaz, e-discovery and archiving software. The compliance team used RISQ/CMC, a trade tracking dashboard built on Accurate NXG, a reconciliation, exception management and workflow software package. There were 75 warnings regarding Kerviel's rogue trading. Yet the authorities failed to detect Kerviel's rogue trading until it escalated to such a high level. (Ref 12)
The Solutions
What can organizations do in the future to prevent this? According to Diamond Management and Technology Consultants, Inc., this fraud was due to deficiencies in Societe Generale's operational risk management. To avoid this situation, Societe Generale needs to have automated processes, an internal controls culture, and IT access controls. (Ref 13)
Need Improvement
Banks and financial institutions need to build an internal controls culture which spans the business from top to bottom and also extends across businesses.
They need to improve:
• Controls for cancelled or modified transactions
• Controls for transactions over certain limits
• Procedures to act on alerts
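The delete-and-re-enter pattern described under Technologies Used and the three controls listed above, as an added detection example (not from the article, the bank, or any vendor product). The trade log, the 22:00 reconciliation time, the 10 million per-trade limit and the escalation threshold are constructed assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed sample trading-system log (not from the article or any real
# system). Fields: timestamp|event|trade_id|trader|amount
SAMPLE_LOG = """\
2008-01-14T10:05:00|ENTER|T100|kerviel|8000000
2008-01-14T16:40:00|DELETE|T100|kerviel|8000000
2008-01-15T00:30:00|ENTER|T100|kerviel|8000000
2008-01-15T09:10:00|ENTER|T101|smith|250000
2008-01-15T11:00:00|MODIFY|T101|smith|9500000
2008-01-15T11:30:00|ENTER|T102|jones|12000000
"""
RECON_CUTOFF = time(22, 0)   # assumed start time of the nightly reconciliation
TRADE_LIMIT = 10_000_000     # assumed per-trade amount limit

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, kind, tid, trader, amount = line.split("|")
        events.append((datetime.fromisoformat(ts), kind, tid, trader, int(amount)))
    return events

def recon_day(ts):
    """Date of the reconciliation run that first processes an event booked at ts."""
    return ts.date() if ts.time() < RECON_CUTOFF else ts.date() + timedelta(days=1)

def detect(events):
    """Apply the three controls; return (trader, trade_id, reason) alerts."""
    alerts, deleted = [], {}   # deleted: trade_id -> recon_day of its deletion
    for ts, kind, tid, trader, amount in sorted(events):
        if kind in ("DELETE", "MODIFY"):          # control 1: cancelled/modified
            alerts.append((trader, tid, f"{kind.lower()} of booked trade"))
        if kind == "DELETE":
            deleted[tid] = recon_day(ts)
        elif kind == "ENTER" and tid in deleted:
            # trade absent during a reconciliation run, then put back afterwards
            if recon_day(ts) > deleted.pop(tid):
                alerts.append((trader, tid, "re-entered after reconciliation skipped it"))
        if kind in ("ENTER", "MODIFY") and amount > TRADE_LIMIT:   # control 2: limits
            alerts.append((trader, tid, f"amount {amount} exceeds limit {TRADE_LIMIT}"))
    return alerts

def escalate(alerts, threshold=2):
    """Control 3: traders with at least `threshold` alerts are queued for review."""
    counts = {}
    for trader, _, _ in alerts:
        counts[trader] = counts.get(trader, 0) + 1
    return sorted(t for t, n in counts.items() if n >= threshold)
```

Running `detect(parse_log(SAMPLE_LOG))` flags the deletion, the post-reconciliation re-entry, the modification and the over-limit trade; `escalate` then returns the one trader with two alerts.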
Paul Sheldon Foote is a professor at California State University, Fullerton and Reena Hora is an IT professional at a software company.
For more information, please send your e-mails to swm@infothe.com.
©2007 www.SecurityWorldMag.com. All rights reserved.