Biometric Security for Financial Meltdown Solutions
by Paul Sheldon Foote, Reena Hora - California State University, Fullerton - Monday, 6 October 2008.
Societe Generale Bank case study - The fraud at Societe Generale Bank is a classic example of how compliance with IFRS and Basel II was not enough to prevent the fraud which could have been prevented if they used SAP and a biometric system like bioLock to protect them.

What went wrong?

Jerome Kerviel worked in the back office and in the middle office from 2000 to 2005, prior to becoming a trader. He had in-depth knowledge of their systems and procedures.

The middle office monitored and managed the bankís risk exposures. In 2002, he was promoted to assistant Trader, managing risk analysis and hedging. In 2004, he was promoted to the elite Delta One desk as Trader and Market maker. His job was to make bets on small price differences between contracts. He needed to make the transactions in pairs by buying and selling similar assets and taking advantage of the minute differences which exist in markets. He crossed his limits and made one-way bets by faking the other half of the bets. He also started making unauthorized bets on the marketís direction. Encouraged by the success of these bets, he continued betting on the direction of the market and making one-way bets and faking the other half. He was extremely successful doing this. For the year 2007, he generated a positive gain of 1.4 billion Euros. As he was not authorized to do these trades, he hid this from the bank by creating an offsetting fictitious operation.

In January 2008, for the first time, he experienced an extended losing streak. He started making larger and larger bets that the market would turn around. He started doubling down, which is a strategy where he started doubling his bet after every loss. By January 16, he had bet about 50 billion Euros, which was more than the bankís total market capitalization. At this point, Eurex started sending enquiries to Societe Generaleís compliance people regarding Jerome Kervielís trading patterns.

He made a lot of effort for his fraudulent trades to be undetected by the system. He used:
  • Fake email messages for justifying missing trades.
  • Borrowed colleagues log-in credentials by using their passwords to conduct trades in their name.
  • Forged documents. He created a fictitious Profit and Loss statement for 2007 reflecting the bogus hedges he had created for this period.
  • Manipulated the bankís proprietary system Eliot by deleting transactions and re-entering them after reconciliation.

Technologies used by the bank

Societe Generale Bank used a proprietary system, Eliot, for trading. Kerviel knew how to manipulate the system. He knew the timing for the reconciliation every night for the day trades. Hence, accordingly, he would delete his trades and re-enter these unauthorized transactions in Eliot the banks proprietary system for trading, without being detected.

The bank used Zantaz, a system for e-discovery and archiving software. The compliance team used RISQ/CMC, a trade tracking dashboard which uses Accurate NXG, a reconciliation, exception management, and workflow software package. There were 75 warnings regarding Kervielís rogue trading. Yet, the authorities failed to detect Kervielís rogue trading until it escalated to such a high level.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th