Just as a reminder: a bank's business model usually is to take risks and to get paid for doing so. If a bank instead ends up paying for the risks it takes, the business model is broken, and such an institution will disappear from the market. IT infrastructures have to be built in a way that flexibly supports the business model. Therefore, a bank's IT infrastructure should be capable of making risks transparent and manageable, external risks as well as internal ones. The case of Société Générale shows how vulnerable financial institutions are to inadequate internal oversight caused by a missing end-to-end view on identities.
Jérome Kerviel, the Société Générale trader who caused losses of about 5 bn Euros, had been working in different parts of the bank during the last 5 years before he actually became a trader. He started his career in the back office, where he learned precisely how control systems were employed to supervise traders. And of course, he was authorized to execute such control tasks himself. When he then moved to the front office and became a trader, he remained authorized to control traders. By using different accounts, he was able to control his own trades and to create counter-positions under different identities. Kerviel is not a hacker. He didn't need to invest a lot of criminal energy to "succeed", not even enough to be kept in prison.
I'm sure that Société Générale had sophisticated risk management software in place, maybe even profiling traders and their habits, searching email traffic for keywords that might be worth checking for fraudulent activities, and whatever else. But what sense would all that make if authorizations and privileges are not provisioned or, more importantly, de-provisioned in time, and if access to internal applications is not secured with strong authentication or even biometric identification? If they don't leave the doors of their bullet-proof safes open, why do they leave access open to applications where billions of Euros can be moved into some unknown pockets? The only good thing about it: Société Générale's money is not lost. It just changed ownership, hopefully to a place where it is safer.
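The control gap described in the two paragraphs above is a separation-of-duties check that is run per account instead of per person. The following is an added illustration, not code from the post or from any bank: it reconciles constructed sample accounts to their owning person (hypothetical person IDs, departments and entitlement names), checks toxic combinations on the person-level union, and flags accounts that were granted by a department the owner has since left.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names; not taken from the case above):
# (account, owning person, department that granted it, entitlements)
ACCOUNTS = [
    ("jk_fo", "person-0042", "front_office", {"front_office.trade_execute"}),
    ("jk_bo", "person-0042", "back_office",  {"back_office.trade_control"}),
    ("mm_bo", "person-0077", "back_office",  {"back_office.trade_control"}),
]
# Current department of each person (the mover event has already happened).
PEOPLE = {"person-0042": "front_office", "person-0077": "back_office"}

# Entitlement combinations that must never be held by one and the same person.
SOD_CONFLICTS = [
    ({"front_office.trade_execute", "back_office.trade_control"},
     "a trader must not control trades"),
]

def entitlements_per_account(accounts):
    """The naive view: each login account is judged on its own."""
    return {acct: ents for acct, _, _, ents in accounts}

def entitlements_per_person(accounts):
    """End-to-end view: union of entitlements across all accounts one person owns."""
    per_person = defaultdict(set)
    for _, person, _, ents in accounts:
        per_person[person] |= ents
    return dict(per_person)

def sod_violations(holdings):
    """holdings maps a subject (account or person) to its entitlement set;
    returns (subject, reason) for every toxic combination found."""
    found = []
    for subject, ents in holdings.items():
        for combo, reason in SOD_CONFLICTS:
            if combo <= ents:
                found.append((subject, reason))
    return found

def stale_after_transfer(accounts, people):
    """Accounts granted by a department the owner no longer belongs to,
    i.e. entitlements that should have been de-provisioned on the move."""
    return [acct for acct, person, dept, _ in accounts if people[person] != dept]

if __name__ == "__main__":
    print(sod_violations(entitlements_per_account(ACCOUNTS)))  # [] : blind per account
    print(sod_violations(entitlements_per_person(ACCOUNTS)))   # flags person-0042
    print(stale_after_transfer(ACCOUNTS, PEOPLE))              # ['jk_bo']
```

The per-account check reports nothing, which is exactly the blind spot: only the person-level union reveals the conflict, and the transfer check shows which account should have been removed when the person changed departments.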
While the amount involved in this rogue trading case is a record for the moment, it would be an illusion to think that it cannot happen to other banks. In recent research we did at Kuppinger Cole, we found that 9 out of 10 banks asked were running their SOA and Identity Management projects in isolation from each other, without any regular communication between them. SOA without Identity Management is like a safe without a door.
Will Basel II improve the situation? Unfortunately not. Basel II is a recommendation for banking regulators on how to make rules that define how much capital banks need to put aside to guard against the types of financial and operational risks they face. Although Basel II compliant regulations would force banks to quantify internal and external risks separately, how could they quantify something they don't know? What we need instead is an independent forensic investigation of cases such as Société Générale, resulting in a clear definition of the components that need to be in place in order to avoid a significant increase in the money a bank has to put aside.
We have dedicated a number of sessions at the 2008 European Identity Conference to the question of what these components are and which methods of "total risk profiling" lead to an overall picture of what needs to be done to avoid rogue trading and similar fraudulent activities.