Daily, trillions of dollars in funds and securities move through financial systems worldwide. The magnitude of these flows exposes financial institutions and their customers to a very high risk of deliberate and accidental fraud. Many government and industry regulations and standards, such as IFRS (International Financial Reporting Standards), Basel II, Basel III, PCI DSS and Sarbanes-Oxley, require financial institutions to take steps to mitigate risk and protect themselves from fraud. These strict regulations were unable to prevent the big slide in the stock markets in September 2008. Future solutions to the financial meltdown must include raising security standards in the financial industry, such as the use of biometric systems.
A brief look at regulations and standards
International Financial Reporting Standards (IFRS): These standards are becoming global standards for preparing companies’ financial documents. They are developed by the IASB (International Accounting Standards Board) and are adopted by more than 12,000 companies in more than 100 countries globally. (Reference 1)
ERP systems such as SAP ERP financials provide compliance solutions for IFRS. (Reference 2)
Basel II & III: These are issued by the Basel Committee on Banking Supervision, which is composed of representatives and senior authorities from the central banks of the G-10 countries. These accords are recommendations on banking laws and regulations. (Reference 3)
PCI DSS: This is a security standard developed to facilitate adoption of data security measures on a global basis and mitigate payment security risks. It includes requirements for security management, software design, network architecture, policies, procedures and other critical protective measures. (Reference 4)
Sarbanes-Oxley Act (SOX): The Sarbanes-Oxley Act became law in 2002 in response to major corporate and accounting scandals. Congress created SOX to increase transparency in financial accounting and to mitigate fraud. Originally, its focus was on accounting and finance. By 2005, compliance efforts had expanded to include human resources, supply chain management and information technology. (Reference 5)
Banks and financial institutions may have risk-control procedures in place that comply with the above regulations, but they remain exposed to fraud. This exposure stems from reliance on passwords for security and from security procedures that are not carried out diligently. According to an April 2008 survey of 185 IT professionals (“IT Departments on Data Security: A Research Concepts Survey”), one in four organizations surveyed had suffered a data breach in the past year, even though most of them viewed security as a high priority. According to the same survey, only one in every 100 employees consistently follows security policy.
New ISO security standard published
To increase security, biometrics is increasingly recognized as a reliable method of identification and authentication. The ISO (International Organization for Standardization) has published a new standard, ISO 19092:2008 (Financial services – Biometrics – Security framework).
“This standard establishes the security requirements for the implementation and management of state-of-the-art biometric identification technology within the financial industry.” This standard will make transactions more secure in the electronic era for the financial sector. (References 6 and 7)
According to a Unisys survey, 66 percent of worldwide consumers preferred that banks, credit card companies, health-care companies and government organizations use biometric identification over passwords, smart cards and security tokens. Most consumers surveyed found biometric solutions extremely convenient and secure, as they would not have to remember passwords and also not have to deal with password misuse. (Reference 8)
There are many ways to obtain a password, ranging from simple means such as casual conversation to more sophisticated software. Data and systems security cannot depend on passwords alone. In certain work environments, such as banks or financial institutions, multiple users share a computer, each logging in with individual credentials to do their jobs. If a user forgets to log out, the next user can misuse the open session to create fraudulent transactions or trades under the previous user’s log-in. The ERP system would then record the transaction as having been carried out by the first user.
Biometrics authentication: The reliable solution for security
SAP users can mitigate fraud by using bioLock (from realtime North America), a certified fingerprint-based biometric solution. Even if log-in passwords were obtained, the fraudster could not do anything with them, because the biometric authentication system would deny access to perform transactions. Even if an ERP system uses multiple passwords per user to control access to specific modules, that approach is no match for a biometric system that can control access down to the transaction, field or data level. The biometric approach is also crucial for maintaining segregation of duties when employees gain new responsibilities. Biometric authentication binds each action to a person; it does not replace limits, reconciliation and the handling of alerts, which the Societe Generale case below shows are equally necessary.
Societe Generale Bank: A case study in what went wrong
The fraud at Societe Generale is a classic example of how compliance with IFRS and Basel II was not enough to prevent a fraud that might have been prevented had the bank used SAP with a biometric system such as bioLock.
Jerome Kerviel worked in the back office (and later in the middle office) from 2000 to 2005 before becoming a trader, so he had in-depth knowledge of the bank’s systems and procedures. (References 9 and 10)
The middle office monitored and managed the bank’s risk exposures. In 2002, Kerviel was promoted to assistant trader, handling risk analysis and hedging. In 2004, he was promoted to the elite Delta One desk as trader and market maker. His job was to bet on small price differences between contracts: he made transactions in pairs, buying and selling similar assets to take advantage of the minute price differences that exist between markets.
Kerviel crossed his limits and made one-way bets, faking the other half of each pair. He also began making unauthorized bets on the market’s direction. Encouraged by his success, he continued making one-way directional bets and faking the offsetting leg, and was extremely successful at it. For 2007, Kerviel generated a gain of 1.4 billion euros. As he was not authorized to make these trades, he hid them from the bank by creating offsetting fictitious operations. (Reference 11)
The winning streak ends
In January 2008, for the first time, Kerviel experienced an extended losing streak. He made larger and larger bets that the market would turn around, doubling down, i.e. doubling his bet after every loss. By Jan. 16, 2008, he had bet about 50 billion euros, more than the bank’s total market capitalization. Eurex had also sent inquiries to Societe Generale’s compliance staff about Kerviel’s trading patterns. (Reference 12)
Kerviel went to great lengths to keep his fraudulent trades undetected. He used fake e-mail messages to justify missing trades, used colleagues’ log-in credentials (their passwords) to conduct trades in their names, forged documents (including a fictitious profit and loss statement for 2007 reflecting the bogus hedges he had created), and manipulated the bank’s proprietary trading system, Eliot, by deleting transactions before reconciliation and re-entering them afterwards.
Technologies Used by Societe Generale Bank
Societe Generale used Eliot, a proprietary trading system. Kerviel knew how to manipulate it: he knew when the nightly reconciliation of the day’s trades ran, so he deleted his unauthorized trades before it and re-entered them in Eliot afterwards without being detected.
The bank used Zantaz e-discovery and archiving software. The compliance team used RISQ/CMC, a trade-tracking dashboard built on Accurate NXG (a reconciliation, exception-management and workflow package).
There were 75 warnings about Kerviel’s rogue trading, yet the bank’s control functions failed to detect it until it had escalated to this level.
What should Societe Generale do to prevent this in the future? According to Diamond Management & Technology Consultants, the fraud was due to deficiencies in Societe Generale’s operational risk management. To avoid a recurrence, the bank needs automated processes, an internal-controls culture and strong IT access controls. (Reference 14)
Internal controls and risk management are key
Organizations must improve and strengthen their internal controls and risk-management procedures. Banks and financial institutions need to build an internal-controls culture that spans the business from top to bottom and across business lines. In particular, they need better controls over cancelled or modified transactions, better controls over transactions above set limits, and procedures that ensure alerts are acted upon.
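The three controls just listed, and the cancel-before-reconciliation pattern described in the Eliot section above, can be expressed as detection rules that run over an export of trade-capture events. The following is an added example written for this article, not code from Societe Generale, SAP or any vendor named here. The event format, the field recording the identity a biometric check returned for the session, the reconciliation window and the notional limit are all assumptions, and the log lines are constructed for illustration.

```python
"""Detection rules for cancelled/modified trades, limit breaches and borrowed
credentials, run over a constructed trade-event export (added example)."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed nightly reconciliation window; a trade cancelled shortly before it and
# an identical one re-entered shortly after it is the pattern the text describes.
RECON_START = time(19, 0)
RECON_END = time(21, 0)
# Assumed per-login gross-notional limit in euros (logins without an entry are unlimited).
GROSS_LIMIT = {"trader_k": 50_000_000.0}

# Constructed sample export: timestamp|event|trade_id|login|verified|instrument|notional.
# "verified" is the identity an (assumed) biometric check returned for the session.
SAMPLE_LOG = """\
2008-01-15T10:05:00|NEW|T1001|trader_k|trader_k|DAX-FUT-MAR08|20000000
2008-01-15T11:30:00|NEW|T1002|trader_b|trader_k|DAX-FUT-MAR08|15000000
2008-01-15T14:00:00|NEW|T1003|trader_k|trader_k|ESTX50-FUT-MAR08|35000000
2008-01-15T18:20:00|CANCEL|T1003|trader_k|trader_k|ESTX50-FUT-MAR08|35000000
2008-01-15T21:30:00|REENTER|T1003|trader_k|trader_k|ESTX50-FUT-MAR08|35000000
"""


def parse_event(line):
    """Parse one pipe-separated event line into a dict."""
    ts, event, trade_id, login, verified, instrument, notional = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event": event, "trade_id": trade_id,
            "login": login, "verified": verified, "instrument": instrument,
            "notional": float(notional)}


def load(text):
    """Parse all non-empty lines and order them by timestamp."""
    return sorted((parse_event(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def credential_mismatches(events):
    """Rule 1: a trade booked under a login that the verified person does not own."""
    return [e["trade_id"] for e in events if e["login"] != e["verified"]]


def limit_breaches(events, limits=GROSS_LIMIT):
    """Rule 2: the gross notional of a login's live trades exceeds its limit.
    CANCEL removes the trade from the book, so someone who cancels before the
    nightly check looks clean at reconciliation; this rule runs on every event."""
    live = defaultdict(dict)   # login -> {trade_id: notional}
    breaches = []
    for e in events:
        book = live[e["login"]]
        if e["event"] in ("NEW", "REENTER"):
            book[e["trade_id"]] = e["notional"]
        elif e["event"] == "CANCEL":
            book.pop(e["trade_id"], None)
        gross = sum(book.values())
        if gross > limits.get(e["login"], float("inf")):
            breaches.append((e["login"], e["event"], e["trade_id"], gross))
    return breaches


def recon_evasion(events, window=timedelta(hours=2)):
    """Rule 3: cancel just before reconciliation, re-enter the same trade just after."""
    hits = []
    for c in (e for e in events if e["event"] == "CANCEL"):
        day = c["ts"].date()
        start = datetime.combine(day, RECON_START)
        end = datetime.combine(day, RECON_END)
        if not start - window <= c["ts"] < start:
            continue
        for r in events:
            if (r["event"] in ("NEW", "REENTER") and end < r["ts"] <= end + window
                    and r["login"] == c["login"] and r["instrument"] == c["instrument"]
                    and r["notional"] == c["notional"]):
                hits.append((c["trade_id"], r["trade_id"]))
    return hits


def run_controls(text):
    """Run all three rules over an export and return the alerts per rule."""
    events = load(text)
    return {"credential_mismatch": credential_mismatches(events),
            "limit_breach": limit_breaches(events),
            "recon_evasion": recon_evasion(events)}


if __name__ == "__main__":
    for rule, alerts in run_controls(SAMPLE_LOG).items():
        print(rule, alerts)
```

Rule 1 is only possible when the session carries an authenticated identity separate from the login, which is the point of the biometric layer; rules 2 and 3 need no biometrics at all and would have fired on the pattern the text describes, provided someone acted on the alerts.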
Banks can use an ERP solution such as SAP, which is a leader in the banking industry. Among the 30 largest banks of the world, 21 are SAP customers. The SAP for Banking portfolio includes compliance and risk management solutions. (Reference 15)
SAP’s partner, realtime North America, provides a biometric system, bioLock, which requires biometric authentication for users of the SAP system. bioLock is currently the only certified biometric solution for SAP R/3. One of the co-authors of this article has conducted interviews at a central bank that is using bioLock, and has received positive feedback about its simplicity and effectiveness.
IT Security Must Be Strengthened
To prevent a recurrence of such a fraud, financial institutions can improve security by adding biometric systems to their ERP systems, or by replacing legacy systems with SAP and bioLock. Most biometric systems are used only for access control. realtime North America’s bioLock is the only biometric system that goes beyond access control and can control a field, function or value within the ERP system, such as the amount of an outgoing wire transfer.
The technology controls changes to transactions within SAP R/3 and prevents unauthorized changes. The special committee investigating Societe Generale’s fraud recommended that, to prevent traders from using one another’s accounts, the bank use stronger, biometric authentication. A system like bioLock could have prevented the Kerviel problem for the following five reasons:
1. When Kerviel was promoted from the middle office to the front office, bioLock could have been used to change his role and deny him access to the back-office functions in SAP R/3.
2. An SAP system requiring biometric identification through bioLock would not have allowed Kerviel to use others’ log-in credentials to post fraudulent trades in their names.
3. bioLock would also have prevented Kerviel from deleting the records of his trades from the system before reconciliation.
4. Accountability would have been high, as the system would have logged Kerviel’s attempts to use others’ passwords to enter trades in their names.
5. As a result, a technology such as bioLock would deter fraudsters from attempting fraud, since they would be uniquely identified.
Thus, a biometric system such as bioLock can protect SAP R/3 by restricting access and controlling who can change transactions within it. If SAP interacts with a trading system, and only SAP users can link to the trading system from SAP, bioLock can be used to ensure that only authorized users log on to the user profile that connects to the trading system. Establishing the connection to the trading system would prompt for biometric authentication again. The bioLock log file records who connected to the trading system, and unauthorized users are prevented from connecting.
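To make the five points above and the field-level control concrete, here is an added example of an authorization gate of the kind described, written for this article; it is not bioLock, SAP or any other product’s code. It binds a session to the identity a biometric verifier returned, enforces a role-to-transaction table for segregation of duties, demands a fresh verification for sensitive transaction codes and for wire amounts above a threshold, and writes every decision to an audit log. The transaction codes, roles, threshold, freshness window and the `reverify` callable standing in for the fingerprint reader are assumptions.

```python
"""Field-level, biometrically bound authorization gate for ERP transactions
(added example; the tcodes, roles and limits are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

FRESHNESS = timedelta(minutes=5)       # assumed: max age of a biometric check
WIRE_STEP_UP_LIMIT = 1_000_000.0       # assumed: wire amount needing re-verification

# Assumed role -> transaction codes (segregation-of-duties table).
ROLE_TCODES = {
    "front_office": {"TRADE_NEW", "WIRE_OUT"},
    "middle_office": {"TRADE_CANCEL", "TRADE_MODIFY", "RECON_RUN"},
}
# Transaction codes that always require a fresh biometric check.
SENSITIVE_TCODES = {"TRADE_CANCEL", "TRADE_MODIFY"}


@dataclass
class Session:
    login: str              # account the user logged into
    verified_as: str        # identity the (assumed) biometric verifier returned at logon
    role: str
    verified_at: datetime   # time of the last successful biometric check


def needs_step_up(tcode, fields):
    """True when the transaction code or one of its field values is sensitive."""
    if tcode in SENSITIVE_TCODES:
        return True
    return tcode == "WIRE_OUT" and fields.get("amount", 0.0) > WIRE_STEP_UP_LIMIT


class Gate:
    """Authorize one transaction request and record the decision."""

    def __init__(self):
        self.audit = []

    def decide(self, session, tcode, fields, now, reverify=None):
        """Return (allowed, reason). `reverify` stands in for a fresh biometric
        check: it returns the verified identity, or None if nobody verified."""
        allowed, reason = self._evaluate(session, tcode, fields, now, reverify)
        self.audit.append({
            "ts": now.isoformat(), "login": session.login,
            "verified_as": session.verified_as, "tcode": tcode,
            "fields": dict(fields), "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def _evaluate(self, session, tcode, fields, now, reverify):
        # 1. The session must belong to the person the biometric check identified;
        #    a borrowed password fails here regardless of what follows.
        if session.login != session.verified_as:
            return False, "login does not match verified identity"
        # 2. Segregation of duties: the role must be allowed to run this tcode.
        if tcode not in ROLE_TCODES.get(session.role, set()):
            return False, f"role {session.role} may not run {tcode}"
        # 3. Sensitive tcodes and field values need a recent biometric check.
        if needs_step_up(tcode, fields) and now - session.verified_at > FRESHNESS:
            identity = reverify() if reverify else None
            if identity != session.login:
                return False, "step-up verification failed"
            session.verified_at = now
        return True, "ok"


def demo():
    """Replay the scenarios from the text; returns the gate's audit log."""
    gate = Gate()
    t0 = datetime(2008, 1, 15, 9, 0, 0)
    # Logged in with a colleague's password: the verifier saw trader_k, not trader_b.
    borrowed = Session("trader_b", "trader_k", "front_office", t0)
    gate.decide(borrowed, "TRADE_NEW", {"notional": 1e6}, t0)
    # Own session, but a front-office trader tries a middle-office cancel.
    own = Session("trader_k", "trader_k", "front_office", t0)
    gate.decide(own, "TRADE_CANCEL", {"trade_id": "T1003"}, t0)
    # Small wire within the freshness window: no step-up needed.
    gate.decide(own, "WIRE_OUT", {"amount": 500_000.0}, t0 + timedelta(minutes=1))
    # Large wire ten minutes later: step-up required; the reader confirms trader_k.
    gate.decide(own, "WIRE_OUT", {"amount": 2_000_000.0},
                t0 + timedelta(minutes=10), reverify=lambda: "trader_k")
    # Same request later with nobody at the reader: denied.
    gate.decide(own, "WIRE_OUT", {"amount": 2_000_000.0},
                t0 + timedelta(minutes=20), reverify=lambda: None)
    return gate.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry["tcode"], entry["allowed"], entry["reason"])
```

The order of the checks matters: identity binding comes first so that a denied request is logged against the person actually present, which is what gives the audit trail its value; the role table then prevents a trader promoted out of the middle office from keeping cancel or modify rights.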
Today, banks are required to comply with regulations and standards intended to protect them and their customers from fraud. To mitigate fraud, banks and financial institutions need to supplement their internal-controls compliance with biometric authentication, which removes the shared or stolen password as an attack vector. Fraudsters will not limit their activities to the ERP system, so users of ERP systems must also secure the e-mail systems and any trading systems that interface with the ERP. This would tighten security and improve accountability.