
UBS: Our Risk Systems Did Detect $2bn Rogue Trader 151

A few weeks ago, UBS employee Kweku Adoboli (universally described as a "rogue trader") ran up a $2 billion loss for his employer; many readers wondered how it is the systems which allow trades to happen at all aren't better tuned to catch such massive cash flows without triggering alerts. Now, reader DMandPenfold submits a report from Computerworld UK in which the bank claims that such triggers were in place — they were simply not acted on. From the article: "UBS has insisted its IT systems did detect unusual and unauthorised trading activity, Interim chief executive Sergio Ermotti, who is running the company following Oswald Grubel's resignation last month, sent a memo to employees saying the bank is aware that its systems did detect the rogue activity. In the memo, Ermotti wrote: 'Our internal investigation indicates that risk and operational systems did detect unauthorised or unexplained activity but this was not sufficiently investigated nor was appropriate action taken to ensure existing controls were enforced.'"

  • It can only be attributable to human error.

    • Re: (Score:3, Informative)

      by TheLink ( 130905 )
      The other explanation is they were hoping the trader would make money, in which case everyone would share the profits etc.

      He lost money so he's a rogue trader.
  • Called it (Score:2, Interesting)

    From my comment on the original article [slashdot.org] :

    "Let's face out out on the terrain no-one is holding these guys accountable. IT may set up the system, Risk Management may generate the reports and they'll be either modified to say what management wants to say or just plain ignored because like all gamblers these guys think they have a system which lets them keep on winning even as they are betting their house (or in this case our houses.)"

    This "blame IT" crap has gone on long enough. It's time we stood up for ourse

    • How exactly do you do that?

      Either you write a report that is just plain ignored or you get pegged as a HaxorTerrierist.

      I swear, this is just that old childhood playground stuff all over again, where the jocks in the board room and Gov are blaming the geeks.

      • In my case I pulled out the bug report that showed the VAR reports total field was being overflowed when a customer ran it. Bug had been fixed 6 months prior to customer going into bankruptcy (then being made whole by the ratepayer.)

        Of course they weren't trying to blame us. They were claiming it was because they couldn't do long term deals. Which is true, but it's true because they had previously engaged in incestuous, non-arms length, long term deals with their open market corporate cousin.

        I shouldn'

      • by AK Marc ( 707885 )
        No, you go walk up to a reporter and say "Hi, I work for UBS and would like to get IT's story on the record." Then you paint a picture where IT is told to "detect" such things but never block them. Report them to the people who would then authorize blockage (but never do in a timely manner) and then the system, enforcing bad business processes, is blamed for a business process problem that lies with the upper management not wanting to enforce reasonable rules, knowing they can always blame it on some othe
    • 'Blame IT' is a shallow description of what happened. The original discussion was all about: 'didn't they have risk management in place?' Not: blame the IT guy that wrote the VAR report.

      Sounds like they are blaming their risk officer (who should be the CFO or at least report to the CFO).

    • Re:Called it (Score:4, Insightful)

      by ackthpt ( 218170 ) on Thursday October 06, 2011 @01:54PM (#37629936) Homepage Journal

      From my comment on the original article [slashdot.org] :

      "Let's face out out on the terrain no-one is holding these guys accountable. IT may set up the system, Risk Management may generate the reports and they'll be either modified to say what management wants to say or just plain ignored because like all gamblers these guys think they have a system which lets them keep on winning even as they are betting their house (or in this case our houses.)"

      This "blame IT" crap has gone on long enough. It's time we stood up for ourselves instead of allowing ourselves to be used as a convenient scapegoat all the time.

      How often have you seen an IT representative in front of the cameras say, "Well, we see this behaviour, the lights are flashing, the klaxons are going like a cat with its tail in a wringer, but the people who collect 7 figure salaries haven't been taking an interest so far."

      Should be criminal charges for management negligence -- and I don't mean just giving the the sack. Those protesters on Wall Street have a point, everyone gets hurt when the bank CEOs screw up, but those most responsible. Thanks to their stalwart defenders in the US Congress no stronger regulation get passed. If that's not sign that government is in the bank's pockets, I can't imagine what could be more clear.

      • Re:Called it (Score:4, Informative)

        by Wansu ( 846 ) on Thursday October 06, 2011 @02:18PM (#37630364)

          Those protesters on Wall Street have a point, everyone gets hurt when the bank CEOs screw up, but those most responsible.

        Herman Cain says it's the protester's faults if they don't have job. After all, this is 2011 and what the bankers did was in 2008.

        • Re:Called it (Score:4, Informative)

          by Doc Ruby ( 173196 ) on Thursday October 06, 2011 @03:53PM (#37631890) Homepage Journal

          Actually, what Cain said yesterday [nydailynews.com] was "Don't blame Wall Street, don't blame the big banks, if you don't have a job and you're not rich, blame yourself."

          While it's arguable that not having a job is a person's own fault (a losing argument with the economy, but arguable), saying it's the fault of everyone not rich that they're not rich isn't just insane. It's the kind of institutional insanity that is driving the country into nothing but the madhouse, with a corporatocracy of Cains at the wheel.

          • by AK Marc ( 707885 )
            There's a class war in the US. The "conservatives" (not actually conservative, but self-label as such, so I'll use the tag they put on themselves) firmly believe that in the Land of Opportunity, the inability to succeed indicates a personal flaw, proving the person is inferior and deserves poor treatment. That's simply insane. I can't argue with it any more than someone who insists the sky is red. It's provably not true, but only if they will open their eyes and look at the facts, and that just doesn't
        • After all, this is 2011 and what the bankers did was in 2008.

          What bull. The financial crisis is ongoing, the dominoes are still falling.

      • Actually in this case, the CEO resigned, and much of the rest of senior management involved has been also compelled to resign. The losses have been absorbed by the shareholders and employees of UBS, which is exactly as it should be.

        The 2008 crisis was a completely different animal, and everybody should be angry the giant banks are relatively unchanged since then. But even then almost all the senior management of those organizations was kicked out.

      • How often have you seen an IT representative in front of the cameras say, "Well, we see this behaviour, the lights are flashing, the klaxons are going like a cat with its tail in a wringer, but the people who collect 7 figure salaries haven't been taking an interest so far."

        I'd love to see someone do that, they'd never work in the industry again though.

        Should be criminal charges for management negligence -- and I don't mean just giving the the sack. Those protesters on Wall Street have a point, everyone gets hurt when the bank CEOs screw up, but those most responsible. Thanks to their stalwart defenders in the US Congress no stronger regulation get passed. If that's not sign that government is in the bank's pockets, I can't imagine what could be more clear.

        Thanks to the revolving door between Goldman Sachs [nytimes.com] and the US government the banks are the government. The barbarians aren't at the gate, they're manning the walls.

  • I guess it forgot to 'pick up' the job cuts and absolute chaos this would ensue while it was at it.
  • by Chris Mattern ( 191822 ) on Thursday October 06, 2011 @01:15PM (#37629314)

    A risk system that nobody pays attention to is no different from not having a risk system at all, except that you're paying for it. As UBS found out.

    • Actually, it's worse because it lulls you into a false sense of security.

      I wonder if this was a case of the boy who cried wolf/car alarm problem; a system that isn't calibrated well and that people learn to tune out due to all of the false alarms.
      • by mikael ( 484 )

        Nick Leeson worked in the IT department before he became a trader. He learned all the phrases traders used when a false-positive alarm was triggered; "Oh, I'm just clearing up a wrong transfer", "Just rolling through some accounts", "sorry, the other guy was logged in at my terminal", "Just tidying up an old account".

        Then when he became a trader, he knew about the test accounts to store his losses, as well as how to smooth over the tripwire alarm system whenever IT called him up.

        • Then when he became a trader, he knew about the test accounts to store his losses, as well as how to smooth over the tripwire alarm system whenever IT called him up.

          Well there's your problem.

          Why would IT call him? Wouldn't the alarm go to someone managing the people who manage the trades?

          • by mikael ( 484 )

            First level contact was to ask the trader to recheck their transactions, then escalate to supervisors.

            • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday October 06, 2011 @02:06PM (#37630184)

              Sorry for repeating a meme, but in this case it is extremely valid.

              First level contact was to ask the trader to recheck their transactions, then escalate to supervisors.

              IT should NEVER be involved at that level. The alerts should go to the manager (or the manager of managers) who SHOULD have more insight into the situation than IT.

              Having IT in the loop means one more failure point (and an additional delay).

              • You are supposing they want to stop these traders. In reality, the "rogue traders" look very profitable prior to the crash - just like someone who is driving way too fast on the race track is out front till he crashes. There is no way they are going to stop their "star".

                The entire system is fundamentally flawed. The banks are expecting to make more money than is in the system to make. Of course the world economy is still screwed. "It's the bankers, stupid!"

              • by dintech ( 998802 )

                Yeah, which is why compliance and middle-office departments exist. Really it is these people that questions should be asked of and ultimately where heads will roll.

        • How about, after 10 or 100 or whatever over-rides, somebody does some poking around just to see if anything's up?
        • he knew about the test accounts to store his losses

          Security by obscurity raises its ugly head again

        • by quarterbuck ( 1268694 ) on Thursday October 06, 2011 @02:04PM (#37630144)
          Nick Leeson did not work in IT according to his biography [nickleeson.com] or according to Wiki.
          He used an error account, which he realized was unaudited, but that is something you pick up from being a trader or an auditor- not necessarily IT. These things are common in investment banks/brokerages which have a lot of accounts and client trades and errors need to be isolated in an account that does not belong to a client. ie. if a client asked to buy 100 pork belly contracts and you bought him lean hogs instead, you need a place to dump the pork bellies you bought. It does not mean a "test account" in the IT sense.
          • Prior to working on the trading desk they worked in operations. While Operations may be the kissing cousin of IT, it is not exactly the same. But in either case, (Leeson or Adoboli) knew what would trigger the compliance office (In those days “Risk Management” tended not a separate department).

            In Leeson's case, he was head of both trading and operations (which is a no-no - but it was Singapore – a small desk – why can’t one person do both jobs?). So on side he present it as a e

    • A risk system that nobody pays attention to is no different from not having a risk system at all, except that you're paying for it. As UBS found out.

      Boy are people going to be surprised when they find out the government has all these regulations and very few employees to monitor compliance and initiate enforcement actions.

      • Not surprised. Why do you think they pass most of the useless regulation? So the useful regulation is not enforced, just like the limits on feeding cows cornflakes.

        Also helps their donors, no better way to preempt competition than put in volumes of regulations and crooked regulators.

        • The most important part is where the government stops collecting taxes, guaranteeing that even agencies with oversight orders and staffing budgets are underfunded and so understaffed. It helps even more to block the appointment of top managers in the agencies, so the whole office is crippled, overburdened, and unfocused without a leader.

          Guess who is responsible for undertaxing and blocking agency appointments? Don't strain - it's the Republicans, and maybe enough fellow "Conservatives" in the Democratic Par

      • Boy are people going to be surprised when they find out the government has all these regulations and very few employees to monitor compliance and initiate enforcement actions.

        That will come as a surprise to precisely no one. The SEC has been purposely underfunded for decades. You think that is by accident? The financial firms and their, ahem, elected representatives want it that way so they can't cause too much trouble. Hard to monitor wrongdoing when you don't have enough manpower. Congress can effectively neuter any regulatory agency simply by cutting their budget. Doesn't matter what laws are actually on the books if they can't be enforced.

        • by AK Marc ( 707885 )
          Don't forget, "independent" auditing firms, like Accenture and PWC, actively solicit bribes to certify compliance for those not compliant. The accounting firms approved Enron's activities long after the illegal stuff started. Auditing firms are leeches who lie for a living (because if they don't lie, the other firms will come in and get the big account and lie). Die PWC die.
          • Don't forget, "independent" auditing firms, like Accenture and PWC, actively solicit bribes to certify compliance for those not compliant.

            Accenture is not an auditing firm. They are a consulting firm which has nothing directly to do with auditing. They used to be part of an auditing firm but have not been for some time. Furthermore having actually worked with big accounting firms myself, they generally are actually pretty honest, albeit flawed. They serve a very useful purpose which is to verify that the financial statements are a reasonable (not perfect - that is impossible) representation of the financial situation of a company. For th

            • by AK Marc ( 707885 )

              Accenture is not an auditing firm.

              Arthur Andersen committed a number of felonies while "auditing" Enron. It was so bad that they changed their name immediately after to "hide" from being linked to Enron. Whether they sold off a business unit here or there to be able to deny being the auditing firm that signed off on Enron's cooked books doesn't change the fact that they were. And the feds gave them a free pass for the felonies because the feds didn't want to increase the trouble of the bubble bursting that was going on at the time by und

    • Maybe the risk system worked so many times that they stopped taking it seriously. Maybe they have a risk assessment guy who has gotten used to clicking "Allow" all day long. Sound familiar?
    • "yeah, we knew about it, but we didn't fucking care until he lost a bunch of money. Then we sorta cared, but pushed all the losses off onto our customers, so no, we still don't fucking care.

  • You must test (Score:4, Insightful)

    by TheSync ( 5291 ) on Thursday October 06, 2011 @01:22PM (#37629418) Journal

    Whenever you have a monitoring or backup solution, it must be regularly tested to ensure a responsive psychology (as well as proper device operation).

    They should have had 1 or 2 fake funny trades per month, and if the people who got the alert messages didn't respond, they should have been punished or fired.

    • by TheCarp ( 96830 )

      Whenever you have a monitoring or backup solution, it must be regularly tested to ensure a responsive psychology (as well as proper device operation).

      They should have had 1 or 2 fake funny trades per month, and if the people who got the alert messages didn't respond, they should have been punished or fired.

      Nah, you don't need to punish or fire them in the traditional sense.

      All you need is to have some mandatory meetings that kick off to investigate, document, etc. Just make missing them a pain in the balls for the people who should have caught it, and they will make sure it doesn't happen again. Getting fired sucks.... facing repetitive ball busting hell is much worse and an excellent motivating factor.

      But also.... that's not enough, and might not even be the right problem. You have to ask, why did they miss t

      • You set up the monitoring system ... and you investigate the events it is reporting.

        Then you tune it to get rid of the junk ... and you monitor it again ... and you investigate the events it is reporting.

        Then you tune it blah blah blah blah blah.

        Once you have it to the point where it isn't reporting junk you start testing it by setting up fake scenarios you want to catch. And investigate the events it is reporting (and the cycle continues).

        Not to mention just going through ALL the events on a regular schedu

        • The problem is traders see what you did to 'get rid of all the junk' and hide their fun in with the junk. That is exactly what happened here.

          The other part is that Traders should not see the risk management system directly. They will still be able to game it (with small test trades to see what gets noticed) but it will be more difficult. Gaming risk management should be fireable.

        • by TheCarp ( 96830 )

          Exactly. However, not everyone understands that and a lot of people who don't get this.

          It's also nearly impossible to get to this point if management doesn't understand the process that is needed and buys in to making everyone play ball.

          I remember seeing presentations by a specific monitoring team of positions past. They presented how the decision was made to "just turn everything on". After several years they had hundreds of alerts a day... way too many to even think of turning on paging... and it was anoth

          • After several years they had hundreds of alerts a day... way too many to even think of turning on paging... and it was another 4 years before they got to the point that they had management buy in to take it seriously, turn on paging, and make people work with the monitoring group to tune down the alerts.

            One place I worked had a problem with an average of 1 alert A WEEK. Because it almost always turned out to be some stupid non-issue ... eventually everyone started ignoring it. Even to the point of ignoring

      • This is worse, as a "rogue" trader is, at least to this speaker of English as a second language, someone who deliberately did wrong.

        He was not "making mistakes" he was trying to game the system.

        As I posted earlier in this thread, at the very least, he should have been sandboxed/honeypotted, with someone replaying any transactions he made that had value(so he'd NOT know he was being audited for being a crook and facing jail time).

        • by TheCarp ( 96830 )

          That's interesting and points out something that I missed...

          Monitoring is great for looking for broken systems.... however.... it will never be enough to catch an intelligent adversary, who is actively gaming it (unless he doesn't understand the game he is playing, or makes a mistake).

          You are always limited by manpower, because someone has to act on alarms. Humans can and will act according to how the environment dictates. You either have enough people to investigate and log evidence on every single alert, o

      • Nothing pains the balls as much as being fined your share of the rulebreaking losses. Which should exceed the annual pay.

        Unless it's being fined and fired, which implants the pain instrument in the balls. Better yet, fined, fired, and convicted of a crime. That'll put "balls pain" right at the top of your resume.

      • by tlhIngan ( 30335 )

        You missed other reasons.

        Perhaps said trader got annoyed at all the alerts and simply told them "I'm a hot shit super trader. if there's any odd trades coming from me, it's because I know stuff you idiots don't so screw you and let me do my trades!" This is especially true if the trader has a reputation of oddball trades but makes tons of money back.

        The other possibility is said trader simply causes alarms constantly but they're small ones and they up the threshold for his alarm. Eventually the threshold is

  • Am I the only one who was really confused when these stories were not about the kind of Rogue Trader [fantasyflightgames.com] I expected them to be?
    • by blair1q ( 305137 )

      No. But you are the only one who still thinks that's funny. So you got that going for you.

  • I've actually had leadership-types ask me, straight-faced and very upset, "Why did you let me ignore those warnings you've been sending me?"

    There is, of course, no answer. (Well, there are answers, but they're pretty dickish: "I tried mind control, but apparently you have no mind." Or "I'm not your mommy, Major." And by "dickish", I mean "likely to get my uniformed ass into correctional custody." To quote Coulton, "Code Monkey not say it out loud; Code Monkey not crazy, just proud")

  • Exec: "Eh, it's still running, probably just a glitch or something."

  • It's all CYA tactics.
    if the loss alone was 2billion imagine how much money was on the table. I don't see how a trader could have access to such obscene amounts of resources without any authorization and oversight.
    I am sure that the management knew about everything and was very happy because the bets on rising swiss franc were extremely profitable and pretty much printed money. They had to be smiling at the thought of fat christmas bonuses coming their way. Everything was peachy... until the swiss central b

    • by Orga ( 1720130 )
      Very very true. You know they made a lot off of those trades, everyone was into it. If this guy likely had some authorization since this profitable trade sprang up on short notice. If they had made billions you'd have never heard about it, but they lost it and needed a scapegoat. Enter "rogue trader".
    • The stories at the time of arrest indicate that it was Equity Index [nytimes.com] linked securities that the trader was gambling on, not Swiss Franc like it was widely assumed.
      That was also the time when European indices, emerging market stocks and to a lesser extent US stocks crashed. But otherwise you are right - apparently Adoboli had done hidden trades starting as far back as 2008 and they were generally profitable. http://www.guardian.co.uk/business/2011/sep/17/kweku-adoboli-ubs-fraud-charges [guardian.co.uk]
      • by hughk ( 248126 )
        Not hidden trades. The guy was making perfectly reasonable trades on the FDAX and EuroStoxx indices. Allegedly, he was hedging the futures with ETFs (Exchange Traded Funds) which should be comparable to an exposure to the underlying shares. However it seems that the hedge trades were being entered as OTC deals but in reality were never happening. As some banks weren't apparently sending confirmations, this was not spotted. Of course, there would be no cash flows but that would not be spotted immediately.
    • He was on an ETF desk, which is supposed to be a low risk, low margin place. The only way to make a profit on those desks is to squeeze out every penny and make it up on volume. Such a desk can very easily be dealing with billions and yet only have exposure of less than a million - if it's run the way it's supposed to.

  • by Torodung ( 31985 ) on Thursday October 06, 2011 @01:52PM (#37629898) Journal

    Paraphrase: "We had (have) severe operational problems. Kweku Adoboli is a scapegoat. We can't explicitly say that because of liability issues."

  • Not a rogue trader (Score:3, Interesting)

    by steamraven ( 2428480 ) on Thursday October 06, 2011 @01:59PM (#37630054)
    If they detected it, and didn't do anything about it, doesn't that mean they approved of it?
  • This is what I said in the previous article about this situation when commenting about someone who said they couldn't monitor every trade:

    Yes, they do. Every trade is supposed to be monitored. Even if it means a few bad trades get through, they can and are supposed to review the accounts, timing, etc that go in to every trade to determine legitimacy and adherence to trading rules.

    It's one thing to say you can't check an instantaneous trade. It's quite another to say you can't look at multiple trades your tr

  • We're not idiots, we're incompetent.

  • Yeah, yeah, yeah. We detected the unusual activity. But it was a measly 2 billion dollars. Our high and mighty CEO is not going to break his golf game for such a trivial thing. Heck, forget the CEO. The underling to the assistant deputy sub vice president would not break his Angry Birds practice to take a look at it. If you want these things to be attended to quickly you need to raise their pay enough to motivate them.
  • " they were simply not acted on"

    Likely cause UBS was trying to figure out how to make money for themselves from the transaction. So typical of these banks.

    Why stop a transaction when you can also skim/make some cash on the side as well. That's the name of the game and why self-regulation failed in the financial industry the last 10yrs.

    Unfortunately what applies here, someone once said, don't blame the player, blame the game.

    • Blame the player, too. They don't have to play that blameworthy game. In fact, banks as big and influential as UBS are the best positioned to change the game. During the past few years since UBS helped crash the world's economies, UBS has been playing the same game as the other banks in keeping the same reckless risk game running, interfering with efforts to regulate the game. Instead it could have helped regulate the game in a way that let it do legitimate business without overwhelming competition from ban

  • I'm not sure who to blame here, but I've seen something like this several times in my career: Someone sets up a big elaborate system to detect security threats, monitor their systems, or enforce a workflow. Then the people in charge cheer how this system is going to solve all of their problems, and they cede all responsibility to the computer. They don't check whether the system is working the way it should. They don't pay attention to the alerts the system kicks out.

    Having seen it so many times, I've l

  • And again, a basic software axiom has again been proved true:

    "When you build a piece of software to be idiot-proof, your user base will find a way to build a better idiot."

    They weren't brought down by anything as prosaic as a bug... they lost money because they completely ignored the output from a system specially designed to warn them of activity like this.

  • UBS and the rest of its banking industry crippled the global economy by doing exactly this: IT systems and business rules showed unsupportable risks were being executed by their traders, but the execs did nothing to stop or slow it.

    Something like 2-10 $TRILLION in losses later, after years of the worst recession possible since the reforms installed after the Great Depression, UBS hasn't changed. There is no reason to believe any of these banks have changed, since they all act the same way to compete with ea

    • by jafac ( 1449 )

      Well, I think you're right.

      This is precisely why there are tens of thousands of Americans on the streets protesting at this very moment.

      After the Silverado/S&L crisis of the 1980's, the IPO bubble and Enron scandal of the late 1990's/early-2000's, and then the housing market/derivatives bubble of the late 2000's, each time, we've patiently asked for market reforms, or even an equivalent "justice" so that there would be an obvious moral "penalty" for those charged with this responsibility (and those who

  • If you have a rogue trader who games the system, you can look at UBS and say "geez, I guess you'll be investing in a better risk management system!"

    But if you have a good risk management system that throws alarms and nobody looks at them, or follows up on them, then it's all on their heads.

    They only had to look over one of their borders into France to see what a rogue trader could do. This isn't a novel problem, rogue traders taking positions, then losing money and then taking crazier positions to get back
  • There is no other way to put it. This is even worse than not having any triggers at all.
  • $2B in losses. There had to be an agenda there. Kill the company? Maybe. Funnel money to someone else is quite likely too. Friends? Terrorist? I think they should look more into where the losses went. Not just how they were lost.

  • Blessed with 20/20 hindsight, any failure such as this people react like it's something that was glaringly obvious. Controls can be very difficult to design, implement and monitor effectively. They have to be sensitive enough that they trip when something goes wrong, yet rare enough that they're taken seriously. When they do trip, the response has to be appropriate. They have to be effective yet also not be an endless cycle of bureaucratic red tape.

    Generally the best controls are ones that almost prevent an

  • It's easy to detect anything: you just always say it's there. In order for detection to be useful, it needs to be traded off against error, you need low false alarms. UBS's system must have had too many false alarms, otherwise this alarm would have been acted upon.

  • There must be something wrong with this new radar thing sir, the screen is full of blips over the Pacific.

    • "They must be that flight of B-17s we're expecting in." And the lieutenant in charge didn't bother to tell anyone else. (True! The B-17s in question got a helluva shock, too; they actually showed up in the middle of the attack.)
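
Several comments above argue that alerting only works if responders are drilled with seeded test events and if noisy rules are found before people tune them out. The Python below is an added example, not part of the original thread and not any bank's system: it scores constructed alert records for missed drills and for rules that are ignored or mostly false alarms. The rule names, owners, four-hour SLA and thresholds are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Alert:
    rule: str
    owner: str                            # who is expected to investigate
    raised: datetime
    acked: Optional[datetime]             # None = nobody ever responded
    seeded: bool = False                  # True = deliberately injected test event
    true_positive: Optional[bool] = None  # known only after an investigation

SLA = timedelta(hours=4)  # assumed response deadline for any alert

def missed_drills(alerts, sla=SLA):
    """Seeded alerts not acknowledged within the SLA, grouped by owner."""
    missed = {}
    for a in alerts:
        if a.seeded and (a.acked is None or a.acked - a.raised > sla):
            missed.setdefault(a.owner, []).append(a.rule)
    return missed

def rule_stats(alerts):
    """Ack rate and precision per rule, computed over real alerts only."""
    stats = {}
    for a in alerts:
        if a.seeded:
            continue  # drills must not inflate or deflate the real numbers
        s = stats.setdefault(a.rule, {"n": 0, "acked": 0, "investigated": 0, "tp": 0})
        s["n"] += 1
        s["acked"] += a.acked is not None
        if a.true_positive is not None:
            s["investigated"] += 1
            s["tp"] += a.true_positive
    for s in stats.values():
        s["ack_rate"] = s["acked"] / s["n"]
        s["precision"] = s["tp"] / s["investigated"] if s["investigated"] else None
    return stats

def triage(alerts, min_ack=0.8, min_precision=0.2):
    """Label each rule 'ignored' (responders tuned it out) and/or 'noisy' (mostly false alarms)."""
    findings = {}
    for rule, s in rule_stats(alerts).items():
        labels = []
        if s["ack_rate"] < min_ack:
            labels.append("ignored")
        if s["precision"] is not None and s["precision"] < min_precision:
            labels.append("noisy")
        findings[rule] = labels
    return findings

# --- constructed sample data (not real alerts) ---
T0 = datetime(2024, 1, 8, 9, 0)

def _mk(rule, owner, day, ack_hours=None, seeded=False, tp=None):
    raised = T0 + timedelta(days=day)
    acked = None if ack_hours is None else raised + timedelta(hours=ack_hours)
    return Alert(rule, owner, raised, acked, seeded, tp)

SAMPLE = (
    # late-booking: always answered, but 9 of 10 are false alarms
    [_mk("late-booking", "control-a", d, 1, tp=(d == 3)) for d in range(10)]
    # unconfirmed-otc: only 1 of 5 was ever looked at, and that one was real
    + [_mk("unconfirmed-otc", "control-b", 0, 2, tp=True)]
    + [_mk("unconfirmed-otc", "control-b", d) for d in range(1, 5)]
    # limit-breach: always answered, half are real
    + [_mk("limit-breach", "control-a", d, 1, tp=(d % 2 == 0)) for d in range(4)]
    # seeded drills
    + [_mk("limit-breach", "control-a", 5, 1, seeded=True),
       _mk("late-booking", "control-a", 6, 6, seeded=True),   # answered after the SLA
       _mk("unconfirmed-otc", "control-b", 7, seeded=True)]   # never answered
)

if __name__ == "__main__":
    print("missed drills:", missed_drills(SAMPLE))
    for rule, labels in triage(SAMPLE).items():
        print(rule, labels or ["ok"])
```

In the sample, the rule that is "ignored" has perfect precision on the one alert anyone opened: the detection worked and the response did not.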
