Rogue Traders, Fat Fingers, Behavioral Change, and the Future of Operational Risk
Can you spot the next rogue trader before the real damage is done? Radar interviewed compliance chiefs at some of the world’s biggest banks to understand how they are adapting to protect their institution, and what behaviors and signals they believe to be the real indicators of impending trouble.
Huge sums of money have been thrown at new surveillance systems and experts to run them in the last decade, as the largest institutions strain to reduce risk, appease regulators, maximize returns, but ultimately protect the institution, and themselves both collectively and individually.
Below are extremely candid studies of some of the most sophisticated approaches to operational risk control at Tier 1 global investment banks, with descriptions on approach, benefits, failings, challenges and plans (please note names have been changed to protect identities).
The power of information gathering and sharing
Alice is head of compliance at a global investment bank which, to be generous, has an extensive negative enforcement history. Until recently, her bank was not recording anything in its monitoring program as a breach unless it had crystallized, making it very challenging for a team tasked with finding people who are a risk.
“I have long believed in a ‘broken windows’ policing approach,” says Alice. “If you look through the big historic cases there are some common themes; on the whole the eventual miscreants were pretty good people, but there were always a few little indicators or signposts.’’ Often they had started bullying others, or had a few HR breaches to their name, or times that they entered the building changed significantly, or they had missed mandatory training.
The bank introduced the potential to rate incidents as ‘zero’ rather than just ‘one to five’ into its risk management system, based on severity. “We started to ask for more definition on when something should be recorded on the information system and what was being captured,” says Alice. “It was just compliance breaches but we could have included HR breaches and data from other systems in the bank where rudimentary recordkeeping was done on spreadsheets.”
GDPR, potential profiling and a proportionate approach looms large
After debating the General Data Protection Regime (GDPR), the rights of the employee, access to data and the theoretical limits on profiling under the regulation, the team was finally able to log things where there is a possibility there might be a breach. “This means we get a mass of breaches with a rating of zero,” says Alice. “We got a few early (although minor) wins which helped; one guy was automatically filing compliance notifications to their trash on email.”
These information points revealed other areas which led to the discovery of other interesting issues on his behavior. “It showed why this intelligence is important for people who are often adept at sailing under the radar,” says Alice. They added the Personal Account Dealing (PA) and Travel & Entertainment (T&E) team data; the big achievement was managing to get HR and Litigation involved, as their data tends to be more sensitive.
“We noticed that often it is the same people who while not directly involved, always seem to be connected somehow,” says Alice. “There has been lots of debate about who can access our system and who has rights to amend/ add to that data, but taken altogether we can type a name in and get most incidents across compliance and HR and litigation, and this helps us to get a picture of a record.”
The bank intends to combine that data with profit and loss (P&L) data and other indicators, such as those who are consistently high risk in both.
The bank launched network analysis on its e-communications to highlight significant relationships and also looked at swipe card access.
“We have found quite a few people who were either not in the building or indeed logged in when they allegedly ‘did’ their mandatory training.”
“It is a really strong conduct indicator as it shows a disregard for the rules and means we have severe limits on how we can get info to them if they game the training.” She views the front office as quite relaxed, and feels that all have known for some time that monitoring is occurring within the finance industry. “We do list the data sources we use and the risks we are looking for so the relationship is quite open; the front office often think we are doing a lot more than we are!”
Alice says it has been easy for the bank to carry out monitoring in the US as there are few privacy issues, and considers Asia-Pacific (APAC) the toughest. “We are not even doing ecomms surveillance in the rest of the EU because of data protection,” she says. “There is a very clear line between the surveillance and discipline process; none of the zero-rated hits would make it into the dismissal side, especially where it is a collection of minor hits.”
Compliance have had no requests yet from people asking what is happening to their data, and only a few about what is being recorded, says Alice. Being surveilled is part of their contract, she says, so there is no confusion. “One key issue is the fact that no decisions or outcomes are driven by machine-based decision making,” says Alice. “We feel that we have legitimate interest in our approach as we are operating to protect the firm from risk. Our focus is on groups rather than individuals; anyone being singled out has to have driven us legitimately to that level of scrutiny.”
The compliance team is also looking at things other than potential negatives, bringing in the positive, such as a person being very good at front office escalation. The bank will always be on the lookout for internal talent and accentuating the positives is a great springboard.
“Any career impact is balanced by looking at the whole picture,” says Alice. “Everyone starts as a good person and may become even better over time. Those working between the first and second lines are using [our system] and finding interesting metrics; they use it to steer people away from areas that might become actionable.”
A big bank gets serious about its fraud and conduct program after a big hit that must never recur
One major bank that Radar spoke with has overhauled its fraud and conduct program, and has created one of the more sophisticated control systems we have been exposed to as we have explored the market. Hats off to the team that put it together – it represents a model for others to aim at. Paul, a 2LOD (second line of defence) executive, saw it designed, created and tested.
“You somewhat sign your life away when you join the front office of an investment bank – you know you are going to be subjected to ecomms and acomms surveillance if you are in a client-facing or trading role.”
He outlines how the system has a global investment banking scope and looks across trading, risk, finance and HR. It takes in more than one million data points a week, and the bank has determined key risk indicators of problems.
Every trader and trade is scorecarded, the traders are then bucketed into sector/function specific categories, and then anomalies in that category are identified.
“While it is hard to compare a prop trader to a fixed income (FI) trader, we identify lots of things but generally none of them are fraud.” says Paul. “We do see weaknesses that damage profitability, such as poor trading and pinch points in resource, and we can correlate pressure on a desk where there are absences with spikes in error rate, which is interesting and rewarding.”
This feeds into the ability to measure conduct and conduct risk, he says, but also spot where people repeat mistakes and where training has not worked or has been clearly ignored.
“It helps us ask if this is the right person or if they are way out of their depth and have got into a position that they are not equipped to deal with,” says Paul.
Finding compliance professionals with the depth and breadth of knowledge to identify what really could be an issue, who can then tackle that effectively without being fobbed off, is a huge challenge, Paul says.
“Traders know their niche so well and that is how they make their money; you have to jump into that situation and be able at the least to hold your own logically and get to a comfortable resolution,” he says. “It might also be a fat finger situation that gets stopped by us, but it still has a knock-on effect to other systems.”
Some oversight across a number of programmes can be valuable. “An example might be a failure to do compliance training, as well as an audiocomms issue that was not an issue, some ecomms data leakage sent to a home email address,” says Paul. “This is all relatively low rated but three hits can mean further scrutiny kicks in.”
His main gripe is a lack of communication from the first line of defence.
“Often when we dig deeper, we get comments from them along the lines of ‘yes we know he is a bit of a villain!”
“But this needs to be highlighted earlier to ensure it doesn’t develop into bigger issues, as there have been precedents for this.”
Paul says it is near impossible for management to not sign off such a system and approach when a bank has a terrible enforcement record or has previously experienced a catastrophic trading hole.
“All of these things are very dependent on the people that manage them, and I cannot stress enough how hard it is for those going to the front office and applying scrutiny and trying not to be blinded by a million other things,” he says.
In terms of business sponsorship, he says that satisfying the stakeholder group is hard as everyone wants something different.
“But we aim to provide decent output with graphical representation and some view on where things are heading,” he says. “We think about who can use this in the first and second line but it really can help define our conduct risk. It is still not an exact science.”
How does the scoring really work?
Paul’s team has a number of indicators which are weighted, but generally traders end up in a certain bucket depending on how many risks they triggered.
They will tweak and add data points they consider relevant, and will also log good behavior as this gives the opportunity for someone to make an honest mistake, although Paul is cynical about the worth of this in the current risk environment.
“I am not sure anyone cares that much about good behavior right now; if you are driving around and driving well so be it, the only issue is if you drive recklessly or have an accident,” he says.
“It is unfair that we are judged on what we do wrong rather than right; the presumption is that all the data is available and accessible, but that is just not a reality.”
He said compliance has blown whopping budgets trying to improve that situation, before even adding sophisticated systems on top. “Data generally at these big banks is in a disappointing state despite the help that MiFID has brought,” he says. “We are all just about doing enough right now.”
Does tech offer any hope for increased security and efficiency?
Ryan is a global head of surveillance at a large European investment bank. It has huge resources, but as ever compliance isn’t often the recipient. He believes the current hype of full purpose artificially intelligent solutions is somewhat overblown; they are 10 years away at least.
“It is not realistic to think that everything can be caught.”
“Some of the bigger firms are closer to this than the rest of the market, but the budgets required are significant at a time when the Tier 2 banks are struggling.” Paying for existing legacy systems that are out of date leaves little appetite to invest in new, he says, as the bottom of Tier 1 and most of Tier 2 fall further behind.
“Predictive analytics requires perfection and an ability to look into the future that is so hard to trust,” Ryan says, adding that soft controls need to be included to cover any gaps.
While he praises the FCA for its huge conduct push as this puts more focus on individual trader behavior, there are limiters, not least GDPR. “Some of the more creative work based on hunches and speculative models might not be justified under GDPR as proportionate surveillance (eg GPS data throws up patterns to show certain individuals always leave the building together after certain events),” he says. “But there is value in trying to work out who is most likely to abuse their established position.”
This could even be the privileged employee with access to sensitive information who has a history of compliance breaches and is well connected across the market.
His approach is to tackle the problem layer by layer. Trade surveillance should, in his view, have sensible thresholds where outcomes and size of trade and hit rates are all ranked against that individual’s history and peers,” he says. While comms surveillance can reveal conduct issues, if these alerts are not controlled it can open the floodgates and become impossible to manage.
Does it take a wolf to catch a wolf?
“We need people with a blend of experience who are clear about, and comfortable with, their roles – sitting clearing alerts day-in and day-out can be tedious and needs a certain mindset.”
A trend is emerging where former traders who have tired of the market or even recognized the error of their ways, are becoming compliance officers. He says they often excel in the comms space in being able to follow a trail right to the end.
“They think the same way and understand the jargon and acronyms,” he says. “The new breed that completes the team is the data guy; we are all looking for that person right now and have used existing resource to some extent but we are hoping to supplement this externally.”
Ask Ryan to draw the perfect compliance skillset and they are culture aware, language aware, market aware, risk aware, understand products and jurisdictions, and have a knack for analyzing trading patterns. “We are looking for someone who does not exist,” he laughs.
Getting lucky with an imperfect science that is improved when silo mentality is broken down
Lucy is a seasoned compliance expert with experience in both the US and the UK, currently deep in the machine at a vast global investment bank.
“One of the main challenges of surveillance is that you can throw almost any amount of money at it. There is always more we could do and what is very disappointing for those funding it, is we cannot sit there and say we are absolutely going to catch everything.”
Echoing the views of her peers, it is more than just tech, more than just people; and often the best discoveries are down to luck as anything else.
She believes the gathering of intelligence needs to be improved, and it is too easy to blame GDPR. “With respect to GDPR and employment law we need to be assembling a lot of info about individuals, we need to be looking at trade surveillance alerts but also at conduct and HR issues; the challenge of fighting rogue trading is that responsibility sits in a number of places,” she says.
When Risk flags an individual for hitting limits, she says how that is combined with surveillance alerts and HR issues is key. “How do you join all those dots? I think that is still a big question as I am not sure that banks are doing this properly or at all,” she says.
Firms are behind the FCA in this respect, she believes, given the clearer legal mandate at the regulator.
“We are constantly being checked by the lawyers and the employment and data teams,” Lucy says. “They react with pure horror at our suggestions but there is a risk balance here and often the legal side is not 100 percent clear.”
It has to be proportionate, and there must be a clear reason for doing it. It also highlights the difference in quality between data regulators across the world and how they are going to become better followed under GDPR. As more trading desks move to the continent, to France and Germany, this will become evident.
“In Germany, you just cannot do the same level of surveillance there,” she says. “This could be a big problem as it will mean certain things just won’t ever get found; I am not aware of many banks doing comms surveillance on German employees, as I don’t think it’s legal there unless done with express consent, which is hard to get people to agree to.”
Ultimately intelligence gathering must go beyond compliance. The chief security office looks at data loss, HR looks at issues like bullying. “Doing the right sort of investigation on a system requires better reference; tying this data in with our other systems is vital as entity resolution is a big problem, so we actually log stuff against all of the relevant people.”
What is key to rolling this system out, she says, is ensuring lots of people can access and update it, despite being restricted to what they can see for privacy controls.
She says management have raised the profile of the system in the wider organization, which has helped. “It has started to pay dividends as everyone is now starting to use it to identify issues to the people in their respective teams and on their desks and all are now starting to join this stuff together,” she says.
“A lot of big organizations, if you look back at the main issues, have shown weakness where information has been in silos.”
She cites the Bernie Madoff ponzi scandal as evidence that the US Securities and Exchange Commission had not coordinated intelligence gathering. “The Philly office got a complaint, but there was no way of knowing if someone in New York had got a similar complaint,” she says. “There is no great art to this. It is just sharing and using the info and dealing with the legal issues.”
Lucy views APAC as generally behind the rest of the world mainly due to the regulators not being totally aligned, alongside a disparity in rules and data privacy regimes. “I cover Asia and I feel like I have to sign my life away to access Singapore data which makes it much harder,” she says. “You do get people moving between regions and data regimes so it is tougher to move data around.”
Putting the jigsaw together
The signals that put someone on ‘the list’ are usually a lot of minor signs that once assembled make the profile “uncomfortable”, she says, where big mistakes or major stupidity will result in a breach, which gets tagged but everyone moves on.
“If you are really determined to do something wrong, you are going to be a lot smarter, so we have to look for the little things where people slip up,” she says. “Sudden changes of behavior as well; I would not say there is any one type but if you look at past cases, individuals often change their habits by coming in at different hours or becoming isolated.”
Some regulators will often assume anyone consistently making too much money based on P&L analysis must be insider trading. This can roll into rogue trading, she says, as there should be a natural variance.
“If historically you have been an average trader but suddenly two months on the trot you are making it big, that is an immediate flag.”
The future looks bright
The culture is certainly changing, she says, as things that were market practice ten years ago are just not acceptable now.
“I would say the younger traders generally get it, and it all stems from how you view finance and when you entered the market,” she says. “The financial crisis has had that impact and it will be interesting to see markets progress when today’s VPs become MDs. I hope they don’t do an about-turn” She says the FX market got bashed up so much that the focus has had a distinct impact.
“I think they have looked in the mirror and asked themselves if their conduct is on the front of the Wall Street Journal, could they defend it?.”
The Radar view
From speaking to those at the coalface, the evolution in surveillance tactics is ongoing, being approached differently based on previous precedent (enforcement history and remediation has been a powerful catalyst), the alternative markets that the banks are playing in since the financial crisis, and where they sit in the market league tables.
While there is no accepted formula or regulatory prescription to follow, the emerging trends of a more holistic approach across the organization are noteworthy.
One interesting theme has been the feeling of general vulnerability despite significant investments in technology and personnel in the last decade. None of these seasoned professionals feel confident in identifying all types of risk at an early enough stage to avert loss, reputational damage and reportable infringements.
It is clear that the speed and global nature of markets, shifting market practice, tighter margins, regulatory uncertainty and data blindness are all contributing to making the supervisory challenge a continued recipe for sleepless nights.
Six takeaways from the chase to find the next rogue trader
- GDPR is a big challenge, and its use in future in key disciplinary actions will set precedent and reform the approach of the current monitoring units. But beware too conservative an approach to its interpretation.
- Technology is helping but it is still relatively untested, is not generally prescribed by regulators, and is still expensive.
- People are key and getting the right blend of experience and team are integral to being effective – they need to have access to the right data and systems and information too.
- Conduct is changing and the vast majority want to do the right things and protect their livelihoods, reputations and bonuses as well as their colleagues.
- The investment in approach and systems and intelligence is paying off in managing other risks beyond the headline-grabbing scandals of the last decade – some of these systems are in fact very sophisticated but have cost a lot to build.
- There are significant differences in approach, culture and conduct based on asset class, age, region and type of regulator.
To talk more about these issues and share best practice with like-minded professionals, our parent company Behavox hosts unique monthly closed door roundtables with a growing Compliance Community of senior risk executives. Details available at behavox.com