General Panic at Société Générale: Of Loopholes, FUD Machines and Gambiarras

Rogue trader: “Yond Cassius has a lean and hungry look …”

LOOPHOLE: A way of escape, an evasion; a corruption of “louvre holes.” (See LOUVRE.)

Louvre boards in churches. Before chimneys were used, holes were left in the roof, called loovers or leuver holes. From the French l’ouvert (the open boards). –E. Cobham Brewer, Dictionary of Phrase and Fable (1898)

Kludge: patched solution; a makeshift combination of hardware and software put together to solve a computing problem that is effective but not suitable for manufacture.

Rogue trader costs Société Générale EUR5bn; back office controls skirted:

French banking group Société Générale SocGen is reporting a massive EUR4.9 billion in losses perpetrated by a rogue trader who used to work in its middle office division and who used loopholes in controls and risk management procedures to conceal fictitious transactions.

There will be a lot more interesting comments to read on this case than mine.

I personally plan to consult Financial Engineering News on the incident, because I think the “how” angle on this story is likely to be the most interesting: Why the loopholes existed, and how the “rogue trader” gamed them.

(Oops. FEN has ceased publication. Which is a shame. One of the best specialty business publications in any sector, I always thought.)

Everyone immediately thinks of (Ewan “Ben Kenobi” McGregor as) Nick “The Rogue Trader” Leeson, but it actually might be more interesting to compare the case to Enron’s “Fat Boy” and “Death Star” electricity trading gambits, or Citigroup’s “Dr. Evil” German bond trading strategy.

The (shocking!) news immediately made me think of a technology audit project I once worked on for a flagship client of one of those Big X global consultancies, as a humble project editor.

The challenge, to put it bluntly, was to find a very diplomatic way of saying that the automation of internal controls — the global financial institution’s “policy server,” as the jargon goes — was deeply afflicted by the GIGO principle and, consequently, shot through with business logic that was likely to produce the workflow-automation and transaction-processing equivalent of that crayon Homer Simpson shoved up his nose into his brain as a child.

The bank says the junior trader – who hasn’t been named, but who earned less than EUR100,000 a year – had “in-depth knowledge” of risk control procedures from his previous position in the bank’s middle office, which enabled him to “conceal these positions through a scheme of elaborate fictitious transactions”.

The rogue trader has now been named:

According to a Financial Times report, the lone rogue trader that racked up the colossal losses at SocGen is Jérome Kerviel, 30, who joined the bank in 2000. Kerviel worked in the bank’s back office for three years before being promoted two years ago to SocGen’s Delta One trading desk in Paris, says the report.

What my audit team basically needed was to edit a bunch of contributions written in various styles of global English-like discourse — ranging from Bangalore geekspeak to New York City legalese — into a document that nodded in the direction of “plain English” and read like it had a single author.

A report that no one would ever read, of course, but for what the client was paying for the work product, they figured they might as well cross all the i’s and dot all the t’s.

One of the biggest issues that emerged was the need to think of no-fault language expressing the unavoidable fact: that the system for automating internal risk controls was crippled from the start by conflicting definitions.

Often drawn from dueling standards documents, when not simply made up off the top of somebody’s head.

In other words: Too many cooks were spoiling the broth.

Different functional areas were inputting policies that conflicted with policies input by other functional areas. That sort of thing.

The phrase I think I came up with, to be used consistently throughout the report and in the executive summary, was something to the effect that,

“in the absence of clear, unambiguous sourcing to the standards to be applied, system administrators could not be confident that the system of controls would identify exceptional cases it was designed to identify, with the degree of reliability called for in the system specification.”

Or some such gobbledygook.

In plain English, the thing was kludged together in such a way that its only output was likely to be fear, uncertainty and doubt.

The point of finding a neutral description was, of course, to find a way of avoiding telling the client that they had flushed a ton of money down the black hole of a project that was utterly deaf, dumb and blind to ISO 9000.

Avoiding the implication, at all costs, that somebody could or should be sued over this fact.

The point, in the bluntest and most practical of terms, was that it was very, very easy to log in as a user who was supposed to perform a very limited role and find ways of doing things you were not supposed to be able to do without proper authorization.

As far as I know, I hasten to add, the global financial institution took the results of the technical audit to heart and fixed the problem.


Remember when Homer Simpson decided to gain weight in order to take advantage of work rules defining obesity as a disability, which allows him to work from home?

Wikipedia summarizes the episode:

Mr. Burns gives Homer a stay-at-home work terminal. Homer is given simple duties that a child could perform, yet he still fails to understand his duties as a safety inspector. One day, he leaves his terminal, with a nodding duck to press ‘Y’ on the keyboard, and goes out to watch a movie. He returns home to find that, in his absence, the nodding duck fell over and that a nuclear meltdown will take place at the plant. As he is unable to stop it via the computer, Homer tries to run, skateboard and drive to the plant, all of which fails as a result of his obesity. He eventually gets to the plant by stealing an ice cream truck. Homer arrives at the power plant and climbs up to reach the shutdown button, but ends up accidentally falling onto the gas store, blocking the release tube with his behind.

The “nodding duck” refers to a novelty item more often referred to as a “thermodynamic drinking bird” or more simply a “drinking bird” — the original was issued U.S. Patent No. 2,402,463.

Some folks know it as the “dippy bird.”

We all had one as a kid, right?


Somewhere in that Simpsons episode — “King-Sized Homer” (3F05) — I bet you there is a useful “business process automation” metaphor for this incident.

I cannot quite work it out in my head at the moment, but let’s leave it noted down as a promising conceit for a future piece of finished writing.

Also on point, I thought, was the headline in the local paper here in São Paulo to the effect that a second catastrophic fire at the Hospital das Clínicas was caused by a gambiarra in the electrical system:

Gambiarra é o nome dado informalmente ao procedimento necessário para a configuração de um artefato improvisado. O termo também costuma ser usado para definir o artefato em si.

Gambiarra is the name given informally to a procedure needed to configure an improvised device (gizmo), and is often used to refer to the device itself.

Gambiarra — a good translation, I think, for EN ‘kludge’ — is my New World Lusophone word of the week.

I was trying to explain to a colleague earlier, for example, that ad hoc solutions to terminology management issues are just that: a gambiarra.

A gambiarra, or kludge, has its virtues, of course.

When it absolutely has to get done right now, the art of the gambiarra is indispensable.

The problem is when your accumulated knowledge base evolves as a snarled tissue of such gambiarras.

Here in Brazil, where an alarming proportion of electricity users are officially off the grid and hooked up through gatos — creating an ad hoc hookup is known as “yanking a cat” — the gato provides a compelling visual metaphor for this process.

Walk with me down to the corner and I will show you what can result.

The other night, on the tree-lined Avenue of the Owls, for example, heavy rain sent a tree branch crashing into a transmission line hooked up to a junction box that was lousy with gatos.

The entire neighborhood awoke at four in the morning to a scene resembling the “shock and awe” smart-bombing of Baghdad.

The junction box exploded with the brilliance of a million suns.

Then exploded again. Then again. Then again. Every time the central office tried to reestablish power to the neighborhood, another spectacular, nerve-wracking freaking explosion.

Neighbors expressed concern about the risk of setting fire to the park.

But since the original cause of the problem was one of those pancadas that drops about 5 inches of rain inside of thirty seconds, our local park was not exactly what you would call a tinderbox.

Graças a deus.

They finally had to dispatch some poor bastard in a truck to dar um jeito.

