Trading security: 'If I were to say it couldn't happen here, well, that's bullshit'

Banks across the City of London have launched urgent reviews of their security procedures in the wake of the Société Générale scandal.

It is understood that several have contacted the Financial Services Authority (FSA) during the last few days to inform the City regulator of their actions in the midst of growing alarm at the way in which SocGen trader Jérôme Kerviel was able to circumvent internal controls to place multi-billion-euro bets (although in interviews with police he has reportedly claimed that his superiors must have been aware of his activities).

Despite this, the FSA is known to have concerns that some London banks still fail to enforce a demand that traders take at least two consecutive weeks of holiday in a year. This is seen as a key security measure because it means their trading "book" will be taken over by another employee and the timeframe is long enough for any anomalies in their trading positions to be spotted.

The FSA has stopped short of calling for new rules to enforce this requirement, believing that too many regulations could allow banks to adopt a "box ticking approach" that they would be able to use as a shield in the event of a scandal. It prefers a "principles based" approach that requires senior management to be on the ball, and comply with what is seen as best practice.

But the two-week holiday is seen as "best practice" and it is not being adhered to in all cases.

The 31-year-old Mr Kerviel is also reported to have told police during last week's interviews that: "The simple fact that I did not take any holidays in 2007 should have alerted the management. That is one of the primary rules for the internal controls."

One senior London-based risk manager says he agrees this is a key requirement, adding: "If I were to say it couldn't happen here, well, that's bullshit. You'd like to think it wouldn't – that the culture is strong enough to detect it. But no, you can't say it couldn't happen."

Typically, banks have compliance and risk managers "on the floor" and expect traders to talk to them regularly. These people, however, have a degree of independence from the trading business proper and their reporting lines are different – the former to a bank's compliance department and the latter to more senior risk executives.

The activities of traders are also scrutinised by "external" functions in banks, including human resources, who could enforce the two-week rule. The third line of defence would be internal audit, which could pick up discrepancies.

But the risk manager spoken to by The Independent on Sunday says: "What I would be asking in this case [Mr Kerviel] is what the head of his desk was doing. Ultimately, you can have all the checks and balances you want, but they are there all day and would have been best placed to pick up on anything that went wrong.

"I've seen that he's said people must have known what was going on. Well, he is being advised by his lawyers. But if they didn't know, then they were asleep at the wheel."

The FSA currently expects banks to separate the duties of front-line traders, risk managers and the back-office staff who will be involved in the clearing and settlement of trades. It has no objection to back-office personnel such as Mr Kerviel rising to become traders, but it does insist that security should be strict between departments.

That means measures should be taken to ensure passwords and access to secure systems for the back office, who process trades, are not available to people who move into the front line where the trades are struck. A knowledge of the back office, and access to its systems, could have been vital in helping Mr Kerviel to keep his off-book trades "secret", if indeed they were.

The regulator believes there are three key things banks could do that would minimise the risk of being attacked by a rogue trader (detailed in the box on the right). However, like the risk manager above, senior regulators privately admit that a really determined rogue could still cause chaos from London, just as Mr Kerviel did from Paris.

And with the increasing complexity of derivatives markets, rising volumes and the desire among traders to be seen as "big swinging dicks" who pocket multi-million-euro bonuses for fun, Mr Kerviel is unlikely to be the last to go rogue.

The risk manager says: "Ultimately, it is often about the culture. If you have a culture with a dominant individual in charge, who barks at staff and who people are afraid to take bad news to – well then it's much easier for something like this to happen. And a sophisticated and determined individual can always find ways around the rules, particularly if there is collusion with others."

The measures needed to ensure security

The FSA guidelines say that banks should:

• Ensure the clear separation of duties between different parts of its business – such as traders, risk managers and the back office – with separate reporting lines. Staff on the trading desk should not have access to IT and passwords used by the back office.

• Have a system that checks trades entered against confirmation from the external counterparty – be it a bank or an exchange. Be aware of trades entered on a provisional basis.

• Ensure that anomalies are identified and followed up, particularly odd-looking trades, variations in a trader's usual pattern and breaches of trading limits.