UBS Blames Internal Gaps for Fraud
Audit: Fraud-Prevention Measures Didn't Detect Rogue Trades
In a statement issued this week, UBS says certain internal controls were not effective on Dec. 31, 2010. That's when 31-year-old Kweku Adoboli, a former UBS director who oversaw electronic funds transfers and Delta1 Trading for the investment bank, pushed through $2 billion in fraudulent trades UBS later said would likely result in a third-quarter loss for 2011.
London City Police in September arrested Adoboli. He later appeared before City of London Magistrates, facing one count of fraud by abuse of position and two counts of false accounting.
UBS is required, as an institution operating in the U.S. under the Sarbanes-Oxley Act, to annually evaluate internal controls used for financial reporting, disclosure and procedures. UBS says it has identified two controls that were not effective on Dec. 31, 2010: one requiring bilateral confirmation for trades and the other used in the inter-desk reconciliation process to ensure internal transactions are valid. The gaps have been reported to the Securities and Exchange Commission.
UBS also says financial statements included in its 2010 annual report were not affected by the control gaps. "The financial effect of the unauthorized trading activity is fully reflected in UBS's third quarter 2011 financial report," the bank says. "Investigations are ongoing, and management may become aware of facts relating to the Investment Bank that cause it to broaden the scope of the findings."
Risk Management Strategy
The internal fraud gaps at UBS should serve as warnings to all institutions. Robert Stroud, vice president of innovation and strategy at CA Technologies and a member of the ISACA Strategic Advisory Council, says banks are not going to catch everything, but well-implemented risk management strategies ensure certain gaps are less likely to expose huge risk. "Risk management is going to identify primary and fundamental risk," he says.
The UBS incident, unfortunately, is strikingly reminiscent of the trading scandal at Societe Generale, where rogue trader Jerome Kerviel got by with $7.2 billion in fraudulent deals.
Eric Fiterman, a former special agent for the Federal Bureau of Investigation and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics, says organizations are learning that simply collecting information is not enough. "You actually need to look at it, interpret it and identify actionable intelligence from the data," he says.
But most organizations, financial institutions included, have difficulty interpreting and analyzing the data they collect. IT auditing applications have, in essence, created a new problem: "I have so much information I can't find what I need to know," Fiterman says. How well organizations shield themselves from internal losses like the one suffered at UBS will depend on their ability to quickly identify and execute responses, despite all the data.
"Most organizations have too few people trying to chase too many phantoms," he adds. "You need to have a strategy for filtering out the background noise and getting to the alerts and actionable information hiding in this mountain of data."