The compliance lessons, so far, arising from the UBS rogue trader
LONDON, Sept. 23 (Thomson Reuters Accelus) – UBS’s loss of $2.3 billion has hit the headlines worldwide, and while full details of what went wrong are unlikely to be public in the near future there are already compliance lessons for other firms. UK and Swiss regulators have launched an investigation into:
- the details of the unauthorised trading activity;
- the control failures which permitted the activity to remain undetected; and
- the overall strength of UBS’ controls to prevent unauthorised or fraudulent trading activity in its investment bank.
Although the investigation is ongoing, and the regulators have expressly stated that they do not, as yet, have an expected timescale, there are a number of lessons or steps for other firms to consider.
The compliance function should ensure that the product suite map is completely up-to-date and accurate. This sits alongside the business and employee maps, where the responsibility for maintenance often sits outside the compliance function but to which compliance need unfettered access. An accurate product suite map is the prerequisite for undertaking a review of products and any and all associated systems, controls, procedures and risk processes.
Part of any review should include not only the usual suspects of risk and internal audit but also human resources, finance and the middle and back offices. Almost every fraud or other “rogue” activity takes place in the inadvertent gaps between functions and departments.
There may well be an element of having to rebuild relations with other functions. In the chaos that followed the financial crisis all risk functions in financial services firms were involved in major fire fighting and other survival measures. The dust has, at least in part, settled and it is incumbent on compliance officers to help to rebuild any potentially lapsed channels of communication. The product suite analysis can be used to ensure that there is universal agreement and understanding of what is traded where, and by whom.
The extension of this is a reiteration and, again, agreement, as to the specific roles and activities of all concerned in the lifecycle of a trade. This is not a question of compliance stepping in to carry out other functions’ roles, but more a reaffirmation of exactly where boundaries between roles are drawn and the detail of how the handover works in practice. A particular focus should be on any manual work-arounds or known exceptions to standard procedures.
At its simplest, a product suite review walks through each type of trade from start to finish but even the simplest of reviews can cast fresh eyes on areas of under- and overlap and provide invaluable help in highlighting issues before they can cause a problem.
Every experienced compliance officer has heard the complaint that their firm is much stricter than others, that lots of other firms do not need that confirmation or this level of detail, and that generally compliance is responsible for making life much too difficult and complicated. This is an area which is always worth tackling head on, particularly with regard to the need for trade confirmations for both internal and external deals. Internally, the processes can be built exactly as required to suit the firm’s own structure. It is self-evident, but there must always be effective procedures in place, which must be reconciled regularly, to ensure that all positions remain accurate on an intra- and inter-day basis.
It is a slightly different issue for external trade confirmations, the contents, methodology and style of which are often not in the firm’s control. That said, they remain essential. Any instances where confirmations have not been forthcoming or in which compliance or another function is told that the other side either does not need a confirmation or does not send one should be treated with scepticism.
A powerful way for compliance to deal with such issues is to speak directly to its counterpart at the other firm; more often than not it turns out that it has been fed the same line in reverse. Compliance officers making contact and agreeing an approach between firms has multiple benefits. Not only does what “good” looks like get agreed at an appropriate level, but the message soon gets back to settlements, trading desks and other areas that trying to play firms’ compliance procedures off against each other simply will not work. That, in and of itself, closes another potential route to fraud.
SEGREGATION OF DUTIES
Much has been made of the fact that the UBS rogue trader moved into the role from the back office. Part of the overall risk assessment of an area is inherently concerned with the people. This is as much the case if someone crosses a Chinese wall or firewall into a new role as if they move from the back to the front office. The general rule of thumb is that people should not move between areas which are separate, due to the need to segregate duties. Back office staff can of course move to the front office but, as a matter of course, they should not move to that part of the front office for which they previously settled, cleared or reconciled.
If it turns out that someone has moved directly into the front office for which they previously settled, or if someone moves across a firewall into a related area, then three things must be in place:
- senior managers in all related areas must approve the move expressly;
- compliance must be informed; and
- consideration should be given to the implementation of additional risk control measures such as an additional level of sign-off or oversight.
At first sight this might look like overkill but the whole point of segregation of duties is to separate out any potential conflict between trading and settlement. As countless firms, from Barings to UBS, have found, the front and back offices must be kept separate or else potentially vast, firm-killing losses can arise.
For the foreseeable future UBS will focus on an investigation into the rogue trader. There are myriad elements involved in ensuring that any third-party investigation is well-run and that the investigation itself does not end up being worse for the firm than the problem which caused it. Elements of a well-run investigation include:
- Creation of a steering or other committee to manage the process, coordinate the required work, allocate resources and report internally. Ideally, a very senior non-executive should chair any such steering group.
- Copies of all documents and other materials provided to the investigators should be kept, indexed and archived. This should include copies of all interviews (tapes and transcripts) as well as trading desk phone recordings. All firms have a record retention period for phone recordings and immediate consideration should be given to suspending the usual deletion cycle in relevant areas to ensure that evidence is maintained for the investigation.
- Continuing observance of external disclosure obligations to regulators and exchanges where appropriate. Depending on the circumstances, firms may need to make private disclosures to other regulators around the world and/or public statements through any exchanges on which they are listed.
- As the results of the investigation begin to come in, it will be important for the ongoing assessment to establish whether or not any of the failings or issues could be systemic, and if so which other areas of the firm might be affected. Firms will need to consider the potential need for past business and other types of review as a side effect of the rogue trader investigation.
- Last, but definitely not least, is the need to keep business-as-usual risk and compliance management on track. It is often the case with investigations that the brunt of the hard work falls on the risk functions, and while considerable risk and compliance time and effort will have to be devoted to the rogue trader work it is essential that the firm has sufficient skilled resources in-house to continue the day-to-day necessities of compliance.
One area which it might be tempting to let lapse is the ongoing analysis of regulatory changes. For almost all firms it would be a false economy to step back from the active consideration of regulatory change. It would be all too easy to find a business model compromised or that a regulatory change deadline had not been actioned if the ongoing focus on regulatory change is not maintained. Even in the teeth of a serious investigation, losing focus on the impact of regulatory change will make things worse and not better for any firm.
A distinctive feature of the UBS rogue trader case is the apparent use of Facebook as a source of background information. It is perhaps not surprising that photos were found online but it is a cause for concern that several quotes, purportedly from the trader’s Facebook account, appear to indicate serious issues weeks before UBS itself knew about the fraud. The whole area of the implications of social media for risk and compliance in financial services is a thorny one without any clear solutions. As a minimum, firms may well wish to consider reminding all staff of the need to maintain the confidentiality of all firm data, their obligations under insider dealing and other requirements, as well as simply the need for discretion when posting anything online.
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete (http://accelus.thomsonreuters.com/solutions/regulatory-intelligence/compliance-complete/) provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.)