Top 10 op risks 2018: unauthorised trading

It’s notable that, despite a year free from big losses from rogue trading incidents, almost all senior op risk bankers who spoke to Risk.net for this year’s Top 10 Op Risks said they were steeling themselves for the next major violation: whatever controls a bank has in place, most agree it remains a matter of when, not if.

“Unauthorised trading is a risk for any firm with an investment banking business of any size, and it always will be – it’s as simple as that,” states the head of op risk at one European bank.

But the definition of unauthorised trading has also continued to evolve, in line with changing market structure. Rogue algorithms are now considered an equivalent, if not greater, source of potential losses than rogue traders purposefully circumnavigating the controls, or fat-finger error.

Malfunction of trading algorithms has been under intensive study since the flash crash of 2010, with early warning tools now being tested by both buy-side firms and regulators. These tools aim to identify and respond to an event once it has happened. But legislators are also enacting measures to prevent these failures from occurring in the first place. The EU’s Markets in Financial Instruments Directive revises and formalises control over trading algorithms, and the UK Prudential Regulation Authority has followed up this year with a draft statement that lays down basic principles on algo regulation.

In the UK, the Senior Managers Regime mandates clear ownership by named individuals of the development, testing and oversight for each trading algorithm. It also highlights that algorithms should be re-validated before being deployed in a different market, and asks for documentation of the differences between testing and real-world environments – both measures aimed at the risks involved in deploying algorithms in unfamiliar trading conditions.

The SMR also calls for clear documentation of algorithmic kill switches – the last-ditch safeguard against a trading algorithm running out of control. As the regulator points out in its February consultation, a failure in the system architecture could cause “trading to stop or to continue but in an uncontrolled way… Such risks could include… risk exposures rising beyond their limits and the firm’s risk appetite.”

Like all sizable op risk losses, the impact on a bank’s capital from an unauthorised trading incident lingers long after the initial breach has occurred. And banks can find wrangles over their losses continuing for years after the event: Societe Generale is currently fighting the French government over a €2.2 billion ($2.73 billion) tax writeoff it took on losses inflicted by the rogue trader Jerome Kerviel in 2008.

Still, there are hopeful signs that banks and regulators are getting smarter when it comes to balancing carrot-and-stick incentives to encouraging good behaviour among traders. In the US, Citi has made much of its recent bonus scheme overhaul, intended to change the bank’s culture by linking compensation explicitly to ethical conduct as well as bottom line performance.

In the UK, op risk heads report the SMR has already led to a marked decrease in the numbers of traders breaching their risk limits, something they attribute to the greater awareness of the potential for reprimand under the regime – including the ultimate threat of criminal prosecution for senior managers whose conduct is found to have recklessly endangered a bank.

Traders who went rogue

Name: Nick Leeson
Year: 1995
Institution: Barings Bank
Trading losses: $1.3 billion

Name: Toshihide Iguchi
Year: 1995
Institution: Daiwa Bank
Trading losses: $1.1 billion

Name: Jerome Kerviel
Year: 2008
Institution: Societe Generale
Trading losses: $6.7 billion

Name: Kweku Adoboli
Year: 2011
Institution: UBS
Trading losses: $2.3 billion

…and a rogue algo

Year: 2012
Institution: Knight Capital
Trading losses: $440 million

Banks, too, have made big efforts to beef up controls over the past few years in a bid to detect and prevent rogue trading. For instance, after a series of risk management failures that saw rogue trader Kweku Adoboli lose billions in its London office in 2011, UBS overhauled its operational risk function sufficiently to win Operational Risk’s Bank of the Year award in 2016.

However, some fear prudential regulators’ recent upending of the op risk capital framework could have a detrimental impact in this regard. The standardised measurement approach removes banks’ freedom to factor in the impact that changes in internal controls would have in preventing future breaches from the capital calculation process – a tactic many banks were successfully able to employ to reduce requirements under the own-models approach. Practitioners have argued this could take away the incentive to improve controls in the first place, engendering a new source of operational risk. Most regulators, including the Prudential Regulation Authority, have made clear they will consider the effectiveness of a bank’s conduct risk controls when setting its Pillar 2 capital requirement, however.

Many also warn that one of the difficulties in defending against the risk of unauthorised trading losses is that they may depend as much on extraneous factors as on banks’ conscious precautions against them. For instance, the long years of a low-rate, low-return environment provide unwanted incentives for unauthorised trading by those unable to make their targets in any other way – and their activity may go unobserved until a market correction reveals it, as was the case with Nick Leeson.