Wall Street & Technology's Risk Management Weblog

Click iTunes icon or copy url below into your rss reader.

Brokerage MF Global has hired external risk consultants to review its order entry systems, after a rogue trader lost $141.5 million when he was able to exceed his limit order and place unauthorized trades.

The incident comes just weeks after Soc Gen revealed that a rogue trader lost more than $7 billion by placing unauthorized bets on European stock indexes.

In the aftermath of the CDO (collateralized debt obligation) crisis, for firms that are ready to dive into securitized credit products again, a new pricing model came out today for valuing exotic credit products such as options on tranches and forward starting CDOs (a forward starting CDO is a single tranche CDO with a specified premium starting at a specified future time).

Richard Bookstaber, author of the book Demon of Our Own Design, offered some unique advice last night to financial firms that want to survive future crises (like the current CDO fiasco): Be more like cockroaches. Not in the sense of living in drainpipes and scurrying out at night to scare unsuspecting apartment and office-dwellers, as New York City cockroaches do, but in a survival-of-the-simplest ideal. While many "super designed" insects in certain jungles that developed specialized adaptions for only one type of flower or seed pod are now history, the homely cockroach lives on and on.

Welcome. My name is Mike Ellison and I am the EVP at Corporate Insight. We’re a firm that looks at the retail experience at a number of brokerage, mutual fund, and banking firms. From time to time, I’m going to be blogging on subjects related to wealth management. Much of what I will be talking about will come from our experiences in maintaining live accounts at the firms we follow in our research. When we uncover something I feel would generate some lively discussion, I’ll post it and hopefully you’ll chime in with your opinions.

To open our discussion, we recently received an email from E*TRADE on identifying and avoiding fraud that I think should generate some dialog.

If you work for an alternative asset management firm, so much rides on protecting intellectual property, customer data and the reputation of your firm. That is the message from Raffi Jamgotchian, chief information officer at Canaras Capital LLC, an alternative asset manager specializing in credit markets that was founded in 2006.

With botnets and other dangerous forms of crimeware anonymously launching distributed attacks on companies, Canaras Capital set out to protect the firm’s reputation.

What'll the cyber crooks think of next? Well, this isn't a new idea and it certainly isn't the type of flashy heist you will see in this summer's sequel Ocean’s 13 with George Clooney, Matt Damon and crew. But hundreds of account holders have lost funds after a most likely phony firm named Equity First generated random routing and account numbers and tried to deposit one cent. If the one-cent deposit clears, the fraudsters know the account is active and they begin to withdraw funds. And for financial firms, it's just another risk to add to the list.

Marc Lackritz, CEO of the Securities Industry and Financial Markets Association, and the voice of the U.S. broker-dealer community, testified last week in front of the Senate Committee on Banking, Housing and Urban Affairs Subcommittee on Securities, Insurance and Investments. In his testimony, Lackritz reaffirmed SIFMA's support of a single-regulatory force and the adoption of a principle-s based regulatory approach. Being one of the most influential lobby groups on Capitol Hill, SIFMA has considerable sway in regulatory matters, and their staunch support of regulatory reform may yield meaningful change in the way securities firms are governed.

Read the full testimony here (PDF).

Costs to comply with the Sarbanes-Oxley governance law dropped last year for the third year in a row, largely because managers have been spending less time on reviews.

Not only do companies have to worry about stolen laptops, rogue employees and hackers -- now they also have to worry about fake SEC examiners.

The United States Government Accountability Office released a report (PDF) on its latest year-long study on the resiliency of U.S. financial markets last week, and the results were mixed. After examining seven critical exchanges, clearing organizations, and payment processors, the GAO determined that the financial industry's progress in ensuring resiliency in the face of disaster was promising, but there is still much work to be done. The report's discussion of communications between the GAO and SEC were intriguing, indicating that disaster preparedness in the U.S. may evolve from being a matter of common sense to being a matter of regulatory compliance.

Two disturbing reports of carelessness with customer data have surface out of JPMorgan Chase this week. The first is a video posted yesterday on YouTube which allegedly shows customers' in-tact personal financial information being fished out of garbage bags left outside of Manhattan bank branches.

New York's Attorney General Andrew Cuomo last week obtained the first settlement in court under the state's data breach notification legislation. While the punishment of the exposed company, Chicago-based claims management firm CS Stars, LLC, was relatively light, the development opens up new legal vulnerabilities for firms that do not follow proper procedure in the event of sensitive customer data exposure.

The leak potentially affected 540,000 New York consumers, according to Cuomo's office. New York law requires immediate notification in the event of a security breach involving customer data. CS Stars, complying with FBI instructions, did not announce the breach until 2 weeks after discovery.

One message that rang out loud and clear from some of the compliance discussions today at the SIFMA show was: broker-dealers take outsourcing lightly at their peril. Broker-dealers retain regulatory responsibility for the functions they outsource. One of the regulators scrutinizing securities' firms outsourcing relationships is the NYSE. "There's been controversy over the rule we proposed [NYSE Rule 340]," said Grace Vogel, executive vice president, member firm regulation at NYSE Regulation. "We don't object to outsourcing. Where we see problems is when something goes wrong and a firm says, 'We're not responsible' and points to the outsourcer and says, 'go regulate them.' The outsourcer is outside of our jurisdiction. Firms should outsource functions, not responsibilities."

If your firm is a counterparty to a hedge fund, invests in or partially owns a hedge fund or places clients' money in a hedge fund, it may be somewhat accountable if the fund commits fraud, losses money or goes bankrupt. Of course, not all hedge funds are run by crooks or mismanaged, but hedge funds do have an 8.5% failure rate, and that rate is growing. In 2005, hedge funds lost $1 billion, in other words one dollar out of every thousand.

Are you exposed to too much foreign exchange risk? Most companies don’t know the answer to this question, according to executives at FiREapps, who released version 3.5 of their eponymous corporate foreign exchange management software today. The software sends queries out to a company’s financial systems and analyzes its corporate-wide foreign exchange exposures, based on real-time currency data.

Did you know that when you create an application using Java or .net, anyone can drag and drop that executable to a free decompilation tool such as Reflector (for .net) and then be able to see all the source code behind it? Such examining of code and perhaps reverse engineering can be done for benign reasons – to debug the application, for instance, or to provide better training or support. But sneak-peeking at software code can also be done maliciously, by competitors, disgruntled employees or hackers who want to steal intellectual property or get into a computer system. Obfuscation software inserts additional code into an application to prevent a would-be IP thief or hacker from being able to reverse-engineer the code.

In a follow-up to the first e-discovery blog entry, it seems that the courts are starting to hear cases on the new e-discovery rules. The courts are starting to work. It’s not that the courts haven’t been busy, but just now, we’re starting to see rulings that take into consideration the new Federal Rules of Civil Procedure (FRCP).

On the heels of breaking off an agreement last November to merge with Chicago-based market data vendor HyperFeed Technologies, Exegy Inc., a St. Louis-based technology provider is launching a new ticker-plant service initially to 21 Wall Street customers. But when Wall Street firms consider Exegy’s new ticker plant, should they care that Exegy jilted HyperFeed at the altar? And should they be concerned about a lawsuit pending in Illinois?

If Barney Frank’s recently reported statements are accurate, banks and financial institutions may have a surprisingly friendly advocate on Capitol Hill. Frank, who also happens to be the influential chairman of the House Financial Services Committee, contends that banks should be exempted from SOX 404 compliance because they are already subject to similar provisions in an earlier law.

This past weekend, we passed a milestone -- 100 days since the enacting of the new Federal Rules of Civil Procedure as they relate to eDiscovery. In summary, those Rules attempt to give courts guidance for how to treat digital data and information, in whatever form and context it is in.

The Rules try to contain the ever escalating costs that plaintiffs and defendants. So spreadsheets, letters, contracts, e-mails and all of those files that are stored on disk and on tape, on and off the network can, should, and must be “discoverable” to all of the parties engaged in litigation.

On the list of forthcoming projects for CIOs is updating their systems to handle the changes in daylight savings time (DST) (DST). The Energy Policy Act of 2005 will cause DST to fall weeks earlier this year than in years past. With that in mind, industry analyst TowerGroup has issued recommendations on how financial institutions can deal with what they are calling "more a nuisance than the cause of any significant business outage."

A couple of weeks ago, we wrote about a study that seemed to prove that site-to-user authentication was a broken practice. Well, not surprisingly, the purveyors of such technologies took exception to the notion that their product was ineffective. What follows is a response written by Louie Gasparini, co-CTO of the consumer division of RSA, the security division of EMC that sells Passmark site-to-user authentication technology.

You would think that by now almost every user of the Internet would know not to click on links in emails supposedly from financial institutions -– especially a bank that you have never heard of or have never done any business –- and enter your username or password.

But as this podcast and article from National Public Radio (NPR) points out, Web-savvy individuals are also falling victim to online financial fraud as phishers use newer technology to stay ahead of financial institutions and users.

Buy-side traders that feel comfortable using instant messaging to communicate with and route order flow to the sell-side community can now use IM to sweep crossing networks and dark pools.

The cool technology comes as the result of a partnership between Pivot Solutions, the developer of IMTRADER and UNX, an agency brokerage specializing in direct-market access and algorithmic technology.

ING has implemented biometric fingerprint scanning technology on its trading floor workstations. Dutch biometric consultant BioXS developed an integrated solution using matching software from BIO-key International combined with fingerprint readers from Zvetco. The solution is designed to eliminate the need for multiple complex passwords that were formerly required for access to ING's dealer room workstations, and free up technology staff who were constantly changing and replacing access codes.

This morning I was invited to the Ernst & Young headquarters in Times Square to tour the firm's Advanced Security Center (ASC). The center, along with a location in Houston, employs a staff of 30 security professionals dedicated to performing assessments of companies' security infrastructure, and focusing on the financial services industry. Through the dually authenticated door-locks and under the concrete lined ceilings of the office were an impressive facility and a team of truly dedicated white hats, diligently probing the defenses of your bank or brokerage and mine.

The New York Times reports today (free subscription required) that a new joint study out of Harvard and the Massachusetts Institute of Technology claims that a popular authentication technique is failing its users. Site authentication images — user-chosen images that appear on a Web site when a user logs in to prove the authenticity of the site — are not an effective authentication method.

In the wake of sentiment expressed at the World Economic Forum that financial services firms (and all companies) must go greener, the U.K.'s Financial Services Authority has issued a warning about the dangers of climate change as part of its 2007 Financial Risk Outlook, while a U.S.-based consortium of institutional investors released a scathing report on how companies in the S&P 500 disclose climate-related risks to investors.

Today's Wall Street Journal provides a gruesomely fascinating account of Amaranth's final days ("Amid Amaranth's Crisis, Other Players Profited"). The mental image it conjures in the reader's mind is that of a pack of wolves, one of which has injured itself and lies dying of its wounds, the rest taking the biggest, juiciest hunks out of it they can while its heart still beats.

The Amaranth fiasco continues to affect the industry. In addition to the SEC's efforts to regulate hedge funds, the SEC, the Federal Reserve Bank of New York and the Financial Services Authority in London are investigating banks' and securities firms' lending practices to hedge funds.

Delegates are calling for global regulation that directly addresses climate change at the World Economic Forum in Davos. But can business, government and scientists agree on a solution that could actually have some impact on a global scale?

Not surprisingly, information and data security is one of the hotter topics in Davos among the attendees at the World Economic Forum. Logically, if there are regulators for the Internet, telecommunications and accounting, why don’t we have a standards in place for information and data security?

The Financial Crimes Enforcement Network (FinCEN), a division of the U.S. Treasury, released its paper today on the value of reporting on cross-border transfer of funds in fighting money laundering and terrorist sponsorship. According the document, such reporting would hold value, but would require that FinCEN implement a data warehouse architecture to manage the information submitted under any mandated reporting requirement.

Cory Levine, Wall Street & Technology

The cat-and-mouse continues, as researchers yesterday uncovered a new phishing technique being shared in the fraud community, which will enable criminals to bypass multi-factor authentication technologies. Analysts in the 24x7 Anti-Fraud Command Center operated by RSA discovered what they are calling the Universal Man-in-the-Middle Phishing Kit being sold in online forums. After analyzing a demo version of the kit, RSA concluded that this new user-friendly flavor of phishing could become big in the next 12 to 18 months.

Cory Levine, Wall Street & Technology

The New York Stock Exchange yesterday filed a letter with the SEC requesting an extension to the deadline of the Reg NMS trading phase. The current target date is February 5, and the Exchange is looking for an extra four weeks to roll out Phase IV of its Hybrid Market.

Mutual fund giant Vanguard has implemented the Knowledge Based Authentication (KBA) platform from Verid to reduce fraud risk. The firm will use KBA as part of the account opening process in the online and phone channels with certain types of accounts.

Cory Levine, Wall Street & Technology

A report from U.K. newspaper The Guardian reveals that financial institutions in the country are purposefully choosing not to report instances of online fraud and financial crime because they don't want to risk public exposure by law enforcement bodies that can do little or nothing about the crime — this from the mouth of a Metropolitan Police Detective Russell Day!

By Greg MacSweeney, Wall Street & Technology

Avoiding "reputation risk" is a common justification for increasing security measures, protecting customers' financial information and reporting security breaches in a timely manner. But now more than 18 months after the big ChoicePoint incident when 163,000 accounts were affected by ID thieves, the doom and gloom that financial services risk professionals have predicted has failed to come true.

Cory Levine, Wall Street & Technology

While I was eating leftover turkey last week, London's Financial Services Authority (FSA) completed a resiliency test of its financial markets and found that in the event of a bird flu pandemic, the backbone of the U.K. economy would be able to continue operating.

Cory Levine, Wall Street & Technology

In a speech at the Securities Industry and Financial Markets Association (SIFMA) launch event in Boca Raton, Fla, yesterday, NYSE Group CEO John Thain hinted at the future convergence of industry regulators. According to a Forbes.com report, Thane indicated that the current regulatory environment is less than ideal, and that overregulation of domestic markets is hindering their global competitiveness. “If we are not careful, we will in fact make the U.S. less attractive to the rest of the world,” he said.

Cory Levine, Wall Street & Technology

RSA, the security company acquired earlier this year by mega-vendor EMC, announced yesterday its Adaptive Authentication for Phone service, which provides automated, risk-based caller authentication for telephone banking services. In addition to developing a risk score for phone-based transactions and taking appropriate authentication measures, the service features what RSA is touting as the financial services industry's first voice biometric solution suitable to meet the FFIEC standards on risk-based authentication.

Cory Levine, Wall Street & Technology

The securities industry underwent a simulated business continuity planning (BCP) test last Saturday, October 14 conducted by the Securities Industry Association, the Bond Market Association, the Futures Industry Association and the Financial Information Forum. The test was similar to a BCP test held a year ago, but industry participation was up, with over 250 securities firms, exchanges, markets, service bureaus and industry utilities testing the functionality of backup data centers, work centers and communication links.

Cory Levine, Wall Street & Technology

E-mail communications on Wall Street are under considerably more scrutiny than those traveling through the London financial industry, according to new survey results from e-mail compliance vendor Orchestria.

The survey conducted earlier this month questioned 300 people working on Wall Street in New York and in the City area of London. Sixty percent of workers in New York believed that their employers were in the right by monitoring their e-mail. In London, only 38 percent of respondents believed that that their firm was within its rights to do so.

Cory Levine, Wall Street & Technology

NYSE Regulation today released its monthly roundup of disciplinary actions. Some notable firms made the hit list this month as a result of technology failures, and one can only wonder how these violations got past the firms’ various regulatory checks. All totaled six firms and nine individuals were fined. Here are the highlights, or should we say lowlights:

By Tim Clark, Wall Street & Technology

Financial services consulting firm Finetix recently announced its partnership with Cadence Capital Group LLC, a New York-based hedge fund specializing in options, aggressive long-short and delta-neutral strategies. According to Cadence cofounder Dmitry Babayev, the partnership was designed, in part, to avoid a hedge fund catastrophe of Amaranth-like proportions.

By Tim Clark, Wall Street & Technology

In an effort to help companies minimize the risks to business and information technology (IT) operations created by influenza pandemics and other catastrophic events, SunGard Availability Services and Satyam plan to release new solutions aimed at retaining business continuity in times of crisis. Also, to demonstrate some of its capabilities, Satyam completed a three-day mock drill that simulated a disaster in three Indian cities.

By Tim Clark, Wall Street & Technology

As federal regulators begin to investigate the catastrophic blowup of hedge fund Amaranth Advisors—whose $6 billion in losses resulted from bad bets on natural gas futures—the industry at large is scratching its head as to why the fund adopted such a risky investment strategy to begin with. This begs the question: Could technology, risk management or otherwise, have prevented the Amaranth debacle?

By Cory Levine, Wall Street & Technology

The much-discussed global derivatives market had the spotlight turned its way this week by an official from the U.K.'s Financial Services Authority (FSA). In a speech at yesterday's International Swaps and Derivatives Association regional conference, Thomas Huertas, director of the Wholesale Firms division and banking sector leader at the FSA called out the continued inefficiencies, risks and "sheer sloppiness" within derivatives markets.

By Greg MacSweeney, Wall Street & Technology

Despite the generally accepted belief that the user is solely responsible for his or her user name and password, at least one bank -- and probably many more -- has quietly refunded customers who were defrauded by phishing attacks.

By Cory Levine, Wall Street & Technology

Research and ratings authority Moody’s Investors Services has released the first of what it expects to be many ratings on the complex and opaque world of hedge funds. The ratings will be based on what Moody’s has dubbed Operational Quality (OQ), which addresses the internal and external aspects of the fund including valuation process, service providers, accounting controls, regulatory compliance, risk reporting and control, legal and financial structure, human resources, and other operational issues specific to the individual fund.

By Greg MacSweeney, Wall Street & Technology

Despite the approaching Federal Financial Institutions Examination Council's year-end deadline for the implementation of multi-factor authentication (MFA) at financial institutions, many FIs are still in the process of evaluating and selecting two-factor identification solutions. Some companies may still be in the evaluation phase of multifactor technology because the FFIEC's initial guidelines were purposely vague and have only recently been partially clarified with FFIEC's FAQ on its multifactor requirements.

By Sandeep Vishnu, BearingPoint

Technology continues to play an increasing role in risk management as instantiated by the recent entry on the SOX technology burden by Brian Mitchell of JPMorgan. ERM poses a challenge from an expense allocation perspective in that every investment could be directed towards an underlying risk, and it becomes hard to separate out incremental risk-related investments. Some investments are, of course, straightforward. For example, implementing two-factor authentication to reduce unauthorized access is clearly a risk-related investment and should be counted as such.

However, a platform upgrade to increase capacity to reduce the number of dropped transactions is a business decision that addresses the underlying risk of transaction failure. Should this be viewed as an expense for ERM, the business, a central infrastructure group, or some combination of these or others?

By Cory Levine, Wall Street & Technology

The financial services industry's effort toward secure authentication for online financial transactions was bumped up a spot or two on the old to-do list last week. The Federal Financial Institutions Examination Council (FFIEC) released a list of frequently asked questions, clarifying some of the lingering issues surrounding last year's guidance on risk-based authentication. Meanwhile, the Financial Services Technology Consortium (FSTC) announced its intentions to improve how financial institutions authenticate themselves to users, to curb phishing, pharming, spoofing and malware attacks.

By Brian Mitchell, JPMorgan

Why has SOX become such technology burden?

In year one, SOX was a burden for all. The business had to define all of the key controls associated with financial reporting and it had to identify the key systems on which the business depends to support these controls. Meanwhile, the technology group applied a typical general computing controls assessment to those systems. In subsequent years, the situation has not improved for IT controls.

By Greg MacSweeney, Wall Street & Technology

At first glance, the security flaw within HSBC's online banking system that has been exposed by two researchers working within Cardiff University's School of Computer Science looks like another black eye for financial firms, which are battling the growing perception that personal data risks aren't being taken seriously. However, as often is the case with press coverage, the hype surrounding the flaw is probably a greater risk to HSBC than the actual security flaw itself.

By Mike Everall, CISO, DrKW

Yes, we have all seen the seminars and training camps and white papers, such as: "This is how you manage risk!" The trouble is there are as many ways to "manage" risk as there are pundits and white papers. So, I say let's get back to basics and get the fundamentals laid out. What is risk? What are the types of risk? And when is a risk not a risk?

What is a risk?
A risk is when an active (or potentially active) exposure by your organization creates an adverse impact. This doesn't mean that passive risk doesn't exist: If you "passively" don't do something you can expose the organization just as badly as if you "actively" do something.

What are the risks?
There are many specific types if risk, but at the end of the day the four basic classes are: Financial, Operational, Reputational and Regulatory. Some argue that regulatory risk can be folded into the first three, but it makes it easier to explain regulatory risk to a non-professional colleague if you split it out.

By Greg MacSweeney, Wall Street & Technology

A survey of more than 200 governance risk and compliance (GRC) professionals, 37.8 percent of whom represent financial services companies, reports that the majority of respondents believe their IT departments aren’t meeting the GRC needs of the business. Fifty-five percent of respondents to the survey by the Open Compliance and Ethics Group and GRC solution provider Axentis indicated that their technology departments had a poor understanding of GRC technology demands. Participants with the least-favorable view classified themselves as legal, ethical or regulatory compliance professionals. Within this group, only 28 percent rated their IT departments’ understanding of GRC and its associated needs as above average.

In the financial industry specifically, however, IT might be doing a better job than the overall industry. In this survey, less than half of the respondents were from financial firms. With the financial industry being so focused on risk management, one can only hope that its IT community understands the importance of controlling technology risk.

The Wall Street & Technology Risk Management Blog is dedicated to risk management professionals in financial services who are looking for more information, latest trends, news and opinions on matters related to managing risk at a financial services organization. At the blog, updated frequently by WS&T's editors and special contributing bloggers from various Wall Street firms, readers will find an interactive forum to share ideas and comment on the latest news and trends.

May 2008 Sun Mon Tue Wed Thu Fri Sat         1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Weblogs of Interest Dark Reading: Firewalled Chief Risk Officer: New Era of Risk Management InformationWeek's Blog Digest Parry Aftab, the Privacy Lawyer

Categories Archives May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 June 2007 May 2007 April 2007 March 2007 February 2007 January 2007 December 2006 November 2006 October 2006 September 2006 August 2006 July 2006 June 2006 May 2006 April 2006 February 2006 January 2006