Next rogue trader could hit banks anytime

"All of the things that make a great trader make a great fraudster too," says Mark Rasch, a consultant with FTI Consulting who previously ran the U.S. Justice Department's computer crimes unit.

Even the regulator who helped calm U.S. financial markets after the 9/11 attacks worries about the terror a lone trader might wreak on the world's biggest banks and security houses.

"There are no foolproof systems," says Harvey Pitt, who was chairman of the U.S. Securities and Exchange Commission in 2001-2002. "You always worry about the possibility of rogue traders."

There's reason to worry: bankers, regulators and investors are shocked at how a mid-level employee's unauthorized stock trading led to a $7.2 billion loss at French bank Societe Generale and sent European markets into a tailspin.

It's impossible to root out all potential troublemakers, say former regulators and risk management consultants. But banks can take preventive steps. These include regular reviews of credit files and other easily accessible reports, such as real estate purchases or even divorce papers.

"It ought to include a whole variety of checks -- even if somebody has (previously) passed whatever kinds of reviews," Pitt says.

Many frauds require constant attention by the perpetrators so they can maintain the appearance that nothing unusual is going on. That is why the banks with the best controls require employees to take one or two full weeks off per year where they have no contact with the office. Auditors have a chance of identifying long-term fraud if the perpetrator is not around to cover it up.

The SocGen trader, Jerome Kerviel, hardly took any time off.

There are also measures that do not work. Many experts agree that includes psychological testing, because rogue traders often share a mathematical genius with brilliant money makers, and the tests can be overly intrusive and demoralizing.

It's impossible to identify the very best criminals because they are so good at hiding what they do, says Louise Borke, a former State Street Corp risk management executive who now teaches banks how to spot fraud.

Moreover, given the right circumstances, nine out of 10 employees might commit fraud at some point in their careers, Borke says. Factors that boost the chances include pressure to succeed on the job, financial problems, and gambling and drug addictions.

"The same person might be at risk for fraud in different environments and at different times in their lives," Borke added.

If routine reviews turn up red flags, the bank can follow up with whatever measure seems appropriate: from more thorough trading oversight to a full investigation.

Full-scale probes costs more than $100,000, so they are reserved for cases where it is almost certain there is something going on. That is when computer experts are called in to examine the suspect's PC and Blackberry, and dig up evidence.

"If you want to survive, you better make sure you are trying to stay at least one step ahead of the bad guys," Pitt says.

As the details about what happened at SocGen emerge, many banks will check their systems for weaknesses.

They have to act quickly because crooks learn from each other's mistakes. The wires light up with more people trying to emulate what has happened, said Sandeep Vishnu, managing director of enterprise risk management at consulting firm BearingPoint Inc.

Banks should also thoroughly review computer systems designed to identify unusual trading. These may need to be recalibrated to make them more sensitive to unusual behavior.

The system may also be vulnerable to abuse by insiders who know how they work. Kerviel, for example, worked in the bank's back office before becoming a trader, giving him knowledge of the computer systems used to audit his trading.

One options trader at a New York bank who has a background similar to Kerviel said he knows of cases where employees did not lose access to computers used to audit trades, even after moving to trading floors from the back office.

Even when stripped of those credentials, it can be easy to hack into supposedly secure computer systems.

"I could probably do it," he added.

Those are the loopholes that many banks are desperately trying to find and plug. They spend millions of dollars on risk management systems -- and the computer systems to implement them -- to identify potential fraud.

They mostly do it on their own, with advice from a select group of consultants, to make it tougher for outsiders to learn about their operations. They also consider risk management part of the secret potion that gives them an edge over rivals.

"There will be people who say: 'We have confidence in our controls. That happened there and not to us,'" Vishnu said. "In our mind, they are the more naive performers."

(Editing by Jack Reerink/Andre Grenon)