Biometric systems make it more difficult for dishonest employees to repudiate in court the evidence against them. Companies need systems for detecting and holding accountable persons who are violating security and internal control system standards.
Following the billions of dollars of losses caused by dishonest or irresponsible employees, investors and voters should become suspicious in the future whenever executives or audit committees claim their companies cannot afford better security systems.
Biometrics authentication – The reliable solution for security
The International Organization for Standardization (ISO) has published a new standard ISO 19092:2008 Financial services-Biometrics-security framework. “This standard establishes the security requirements for the implementation and management of state-of-the-art biometric identification technology within the financial industry.” It will make transactions more secure in the electronic era for the financial sector. (Ref 1)
SAP users can mitigate fraud by using bioLock (from realtime North America), the certified biometric solution using fingerprints.
Even if log-in passwords were obtained, the fraudster would not be able to do anything with the passwords because the biometric authentication system would deny him access to perform transactions.
If an ERP system uses multiple passwords for each user to control access to specific modules, that approach is no match for a biometric system able to control access even to the transaction, field or data level. The biometric approach is crucial for maintaining segregation of duties when employees gain new responsibilities.
Societe Generale Bank – case study
The fraud at Societe Generale Bank is a classic example of how the fraud could have been prevented if they used SAP and a biometric system like bioLock for protection.
What went wrong?
Jerome Kerviel worked in the back office and in the middle office from 2000 to 2005, prior to becoming a trader. He had in-depth knowledge of their systems and procedures. (Ref 2 & Ref 3)
He made a lot of effort for his fraudulent trades to be undetected by the system. He used:
- Fake email messages for justifying missing trades. (Ref4)
- Borrowed colleagues log-in credentials by using their passwords to conduct trades in their name.
- Forged documents. He created a fictitious Profit and Loss statement for 2007 reflecting the bogus hedges he had created for this period.
- Manipulated the bank’s proprietary system Eliot by deleting transactions and re-entering them after reconciliation.
There were 75 warnings regarding Kerviel’s rogue trading. Yet, the authorities failed to detect Kerviel’s rogue trading until it escalated to such a high level. (Ref 5)
What can organizations do in the future to prevent this?
According to Diamond Management and Technology Consultants, Inc. this fraud was due to deficiency in Societe Generale’s operational risk management. To avoid this situation Societe Generale needs to have automated processes, an internal controls culture, and IT access controls. (Ref 6)
Improve and strengthen internal controls and risk management procedures
Banks and financial institutions need to build an internal controls culture which spans the business from top to bottom and also extends across businesses. They need to improve:
- Controls for cancelled or modified transactions
- Controls for transactions over certain limits.
- Procedures to act on alerts.
Strengthen IT security
To prevent a recurrence of a fraud like this, financial institutions can improve security by adding biometric systems to their ERP systems or by replacing their legacy systems with SAP and bioLock. Most biometric systems are used for access control, but bioLock goes beyond access control and is even able to control a field, function or value within the ERP system, such as the amount of an outgoing wire transfer.
The technology offers control for changes to transactions within SAP ERP and will prevent unauthorized changes. The special committee for investigating Societe Generale’s fraud recommended that to prevent traders from using one another’s accounts the bank should use a stronger biometric authentication system. A system like bioLock would be the solution.
- When Jerome Kerviel was promoted from middle office to front office bioLock could be used to change his role and deny access to the backend systems in SAP ERP.
- An SAP system requiring biometric identification using bioLock would not have allowed Jerome Kerviel to use others log in credentials to post his fraudulent trades in their name.
- bioLock would also restrict access to Jerome Kerviel from deleting records of his trade transactions from the system before reconciliation.
- There would be high accountability as the system would show that Jerome tried to use others passwords to enter his trades in their name.
- As a result a technology like bioLock would deter fraudster’s from trying to commit fraud since they would be uniquely identified.
In today’s world, banks are required to comply with regulations and standards to protect them from fraud. To mitigate fraud, they need to supplement their internal controls compliance with biometric authentication. Biometrics will prevent data breaches of security. Fraudsters will not limit their fraudulent activities trying to perpetrate frauds using only an ERP system. Users of ERP systems must also secure email systems and any trading systems interfacing with an ERP system. This would tighten security and improve accountability.