Skip to main content

UBS’s $2B fraud: Teachable moments for risk management, corporate governance & banking regulation

After the 2008 financial crisis, I wrote to Professor John Hull, a derivatives expert at University of Toronto’s Rotman School, and asked whether the boards of investment banks should have directors with derivatives expertise on them. His response was “There is no question in my mind that a large financial institution should have on its board people (perhaps 2 or 3) who understand derivatives and other complex financial products. They should also receive stress test results. One of the problems is that, although stress tests are carried out, their results are often ignored by senior management.”

We now are witnessing a stunning 2B alleged fraud by a 31 year-old so-called “rogue” trader – one Kweku Adoboli – at the Delta One desk (read: ETFs – Exchange-Traded Fund and index related trading) of UBS, who had intimate back-office booking knowledge of how trades are reconciled with counterparties. This is a teachable moment, namely that the risk management, corporate governance and banking reforms to date have been wholly inadequate. The 2008 crisis can occur again and “Too Big to Fail” has not been addressed.

We need to admit that most – if not the vast majority – of corporate directors simply do not understand complex derivative products, and we are demanding too much of them when we expect that they do. If we want directors to understand derivatives, they need to be chosen differently. A current or former CEO may not understand. And there is evidence that CEOs do not make better directors. A common refrain from directors I interview of large complex institutions is “Richard I don’t understand.” And these are very senior business people. In the words of one Chief Risk Officer of a bank, “Directors cannot possibly understand.”

Derivatives experts exist. They have narrow subject-matter expertise. What are the odds this type of person would be asked to serve on an investment bank board, pushing back on management all the time, when management and directors themselves select one another under the current system, rather than directors being selected by shareholders? The derivatives expert may not be asked because “they haven’t run anything.” As we move towards expert and diverse boards, these types of individuals need to populate boards to make them more effective.

Next, the trader, Mr. Adoboli, is not simply a “rogue” as UBS maintains. He is an employee operating within a system of deficient internal controls. The bank, the management and regulators are at fault.

Surveys and studies indicate that risk management is presently inadequate. There needs to be a significant restructuring of risk and assurance of risk. Risk management is a cost, and money spent on internal controls to mitigate risk does not contribute to the bottom line. CEOs resist, boards don’t understand, and regulators need to regulate.

The BP disaster resulted from flawed risk management according to expert reports. NewsCorp phone hacking is flawed risk management. The Canadian corporate governance guidelines on (National Policy 58-201) mentions the word “risk” twice in its entire set of guidelines, and the risk management provision is twenty-one words in length (section 3.4 c). Many governance codes addressing risk are similarly sparse and written at high levels, with rare exception. Without proper regulation, as a “stick,” boards have little to point to in insisting on robust risk management and internal controls.

When a CEO or CFO attests to a board of directors that the internal controls over risks are adequate, that attestation should be subject to external review, especially for operational risks such as environmental compliance, information technology, bribery, or complex derivatives – whatever it is that can materially affect – and if unchecked bring down – a company.

Internal controls exist – authorization of transactions, electronic safeguards, segregation of duties, control limits, and prevention of manual override. They cost money to implement and are often perceived by management as a “drag” on profit-making.

The rigor of internal controls over financial reporting for S-Ox needs to apply to all major business risks, not just financial. Companies will resist because of cost and distraction, so policy choices needs to be made. Are we willing to live with trusting a CEO?

More needs to be done as well in the governance context. Here is advice to the chairs of investment banks, in light of UBS:

The chair of the compensation committee should retain an independent compensation consultant to study the compensation for each material risk-taker, and report to the chair on how their remuneration is incenting adverse risk-taking. The compensation consultant must tailor risk-adjustment advice to suit that bank, and comply fully with all Basel Committee on Banking Supervision reports and recommendations. (Any blowback by management that we need to pay our people and traders this way or they will move to a competitor should be met by requests for empirical evidence, which, according to Ken Feinberg, the former US pay czar, does not exist.)

The chair of the audit committee of the investment bank should instruct internal audit to complete a thorough review of the design and effectiveness of internal controls over all trading activities, and report directly to the chair. The chair should approve the budget, resources and work plan. If the head of internal audit is not up to the task, the chair should fire him or her and find someone who is. If necessary, external assurance providers —not the external auditor— should be retained by the chair as well, and report directly to the committee not management.

Next, the chairs of these two committees, together with the board chair should meet with the CEO and CFO to inform them of the above two studies, and direct them to cooperate fully with all requests for information. Directors need to direct more, if and when required.

How many chairs have the fortitude to do this, I wonder? If directors are there to control management, then they must have the statutory authority and resources to do so.

Lastly, regulators need to regulate if and when required. Specifically, all regulators should separate, permanently, global wholesale/investment banking’s proprietary trading from retail banking. Otherwise taxpayers will be on the hook for a very dangerous industry, akin to “casino gambling” by critics. It is totally unacceptable that one person, reputed to have “bet $10bn,” can cause this much damage. If you multiply it, with contagion, the investment banking system is broke and dangerous. Regulators need to address this issue. It has been three years since the financial crisis. In the words of Martin Wolf, a member of the UK’s Independent Commission on Banking, “No sane country can allow taxpayers to stand behind such risks.”

Updated on September 20th, 2011.