FX Dealings & Internal Controls, Compliance & Risk Management
1. FX Dealing and Internal Controls
Stephen Cheesewright
26 March 2010
ADVISORY
FINANCIAL RISK MANAGEMENT
2. Structure of the Presentation
What we can learn from history
Understanding the implications of control failure
We can learn from these incidents but always with the thought – “there but for the grace of God go I”
These are my personal views and don’t necessarily represent the views of KPMG
4. A recurring history of disaster
Date | Event or Company | $ Loss | Product
1987 | Stock market crash | Indeterminate | Systemic
1987 | AWA | $50 million | Foreign Exchange
1988 | Hammersmith & Fulham | 500 million pounds | Swaps
1991 | Allied Lyons | 150 million pounds | Currency Options
1992 | European currency crisis, Dell Computer | $8 million USD | Systemic
1993 | Showa Shell Sekiyu | 165 Billion Yen | Current Options
1993 | Metallgesellschaft | $1.3 Billion USD | Energy Futures
1994 | Gibson Greetings | $20 million USD | Leveraged I/rate derivatives
1994 | Dell Computer | $35 million USD | Options and leveraged products
1994 | Glaxo | 115 million pounds | Mortgage derivatives
1994 | Procter & Gamble | $157 million USD | Currency Swaps
1995 | Barings, Mexican Peso crisis | 1 billion pounds | Stock index futures
1997 | Asian currency crisis | Indeterminate | Systemic
1998 | Russian bond crisis / Long Term Capital Management | Stability of banking system | Systemic
1999 | Brazilian debt crisis | Stability of banking system | Economy wide
2000 | Pasminco, Grains Board | $1 billion AUD | Currency hedges
2001 | Enron, Andersen | Indeterminate | Accounting & corporate governance
2002 | Allied Irish Bank | $691 million USD | Currency options
2004 | NAB | $360 million | Currency options
5. Allied Irish Bank – Another Leeson?
AIB subsidiary in Baltimore incurred a $US 691m loss ($A1.2 billion) over 5 years
Governance – lack of management involvement in the business realities
No policy and procedures review
Cultural Issues – bullying, disdain for auditors and back-office staff & “aggressive compensation”
Rusnak was able to “create at will assets on Allfirst’s books”
Rusnak sold options to fund losses and keep trading
“The fraud was so inelegant….[but] nobody caught it”
Numerous control deficiencies
6. Allied Irish Bank – Another Leeson?
Audit issues detected but not followed through
Internal audit suffered from inadequate staffing and lack of experience, and did not focus on foreign exchange trading
Inappropriateness of risk reporting
Any challenge to the status quo was met with aggression and resistance
Simple exchange traded products (ETCs) were tested by the auditors – only 1 of the much higher error risk over the counter (OTC) products was tested
7. Allied Irish Bank – Another Leeson?
The Lessons
Understand and ensure fundamental controls are effective and are complied with
Aggressive behaviour is an indicator of problems
Need to challenge unusual trading strategies
Be wary of sold option positions – why is cash being raised in this way?
“The trades made no sense for a number of reasons” – Ludwig Report 2002
8. National Australia Bank – Another AIB?
The losses/overstatements occurred over a number of years and appear to have increased exponentially
Analysis of losses / overstatements (AUD)
September 01 4 million
September 02 8 million
September 03 42 million
December 03 92 million
January 04 84 million
February 04 360 million
9. National Australia Bank – Another AIB?
Aggressive profit targets linked to bonus structures
Traders were not honest
Use of false revaluation rates – independence of the source of revaluation rates appears to have been compromised
Management ignored limit breaches and warnings
External warnings ignored
Limit breaches not sufficiently escalated
Financial control was poor
Back office lapses – cut off and confirmation procedures were deficient – false transactions not detected because internal confirmations stopped
10. National Australia Bank – Another AIB?
The Board was provided with incorrect and incomplete information
Audit Committee was provided with limited information and did not recognise the implications of the control breakdown
Risk Committee was provided with incorrect information
Executive Committee not advised of breaches
Management disbelieved limit breaches
Risk escalation not pursued
Culture
Focus on processes rather than substance
Abdication of responsibility
‘It can’t happen to us’
11. National Australia Bank – Another AIB?
The Lessons
Fundamental controls can’t be ignored
If the limit system continually reports breaches then activities may need to be scaled down (lessening the risk) until the source of the continual limit breaches can be ascertained
There needs to be a robust and independent structure for the escalation of limit breaches
Reporting needs to also escalate issues to appropriate risk committees
Inculcating a compliance culture is important
Unlikely as it may seem – ‘it can happen to us’
12. Pasminco – No unauthorised activities or fraud but:
Ambitious expansion plan – $5 billion market value goal
Hostile takeover of Savage – debt levels and value of legacy hedge book significantly underestimated (approx $300 million)
Planned and executed transactions that were designed around a view that the AUD spot level would be 69c and the zinc price would be USD 1200 per tonne over the next 12 months
Relied on a consensus view of 42 banks that forecast the AUD/USD spot level to be 69 cents – but over the next 12 months:
The $AUD dived to below 50 cents
The zinc price fell to $USD800 per tonne
[Chart: 6 month forecast, Jan-84 to Jan-00, vertical axis 0.50 to 1.00]
13. Pasminco – No unauthorised activities or fraud but:
Zinc price was not hedged
Policy allowed currency hedging – $2.3 billion of option ‘collars’ in a 3 cent band between 68 and 65 were eventually closed out at a $850 million loss
Sensitivity analysis – did not give due consideration to extreme outcomes which subsequently eventuated
Poor cash management/information system – slowed reaction of management
Domineering CEO – overrode the CFO, Management and the Board
14. Pasminco – No unauthorised activities or fraud but:
The Lessons –
Impossible to predict future price movements – hazardous to position a company to ‘take advantage’ of an unknown future price movement
We need to do more than just understand the treasury policy – could it potentially create an undesirable situation?
More sensitivity analysis – financial risk exposure profile of a firm as a going concern
The need for corporate governance and moderation of authority
16. Type of Control : Policy
Rationale: Board is aware of organisation’s financial risks and has a process in place to manage them
Implications of failure: Organisation is caught unaware of risks and suffers unexpected loss
Rationale: Board understands financial risk management and the risks and rewards
Implications of failure: Approved risk management approach results in an outcome which the board does not expect or desire
Rationale: There is no ambiguity in understanding the policy
Implications of failure: Management has a different understanding of the approved risk management approach to the Board
17. Type of Control : Policy cont.
Rationale: Specification of precisely which financial instruments are being used i.e. a bought option and a sold option are significantly different
Implications of failure: Board and senior management are unaware of the potential outcome of some derivative instruments/strategies
Rationale: Clear delegations and limitations of authority
Implications of failure: If it is not ‘Black Letter Law’ it can’t be tested, monitored or discretion limited
Rationale: Written policy means breaches can be clearly defined
Implications of failure: If breaches of policy are not detected and reported there is no point in having a policy
18. Type of Control: Matching of Inward Confirmations
Rationale: Designed to detect errors in interpretation of transactions
Implications of failure: Transactions may have long lives, rates may move significantly and losses may be severe if transaction errors take a long time to detect or are not detected until settlement
Rationale: Designed to detect bogus transactions
Implications of failure: Where a transaction is bogus and the back office does not seek confirmation – then the bogus transaction will not be detected
Rationale: Designed to ensure the data in treasury and transaction systems has integrity
Implications of failure: The system has incorrect data therefore the position is misunderstood and settlement is incorrect
19. Type of Control: Protection of the Routing of Inward Confirmations
Rationale: Designed to prevent interception by dealers
Implications of failure: The dealer intercepts the inward confirmation to prevent detection of an erroneous or unauthorised transaction
20. Type of Control: Segregation of rights in Electronic Banking Systems
Systems Administration
Rationale: Separation of administrator rights prevents uncontrolled operation of users and authorisers
Implications of failure: Non separation of administrator rights allows unauthorised creation of users and authorisers – thus facilitating a fraud
Creation and Authorisation of Payments
Rationale: Segregation of payment duties prevents the creation of unauthorised payments
Implications of failure: Non separation of payment rights potentially allows the creation of unauthorised payments
Locking of Payment Templates
Rationale: Locking of payment templates enables authorisers to rely on payment templates
Implications of failure: Non locking of payment templates means that payment details including account numbers cannot be relied on by authorisers without thorough checking
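The three segregation checks on this slide can be run as a periodic review over an entitlement export and a payment log. The Python below is an added example, not part of the presentation; the role names, record fields and sample data are constructed assumptions and do not describe any particular banking product.

```python
from collections import defaultdict

# Constructed role names for a generic e-banking portal (assumed, not a real product's).
TOXIC_PAIRS = [
    ("sysadmin", "payment_creator"),
    ("sysadmin", "payment_authoriser"),
    ("payment_creator", "payment_authoriser"),
    ("template_editor", "payment_authoriser"),
]

def sod_violations(entitlements):
    """Return sorted (user, role_a, role_b) for each conflicting pair held by one user."""
    held = defaultdict(set)
    for user, role in entitlements:
        held[user].add(role)
    return sorted((u, a, b) for u, roles in held.items()
                  for a, b in TOXIC_PAIRS if a in roles and b in roles)

def payment_exceptions(payments, templates):
    """Map payment id -> reasons an authoriser could not have relied on it."""
    out = {}
    for p in payments:
        reasons = []
        if p["created_by"] == p["authorised_by"]:
            reasons.append("creator authorised own payment")
        tpl = templates.get(p["template"])
        if tpl is None or not tpl["locked"]:
            reasons.append("template missing or not locked")
        elif tpl["account"] != p["account"]:
            reasons.append("account differs from locked template")
        if reasons:
            out[p["id"]] = reasons
    return out

# Constructed sample data.
ENTITLEMENTS = [("alice", "payment_creator"), ("bob", "payment_authoriser"),
                ("carol", "sysadmin"), ("carol", "payment_authoriser"),
                ("dave", "payment_creator"), ("dave", "payment_authoriser")]
TEMPLATES = {"T1": {"locked": True, "account": "AU-0001"},
             "T2": {"locked": False, "account": "AU-0002"}}
PAYMENTS = [
    {"id": "P1", "created_by": "alice", "authorised_by": "bob", "template": "T1", "account": "AU-0001"},
    {"id": "P2", "created_by": "dave", "authorised_by": "dave", "template": "T1", "account": "AU-0001"},
    {"id": "P3", "created_by": "alice", "authorised_by": "bob", "template": "T1", "account": "AU-9999"},
    {"id": "P4", "created_by": "alice", "authorised_by": "bob", "template": "T2", "account": "AU-0002"},
]

if __name__ == "__main__":
    print(sod_violations(ENTITLEMENTS))
    print(payment_exceptions(PAYMENTS, TEMPLATES))
```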
21. Type of Control : Prohibition of Facsimile Payment Instructions
Rationale: Receiver of facsimiles cannot detect whether the payment instructions originated from an authorised or unauthorised source or whether they have been tampered with
Implications of failure: An external party sends unauthorised payment instructions to the organisation’s banker – which acts upon them
Rationale: Ditto
Implications of failure: A fraud is facilitated by the ability of an officer or director of the organisation producing an unauthorised payment instruction to use previously authorised transactions
Rationale: Ditto
Implications of failure: The payment instructions may be authorised but have then been amended in an unauthorised manner
22. Type of Control : Standard Settlement Instructions (‘SSI’s)
Rationale: SSIs issued to counterparties ensure that they only pay funds to accounts properly controlled by your entity
Implications of failure: Counterparties may receive instructions (either within – or by a party external to the organisation) to pay funds to an unauthorised location/beneficiary
Rationale: SSIs received from a counterparty mean that officers authorising payments to a counterparty can verify beneficiary account details to a ‘certified’ document
Implications of failure: Payment instruction (whether manual or electronic) may outwardly appear to be made to the correct counterparty – but may have incorrect account details
23. Type of Control : Outward Confirmations/Return of Inward Confirmations
Rationale: The sending of outward confirmations ensures that your organisation has confirmed its version of events and that should there be a bogus transaction entered in the system – then this may be confirmed by the counterparty querying the transaction
Implications of failure: Absent an outward confirmation – the organisation is potentially reliant on the counterparty’s view of events
Rationale: Ditto
Implications of failure: Reduces error detection
Rationale: Ditto
Implications of failure: A bogus transaction may not be detected – there is no inward confirmation
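The confirmation controls on slides 18 and 23 reduce to a daily exception report: booked deals with no inward confirmation, confirmations with no booked deal, and deals whose terms differ. The Python below is an added example, not part of the presentation; it assumes both sides carry a shared deal reference and that confirmations arrive on a channel dealers cannot reach, and all field names and sample records are constructed.

```python
from datetime import date
from decimal import Decimal

MATCH_FIELDS = ("counterparty", "ccy_pair", "amount", "rate", "value_date")

def match_confirmations(deals, confirmations, as_of, max_age_days=2):
    """Match booked deals to inward confirmations on a shared reference (assumed)."""
    conf = {c["ref"]: c for c in confirmations}
    booked = {d["ref"] for d in deals}
    report = {"unconfirmed": [], "overdue": [], "mismatched": {}, "unbooked": []}
    for d in sorted(deals, key=lambda d: d["ref"]):
        c = conf.get(d["ref"])
        if c is None:
            # No inward confirmation: a bogus or mis-keyed deal looks exactly like this.
            report["unconfirmed"].append(d["ref"])
            if (as_of - d["trade_date"]).days > max_age_days:
                report["overdue"].append(d["ref"])
            continue
        diffs = [f for f in MATCH_FIELDS if d[f] != c[f]]
        if diffs:
            report["mismatched"][d["ref"]] = diffs
    # Confirmations with no booked deal: the counterparty believes a trade exists.
    report["unbooked"] = sorted(r for r in conf if r not in booked)
    return report

def rec(ref, cpty, amount, rate, value_date, trade_date=None):
    """Build one constructed sample record."""
    return {"ref": ref, "counterparty": cpty, "ccy_pair": "AUD/USD",
            "amount": Decimal(amount), "rate": Decimal(rate),
            "value_date": value_date, "trade_date": trade_date}

# Constructed sample data: front-office deal blotter vs. confirmations
# received by the back office.
VD = date(2010, 4, 1)
DEALS = [
    rec("FX001", "BANK-A", "1000000", "0.9150", VD, date(2010, 3, 22)),
    rec("FX002", "BANK-B", "5000000", "0.9100", VD, date(2010, 3, 23)),
    rec("FX003", "BANK-C", "20000000", "0.9200", VD, date(2010, 3, 15)),
    rec("FX004", "BANK-A", "2000000", "0.9125", VD, date(2010, 3, 25)),
]
CONFIRMATIONS = [
    rec("FX001", "BANK-A", "1000000", "0.9150", VD),
    rec("FX002", "BANK-B", "5000000", "0.9010", VD),
    rec("FX999", "BANK-D", "750000", "0.9140", VD),
]

if __name__ == "__main__":
    print(match_confirmations(DEALS, CONFIRMATIONS, as_of=date(2010, 3, 26)))
```

The "overdue" list is the one to escalate independently of the dealing room, since an unconfirmed deal that ages is where both keying errors and bogus transactions accumulate.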
24. Type of Control : Independent Reconciliation of ‘Nostro’/Bank and Suspense Accounts
Rationale: Timely detection of ‘non-system’ originated entries
Implications of failure: Lose control of reconciliation processes – inability to account for transactions – inability to reconcile the bank account to the G/L
Rationale: Detection of unauthorised transactions
Implications of failure: If reconciliation is undertaken by staff initiating &/or settling transactions then they may be able to prevent detection of a fraud by accounting staff
Rationale: Detection and differentiation of foreign exchange positions versus asset and liability positions
Implications of failure: Inadvertent creation of unintended foreign exchange positions
25. Type of Control : Monitoring of Transaction Activity by an Independent Party
Rationale: Detection of unauthorised transactions or unusual trading patterns
Implications of failure: Unauthorised transactions or trading patterns may go undetected
26. Type of Control : Control the establishment of Bank Accounts and Facilities
Rationale: Control over the opening of bank accounts ensures that funds cannot be disbursed throughout the organisation
Implications of failure: Treasury loses control of the organisation’s liquidity
Rationale: Control over the opening of bank accounts assists to ensure that all funds are only banked to authorised accounts
Implications of failure: Fraud
Rationale: Banking facilities should only be Board authorised so that unauthorised losses cannot be hidden
Implications of failure: Unauthorised losses are not detected in a timely manner
27. Type of Control : Independent Sourcing of revaluation rates
Rationale: It is important that revaluation rates are not tampered with so that profit is correctly stated and risk systems correctly reflect the risk position
Implications of failure: P&L is overstated disguising unauthorised losses
Rationale: Ditto
Implications of failure: Risk Metric System understates the risks being run by the organisation
29. Disclaimer
The information contained herein is of a general nature and is not intended to address the
circumstances of any particular individual or entity. Although we endeavour to provide accurate
and timely information, there can be no guarantee that such information is accurate as of the date
it is received or that it will continue to be accurate in the future. No one should act on such
information without appropriate professional advice after a thorough examination of the particular
situation. The views and opinions contained in the presentation / paper are those of the author
and do not necessarily represent the views and opinions of KPMG, an Australian partnership,
part of the KPMG International network. The author disclaims all liability to any person or entity in
respect to any consequences of anything done, or omitted to be done.
Editor's notes
Primer on cash management. Difficult to do justice to the cornerstone of corporate treasury management in 30 minutes. Theme for today’s session is the emergence of cash management in Australia as an enterprise-wide function rather than the traditional domain of the corporate treasurer.