Many times, safety and security mechanisms simply move risk from one place to another. Sometimes we manage to reduce risk, but sometimes we increase it. How we perceive the problem we are solving, and how we go about solving it, has a lot to do with which of the two we end up with.
A question comes to mind: how many legs does a three-legged dog have if you call a tail a leg? Answer: three. Just because you call a tail a leg doesn't make it a leg. The "rogue" trader at UBS (whose actions spanned multiple years) exploited some interesting loopholes. It looks like the alleged hedge that went wrong used Exchange Traded Funds (ETFs) as the hedging instrument. In the US, ETFs are cleared the same way equities are, but in Europe a large share of ETF trading is done over-the-counter rather than on an exchange, and by convention those bilateral trades are not confirmed. So there is a loophole in the confirmation process.
WSJ:
Despite their name, ETFs have been traded away from exchanges since the early days of the product, when ETF trading on exchanges was relatively illiquid. Over-the-counter trading is still significant, even though weekly turnover in ETFs on exchanges has risen as high as $15 billion world-wide. In Europe, 70% of ETF trading is done over-the-counter, trade-settlement service provider Euroclear estimates. By convention, European banks don't have to confirm ETF trades done bilaterally, or 'over-the-counter.'
The lack of a proper confirmation process means the kind of fraud allegedly perpetrated at UBS could happen again. It also means ETF ownership could be unclear—a major problem with other OTC derivatives during the financial crisis, particularly in the wake of the Lehman collapse. In Europe, the problem is compounded because market players aren't required to report over-the-counter trades in ETFs to a regulator, as they are with off-market trading in normal equities. That means regulators have no clear view of who holds what in the ETF market, or whether risks are building through large concentrations of ETF ownership.
ETFs were introduced to be a cheap and liquid (read: safe) alternative to equities, indices and funds. However, at least in Europe, the back-end confirmation process was not aligned with that goal, leaving one leg of the hedge difficult to reconcile. Imagine if you could tell your mortgage banker that you had purchased home insurance on your house when you had not, and she never verified it. Everything would be fine until you had a fire. Just because ETFs were introduced with the goal of safety does not mean the implementation matched the goal.
People often say that complexity is the enemy of information security. Yet security tools are often among the most complex parts of any system: how many things in your enterprise are more complicated than, say, Kerberos or PKI?
On a happier note, the good thing about market crashes is that they shake a lot of bad actors out of the system. Bernie Madoff would very likely still be in business today if the 2008 crash had not happened, for example.
Secure Coding Training Class: Mobile AppSec Triathlon
Do you have what it takes to complete a triathlon on three vital topics in the mobile world: Mobile application security, web services security, and mobile identity management?
Come join two leading experts, Gunnar Peterson and Ken van Wyk, for the first Mobile App Security Triathlon, in San Jose, California, on November 2-4, 2011.