Inadequate IT security allowed a trader at French bank Société Générale to make a series of unauthorized transactions that ultimately cost the bank €4.9 billion ($7.2 billion), an internal investigation has found.

To prevent a recurrence, the bank should immediately introduce stronger security systems, including biometric authentication of trading staff, a special committee has recommended in its preliminary report to the bank's board of directors on Wednesday

Between Jan. 18 and Jan. 20, the bank discovered that trader Jérôme Kerviel had established trading "positions" -- bets that the price of securities and warrants would move in a particular direction -- worth more than the bank itself. He bet wrongly, and unwinding those positions over the following three days cost the bank €4.9 billion as it sold the stocks into a falling market.

As an arbitrage trader, Kerviel should have been making transactions in pairs, buying and selling similar assets to exploit the minute and fleeting differences in prices that exist in markets. Arbitrage trading is considered less glamorous than the one-way bets he secretly made from time to time by faking one half of a pair of transactions.

Kerviel had previously worked in the bank's IT department, and so had in-depth knowledge of its systems and procedures.

Staff mostly followed those procedures, the investigating committee found, but the procedures were not sufficient to identify the fraud before Jan. 18, partly because of the effort Kerviel made to avoid detection, and partly because staff did not systematically conduct in-depth investigations when warnings flags were raised.

Among the tricks Kerviel used to hide his activities, the bank's General Inspection department highlighted the use of fake e-mails to justify missing trades, and the borrowing of colleagues log-in credentials to conduct trades in their name.

Investigators identified at least seven occasions when Kerviel faked messages between April 2007 and Jan. 18, four of them referencing trades that never existed. The deception was eventually uncovered when they could find no trace of Kerviel receiving the purported messages in the bank's e-mail archival system, Zantaz.

Between July 2006 and September 2007, internal control systems raised 24 alerts when the value of Kerviel's trades exceeded authorized limits, the General Inspection department reported. At the time, the bank's risk monitoring unit put the anomalies down to recurrent problems with the way the trading software recorded operations, and asked Kerviel's superiors to make sure he didn't exceed limits again.

The IDG News Service is a Network World affiliate.