31 JulReconciliation. Not doing it properly is suicide and it is not painless
Suicide, or at least attempted suicide, is the inspiration for this week’s Blog post. Iowa in the mid-West of the USA is a long way from the financial capitals of the world, but a local tragedy provides a lesson for everybody who works in financial services.
PFGBest aka Pergrine is a small brokerage house. It is now being wound down after the attempted suicide of its CEO led to a discovery that there was a big hole in the customer accounts. Twenty years ago, the CEO started to falsify external statements to cover up his misuse of customer funds to shore up the firm in the face of losses. This has some amazing facets. Twenty years is a a long time, proving you can fool some people for a long time. The real shocker comes from the words “external statements”. The ingenious CEO apparently misdirected statements from the bank where his clients’ money was held, US Trust, directly to him and then basically re-created a statement using basic software such as Photoshop and a word processor. Basically, the CEO was stealing money out of the external account that held all of his customers’ cash and then falsifying the statement from the bank.
This is all about reconciliation. Internally there will be a ledger account called “Client Money at US Trust”, this ought to reconcile internally to the sum of the cash balances in the many client accounts. Externally that one ledger account ought to reconcile to a statement from the bank. If the ledger held securities rather than cash, then there would be an equivalent holdings statement from a bank or custodian. Reconciling “internal” vs. “external” is the staple diet of daily Operational work. For the most part, it is automated and pretty routine. Services such as SWIFT help move the data in a standard format and well established reconciliation tools such as SmartStream’s TLM or SunGard’s IntelliMatch automate the process.
There are a number of folk that were asleep at the wheel on this one:
The internal control function, or Operations Control as it is called in many shops. In the days of electronic feeds and SWIFT, there should have been alarm bells ringing when the statements were being hand delivered by the CEO.
Audit would be next in line for a good telling off, for the same reasons. Both internal and external auditors lost the plot here. Whilst Internal Audit cannot test everything every year, over a period of years they should have spotted this one, especially given the manual nature of the statement. Also, it is standard practice each year to get a formal statement sent directly to the external auditors, exactly to prevent just the type of fraud we see here.
Regulators. We should also spare a spoonful of venom for the watchers; client money is such a very sensitive subject, yet the regulators failed in the most obvious way.
Lessons Learned: There are plenty here. If you are a client, it might be that banks can’t be trusted. Unfortunately, in the Summer of 2012, there are enough cases of banks behaving badly on the table to support this conclusion. If you are on the inside wondering what you need to be doing to make your world a better place:
Single Point of Control: On a day-to-day basis there must be one and only one team that that performs this Account Verification, checking the internal ledgers to the external statement. Some shops do not follow this rule; a practice that I have encountered was that the Operations Control folks only dealt with accounts at custodians and Nostros, but not the other, albeit less numerous, accounts such as CCP’s or Collateral Accounts. For me this is plain wrong; the control function must be performed by somebody who has no role in production.
Electronic vs. Non: Divide and conquer. The gold standard is that for any ledger account that represents an asset held externally, be that cash, securities or collateral with a counterpart or CCP, a statement sent by SWIFT and input directly to your reconciliation software is the requirement. If you have that, then the yearly external audit control is the full extent of additional checking you need. Annual is not necessary for all accounts. The silver standard is an electronic feed of some kind that goes directly into the reconciliation software. Again a yearly check by external audit is needed, perhaps in all cases. The bronze standard are those accounts you cannot get SWIFT or electronic format reports for. Those are the ones that need very precise oversight and verification. They must be subject to at least an annual, if not semi-annual, verification by audit, either external or internal.
A personal request: If you find this Blog useful, please subscribe. There is an E-Mail tool and an RSS link on the right hand side of the main Blog page. If you like it enough to share, please share this with a friend or two and ask them to subscribe too. If I am wide of the mark and not offering anything of use, please comment or contact me directly via E-Mail.