One of the world’s foremost experts on computer security, Bruce Schneier, writes on his blog about the recent theft of 130 million credit card numbers:
Yes, it’s a lot, but that’s the sort of quantities credit card numbers come in. They come by the millions, in large database files. Even if you only want ten, you have to steal millions. I’m sure every one of us has a credit card in our wallet whose number has been stolen. It’ll probably never be used for fraudulent purposes, but it’s in some stolen database somewhere.
Years ago, when giving advice on how to avoid identity theft, I would tell people to shred their trash. Today, that advice is completely obsolete. No one steals credit card numbers one by one out of the trash when they can be stolen by the millions from merchant databases.
I had read in the past about online thieves selling credit card data for a few cents per thousand cards, but I did not realize that things were so bad.
What is also interesting is that you do not need to use credit cards in online transactions, or in some fraud-prone South East Asian country, for your card number to land up in a stolen database. The number gets stolen from large retail chains in the best of countries.
Of course, Schneier is talking only about credit card numbers, so with the increasing use of two-factor authentication, it may take something more to actually use the card, but that something more is often surprisingly little.
Thu, 27 Aug 2009
The extent to which the Basel Committee on Banking Supervision has been captured by the banking industry that it regulates is clear from Guiding principles for the replacement of IAS 39 that it released today:
The new two-category approach for financial instruments should not result in an expansion of fair value accounting, in particular through profit and loss for institutions involved in credit intermediation. For example, lending instruments, including loans, should not end up in the fair value category.
There should be a strong overlay reflecting the entity’s underlying business model as adopted by the Board of Directors and senior management, consistent with the entity’s documented risk management strategy and its practices, while considering the characteristics of the instruments.
The new standard should ... permit reclassifications from the fair value to the amortised cost category; this should be allowed in rare circumstances following the occurrence of events having clearly led to a change in the business model
The IASB should carefully consider financial stability when adopting the timing of the implementation of the final standard.
The new standard should provide for valuation adjustments to avoid misstatement of both initial and subsequent profit or loss recognition when there is significant valuation uncertainty.
The new standard should utilise approaches that draw from relevant information in banks’ internal risk management and capital adequacy systems when possible (eg approaches that build upon or are otherwise consistent with loss estimation processes related to bank internal credit grades may be useful).
Is Basel saying, for example, that all through this crisis they have been quite happy with the robustness of “the underlying business model as adopted by the Board of Directors and senior management” of the banks as well as their “documented risk management strategy and ... practices”?
Wed, 26 Aug 2009
The $850,000 fraud was carried out by a sales assistant, which as Norris points out, is about as low as you can be in a brokerage office. The critical element in the fraud as detailed in the press release was to change the address of the customer (using falsified documents) so that account statements showing the unauthorized withdrawals do not reach the customer. Of course, she was also smart enough to choose customers who were unlikely to monitor their accounts regularly and notice the absence of periodic account statements.
There is one thing here that I do not understand. The best practice in the financial industry while recording a change of address is to send a confirmation of the change to the old address. I am fond of saying that responding to a change of address request with a confirmation letter to the new address is a matter of courtesy, and nothing will happen if this confirmation does not go out. But sending a confirmation to the old address is an elementary fraud precaution and under no circumstances should this fail to happen. It is the last opportunity for the customer to stop the fraud.
So did Citigroup not have a process for ensuring this standard fraud control? Or is sending a confirmation to the old address not as well understood and practiced in the industry as it should be?
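Whether the old-address confirmation actually went out can be audited from account event records. The sketch below is an added example, not part of the original post and not any broker's actual system; the event schema, account ids and amounts are constructed for illustration. It reports every address change where withdrawals happened before the old address was notified, or where the old address was never notified at all.

```python
# Constructed sample events (not data from the case discussed above).
# "seq" gives the order in which the events were recorded.
EVENTS = [
    {"seq": 1, "account": "A-100", "type": "address_change"},
    {"seq": 2, "account": "A-100", "type": "confirmation", "sent_to": "new"},
    {"seq": 3, "account": "A-100", "type": "withdrawal", "amount": 40000},
    {"seq": 4, "account": "B-200", "type": "address_change"},
    {"seq": 5, "account": "B-200", "type": "confirmation", "sent_to": "old"},
    {"seq": 6, "account": "B-200", "type": "confirmation", "sent_to": "new"},
    {"seq": 7, "account": "B-200", "type": "withdrawal", "amount": 1500},
    {"seq": 8, "account": "A-100", "type": "withdrawal", "amount": 25000},
    {"seq": 9, "account": "C-300", "type": "withdrawal", "amount": 900},
    {"seq": 10, "account": "D-400", "type": "address_change"},
    {"seq": 11, "account": "D-400", "type": "withdrawal", "amount": 7000},
    {"seq": 12, "account": "D-400", "type": "confirmation", "sent_to": "old"},
]


def audit_address_changes(events):
    """Return one finding per address change that left the customer exposed.

    A change is exposed if no confirmation was ever sent to the old address,
    or if withdrawals were made before that confirmation went out.
    """
    pending = {}    # account -> finding for its latest un-notified change
    findings = []   # every address change seen, filtered at the end

    for ev in sorted(events, key=lambda e: e["seq"]):
        acct = ev["account"]
        if ev["type"] == "address_change":
            finding = {
                "account": acct,
                "change_seq": ev["seq"],
                "old_address_notified": False,
                "withdrawals": [],   # seq numbers of withdrawals before notice
                "exposure": 0,       # total withdrawn before notice
            }
            pending[acct] = finding
            findings.append(finding)
        elif ev["type"] == "confirmation" and ev.get("sent_to") == "old":
            # The control fired: the customer at the old address was told.
            finding = pending.pop(acct, None)
            if finding is not None:
                finding["old_address_notified"] = True
        elif ev["type"] == "withdrawal" and acct in pending:
            # Money left the account while the old address was still unaware.
            pending[acct]["withdrawals"].append(ev["seq"])
            pending[acct]["exposure"] += ev["amount"]
        # A confirmation sent only to the new address is ignored on purpose:
        # it reaches whoever requested the change, not the customer.

    return [
        f for f in findings
        if not f["old_address_notified"] or f["withdrawals"]
    ]


if __name__ == "__main__":
    for f in audit_address_changes(EVENTS):
        print(f)
```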
Sat, 22 Aug 2009
While much has been made about the difficulty of winding up large and complex financial institutions, it appears that it is the simplest of structures that are the hardest to wind up. Giving some of one’s things to another for temporary safe keeping on “trust” is probably older than lending money (debt markets) or selling equity interests in assets (stock markets) – it is probably older than money itself. Yet it is the simple trust structure that is proving so difficult with Lehman Brothers International Europe (LBIE) in London.
The UK High Court has ruled that the normal scheme of arrangements in bankruptcy does not apply to trust property:
51. On analysis Part 26 is concerned with the general estate of a company. It cannot override ordinary trust principles. In the case of creditors, whether actual, prospective or contingent, it deals with persons who have claims which they can bring against the pool of assets which comprises the general estate of the company. A creditor’s claim ranks pari passu with other creditors’ claims against that general estate. It is perfectly comprehensible, therefore, that Part 26 should provide that if those creditors wish to rearrange or compromise their rights against the company, they should be able to do so, by the requisite majorities, because, at the end of the day, they all look to the company’s assets for satisfaction of their pecuniary rights.
52. By contrast with that is the person who has placed his assets with a trustee. There the position is totally different: the essential feature of so doing is that the owner knows that he can have his property, which remains his throughout, dealt with by the trustee in accordance with the terms of the trust. The property is not vulnerable to interference merely because the trustee becomes insolvent: the trust remains. The fact that the trustee is a corporate trustee is likewise immaterial to the integrity of the trust; no less immaterial is that the trustee happens to be a company liable to be wound up under the Insolvency Act 1986 (or the equivalent provision in Northern Ireland), these being the types of company to which the court’s jurisdiction under Part 26 applies where a compromise or arrangement is proposed between a company and its creditors or any class of them: see section 895(2)(b).
53. The fact that the proposed scheme is confined to persons who have a pecuniary claim, however prospective or contingent that claim may be (for example a claim for damages or compensation for the delay in returning that person’s property), does not assist the administrators. While the existence of that claim may provide the basis for a scheme of arrangement directed to that and other pecuniary claims against LBIE, it does not justify interference with the underlying property rights of the property owner. Aside from the fact that the property owner’s remedy (as beneficiary under the trust) for breach of trust is principally directed to securing performance of the trust, rather than to the recovery of compensation or damages, the existence of the pecuniary claims does not affect, and is certainly not the origin of, the owner’s property rights. To suggest otherwise and to ground the intention of the scheme to interfere with the owner’s property rights merely because that owner also has a pecuniary claim against LBIE in view of the possibility that LBIE has acted (or may yet act) in breach of trust is to invert the position. Indeed, the scheme, if it is allowed to proceed, risks turning the position of the beneficial owner on its head: this is because under a trust it is for the trustee to justify and account for his dealings with the trust estate whereas under the scheme the onus will be on the owner to come forward, as a dissentient, to explain and justify why that owner’s property rights should not be dealt with and varied under the scheme.
What I found most amusing was the idea that when a hedge fund gives collateral to a prime broker with unlimited right to rehypothecate, “the owner knows that he can have his property, which remains his throughout.” But then I am not a lawyer.
The court of course thinks that the absence of a scheme of arrangement does not matter. The court has enough powers to sort things out. By that argument, one does not need a scheme of arrangement for creditors either – the courts can sort that out too.
77. Establishing what client assets of any given client LBIE holds or controls, what competing claims there may be to those assets by other clients or by LBIE (or others) and how LBIE and the administrators are to discharge their duties in respect of those assets with a view to their due distribution to those entitled to them are all matters where the court has, in the exercise of its trust jurisdiction, well-developed processes to assist the accountable trustee or other fiduciary. For example, the court is well used to authorising a trustee to make distribution of a fund where there can be no certainty that all of the claimants to it have been identified and the trustee desires the protection of a court order in the event that a further claimant should subsequently appear or matters subsequently come to light which question the basis on which the distribution is made. In one sense, dealing with the matter by recourse to the court’s assistance in this way can be simpler (and less costly) than the often complex processes involved in the promotion of a scheme under Part 26.
78. At the risk of appearing glib, I do not consider that a structured approach of this broad kind is beyond practical achievement in the exceptionally difficult circumstances of LBIE’s administration.
In short, it appears that the legal system in the foremost financial centre in the world does not have a practical way of dealing with the simplest and oldest financial contract – property held under trust.
I wrote a column in the Financial Express today about the role of securitization.
The global financial crisis began two years ago, counting from the first liquidity crisis in Europe and the US on August 9, 2007. Over these two years, we have found that many of the conclusions that we came to in the early days of the crisis were simply wrong.
In 2007, we thought that the problem was about subprime mortgages, that it was about securitisation and that it was about CDOs (collateralised debt obligations). Now we know that these initial hasty judgments were mistaken. Defaults are rising in prime mortgages, huge losses are showing up in unsecuritised loans, and several banks have needed a bailout.
In 2007, when the first problems emerged in CDOs, people thought that these relatively recent innovations were the cause of the problem. Pretty soon, we realised that a CDO is simply a bank that is small enough to fail and conversely that a bank is only a CDO that is too big to fail.
Both banks and CDOs are pools of assets financed by liabilities with various levels of seniority and subordination. As the assets suffer losses, the equity and junior debt get wiped out first, and ultimately (absent a bailout) even the senior tranches would be affected. In retrospect, both banks and CDOs had too thin layers of equity.
Over the last two years, our understanding of securitisation has also changed significantly. As global banks released their results for the last quarter, it became clear that bank losses are now coming not from securitised assets but from unsecuritised loans or whole loans.
The Congressional Oversight Panel (COP) set up by the US Congress to “review the current state of financial markets and the regulatory system” published its latest report a few days ago. The report focuses entirely on whole loans and paints a very scary picture. Losses on troubled whole loans in the US banking system are estimated to be between $627 billion and $766 billion.
The COP report also states that “recent reports and statistics published by the FDIC indicate that overall loan quality at American banks is the worst in at least a quarter century, and the quality of loans is deteriorating at the fastest pace ever. The percentage of loans at least 90 days overdue, or on which the bank has ceased accruing interest or has written off, is also at its highest level since 1984, when the FDIC first began collecting such statistics.”
It is becoming clear that what the US is witnessing is an old-fashioned banking crisis in which loans go bad and therefore banks become insolvent and need to be bailed out. The whole focus on securitisation was a red herring. The main reason why securitisation hogged the limelight in the early stages was that the stringent accounting requirements for securities made losses there visible early.
Potential losses on loans could be hidden and ignored for several quarters until they actually began to default. Losses on securities had to be recognised the moment the market started thinking that they may default sometime in the future. Securitised assets were thus the canary in the mine that warned us of problems lying ahead.
Until recently, it could be argued that securitised loans were of lower quality than whole loans and that at least to this extent securitisation had made things worse. But this statement is true only for residential mortgages and not for commercial mortgages, where the position is the reverse. Securitised commercial mortgages (CMBS) are of higher quality than whole loans.
The COP report states: “While CMBS problems are undoubtedly a concern, the Panel finds even more noteworthy the rising problems with whole commercial real estate loans held on bank balance sheets. These bank loans tend to offer a riskier profile as compared to CMBS, suggesting high term default rates while the economy remains weak.”
Two years into the crisis, therefore, we find that the initial knee-jerk reaction against securitisation was a big mistake.
Securitisation doubtless redistributed losses throughout the world so that losses from the US real estate emerged in unexpected places – German public sector banks, for example. But securitisation was not responsible for most of the losses themselves.
We must also remember the US home owner gets a bargain that is available to few home owners elsewhere in the world – a 30-year fixed rate home loan that can be repaid (and refinanced) at any time without a prepayment penalty. This is possible mainly through securitisation and deep derivative markets that allow lenders to manage the interest rate risks.
In India by contrast, the home owner gets a much worse deal: most home loans are of shorter maturity (20 years or less) and are usually either floating rate or only partially fixed rate. The few ‘pure fixed rate’ loans involve stiff prepayment penalties when they are refinanced. It would be sad if we keep things that way because of an irrational fear of securitisation.
Fri, 21 Aug 2009
Hanke and Kwok have written a paper in the Cato Journal estimating the hyperinflation in Zimbabwe in November last year. They conclude that the monthly (not annualized) inflation rate of 80 billion percent was the second highest in world history (next only to Hungary in July 1946).
I was at first skeptical about the methodology that they use. Since Zimbabwe stopped publishing inflation data during the period, Hanke and Kwok rely on the share prices of the South African insurance and investment company, Old Mutual, in the stock markets in Harare and London. This involves making two assumptions:
- that the relative price of the Old Mutual share in the two countries provides a reliable estimate of the exchange rate of the Zimbabwe dollar; and
- the depreciation of the exchange rate is a good estimate of the inflation rate in Zimbabwe via purchasing power parity (PPP).
I thought that both assumptions are highly suspect for reasons that I explain below.
We do know that, absent capital controls, the relative share price of the same company in different countries tracks the exchange rate very closely. This was true as early as the eighteenth century (Larry Neal, “Integration of International Capital Markets: Quantitative Evidence from the Eighteenth to Twentieth Centuries”, Journal of Economic History, 1985) and it is even more so today. Even the well known paper of Froot and Dabora (“How are stock prices affected by the location of trade,” Journal of Financial Economics, 1999) found problems with the pricing of twin stocks but not the prices of the same twin in multiple markets.
At the same time, exchange controls can play havoc with this assumption. For example, Indian ADR prices trade at large premia to the underlying Indian shares. The difference between Shanghai and Hong Kong share prices of mainland China companies reflects the same phenomenon. These examples suggest that relative prices could be off by nearly a factor of two in the presence of stringent capital controls.
In the kind of lawlessness that prevailed in Zimbabwe, the margin of error is, I think, higher. I would not be too surprised to find a deviation of prices by as much as a factor of ten.
The second assumption about PPP is even more suspect. Under normal conditions, PPP does not hold up too well except over the very long run. Lothian and Taylor needed 200 years of data to demonstrate that PPP does hold at all (“Exchange rate behavior: The recent float from the experience of the last two centuries,” Journal of Political Economy, 1996).
One would hope that to the extent that PPP is held back by sticky prices, the extreme flexibility of prices during hyperinflation would make PPP hold better. I think there is merit in this argument.
However, in situations like Zimbabwe, the US dollar would probably be valued more as a store of value than as a medium of exchange. The exchange rate is then driven by asset market considerations rather than goods market considerations. Extreme financial repression in which the real rate of interest on the Zimbabwe dollar could be hugely negative (approaching -100%) would make the US dollar extremely attractive. People would then buy the US dollar not on the basis of what it is worth now, but on the basis of what it will be worth in future. At the same time, it is impossible for a foreigner to go long on the Zimbabwe dollar without assuming Zimbabwe sovereign credit risk and legal risk.
Under these conditions, I would not be surprised if the exchange rate undervalued the local currency by a factor of ten or more. Taken together with the earlier factor of ten for the stock price, this implies that Hanke and Kwok could be off by a factor of 100.
Surprisingly, this would make very little qualitative difference to the results of Hanke and Kwok. The monthly percentage rate of inflation in Zimbabwe that they estimate is roughly 80 billion. Revising it down by a factor of a hundred would bring it down to 800 million. That is still higher than the third highest rate on record (Yugoslavia, January 1994) of 300 million. No plausible margin of error in the opposite direction will bring Zimbabwe within even shouting distance of the highest recorded hyperinflation (Hungary, July 1946) which was 4 followed by 16 zeroes.
Put differently, to push Zimbabwe down to third place, the Hanke and Kwok estimate would have to be off by a factor of 250. Much as I dislike the smug confidence that Hanke and Kwok seem to have in arbitrage relationships in a society where there is security of neither life nor property, I find it difficult to argue that the arbitrage relationships may be off by a factor of 250.
Thu, 20 Aug 2009
I realized a couple of days ago that many of the comments on my blog in June and July had disappeared into a black hole. I am still trying to figure out what the problem was with my blogging software (this did not affect the comments on the Wordpress mirror).
In the meantime, I have now recovered most of these comments and added them to the blog. I have also written some code to retrieve orphaned comments and bring them up for moderation so that hopefully this does not happen again.
As I have stated in the past, it is my intention to use moderation only to filter out spam and not to filter out comments that I do not like. So if you find your legitimate (non-spam) comments not appearing on the blog within a few days, please do point it out to me by email.
Mon, 17 Aug 2009
There has been much alarmed discussion in the press about the counterfeit Indian rupee notes allegedly being smuggled into the country from across the border. As I see it, the barriers to counterfeiting currency notes are economic and not technological.
Introducing more and more complex features into the notes does not make counterfeiting impossible. What it does is to increase the scale economies in printing by requiring larger and larger initial investment and therefore larger and larger scale of production to make the printing of counterfeits economical. Scale economies are not a problem for the government itself because it anyway prints notes on a very large scale.
Scale economies need not deter the counterfeiter; they only require the counterfeiter also to operate on a large scale. The problem for the counterfeiter is that the distribution of counterfeit notes is characterized by large diseconomies of scale.
It is pretty easy to distribute a few hundred counterfeit notes with very little chance of detection. Distribution of a million counterfeit notes however requires a distribution network that is very difficult to set up and operate without being detected.
This combination of scale economies in production and scale diseconomies in distribution implies that there is often no viable scale of operation for a private counterfeiter. The total expected cost of manufacturing and distributing the counterfeit note approaches the face value of the note itself.
Counterfeiting by a foreign government is only slightly different. To the extent that they can use the equipment used in their own note printing operations, counterfeiting may be economically viable for them at lower print runs. More importantly, if their goals are not purely economic, the profitability of the operation is not an issue.
However, the problem of the distribution channel is still an issue. The experience of German counterfeiting of UK currency notes during the second world war suggests that the technical quality of the counterfeiting is not the real problem. How to get the notes into enemy territory on a large scale is the critical issue. The German experience suggests that using the espionage network to put the notes into circulation only compromises the espionage network itself.
Often, the goal of putting counterfeit notes into circulation in enemy territory is not to make a profit but to disrupt the enemy’s economy by making people distrust their own currency. The strategy of the Indian government and the RBI to deal with the problem of counterfeit notes quietly and without spreading panic is therefore a very sensible one.
For a profit motivated rogue government, the most attractive currency to counterfeit is the US dollar. An estimated 70% of US dollar notes circulate outside the US; many users of the currency are not very familiar with it; the design of these notes is relatively stable; and finally, dollar resources are very valuable in international trade.
Anecdotal evidence suggests a greater percentage of counterfeit US dollar notes (at least outside the US) than in most other currencies. Yet the percentage of counterfeit notes is still quite manageable. I think therefore that the fears that are being expressed in the Indian press about counterfeit rupee notes are excessive.
Thu, 13 Aug 2009
The brain behind Madoff’s huge fraud has been revealed – it was the well known IBM AS/400 minicomputer. Well, that is a bit of an exaggeration, but only slightly so. The SEC complaint against a key Madoff lieutenant, Frank DiPascali, turns out to be a long litany of the accomplishments of his AS/400.
Printing millions of pages of trade confirmations (one for each stock and for each account for every fictitious trade) was one of the major uses of the AS/400. DiPascali also used a random number generator program to break up the massive trades into orders of various sizes and prices and to randomly distribute the trades across different times. Apart from the AS/400, Madoff also had a fake computer trading platform set up in the office, just in case somebody wanted to witness real time trading.
For all its prowess, the AS/400 could not generate trade blotters and order tickets. Perhaps, doing this with credible execution times, counterparties and executing brokers would have needed more powerful machines (and tick level price feeds not to mention top quality programmers) of the kind employed by the hedge funds that do high frequency trading today.
I get the sense that while Madoff was an early adopter of technology, he did not keep pace with it in the later years. As investors started demanding faster trade confirmations, the amount of time that DiPascali could look back to construct the profitable phony trades became shorter and shorter. I suspect that even if the market crash of 2008 had not blown up the Ponzi scheme, it would have become harder and harder to keep the ruse going with the aging technology that Madoff and DiPascali had available to them.
Sun, 09 Aug 2009
High frequency trading is very much in the news these days with controversies about flash trades, rebates and so on. In this context, this paper by Foucault, Kadan, and Kandel is very interesting (hat tip Aleablog). It develops a model which explains why it may be optimal for exchanges to pay market makers for trading (in the form of rebates) while charging market takers for trading.
The paper discusses the determinants of what they call the make-take spread – the difference between the (possibly negative) fees charged to market makers and the (positive) fees charged to other traders. I found it more convenient to think in terms of the take-make spread (or the negative of the make-take spread) which can be interpreted as the subsidy to market makers.
The paper shows that a reduction in the tick size increases the optimal subsidy to market makers. They argue therefore that decimalization might have been an important factor in the emergence of rebates to market makers.
The subsidy for market makers is greater when there is a small number of market-makers relative to the number of market-takers. Quote driven markets tend to be dominated by a small number of market-makers and the rebates offered by these exchanges are in line with the predictions of the paper. The fact that order driven markets do not subsidize limit orders relative to market orders is also consistent with their model because these markets are characterized by a large number of participants using limit orders.
While these are useful contributions, the paper still left me uneasy at the end. Why are quote driven markets unable to attract a large number of market makers when order driven markets have no difficulty attracting millions of limit order users? Is there something fundamentally wrong with quote driven markets that makes them inherently anti-competitive, leading to a cosy oligopoly of market makers?
Fri, 07 Aug 2009
I have been writing for some time now about better risk models (my SSRN paper is here and my blog post on that paper is here). Phorgy Phynance has a fascinating graph about the difference between the normal distribution and a fat tailed (stable) distribution in computing the 1% daily VaR for the S&P 500 going back 80 years (hat tip Felix Salmon).
His second graph shows that using stable distributions would not by itself have provided any better warning during the boom years of 2005-2007. But the early warning that it provides from early 2007 onward is truly impressive. During 2007-2009, the stable distribution VaR gives about 6-9 months advance warning about where the normal distribution VaR will be. In the world of financial markets, that is more than enough warning even if you were holding a bunch of illiquid stocks.
This also means (via the Merton model) that one would have had several months advance warning of corporate credit market stresses. That good models are better than bad models might look like an obvious statement, but too many people that I talk to seem to have convinced themselves (or let Taleb convince them) that all models are useless in times of crises.
But the performance of even the stable distribution during 2005-2007 highlights the need for using data going back several business cycles. This is also a point that I emphasize in my paper.