The primary control framework in which Kerviel operated had a number of serious deficiencies:
• There were no limits on notional transaction volumes or cash movements.
• Trade cancellations, modifications, deferred start dates, and provisions were not subject to exception treatment.
• There was inadequate separation of duties between DLP's front office and middle office: Kerviel was able to modify and cancel trades at will in GEDS's transaction system and create provisions that concealed his unauthorized profits.
• Policies and procedures for escalation of concerns were either unclear or nonexistent.
• There was no policy dictating minimum consecutive days of vacation.
The secondary control framework supporting DLP also had serious deficiencies.
• GEDS's back office support for DLP was separated into four different operations groups, which did not communicate with each other and whose procedures required them to raise and resolve but not to question trade-related queries.
• Societe Generale's counterparty risk management group was required to raise and resolve exposure issues but not to validate the cause or solution. This group raised 20 queries that they considered resolved by Kernel's explanations and amendments.
• Societe Generale's market risk management performed a risk reporting and advisory role, but did not exercise trading oversight; consequently they were not involved in monitoring the alerts and unusual activity created by Kernel's unauthorized positions and fictitious offsetting trades.
• During 2006 and 2007, GEDS's back office was chronically understaffed due to high employee turnover, while DLP's trading volume doubled, its range of traded products multiplied, and the number of traders increased from four to 23.