Showing posts with label financial audit. Show all posts

Thursday, December 8, 2022

Figuring out FTX (Part 2): The Ten Days In November that Brought FTX Down

In our last post, we looked at the epic rise of SBF and FTX. In this post, we examine the Ten Days of November that shook FTX to its core and resulted in its spectacular collapse.

Post #1: The CoinDesk FTX Timeline

The best place to start is this timeline, which is taken from this CoinDesk post. I’ve also added the amount withdrawn from FTX, which was taken from this Reuters article:


Post #2: The Leaking of the Alameda Balance Sheet

It must be said that the much-vaunted transparency of the blockchain did not bring down the FTX empire. Instead, it was classic journalism at CoinDesk. The killer quote from the article:

“That balance sheet is full of FTX – specifically, the FTT token issued by the exchange that grants holders a discount on trading fees on its marketplace. While there is nothing per se untoward or wrong about that, it shows Bankman-Fried’s trading giant Alameda rests on a foundation largely made up of a coin that a sister company invented, not an independent asset like a fiat currency or another crypto. The situation adds to evidence that the ties between FTX and Alameda are unusually close.”

As noted in the above timeline, this is what prompted Changpeng Zhao (CZ) to tweet this and then caused the billions to be withdrawn, as mentioned in the Reuters article.

Post #3: Prelude to the FTX Collapse

The first of Coffeezilla’s videos on the collapse really captures not just the rivalry between SBF and CZ, but the killer-business logic that was potentially at play. Far from the crypto-utopian visions of an egalitarian ecosystem, we see the same sort of cutthroat competition as in the banking world itself. For example, one theory holds that Bear Stearns' collapse was triggered in the 2007-2008 Financial Crisis. The reason? Payback. Bear Stearns did not help out in the Long-Term Capital Management (LTCM) bailout and so Goldman Sachs returned the favour almost 20 years to the day.



Post #4: FTX and the Mystery of the Stolen Crypto

This video, published 3 days after the last, explores the complex web of relationships that is FTX (far more complex than Lehman), but zooms in on the entanglement between Alameda Research and FTX. The big reveal here is that an Alameda insider noted that “not only did they [Alameda Research] have access to FTX's back end [but] they [also] managed withdrawals for FTX and had a giant line of credit that they could draw on, which seems like partially may have been users funds something that no separate entity would normally have”. The insider's account was corroborated by the Wall Street Journal.


Post #5: An Inside Look at the Chaos and Ineptitude at FTX/Alameda

Shout out to Tim Bauer for passing on this link from MilkyEggs! (Bloomberg’s Matt Levine also referred to the post here with all the necessary caveats.) It gives more details around the sheer chaos and ineptitude that existed at FTX and Alameda. With respect to the chaos, it gives some details around SBF’s mental state. It is quite the contrast to the image that was portrayed to the outside world, which we saw in the first video in the last post. With respect to ineptitude, it highlights the “farcically simplistic” accounting records the company kept.

In terms of the top three takeaways, it firstly casts doubt on the origin story of SBF. The post alleges (based on an insider) that SBF quickly lost all the wealth he made from those bitcoin US vs Japan arbitrage trades. Secondly, it gives some insight into the inordinate amount of risk SBF was taking. Lastly, it attempts to break down the losses incurred by FTX-Alameda. That is, they attempt to piece together where the money – $15.5 billion in total – was spent. Also, do check out the postscript where they “found” another $3 billion in losses. Of course, this is not an official audit or anything like that. However, it’s nice to get a more holistic understanding of the FTX-Alameda situation – beyond the puff pieces in the mainstream press.

In our next post, we will begin exploring the aftermath of the FTX collapse.

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.

 

Monday, September 7, 2015

BNY Mellon Software Glitch: Time to make SysTrust mandatory?

As was widely reported in the business press, BNY Mellon experienced a technical glitch that affected its ability to price mutual funds accurately. Based on the press release from one of the affected funds, the problems started on Monday August 24th, when one of BNY Mellon's systems, "InvestOne", managed by SunGard, was pricing about 800 mutual funds inaccurately.

So what was the cause of this fiasco?

According to CNN, "BNY Mellon outage occurred after a SunGard accounting system it uses became "corrupted" following an upgrade. A back-up also failed."

Normally, this type of thing will subject the party experiencing the breach to intense scrutiny over what went wrong. However, as I went through the timeline posted by the company, I found (reading between the lines) that they did a number of things right, such as:

That being said, there is always room for improvement. When I was reflecting on this, I speculated that this was another case of inadequate testing of the system upgrade. However, according to SunGard, this was not the case. As they noted on their website:

"The issue appears to have been caused by an unforeseen complication resulting from an operating system change performed by SunGard on Saturday, August 22nd. This maintenance was successfully performed in a test environment, per our standard operating procedure, and then replicated in SunGard’s U.S. production environment for BNY Mellon. This change had also been previously implemented, without any issues, in other InvestOne environments. Unfortunately, in the process of applying this change to the SunGard production environment of InvestOne supporting BNY Mellon’s U.S. fund accounting clients, that environment became corrupted. Additionally, the back-up environment hosted by SunGard, supporting BNY Mellon’s U.S. fund accounting clients, was concurrently corrupted, thus impeding automatic failover. Because of the unusual nature of the event, we are confident this was an isolated incident due to the physical/logical system environment and not an application issue with InvestOne itself."

Given my background as a CA, CPA and CISA, I have always thought it is an odd contradiction that we expect infrastructure (roads, dams, bridges, etc.) to be certified by engineers to be in working order (key word is expect; as John Oliver notes in the video below, this is not exactly up to snuff!), but do not have the same expectations for the technology that runs the Information Age.

And that's where I have always proposed that it is necessary to have a framework like SysTrust (now SOC2 and SOC3) in place that requires companies to ensure that their systems are reliable: secure, available, and able to process information without messing it up.

Based on the experience between SunGard and BNY Mellon, I think it actually proves the case. Although companies like SunGard likely have such controls in place, it is beneficial to others to have a second set of eyes on those controls, ensuring that they are in place, are designed effectively and are operating effectively. The reason is that having such mandatory audits in place will allow for the circulation of best practices through those audits. This occurs in the financial auditing world through "management letter points".

One other area that we should explore is the total impact of this error, as it will give insights into the "total impact of failed IT controls". This will be the topic of the next blogpost.



Sunday, January 13, 2013

Auditing the Media: Was CNET's CES coverage complete?

As noted in the Tech News Today (TNT) report on Friday, CNET's parent CBS banned its staff from awarding Dish's "Hopper" an award as part of their reporting on the Consumer Electronics Show that just wrapped up last week. As reported by CNN, the bottom of CNET's 'Best of 2013' page notes the following:

"The Dish Hopper with Sling was removed from consideration due to active litigation involving our parent company CBS Corp. We will no longer be reviewing products manufactured by companies with which we are in litigation with respect to such products."

Some may point to this as a legal risk management move: CBS had to stop CNET from awarding this to Dish to avoid it being used against them in court. However, Ayaz Akhtar, a non-practicing lawyer and host of TNT, noted in his commentary on the issue that CNET awarding a prize would have little impact on the course of litigation (but listen to the show for the proper context and for how he worded this. He's careful to avoid any misrepresentation and it's not an exact quote).

The real issue, in my humble opinion, is whether the media can be relied on to report on issues objectively. One could say that CNET's lack of independence on the matter makes their reporting of CES lack objectivity. This is the standard of care that a financial auditor is held to when auditing a company. For example, auditors are prevented from holding stock in companies that they audit. Should the media be held to the same standard?


For me this incident illustrates how the concepts of financial information integrity are portable to other arenas, such as understanding news coverage. Financial information produced by companies listed on stock exchanges is subjected to intense scrutiny and regulation. Accountants/auditors were required to develop a framework to analyze how financial information can be provided to investors in a reliable manner that enables them to make effective investment allocation decisions. This financial “information production” process is essentially similar to the “information production” process produced by the media: data is gathered, summarized and presented to the user/reader to make a decision. The latter is the key difference. For example, if someone is going to rely on CNET's CES coverage to understand the best products out there, then they could make an erroneous decision because CNET did not cover Dish's product.

The following is a list of audit objectives (i.e. completeness, accuracy, etc.) that financial information must meet in order to be reliable for decision-making purposes.

  • Completeness – is the information presented complete, i.e. everything that is out there is included in the medium
  • Accuracy – is the information congruent with the original event
  • Timely – was the information reported in a timely manner, to be useful to the user
  • Validity – does the information faithfully represent the underlying reality that is presented

Another important concept, especially to media coverage, is the one of "presentation & disclosure" – is the presentation of the information impartial? In financial statements, companies may engage in transactions to alter the presentation of items, e.g. bury accounts payable into accounts receivable so the user won't be able to accurately assess the ratio of current assets to current liabilities. Media has a greater ability to do this. And I don't mean to pick on the CNET people because they at least tried to inform the reader about their bias, but the statement they mentioned is at the bottom and not at the top. That is, some readers may miss it.

Overall, it's hard to say whether the coverage lacked integrity and more specifically was "incomplete". On the one hand, one could argue their analysis was incomplete because they excluded Dish's product. However, they did provide full disclosure, although it is buried at the bottom. But one can easily search for Dish's product on the Internet and see what other reviewers are saying (e.g. PCMag's review). But it does illustrate that media consumers need to be aware of such risks and do their best to understand where corporate conflicts exist and how such coverage can be biased.