Various people who ought to know better, such as the New York Times’ Joe Nocera, haven taken to playing up the party line of the banking industry and I am told, the SEC, that we should resign ourselves to letting senior financial services industry members get away with having looted their firms and leaving the rest of us with a very large bill.

It is one thing to point out a sorry reality, that the rich and powerful often get away with abuses while ordinary citizens seldom do. It’s quite another to present it as inevitable. It would be far more productive to isolate what are the key failings in our legal, prosecutorial, and regulatory regime are and demand changes.

The fact that financial fraud cases are often difficult does not mean they are unwinnable. And a prosecutor does not need to prevail in all, or even most, to serve as an effective cop on the beat.

Contrary to prevailing propaganda, there is a fairly straightforward case that could be launched against the CEOs and CFOs of pretty much every US bank with major trading operations. I’ll call them “dealer banks” or “Wall Street firms” to distinguish them from very big but largely traditional commercial banks like US Bank.

Since Sarbanes Oxley became law in 2002, Sections 302, 404, and 906 of that act have required these executives to establish and maintain adequate systems of internal control within their companies. In addition, they must regularly test such controls to see that they are adequate and report their findings to shareholders (through SEC reports on Form 10-Q and 10-K) and their independent accountants. “Knowingly” making false section 906 certifications is subject to fines of up to $1 million and imprisonment of up to ten years; “willful” violators face fines of up to $5 million and jail time of up to 20 years.

The responsible officers must certify that, among other things, they:

(A) are responsible for establishing and maintaining internal controls;

(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;

(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and

(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;

These officers must also have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function):

(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial

data and have identified for the issuer’s auditors any material weaknesses in internal controls; and

(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls

The premise of this requirement was to give assurance to investors as to (i) the integrity of the company’s financial reports and (ii) there were no big risks that the company was taking that it had not disclosed to investors.

This section puts those signing the certifications, which is at a minimum the CEO and the CFO, on the hook for both the adequacy of internal controls around financial reporting (to be precise) and the accuracy of reporting to public investors about them. Internal controls for a bank with major trading operations would include financial reporting and risk management.

It’s almost certain that you can’t have an adequate system of internal controls if you all of a sudden drop multi-billion dollar loss bombs on investors out of nowhere. Banks are not supposed to gamble with depositors’ and investors’ money like an out-of-luck punter at a racetrack. It’s pretty clear many of the banks who went to the wall or had to be bailed out because they were too big to fail, and I’ll toss AIG in here as well, had no idea they were betting the farm every day with the risks they were taking.

Not surprisingly, it isn’t difficult to find widespread shortcomings in risk management at major dealer banks. Risk management deficiencies most relevant to Sarbanes Oxley are related to pricing. The accuracy of the accounts, meaning the valuations, is the primary focus. Risk management weaknesses that impact reportable disclosures (in the accounts or the notes) have highest relevance. However, crappy risk management that leads to poor positioning may not be germane to the Sarbanes Oxley violations issue.

We discussed the issue at some length in ECONNED. Risk management was kept weak; if push came to shove, it was subordinate to the producers. Richard Bookstaber, a former chief risk officer, discussed at some length how most chief risk officers were engaged in what amounted to busywork. While they might indeed prevent particularly egregious excesses, their form over substance exercises also provided useful cover for the top brass and the board of directors. As he noted in 2007:

If you are the Chief Risk Officer and everything blows up, don’t you bear some responsibility?… In the CRO job 99% of the days there is nothing going wrong. The only test you get of how well you are doing – short of pouring out risk reports and looking ponderous and prudent in meetings – is what happens to the firm during times of market crisis. Every few years something calamitous happens in the market; if the firm gets blown away, that suggests you did not do a very good job.

Readers may have better suggestions of where to start, but I’d target Lehman. First, it already has a smoking gun: a May 2008 letter written by former senior vice president Michael Lee to senior management, including the CFO Erin Callan. It describes numerous accounting shortcomings, none of which look to be new and many of which look to be Sarbanes Oxley violations.

Second, its derivatives books were by all accounts an utter disaster at the time of its collapse: multiple non-intergrated systems, to the point where the bank did not even have a good tally of how many positions it had (bankruptcy overseers Alvarez & Marsal first said the bank had 110,000 positions; they later changed their tally to 120,000). This is important because despite all the efforts to identify why the Lehman losses were so massive, most analysts have focused on the asset side, and the numbers don’t add up. That means understatement of positions and/or gross understatement of risk on the liability side is the probable culprit.

This is an egregious accounting 101 control breakdown, It indicates that the most basic operatonal controls, reconciliation of accounts, were not effective (see here for further support). Lehman would have to take the position that its basic control weaknesses were all immaterial. At all times there’s an inventory of control weaknesses that exist. That inventory must be constantly monitored and reviewed (and attested to in the 404 internal control assesments signed by the responsible officers). Materiality determinations are decided by managers, internal and external audit and ultimately the CFO and CEO. Dick Fuld also made statements in Congressional testimony about his ignorance of his ignorance of Repo 105 and a failure to include commercial real estate in stress tests starting with the end of 2007 that also seems consistent with a lack of adequate risk controls.

At other banks, prosecutors will probably need to proceed in a bottom’s up manner. The structured credit and CDO desks are targets even now for criminal securities fraud actions (the statue of limitations has not expired). These units, as Bloomberg’s Jonathan Weil has pointed out, were also ground zero of misreporting at Citigroup. The bank’s defenders claim it has a free pass by virtue of a letter from the bank lapdog OCC that did not rise to the level that would force disclosure but its basis was that the valuations Citigroup used were with market ranges. This seems a dubious argument. The fact that a defective speedometer happened to provide a 60 mile per hour reading when the car was going 57 miles per hour does not prove the device was reliable.

Moreover, anyone with an operating brain cell knows “market prices” were being gamed by dealer banks passing small trades between them or with friendly clients, typically hedge funds who might also like to show high valuations, to establish flattering marks. If the marks Citi was relying on were the result of collusion, and the bank was either involved in or aware of the collusion, this undermines the OCC view of the validity of the marks at Citi and other banks. If yours truly knew of this practice, it had to be widespread and well known at the firms themselves.

My understanding (and reader input is welcome here) is that the authorities could file a civil suit for Section 302 certification violations. If they prevailed in that, a criminal case under Section 902 should be an easy win. The 906 certification basically says the reports are fully compliant with all regulations, including those specifically certified in the 302. (Note that the SEC initiated a criminal case against HealthSouth CEO Richard Scrushy which included Section 302 charges. Scrushy was acquitted in a jury trial, but having followed the proceedings a bit, and also seeing another example of a trail in Birmingham, I’d be careful of generalizing from Alabama courts to other jurisdictions. The deck, even more than in other jurisdictions, is stacked in favor of the local bigwigs).

Will any of this happen? Of course not. The decision was made at the time of the TARP, and reaffirmed early in the Obama administration when there was serious talk of resolving Citigroup and Bank of America, that no one at the helm of the senior banks would be subject to serious scrutiny, much the less actually expected to be held accountable for actions that wrecked the economy and have imposed serious costs on ordinary Americans. The case we described above is relatively simple to explain to a jury and has the advantage of being the sort where the plaintiffs could build on their experience in one action in subsequent cases.

But that sort of truth, that most, probably all, of the major Wall Street banks were engaged in the same sort of misconduct and the violations extended to the very top of the firms, would expose numerous other parties as complicit. So we’ll permit the cancer in our society to metastasize rather than threaten the power structure. But at least we citizens can make it clear, even if we cannot change the outcome, that we are not buying the canard that nothing can be done to fight this disease.