Coding Flaws Caused Moody's Debt Rating Errors

An anonymous reader writes "The Financial Times has the story that billions in incorrect AAA ratings given out by Moody's were the result of a coding error in its computer models. 'Internal Moody's documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower.'"

not err

[Anonymous Coward]

Cue the onslaught of economists and generally math-illiterate people saying that computer models just can't be trusted. They can, ya morons, just not when they're implemented by penny-a-day visual basic dolts.

Re:Likely a feature

[Bryansix]

Exactly because they need a reason why they rated securities backed by sub-prime negative amortizing loans at AAA. This in turn caused serious miscalculations of risk which led partially to the current economic downturn we are now facing.

The other part was that companies were all too willing to offer these risky products and buyers were all too willing to lie on their loan applications to get approved for them.

Good economy news go unchecked

[Denial93]

This is another example of how good news in the economic field can easily go unchecked because it is beneficial for everyone involved (in the short term) for the world to believe them.

My favorite, and perhaps the most drastic, example is how the US government grossly misrepresents employment stats, the consumer price index, and the GDP [shadowstats.com]. This creates another bubble; not for the New Economy or for the housing market, but for the US as a nation. As long as people keep believing in the "world's strongest economy", investments pay off much as they do in a pyramid scheme - but the point where they won't becomes ever more dangerous the longer the scheme holds.

I for one prefer investments in Europe if only for the seemingly more reliable numbers they have there. Investing in the US is a way too dangerous gamble right now.

Bullshit

[Anonymous Coward]

Total B.S. The ratings were wrong because various companies needed these AAA rating to stay in business. (And if you need a AAA rating to stay in business, you don't deserve a AAA rating.)

A bug management knew about for 2 years..

[WarwickRyan]

..isn't a bug, it's a feature. Of fraudlent behaviour from management.

Need for more stringent coding practices

[Neuroelectronic]

How about that, a coding error that makes lots of money. These are so rare so I think we can say this was a simple mistake.

Lying Through Their Teeth

[littlewink]

The corrupt bastards are going to "shoot the programmer" on this one?

I want a federal investigation.

monetary incentive to inflate ratings

[nickhart]

Suuuuure... a coding bug is to blame! Nevermind that the agencies selling this financial toxic waste *paid* Moody's, S&P and others to provide good ratings. Software bug or no, there is fraud all around within the US economy--and no one was complaining as long as people at the top were raking in billions of dollars in profits.

Re:Good economy news go unchecked

[Jeff DeMaagd]

Regarding the shadow stats site, I'm wary of the type of conspiracy proponent that tries to push a product, book or service. Especially for this, non-subscribers wouldn't be able to pick apart the results. In the same way, this is why I don't like the articles based on what financial analysts say, because you have to buy the original report in order to make sure they aren't pulling any shenanigans.

Calculated Risk

[ewhac]

Disclaimer: I am nothing more than a happy reader of the site.

This entry [blogspot.com] at Calculated Risk openly wonders if Moody's jiggered its model expressly so that it would line up with whatever the Standard&Poors ratings were.

Personally, I'm concerned this revelation will result in a concerted effort to blame the whole mess on a computer error, rather than the profoundly bad judgment exhibited by fund managers and investment banks. Expect some hapless programmer to be located and pilloried.

Schwab

Re:After the OpenSSL bug

[nomadic]

The competent have nothing to fear from formal verification and anyone who is not capable of doing such verification should not be writing software anyway.

This is Slashdot, where everyone just blames management. Because you know, there are no incompetent programmers in existence.

wouldn't someone notice?

[belmolis]

If the errors are as large as it seems they were, wouldn't one or more human analysts notice? When your software says "Buy SCO" you should know that something is wrong.

Re:not err

[jedidiah]

IOW, they are blaming the coders for generating results that should have
failed even the most basic sanity checking. All of their finance geeks
upon seeing these ratings should have been individually and collectively
scratching their heads.

I'm not sure I buy it really. It just seems like corporate blame deflection.

I dunno. I'm no MBA but I would imagine that the rating of any composite
security should be the lowest rating of the most risky component.

Re:After the OpenSSL bug

[Rakishi]

... and this bug.. is it not time we started acting like engineers and started building software in a way where we can show it is correct.

Well enjoy paying $200k per copy of MS Office, personally I'll take some bugs instead.

As an industry, we really need to start growing up and using the tools the mathematicians have provided us, just as other engineers do in other disciplines, to show our programs actually work as advertised.

Last I checked mathematicians can't even say if my program will finish running much less if it will work as advertised.

Blame it on the programmers

[Whuffo]

Moody's were a part of the substandard financing disaster that's led to the current (arguable) recession. Rather than face the music for their (maybe fraudulent) misrepresentations they decided to blame it on "a coding error".

They're depending on us believing their media stories to escape responsibility; anyone who thinks about this situation would quickly realize that for a company full of financial analysts to not realize that an error of this magnitude was happening - well, it beggars the imagination.

What almost certainly happened is that they played the same game that so many other financial institutions did during the real estate bubble. But when the bills came due, they chose to deny responsibility and pass the blame on to someone else. The real crime here is that they'll be allowed to get away with this...

BS

[zogger]

And I am not referring to Briggs & Stratton either.

Them boys at moodys need to open a farm, they sure got a lot of fertilizer on hand!

coding error..hehehehehehe...I think this story comes from the Jon Lovitz school of excuses...."ya...that's the ticket! It was a coding error!" uh huh

I don't think their story is going to fly with investors and lawyers around the world who are the proud recipients of all the creative "write downs" and other sorts of negative profits this year from all those wall street loons trying to push worthless junk paper on each other and actually *believing* their own fantasies that they can just keep coming up with different names for IOUs and keep reselling them back and forth to each other. You can't printing press your way to wealth creation, whether what you are printing up is called "money" or a "collaterlized debt obligation" or whatever other fancy crap term they think up. Not for very long anyway.

Re:not err

[Hemogoblin]

I dunno. I'm no MBA but I would imagine that the rating of any composite
security should be the lowest rating of the most risky component.

That's not correct in general. Many structured products and derivatives have components that cancel each other out. A really silly example is a portfolio that buys a stock and short sells it at the same time, which will net out to nothing (except lost transaction fees). Obviously CDO's and whatever are ridiculously more complicated, but you get the point.

Re:After the OpenSSL bug

[Rich0]

software engineering has a lot in common with circuit design and should borrow and modify principles and concepts from hardware side in terms of expressing their programming and math in a format akin to electricity flowing through a circuit

Ironically the hardware side has been going in the opposite direction. How many transistors in a modern dual-core processor do you think were actually put there by hand with manual checking of voltage/resistance/heat/etc? Somebody writes up some code essentially and a program creates millions of gates to do what the algorithm dictates.

The problem with this visual rendering of software you suggest is that any non-trivial program is going to turn into a monstrosity of flow charts that would probably require tens of thousands of pages to print on paper. A single line of code could potentially be a few different boxes in a language like C.

The reason software engineering isn't like civil engineering is that while a bridge has maybe a few tens of thousands of parts, a computer program has the equivalent of hundreds of millions of parts (if you were to express the software as the equivalent machine). The best you can do is at least develop libraries that can have some level of specifications and testing around them so that you minimize the amount of code that is unique to a particular application. Software is just a different kettle of fish...

Yep

[Sycraft-fu]

You can already buy systems like this. You can buy systems that absolutely have to work all the time, no downtime, no crashes, etc. However, there are some major stipulations:

1) It isn't cheap. There is going to me some major engineering to design it, and it will require some major redundancy in hardware to protect against faults. As such, you are going to pay a lot for it.

2) It isn't fast. No you can't have it today, you can't have it this month, you can't have it this year even. The development and testing will take a long time. This can't be rushed, it simply takes lots of time and lots of testing to make sure there are no faults.

3) You can't add features to it. Once the system is in place, it can run only what it was designed for. You can't go and install new software or anything. If you want any changes made, those will have to go through a full set of testing. No unverified code can be running.

4) It must be accessed only in approved ways. You can't just hook it up to the Internet and go wild, input will need to be properly regulated to make sure it doesn't cause an unforeseen problem.

5) You can't mess with it. Your people will not be screwing around trying things with it. It'll be maintained under a support contract only by certified personnel.

If that's not ok with you, well then some bugs are something you have to accept. This idea that programmers should be able to easily engineer perfect, bug free software quickly and cheaply is just amazingly ignorant. Especially when people come up with false analogies "Oh well people would sue if cars were made as badly as computers!" No, you'd get arrested (or killed) if you tried to use a car like people use computers. If people treated cars like computers they'd expect to be able to run in to a wall at 80 miles an hour and suffer no injuries to themselves or the car.

Cars work well if an ONLY if they are operated properly (and even then not always). You have to do things like obey proper driving regulations, maintain the engine, and so on. If you don't, well shit is going to go wrong, maybe catastrophically wrong. Yet people do just that with their computers all the time. They install random shit, never perform any maintenance, and expect that the computer will magically protect them from all problems.

Re:not err

[dubl-u]

IOW, they are blaming the coders for generating results that should have
failed even the most basic sanity checking.

Indeed. This isn't a coding error, it's a testing error. Or perhaps a process design error.

Any professional knows that coding has a certain error rate. So you add practices, like pair programming, unit testing, acceptance testing, external code reviews, parallel implementation, and black-box testing until you get below the error rate you need.

For some part-time e-tailer's web site, you can skip a fair bit of that; if you fuck up badly enough, you might cost them an entire $500. But in the financial world, they know that errors can cost a lot more, like a million times more, and so it's worth spending more on quality-oriented practices.

Blaming this on the coder who happened to make the key error (if indeed their was one) is like blaming the Titanic disaster on some guy who missed a rivet on that side. It's the purest bullshit, designed to deflect responsibility from the people in charge. If they set it up right, a single person would be unable to make a mistake of this magnitude.

Re:not err

[DragonWriter]

I'm no MBA but I would imagine that the rating of any composite
security should be the lowest rating of the most risky component.

To the extent that different investments in a portfolio (which is what a "composite security" is, in essence, a prepackaged portfolio) have independent risks, there is a leveling effect (this is why, e.g., when you roll two dice, the distribution of the results is tighter proportionate to the range than when you roll one, and tighter still when you roll three, etc.)

OTOH, to the extent they tend to vary together, they don't level each other. Assessing the degree to which two different investments are independent in their risks is, AFAIK, still more art than science to start with, and when the people doing the assessment often have financial interests (even if only indirectly) in promoting the sales of the packaged investments, well, the results are likely to represent those interests more than any rational assessment of reality.

Re:not err

[tqft]

Coder? More like junior messed up a spreadsheet and higher ups had no way to know if it was right or wrong other than the issuers who pay Moody's & S&P (and others) big time for ratings kept coming back for more.

Now if the users paid for ratings the customers would be whining pretty hard - to some extent the users of ratings do pay in deciding what effective interest rate they will pay to hold a bond.

Billions of...

[dave562]

The wording of the summary is confusing. Were there literally billions of bonds given incorrect AAA ratings, or were the incorrectly rated bonds worth billions of dollars because of the flawed rating?

Confusing summary aside, this is the biggest load of crap I've read in a long time. The financial world made a really bad guess on just how much "money" was really in the US economy and now they are paying for it. They can't actually be held accountable because then people might catch a glimpse of the fact that the financial wizards who run our lives are really full of shit. So instead of taking responsibility for their mistakes they are blaming it on a computer bug. How effin convienent for them.

"Hey everybody, we aren't fucking idiots. You see, it was the computer! I just told you what it told me on my screen. Hold on... my third trophy wife is on the phone... she's telling me that her and the Lamborghini are stuck in traffic somewhere between my multi-multi million dollar home and the club house where I spend multiple tens of thousands of dollars a year. I'll get back to you right after I blow a few more rails of coke!"

How the hell did these people get to be in charge of society?

Re:Likely a feature

[Aardpig]

Except that all lenders are required to provide a Truth in Lending statement, and comply with it. If they misled the borrower, then they have broken the law; there's no two ways about it.

I call BS.

[benhattman]

This entire story is bullocks, and your analysis is accurate. We aren't talking about a trivial error here. The models were spitting out obviously false results, and Moody's (and everyone else) gladly accepted those bad results. For at least 3+ years now, several analysts have pointed out ratings were too high and that they didn't pass the "smell test". If Moody's is not responsible for their models, then why shouldn't I write some half-assed model of my own, demonstrate to lenders how in the short term it will make them money, and then when I get caught, just point out that I never claimed my models were accurate.

Actually, that's not a bad idea.

To put it in a language slashdotters will understand.
1. Invent model.
2. Lie about model's accuracy.
3. (Sell model)???
4. Profit.

Re:not err

[lgw]

In my opinion, there is a very strong need for regulation of the credit agencies. If they didn't allow for CDOs and MBSs to get AAA ratings, this credit crunch and likely recession wouldn't have occurred.

Yes, giving CDOs and MBSs AAA ratings just because house prices have never before declined sharply enough to affect the reliability of these securites was a problem, but government oversight wouldn't have helped here: securities regulation is good at preventing us from repeating past errors, but that's about it.

Of course the credit agencies used past data: that's how insurance works. You examine the past for hard data on the likelyhood of events, and the cost when those events occur. Stating a couple years ago (as I did) that house prices were in an unsustainable bubble (or as Shiller did much earlier) was just an opinion. Shiller is taken seriously *now*, because his hypothesis made predictions that turned out to be accurate, but before those predictions were validated it was just another hypothesis.

Would a government bureaucracy that ignored the prevailing opinions in a field and ruled based on one guy's untested hypothesis really be a good thing? Does "we need a government bureaucracy so that we can react to change quicker" make any kind of sense whatsoever?

The credit crunch happened because people willingly borrowed more than they could afford to. Asking for a government "department of preventing me from borrowing too much" because you don't have the sense to moderate your spending is a really pathetic abandonment of personal responsibility, right up there with a "department of outlawing unhealthy foods" because you don't have the sense to moderate your eating.

It's not the government's fault if you bought a house you couldn't afford. It's not the seller's fault. It's not the lender's fault. It's not the credit agencies' fault. It's not the evil corporations' fault. It's not George W Bush's fault. (And yes, I've heard every one of these arguments used seriously.)

Re:After the OpenSSL bug

[Anonymous Coward]

Yeah, ask anyone who has to suffer through programming in LabVIEW (which uses the circuit paradigm). LabVIEW makes a particular kind of data-flow driven programming very, very easy to write, and any other kind of program mind-bendingly hard.

Debugging a LabVIEW program of moderate complexity is horrible.

Re:not err

[electroniceric]

Therein lies the problem: the senior 100000 of 2 million piece of crap mortgages that their holders can't pay still has a high likelihood of some or all of those mortgages defaulting. So if the pool overall is no good, the seniority does nothing to solve that problem. And that's before CDO^2 nonsense is used to claim that the senior of lots of junior tranches of various pools are as good as the senior tranches of a single pool...

So the senior tranches of CDO's have to be based on the risk ratings on the whole mortgage pool, and this is precisely where Moody's and S&P bamboozled the public and are now trying to blame it on a bug. They would bless the claim that the top of nearly any pool was great stuff, no matter what the contents of the pool were. As others have observed, that's no coding bug, it's a policy to willfully ignore reality to facilitate the sale of more securities.

The mortgage market was hardly unserved when the securitizers entered it - rather it was full of banks offering conventional mortgages at rates that properly priced the risk (and the banks took care to do that, since they held on to the risk at that time, and federal insurance laws require them to have sane risk holdings). The introduction of securitized mortgage products flooded the market with much cheaper debt. That meant that the pools kept getting progressively worse and worse as the lenders headed down-market to try to sell mortgages to people who didn't already hold more than enough debt.

And as for the loonies, as asset bubbles go, the runup in housing has only one precedent in American history: the speculation before the Great Depression. Now there are a lot more safety valves in the finance system these days, but to claim that it is or was doom and gloom to be concerned about the size of the bubble is pretty a blinked view of the world.

Re:After the OpenSSL bug

[vux984]

I'm not sure you've got the right end of the stick, here. "formal verification" doesn't mean "code review by some officially-sanctioned third party". It means "verification using formal methods".

As such, the only cost is time. People already volunteer their time to work on open source projects; there's no particular reason [other than mind-numbing tedium] why they wouldn't volunteer time for this too.

Well the mind-numbing tedium for one thing. :)
But the real issue isn't lack of volunteers, its that volunteers are just as likely to turn in bad proofs as they are to turn in bad code.

If you wanted to build a bridge and some volunteer on the internet submitted a design, along with some structural analysis by other volunteers from the internet declaring that it was a sound design, would you just accept it and build the bridge? Or would you want some "officially sanctioned engineers" to review it first?

The issue with requiring that code be provably correct is the same; the proofs have to be done by people that are demonstrably competent at formal methods, and the proofs themselves must be reviewed by people who are demonstrably competent at formal methods. So even if the internet volunteers perform verification using formal methods -- no one will have any confidence that it was done right.

And of course, the number of volunteers capable of proving code (who understand the mathematics and what not behind the methods) and who interested in doing so is VASTLY outstripped by the number of volunteers capable and interested in writing code.

So even if the volunteers COULD satisfy the formal verification requirement -- OSS would be utterly hamstrung due to the back log getting new code volunteer verified.

Re:not err

[sjf]

I dunno. I'm no MBA but I would imagine that the rating of any composite
security should be the lowest rating of the most risky component.

Nope. That's precisely the opposite purpose of a composite security. Think about a mutual fund: the risk of one component is mitigated by the risk of all the other components.
You'd have no possibility of retiring if your pension was predicated on the risk of your riskiest investment.

Re:not err

[Alpha830RulZ]

and the hard data supported the ratings.

Which is the fundamental issue here. The ratings, or rather, the underlying risk models depended on some assumptions about the data, that past trends will continue. In a bubble situation, which I think is how history will view the real estate situation, the trends are not reliable indicators. It's a black swan problem [wikipedia.org].

Re:not err

[Anonymous Coward]

I think you mean the distribution OF THE MEAN of the results.

You know. The average.

I think you mean something like the central limit theorem.

Well, maybe not since these... composite securities... are composed of very connected parts.

Maybe you want another fancy limit theorem. Maybe you want to do some math so your data look like something a system based on limit theorems can work with.

Maybe you don't.

Maybe you build a fucked up model. Your assumption that there is a leveling effect is wrong in your setup. You misjudge risk. You don't find a way to backtest things and a few years later you learn how fucked you are.

Whoopsy Daisy.

Peace.

Another me-too post (please don't mod down)

[sydbarrett74]

I hate me-too posts, but I'm going to cast my vote in agreement that the explanation is too simple. This stinks of scapegoating.

Re:not err

[TemporalBeing]

If you look through all historical American data and see that failure of 60% of mortgages has never happened (assuming here that we're taking the mortgages from different markets in theis simple example) then you have created a security that, based on all available historical data, is quite reliable.

You forgot about 1929, didn't you? There is prior precedence for such a fall. And the US housing market really sucked thereafter too until just after WWII at which point it picked up steam and stabilized until the late 1980's where it jumped and started the creation of a big bubble that is only just starting to deflate. There's a study out there of housing data from the late 1800's until pretty recently. (Wish I had the specific link, but you can find it on-line. It was done by Harvard/Standford/ or such.) The study adjusted for inflation and leveled, which set the adjusted housing price at $100k. During the Great Depression it dropped considerably (over 50%), and didn't revive until after WWII, when it came back up to around $100k and stayed there until the late 1980's when it started to go skyward, peaking near $190k or so around 2002 or so, and then starting to decline. I think the most recent number was still above $180k. Guess what? That number still has a long ways to drop before it'll be back in reality.

The problem is larger than simply what you are stating, though it certainly didn't help at all - and problem made things worse.

What you have to look at is the long term trend and also the affordability to the base market. For example, in Northern Virginia buying a house went skyward after 2000. My sister's townhouse went from $93k (1997) to a peak of $330k (2005) - little to no change in the property itself outside of standard maintenance. It's settled down some, but is still well above $200k. The primary causes were (a) zoning laws modified to "keep the way of life the same" (i.e. houses spread apart, country feel), (b) growing increase in population, and (c) the belief that the prices would forever go up b/c the gov't is there and thus makes a stable economy.

The problems ended up being: (a) there existed a $20k gap between what an individual could leave on under subsidized housing ($42k salary max) and what the same person could live on without subsidized housing (roughly $60k salary) due to housing (renting) prices alone, and (b) the base market (people in their mid-20's to early 30's) were being forced out of the market - they simply couldn't afford to buy a house any longer; moreover, it was showing signs of the problems even in 2005 when people that had been in the area for a while wouldn't have been able to buy their own homes.

I still have quite a few friends in that area, and while the market has come down some, it is still quite crazy and unaffordable (the reason my wife & I moved out of that area). Sadly, many are in a very tough position b/c if the housing market keeps going the way it is (and it will until it reaches a full correction) many are going to end up in bankruptcy as a result. But that's the "high demand" side of the story.

On the other hand, out in Columbus, OH - city officials decided they wanted to "clean-up downtown" and get rid of the "poor people", so they worked with lenders to get those people loans and move them out to the suburbs. For example, in my parents development there was a high school student who (a) just graduated high school, and (b) didn't have a job (period!) but had been qualified for a mortgage and allowed to buy a home. She's now in bankruptcy. The "clean-up" simply put the poor people elsewhere, essentially making them someone else's problem while making the politicians look good. In the meantime, that "someone else's problem" has resulted in mass foreclosures in neighborhoods as things caught up to people that weren't have been able to pay the mortgage to start with and ended up in foreclosures quite predictably, which is on

One thing I don't understand

[johannesg]

All of you guys that are now boasting here that you actually knew what was going wrong, but not one of you decided to open your mouth before it became a major disaster. Apparently the fact that the world economy has gone to shit over this means nothing to you, or the fact that thousands upon thousands are now homeless.

What I read here are admissions of guilt: you knew of a very serious crime with very serious consequences (and helped commit those crimes sa well) and chose to remain silent. It is both stupid (to admit to it now) and pathetic.

Re:Likely a feature

[ThaReetLad]

I have only one thing to say to you and your wife. I hope you do go to jail. I know technically you did nothing wrong, but you failed to blow the whistle on illegal practices which have helped to propel the world into financial chaos.

People losing their homes is as much on your heads as if your wife HAD forged those applications.

Re:Tranche is just the french word for "slice"

[Abcd1234]

Meh, that's typical of every specialized industry I know of. Law, medicine, computing, engineering, you name it. They all develop a specialized lingo that identifies the players from the outsiders. Pretty standard human behaviour, really... kinda reminds me of the old days of the guild.