Some thoughts on PNB Fraud

Over the past weeks, the nation has been shocked by the PNB fraud, not only the way it was perpetrated, massive amounts involved (1.8 billion USD) but also the years (since 2011) over which it remained undetected. The fraud has done severe damage to the credibility of the banking system in the country and shaken the confidence of the public.

At a time when banking system is struggling with problem of ballooning non-performing assets, this fraud may raise a big question mark on success of Government efforts to recapitalise Public sector banks by infusing massive amount of Rs`2.11 lakh crore.

Questions arising from fraud

1. Could the fraud had been prevented or detected early?

2. Can it happen again and how vulnerable is the banking system?

The answer to the first question is yes. Banks are subject to multi-layers of checks, balances, and supervision (internal, external and regulatory) which should normally at least ensure early detection and limitation of damages. As reported, post-heist at the Central Bank of Bangladesh in February 16, involving the transfer of huge funds (81 million USD) by hackers through Swift system, RBI has issued in August 2016, an advisory to banks to ensure that its computer systems are properly integrated with Swift which is a global platform for transmitting payment instructions between banks.

It appears that the matter was not taken up with required seriousness and speed and turned out to be a major instrument of this mammoth fraud.

RBI had also advised daily manual reconciliation process of SWIFT messages with internal records till the time such integrations are completed. PNB could have detected the fraud earlier, if it had acted on RBI advice and limited the damage (as per reports even discovery a year early would have lowered the fraud amount by 800 million USD).

Currently, we do not have knowledge of steps taken by other banks after advisory was issued by RBI. As per follow up circular issued in RBI in November 2016, all banks were required to complete the reconciliation process by February 28, 2017 and report back by March 31(status of compliance the same and actions taken is not known).Hence, it is tough to assess the extent of vulnerability of the whole banking system and whether there are other such frauds lying undetected or amounts discovered so far by PNB represents the complete amounts.

This brings us to the answer to the second question also. Banking systems may be prone to such and other types of frauds if the underlying reasons for the fraud including inadequate risk management framework, weak credit assessment and recovery follow up practices, failure of internal controls and multiple oversight/supervisory mechanism are not addressed on the war footing. Two frauds (Rotomac and Delhi based Jeweller) subsequently coming to notice of public have only raised discomfort level on this account.

Probable factors contributing to the fraud

Based on information available from press reports, (within the overarching factors of inadequate risk management framework etc as mentioned above) absence/non-adherence of following controls, either individually or in combination, were some of contributing factors:

• Lack of integration and reconciliation of transactions through SWIFT system with Core Banking Software
• Non-rotation of employees in core functions as required by the policy
• Connivance of these officials with borrowers
• Unauthorised sharing of passwords (RBI follow up circular of November 2016 warned banks of risk of misuse of Swift users IDs due to existence high numbers)
• Lack of segregation of duties/standard maker checker procedure not followed
• LOUs issued without sanctioned credit limits many of these beyond prescribed period of 90 days
• Issuance of LOUs without insisting on any margins/security
• No linkage or reconciliation of LOUs issued with the end transactions and underlying documents for movement of goods
• Inadequacy in Inter-branch/banks (overseas particularly) reconciliations and confirmation process
• Non-confirmation by overseas lending banks/branches with LOUs issuing branch of the genuineness of LOUs particularly when abnormally large amounts were involved
• Not obtaining balance confirmations of period end balances of loans given by overseas lending banks against LOUs issued by Indian branch of PNB
• Inadequate or absence of review, monitoring and reconciliation of Nostro accounts

Need for Fraud Risk Assessment study

Above reasons indicate inadequate risk management framework and assessment of fraud risks (and its potential impact on the bank) in the critical processes. In my view, to avoid recurrence of such frauds, RBI should strengthen overall risk, Governance and oversight mechanisms. Also, PNB must on war footing basis revisit current risk assessment framework with specific focus on a comprehensive fraud risk assessment study by hiring experts in the field.

The scope of this study would broadly include:

• Review of all critical system and processes at the bank and existing controls (including IT)
• Identify potential fraud risks to which each process is exposed (including cyberthreats)
• Whether there are adequate systems and controls to address the identified risks and are the same are being followed

The study would recommend:

• System, controls and processes to plug the gaps
• Areas of technology upgradation to improve efficiency of processes, monitoring of controls, prevention and early detection of frauds
• Regular review, monitoring and oversight mechanisms (both external and internal) and prompt reporting thereof
• Fraud incident management/response system
• Disclosures to regulators (RBI, SEBI etc), Board of Directors, Audit Committee and other stake holders including timing, manner, extent etc.
• Regular updating of systems to address issues based on experience of any fraud noticed
• Staff training mechanism to create awareness and upgradation of skills to effectively use technology and analytics to identify aberrations

The Expert agency should also

a) bench mark its recommendations to international best practices

b) carry out implementation review of its recommendations after an agreed period over and above regular internal monitoring to be done by internal teams consisting of senior management and checks by internal/concurrent auditors.

In my view, RBI should make such studies mandatory to every bank, financial institutions, systematically important NBFCs which are rapidly growing in size as a proactive measure to prevent and detect frauds.

Conclusion

Now that fraud had already occurred all that can be done is to:

• Ensure that frauds amounts are determined, and no similar frauds are lying unearthed in PNB or other banks. Towards this end, Finance Ministry has already directed all banks to reconcile Swift accounts with core banking software and complete interbank reconciliations with overseas branches of other banks with in stipulated time frame
• Take rigorous efforts to recover the amounts involved and punish the guilty

Going forward, the experiences from this incident should act as a wakeup call and used as an opportunity to reform the banking system to tighten Governance structure, risk management processes, internal controls and supervisory/oversight mechanisms to avoid recurrences.

RBI has already constituted an expert panel to explore factors leading to rising incidence of frauds in the banking system and recommend measures needed to curb and prevent it. One can hope that recommendations made by the Committee are implemented in time( many recommendations of past committees are still pending implementation) to avoid future shocks and helps in restoring the public’s confidence in the banking system which is most critical for the nation.