Any communication from Reserve Bank of India emits a strong interest from bank account holders exhibiting a strong faith in its study, reporting, and monitoring capabilities. Its latest emit of report on cyber frauds is no exception. Its reference is given at the end.
Let me recall its reference of fraud as under:
“‘A deliberate act of omission or commission by any person, carried out in the course of a banking transaction or in the books of accounts maintained manually or under computer system in banks, resulting into wrongful gain to any person for a temporary period or otherwise, with or without any monetary loss to the bank’.
The numbering of coverage of its report is hap hazard and is proceeding as under:
1. Roles/Responsibilities and Organizational structure for fraud risk management:
2. Components of fraud risk management:
3. Industry-Wide Recommendations
Let us view in details of coverage of fraud in banks.
Organizational structure
The reserve Bank recollects the current prevalent practices in banks on frauds occurring regularly or on earlier ones already on process of monitoring.
- The current instructions expect the banks to report frauds of amounts of Rs 1 crore and more to Audit committee periodically and once a year an annual review of frauds.
- The banks may also recollect that the Board for Financial Supervision (BFS) of RBI has instructed that in terms of higher governance standards, the fraud risk management and fraud investigation must be ‘owned’ by the bank’s CEO, Audit Committee of the Board, and the Special Committee of the Board.
- The report further explains that the special committee of the Board dealing with frauds of Rs 1 crores and more should also be given periodical reports on other frauds involving lesser amounts.
Components of fraud risk management
Various heads will spell the recommendations or observations of RBI as under:
Updating of the systems to deal with frauds
A strong internal control framework is the strongest deterrence for frauds. The fraud risk management department along with the business/operations/support groups, to review various systems and controls.
Fraud vulnerability assessments should be undertaken across the bank by the fraud risk management group. Apart from the business and the operations groups, such assessment to cover various channels of the bank including the branches, internet, ATM, and phone banking, as well as international branches.
Mystery Shopping’ is an important constituent of vulnerability assessment. Transactions in ‘live’ scenarios to test the efficacy of controls. Such dealings are in vogue relating to sampling techniques under auding procedures.
No new product or process or modified one in a bank to be ushered in without the approval of concerned control groups.
All residual/open risks in products and processes to be covered by setting ‘fraud-loss’ limits.
All actual fraud cases above ` 10 lakhs and cases where a unique modus operandi is involved, should be reviewed immediately after such a fraud is detected.
Most banks have incorporated several security measures for their documents, information, systems, and customer deliverables such as cheque books/debit cards.
Security measures have also been incorporated during delivery of instruments such as cards/cheque books/internet passwords to customers through couriers.
Internet banking systems have security features such as separate transaction passwords, two factor authentication, multi-channel process for registering payees, upper limit on transaction value and SMS alerts to customers.
Banks to have periodical reviews to assess the culpability of above procedures.
A strong KYC process already in existence for a long time needs periodical check up and strong implementation along with required technological up dation like allowing centralized obtaining of information by an authorized agency and maintaining the safe data but allowing the users to get a certificate for KYC purposes.
What about new skilling of employees to meet new challenges of deviation of bank proceeds illegally, diversion of funds, proper utilization for intended purposes?
Present systems in banks need constant review of training systems, motivation for employees to gain new skills, systematic revaluation of professional skills from expert groups like IBA approved ones.
Did the report have any specific recommendations industry wide?
1. Interbank co-operation: While most banks today actively co-operate in freezing funds when information is received from another bank, when it comes to refund of the funds lying in the account, there is no standard practice for refund between banks
2. The experience of controlling/preventing frauds in banks should be shared between banks on a regular basis. The standing forum provided by the Indian Bank’s Association (IBA) can be used to share best practices and further strengthen internal controls at the respective banks.
3. To enhance investigation skills of the staff in the fraud risk management group, a training institute for financial forensic investigation may be set up by banks under the aegis of IBA. Private sector involvement in developing new training programs, authenticating of such institutions, and even allowing certification of such personnel would develop the banking systems.
4. The matter of having a separate cell working on bank frauds in each state police department authorized to register complaints from banks and get the investigations done needs to be taken up with the respective police departments. Policemen to get duly trained and involved actively to pursue, catch the crime creators, and punish them on a time line.
5. Working with law enforcement authorities: At each state, a Financial Crime Review Committee needs to be set up on frauds along the lines of Security Committee that has been set up by the RBI to review security issues in banks with the law enforcement authorities.
While 21 recommendations have been made in the report with many of them repeated ones, I have decided to give in brief a few of them only.
- All cyber frauds to attract the banks to deal with them on war footing rather than only those with Rs 1 crore or more as per present system. Banks are not doing a special favor by dealing with frauds. In USA, the system blames the bankers more than individuals who lose money due to frauds.
- Fraud review councils to further assist Audit committee to deal with frauds on priority basis. Current systems are not fast enough to deal with the matter effectively.
- The activities of fraud prevention, monitoring, investigation, reporting and awareness creation should be owned and carried out by an independent group in every bank.
- Banks should set up a transaction monitoring unit within the fraud risk management group. The transaction monitoring team be made responsible for monitoring of transactions, especially of potential fraud areas, and send early alarms.
- Fraud cases mentioned in RBI circular on frauds for reporting to include cyber frauds.
My observations
The whole report of RBI lacks the emergent nature of frauds which occur due to non-upgradation of inclusion of the latest technologies, lack of awareness of the suffering of the clients due to massive frauds in bank accounts, particularly of senior clients who do lack proper knowledge to handle modern banking products like ATM, credit/debit cards or on- line banking. How many times the banks ever bother to inform me, as a client to learn anything new?
Up to a fraud limit of Rs 10 lacs or more, the banks should reimburse without any delay after a said period, say 5 business days like many Western countries prescribe.
Why not the banks prescribe dos and don’ts on cyber frauds for its customers?
Let me also introduce recent survey on bank frauds by M/S Deloitte Touche Tohmatsu India LLP (Deloitte India) as its fourth edition of India Banking Fraud Survey. It is highly valued and eagerly waited by banking scholars.
The fourth edition of the Deloitte India Banking Fraud Survey attempts to understand banks’ mechanisms to tackle fraud risks, the impact of new operational models on fraud risk management, and perspectives on making strategic investments for the future.
Let us deal with the information from above report. Proper reference given at the end.
What does the survey say? (2021)
Let me quote some information from its survey directly to understand its conclusions effectively.
“Top three responses on the factors responsible for the increase in fraud incidents over the next two years:
- Increase in customers using non-branch banking channels
- Limited/ineffective use of forensic analytics tools to identify potential red flags
- Large-scale remote working models
Top three responses on how a fraud incident is typically detected:
- During routine account audit/reconciliation or process reviews
- Through internal automated data analysis or transaction monitoring software
- Through a customer complaint/an internal whistle blower complaint.
Top five responses on the types of fraud experienced over the last two years
- Data theft • Cybercrime • Third-party induced fraud • Bribery and corruption • Fake/fraudulent documentation
It is interesting to know that the responses were on different items during 2015, 2018 while compared to 2021. Technology contributed to fighting the fraud risks as per the responses in 2021 though it was also used to enable the frauds.
(About the survey: The above agency gathered the views of 70 key C-suite stakeholders/ senior management responsible for compliance and fraud risk management, audit/ finance, asset recovery from varied financial institutions based in India. Banks and financial institutions who participated in the survey included private, public, foreign, co-operative, and regional rural banks in India.)
Some other key survey findings to note are:
1 “What kind of fraud risks are currently the biggest concerns for your bank? (The top four responses have been highlights)
24% for loan frauds
14% for mobile/internet frauds
13% for identity/data thefts
9% for phishing.
2 “What will be some important outcomes of COVID-19 on your banks’ Fraud Risk Management (FRM) function?”
25% for Increased dependence on analytical tools for fraud monitoring and detection.
23% for Creating increased awareness on fraud
3 “How frequently does your bank conduct fraud risk assessments and update the fraud risk register?”
50% for once a year.
45% for once in two/three years.
4 “Which areas will your bank most likely benefit from by deploying AI/ML technology?”
21% for KYC and anti-money laundering.
18% for credit approval process.
Let us also have some more information from various sections which also dealt with frauds.
SECTION 1
Understanding the current fraud environment in the banking sector
a) Trend analysis
“Do you believe that the current business disruption due to the pandemic can spur banking sector frauds over the next two years?”
78% said “yes”
“Which of the following types of frauds has your bank experienced in the last two years?”
8% each was given for cybercrime, third party induced fraud, bribery and corruption, fake/fraudulent documentation, and 10% for data theft.
b) Impact of COVID-19
Stressed assets
“What do you believe has led to higher stressed assets?”
38% for limited monitoring of assets after disbursement.
24% for economic slow- down.
21% for inadequate due diligence before disbursement.
SECTION 2
Fraud risk management and continuing monitoring at banks.
a) Current FRM governance and structure
The survey informed us that only 24 percent respondents mentioned that their FRM department reports directly to the ED and MD. Additionally, about 45 percent and 25 percent respondents stated that the FRM department was a part of the Risk Management and Internal Audit/Inspection functions of the bank, respectively.
b) Current- status of the implementation of anti-fraud programs “What do you feel will be the most important outcome of COVID-19 on your FRM function?”
25% for Increased dependency on analytical tools for fraud monitoring and detection.
23% for Creating increased awareness on fraud among customers and employees.
“How is a fraud incident currently detected in your bank?”
36% for during routine account audit/ reconciliation or process reviews.
31% for through internal automated data analysis or transaction monitoring software (EFRMS/ EWS).
The following interesting question elicited answers not expected normally for such a question.
“Which of the following stages in the lifecycle of a MSME/ corporate loan is most vulnerable to fraud?”
19% for sourcing, 16% each for appraisal/renewal, sanction, disbursement, and 33% for end use monitoring.
“What are the challenges faced by your bank while conducting forensic audit in-house?”
20% for lack of required skillset to conduct forensic audit, 21% for lack of data analytics capability to evaluate large data set, and 17% for absence of a dedicated team or inadequate skilled resources to conduct forensic audit.
The closing thoughts of the survey do portray the feeling the current ad hoc approach of the banks may not serve the recurrence of frauds in a meaningful way.
- To review scenarios/rules to reflect the “new normal”.
- Regular/timely and updated risk assessments may help banks to ensure that there are linkages between risk typologies and the control framework.
- Banks to reflect on the technology used/strategy to prevent, monitor, and detect financial crime.
Conclusion
The coverage of the RBI report on cyber frauds as well as the actual survey by an eminent separate body, namely, M/S Deloitte Touche Tohmatsu India LLP (Deloitte India) clearly indicate that not much importance is given by banks to plan, institute a system of fraud avoidance, monitoring, planning employees to foresee the portending signs, and take an active interest to remove them at the bud. Sad but true that the employees want to blame the authorities while the authorities are not concerned with the happening of frauds.
Why the authorities could not implement the latest technologies, invest on having the best forensic teams to investigate and avoid the frauds, and enable to have the clients with financial stability are to be answered by the regulatory and government authorities. Let us raise this issue at every available opportunity to improve the financial stability of customers who decide to deal with the banks. Audit committee members should also be held responsible for regular frauds which could have been avoided. Most of the audit committees have the CMD of the banks as a member maiming its attempts to improve proper governance. How can one disobey its CMD who reportedly has unlimited powers as per the recent frauds among all private/public sector banks CMDs/Eds indicated recently?
Reference: RBI
https://www.rbi.org.in/scripts/PublicationReportDetails.aspx?ID=621
Survey from Deloitte
******
Disclaimer: The contents of this article are for information purposes only and do not constitute an advice or a legal opinion and are personal views of the author. It is based upon relevant law and/or facts available at that point of time and prepared with due accuracy & reliability. Readers are requested to check and refer relevant provisions of statute, latest judicial pronouncements, circulars, clarifications etc. before acting because of the above write up. The possibility of other views on the subject matter cannot be ruled out. By use of the said information, you agree that Author/Tax Guru is not responsible or liable in any manner for the authenticity, accuracy, completeness, errors, or any kind of omissions in this piece of information for any action taken thereof. This is not any kind of advertisement or solicitation of work by a professional.
Author Bio
