Last week, the Reserve Bank of India (RBI) asked all banks to integrate their core banking solutions with the SWIFT messaging network by 30 April. Just ahead of that, the banking regulator announced setting up a panel, headed by noted chartered accountant and a former long-serving director on the central bank’s board Y.H. Malegam, to look into the “increasing incidence of frauds in banks and measures (including IT interventions) … to prevent it”. The panel will also assess the efficacy of various types of bank audits in mitigating such frauds and divergence in asset classification between what the central bank asks for and what commercial banks end up doing. I understand this panel has a short deadline even though RBI has not made it public.
The backdrop of the RBI action is the $1.77 billion fraud at India’s second largest government-owned bank by assets, Punjab National Bank (PNB). A few employees of the bank, at different levels, perpetrated the fraud over at least seven years, taking advantage of the fact that PNB’s core banking solution (CBS) has not been integrated with SWIFT.
Was the banking regulator completely unaware of the operational risks of such a disintegrated system? Should we call its actions now the proverbial closing of the stable door after the horse has bolted?
RBI has all along been aware of this but, instead of cracking down on the banks, it had been trying to persuade the banks to put their houses in order. It’s now widely known that former deputy governor S.S. Mundra, in a September 2016 speech, warned the banks against the misuse of the SWIFT infrastructure, citing instances of fraudulent messages being transmitted using SWIFT for credit disbursements which smacked of failure of internal controls. Those banks that have already integrated their systems say RBI’s audit reports have repeatedly emphasized this in the past couple of years. Clearly, PNB and most public sector banks have chosen to pay no heed to the regulator’s concerns (and got away with that).
Of course, the lack of integration between CBS and SWIFT is not the only loophole in PNB’s operations. It gave a window to the employees for misuse; that was complemented at different levels with the complicity of many.
For instance, backed by the letters of undertaking, or LoUs, issued by PNB’s Brady House branch in Mumbai (bypassing its CBS), overseas branches of Indian banks sent money (buyer’s credit) to PNB’s Nostro account in Citibank, New York (111 Wall Street, Indian Service Mgmt Centre New York, NY 11043, USA Account No. 36003588 [UID 033086] Swift Code: CITIUS33). How could such remittances remain outside CBS? Standard banking practice demands that each credit and debit in a bank’s Nostro account should have a mirror entry in CBS. SWIFT has nothing to do with this.
Also, what happened to the commission that was paid for availing of the LoUs over the years? Here, too, SWIFT has no role to play. Did a gang of employees, allegedly led by deputy manager Gokul Shetty, pocket it or share it with the bank?
Clearly, the entire operational system of PNB stinks. And this is not the first time this has been exposed. Not so long ago, in 2013, the bank, along with a few others, was involved in a similar fraud. A consortium of banks lent Rs6,800 crore to Jatin Mehta’s Winsome Diamond Group. Instead of LoU, this was done through issuance of standby letter of credit to overseas banks which devolved on them. PNB had the maximum exposure—Rs1,800 crore. It did come under RBI scrutiny which found related-party transactions, among other things.
While employees can have a free run in a rotten operational system, what have the auditors been doing? Concurrent auditors in bank branches are assigned the job of periodic on-the-spot transaction verifications. They are the first line of defence, and they failed. A bank’s internal auditors are entrusted with the job of keeping tabs on what’s happening in the front, middle and back offices. They failed. Finally, the statutory auditors oversee the overall compliance with all regulatory aspects and sign off on the balance sheet. They, too, didn’t smell a rat for years.
The central bank’s June 2017 Financial Stability Report, a biannual publication, spoke about the growing volume and value of frauds in the banking sector and described it as “one of the emerging risks to the financial sector”. It highlighted the “general credit governance issues” and referred to serious gaps in credit underwriting besides the lack of continuous monitoring of cash flows and cash profits, diversion of funds and double financing. RBI data, which Reuters obtained through a right-to-information request, show PSU banks have reported 8,670 “loan fraud” cases totalling Rs61,260 crore in five financial years up to 31 March 2017. PNB topped the list with 389 cases totalling Rs6,562 crore.
Systemic Risk Survey
For about seven years now, RBI has been conducting a systemic risk survey to capture the risks in the financial system through the views of market participants. There are different kinds of risks such as global risk, macroeconomic risk, financial market risk, institutional risk and general risk. The PNB fraud is an offshoot of operational risks, part of institutional risk in the survey. The last survey in October 2017 ranked operational risk in banks as “medium”. It had been “very low” in April 2015 and “low” in October 2015, and moved up to “medium” in October 2016. Clearly, there were indications of the gradual deterioration in operational risks in the banking system.
All these suggest that RBI was not unaware of the increasing risks in the banking system. But why didn’t it act? Why did its auditors fail to detect this fraud? After all, RBI is not only the lender of the last resort; its annual inspection in banks is also the last line of defence. Shouldn’t the RBI auditors have detected it?
The key reason seems to be the way the supervision is being conducted in India now. The current regime of risk-based supervision is an extremely data-intensive exercise where banks are expected to report automated data in a seamless way periodically to RBI. So, if an entity—in this case, PNB—does not give the data or offers incorrect data, the regulator cannot catch them.
A few years ago, the new architecture replaced the CAMELS-based supervision. CAMELS stands for capital adequacy, asset quality, management, earnings, liquidity, and sensitivity. Originally it was called CAMEL and ‘S’ was added in 1997 to include sensitivity for market risks.
Since the focus of CAMELS inspection was on earnings, among other things, it could have encouraged a bank to show high profitability, earned at the cost of higher risks in the business, to get a higher rating. That’s why RBI shifted to risk-based supervision. Describing the move towards risk-based supervision as a step in the right direction for the banking industry, a January 2014 Deloitte paper—Navigating the risk-based supervision process—lists the challenges for both the supervisor and the banks as the industry grapples with wide-ranging issues, including quality of data, scalability of regulatory reporting processes, efficacy of risk management systems and cost of compliance. This supervisory process significantly focuses on continuous collection of data from banks and relies on the bank’s audit and compliance functions to provide transactional assurance to the supervisor, it says. The impetus is on corporate governance and regular dialogue between the bank and supervisor. RBI had repeatedly warned the banks, had dialogues and raised the red flag, but PNB (and let’s hope that PNB alone) chose to ignore that.
A 19 January 2018 International Monetary Fund (IMF) report on India’s Financial Sector Assessment Programme commended RBI for the “remarkable progress in strengthening banking supervision”. Stating that supervision and regulation by RBI remain strong and have improved in recent years, it lists the implementation of a risk-based supervisory approach as the key achievement. “The system-wide asset quality review (AQR) and the strengthening of prudential regulations in 2015 testify to the authorities’ commitment to transparency and a more accurate recognition of banking risks,” the IMF report says.
RBI had sent its inspectors to all banks in 2015 to conduct AQR because it did not trust the banks, which were in a denial mode and refusing to disclose their bad assets. In hindsight, we can say the RBI inspectors could have swooped down on PNB’s Nostro transactions in the same fashion; but they could have done so only if RBI had a premonition that disaster was about to strike the bank. Besides, such interventions also run the risk of being interpreted as micro management.
One piece of unsolicited advice, though: to avoid a recurrence of the PNB episode, even in risk-based supervision, RBI should intervene and start random transaction testing and what is popularly known as ABC analysis in inventory management. What it needs to do is divide banks into three categories, A, B and C—‘A’ being the most valuable banks (in terms of size and systemic importance, but fewest in number) and ‘C’ being the least valuable ones (but most in number). It must give the maximum attention to the critical few (‘A’ banks) and follow the routine for the trivial many (‘C’ banks).
PNB has failed on multiple counts. Ideally, the regulator should dismantle its board and take everybody to task. Can it do this? No. This is because the Banking Regulation Act, 1947, which lays down norms for all banking companies in India, including foreign banks, is not entirely applicable to government-owned banks. RBI does not appoint the chairman, managing director and other directors of a bank board; the government does this (in consultation with RBI). Similarly, it cannot dismantle a board and remove the chief executive officer.
Also, the capital market regulator’s listing agreement, which stipulates that one-third of the directors of all listed entities must be independent, is not applicable to PSU banks. Clearly, the regulation is not ownership neutral. While privatization is a tough political call (and finance minister Arun Jaitley has virtually ruled it out), having uniform regulations for all banks may help in addressing governance issues at government-owned banks.
In 1995, the discovery of a secret file—Error Account 88888—brought to light the fact that Nick Leeson had gambled away £827 million in Barings Bank. The rogue trader single-handedly finished a 200-year-old bank. Leeson held the world title for losses due to unrestricted trades for over a decade till 25 January 2008, when Societe Generale announced that it uncovered a $7.14 billion fraud, involving a futures trader Jerome Kerviel.
Let’s hope that in the history of Indian banking fraud, it takes many more years to eclipse Gokul Shetty’s alleged record. Of course, there is a big difference between what happened at Barings and Societe Generale and PNB. Both Leeson and Kerviel were making profits for their banks and earning fat bonuses for them, initially, in speculative trades till greed overtook them. Shetty & Co. were not making any profits for PNB. They worked on behalf of a few rogue promoters to rob the bank.