Can PNB Like Fraud Occur In Other PSU Banks?

Can PNB Like Fraud Occur In Other PSU Banks? Punjab National Bank (PNB), the Delhi-based second-biggest public sector lender's fraud relating to LoUs (Letters of Undertaking); and followed by it, the closure of Nirav Modi's and Mehul Choksi's jewellery businesses as a consequence to fraud-related actions by investigative agencies, is likely to result in cumulative impact on the Indian banking industry to the tune of more than $3 billion.

Modus Operandi PNB's Brady House Fort, Mumbai branch, had issued LoUs to the accused firms and people managing these firms without having a sanctioned credit limit or maintaining funds "on margin". These officials had been issuing LoUs on the SWIFT messaging system without entering the transactions on the bank's own system. The LoUs were used to obtain buyer's credit from overseas branches of other Indian banks.

The overseas banks' branches extended buyer's credit to the importer on the basis of an LoU issued by the importer's bank, i.e. PNB. These transactions were carried out over the last seven years without being detected. The accused firms, instead of paying off the buyer's credit from their own businesses on due dates, rather went on for ever-greening of the loan, by way of issuance of fresh LoUs. 

 Underlying Serious Issues The maturity terms of LoUs issued ranging from 30 days to a year have to be examined in the light of RBI Master Circular of 2015 and RBI Master Direction of 2016, which prohibits buyers' credit beyond 90 days from the date of shipment, for import of platinum, palladium, rhodium and silver and rough, cut and polished diamonds and precious and semi-precious stones. 

SWIFT works under standardized system, wherein different individuals perform the role of maker, checker and authoriser at information transmitting point. Had due diligence at different layers been observed, the fraudulent issuance of LoUs could have been averted at the budding stage itself. 

The frequency and high value of transactions by the accused firms relating to the payments of buyer's credit for the principal and interest amount taking place over the years should have aroused suspicion at the branch/treasury/foreign department/ controllers level, who could have then looked at the business model from the safety and security perspective for the PNB. 

Various audits, viz.,. IT-related audit, concurrent audit, regular audit and statutory audit, seem to have not acted with due diligence and prudential banking. The due diligences at PNB's different layers of controllers appears to be lacking on risk management aspects. 

RBI's 2016 Guidance on SWIFT transactions In 2016, RBI had raised serious concerns relating to the security environment in the banks for the usage of SWIFT messaging system and also shared the indicative list of best practices to strengthen the security environment for SWIFT usage. Despite the RBI raising these concerns over SWIFT-related messaging, the risk management gaps continued in PNB. The regulator had expressed concerns that most of the banks did not have straight through processing from CBS for trade finance transactions such as Letters of Credit/ Comfort etc. 

This ability to initiate LC messages without reflection of transaction in the CBS posed serious inherent risk. Despite having a decentralised set-up for SWIFT operations, there was no mechanism to verify whether every outward trade finance related SWIFT message had a corresponding underlying LC and thereby identifying fraudulent LC related SWIFT messages, if any. 

The regulator advised the PSBs "to explore Straight Through Processing between CBS and SWIFT messaging system so as to avoid potential fraudulent messages". 

Risk Management Gaps in PNB 

Banks have an apex level Risk Management Committee of the Board (RMCB); as also Operational Risk Management Committee (ORMC) and Credit Risk Management Committee (CRMC), especially overseeing the operational and credit risk areas. Despite all these mandatory structures in existence, there have been multiple level failures in safeguarding the PNB's interests.

Operational Risk: The board of directors of a bank is primarily responsible for ensuring effective management of operational risks through RMCB and ORMC. 

1. The board of directors should be aware of the major aspects of the bank's operational risks as a distinct risk category that should be managed, and it should approve an appropriate operational risk management framework for the bank and review it periodically. It is not clear whether in the PNB, its ORMC brought up before the RMCB the agenda on the SWIFT and Nostro account reconciliation related issues, and if it did, what were the guidance given on these risks. 

2. The framework should be based on appropriate definition of operational risk, which clearly articulates what constitutes operational risk in the bank and covers the bank's appetite and tolerance for operational risk. The framework should also articulate the key processes the bank needs to have in place to manage operational risk. Did the RMCB or the ORMC in PNB deliberated on the bank's appetite and tolerance for operational risk in the context of its security environment for SWIFT usage, especially after regulator's concerns in 2016? 

3. Board should ensure that the bank has in place adequate internal audit coverage to satisfy itself that policies and procedures have been implemented effectively. 

In PNB, was the operational risk management framework subjected to an effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff?

Credit Risk: The directives were issued by the RBI way back in 2002, wherein each bank had to put in place Credit Risk Management Department (CRMD), independent of the Credit Administration Department.

1. Each bank has to measure, control and manage credit risk on a bank-wide basis within the limits set by the Board/ CRMC. This needs to be looked into for the kind of LoUs' exposure and if any industry-specific limits were set up by the PNB at the apex level. 

2. For large banks, regulatory guidelines emphasize on a separate set up for loan review/audit. For such a high level of exposure to a particular group of industry, what were the concerns raised on safety and security of banks' interest by the PNB auditors and Inspection & Audit Department. 

3. Be accountable for protecting the quality of the entire loan/ investment portfolio. 

4. The regulator emphasized that the strategy to sanction non-fund facilities with a view to increase earnings should be properly balanced vis-à-vis the risk involved and extended only after a thorough assessment of credit risk is undertaken. The PNB appears to have relegated the significance of these regulatory guidance in respect of credit risk management in the case of Nirav Modi and Mehul Choksi fraud cases.

Way Forward 

The PNB fraud of such a high magnitude warrants measures to ensure non-recurrence of such instances in the Indian banking system. 

1. SWIFT platform linkage to CBS platform is a must, so that messages emanating on SWIFT system are captured in the CBS. Various fields of information need to be built in so that unless these details are keyed in CBS with maker/checker concept, the SWIFT platform activation for transmission of message will not take place. 

2. RBI has to deal with an iron hand any system based loopholes or any regulatory non-compliance and impose heavy penalties on defaulting banks under the power vested under the Banking Regulation Act, 1949 (Section 35A). 

3. A specialised forex audit annually/halfyearly at forex authorised branches and foreign/treasury department needs to be instituted to keep an eye on SWIFT messaging, Nostro reconciliations and verifying underlying genuineness of business transactions. 

4. Bank's concurrent auditors must develop forensic sensitiveness at bank' branches where placed and must give periodical reports to the immediate controller on sensitive transactions, commenting on genuineness of transactions with supporting sanctions; and existence, if any, of gaps/ non-compliances in systems and processes. 

5. Scaling up of risk management capabilities is a paramount necessity. Risk management architecture of Indian banks requires a thorough revisit in the light of the PNB fraud. 

6. PNB fraud episode must drive the Indian banking system to take a close look at the quality of imports, the genuineness of the bills and an incestuous relationship, if any, between the importers and the exporters. 

7. Government outfits like Central Economic Intelligence Bureau, Financial Intelligence Unit, Directorate of Revenue Intelligence, and Serious Fraud Investigation Office, need to be strengthened with robust structure and latest technology to pre-empt financial crimes.