Editor's note: The Rs 11,400-crore bank fraud in Punjab National Bank, perpetrated by billionaire Nirav Modi in collusion with a few bank employees, has once again brought governance practices in Public Sector Banks (PSBs) back to public debate. Questions are being raised about the way these entities function. A political blame game is on. But the problems in this sector go far beyond one instance of fraud. After five decades of bank nationalisation, India's public sector banks face deeper structural problems ranging from poor management practices, ineffective risk-management systems, vulnerability to a political-corporate nexus, a large chunk of bad loans and a lack of sufficient autonomy. Beginning today, Firstpost will publish a multi-part series that examines the serious structural problems that have engulfed India's state-run banks and the likely course of this industry, which constitutes 70 percent of India's banking sector assets. You can read the first, second and third part of the series here.
Most commentators on the Punjab National Bank (PNB) scam have wondered how the rogue employee managed to fraudulently issue Letters of Undertaking (LoUs) to the tune of Rs 11,400 crore. It is by now understood that the absence of a link between the SWIFT system (through which the LoUs are authenticated) and the bank’s own IT system (‘Core Banking System’, or CBS) was the main flaw.
But it is astonishing how this vital weakness and the consequent fraud went unnoticed by auditors. Even the Reserve Bank of India (RBI) did not detect it for seven years, even though it now claims to have cautioned banks confidentially at least thrice since August 2016. In banking parlance, this was an operational risk which remained uncontrolled by those charged with identifying and mitigating it. The final responsibility for risk management lies with the board of the bank and the banking supervisor of the country. Where did these two entities fail?
There are several acts of omission that the RBI as the banking supervisor is guilty of. The RBI should have ensured that banks adopt risk management frameworks as per the Basel Committee guidelines. While there is a lot of justifiable emphasis on business risks (such as credit risk) in Indian banks, operational risk has been ignored. For instance, RBI has allowed banks to lag in implementing advanced technology and secure systems. Proper operational risk management by the bank would have red-flagged the IT systems flaw and the RBI should have insisted that the weakness be resolved in a time-bound manner, failing which action against the bank should have been initiated.
Banks on their own may be reluctant to link the SWIFT system with CBS as it may be convenient for them to evergreen export-import accounts without the practice getting detected. While the RBI had publicly raised the issue of systems weaknesses in its Financial Stability Report, it did not actually act against recalcitrant banks.
The SWIFT system requires multiple interventions to complete a transaction, starting with initiating the message, verifying it and recording the acknowledgement. It seems the rogue employee of PNB was either taking all these actions himself or was colluding with others. That is how he must have obliterated the return confirmation messages and destroyed paper trails. The RBI should have made sure that banks have proper controls in place to ring-fence these tasks as well as access to the SWIFT system at each stage of a transaction.
The typical defence from banks seems to be that branches are overloaded with work and hence it is just convenient for one person to complete the transaction on behalf of many. In spite of the additional workload involved, separating the tasks was imperative, since the costs of a failure (even from an erroneous SWIFT entry) are high while the number of such LoUs in a day is not large.
The other defence from banks is the lack of expert staff. This became an excuse to continue with the same employee in this critical role for seven years. Apart from securing IT systems, employee risk must be evaluated through ‘Know Your Employee’ guidelines and staff turnover at one post or branch should be effectively monitored. In fact, all banks must develop their own internal frameworks for operational risk management, whether RBI insists or not.
The RBI’s on-site monitoring system during branch visits uses the CAMELS framework (Capital, Asset, Management, Earnings, Liquidity, and the much-neglected S for Systems and controls). The on-site inspections should have flagged all such cases where banks lag behind in terms of effective internal systems and controls. The RBI should have insisted that automatic alerts are generated whenever the value of credit exceeds authorised limits, even for non-fund-based guarantees such as LoUs. The RBI inspectors should have also insisted on ring-fencing the front office (the initiator of a transaction) from the back office (the recorder of acknowledgement). It is not clear whether RBI inspectors visited this non-compliant branch even once in the past several years.
The RBI may mandate that banks introduce all these checks and balances, but if its on-site monitoring is weak, how else can banks be forced to implement the requisite controls?
That brings us to the failure of the audit mechanism. The internal auditors should have cross-checked the paper trails from the SWIFT system and spotted any missing records. The concurrent auditor and the statutory (external) auditor should have verified all high value transactions carried out through the SWIFT system. That the auditors did not discharge their duties is a failure of the Audit Committee of the Board (ACB) that is supposed to oversee the internal and external audit process. Interestingly, PNB’s ACB has five members, two of whom are nominees of the RBI and the government.
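The controls argued for above (a different operator for each SWIFT stage, cross-checking SWIFT messages against the Core Banking System, and automatic alerts when exposure exceeds the authorised limit) can be expressed as a simple reconciliation check. The sketch below is an added illustration, not part of the original article or any bank's system; the record layout, message references, operator names, customers and limits are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; every field name and value is hypothetical.
REQUIRED_STAGES = ("initiate", "verify", "acknowledge")
STAGE_LOG = [  # (message reference, SWIFT stage, operator who performed it)
    ("LOU-001", "initiate", "op_a"), ("LOU-001", "verify", "op_b"),
    ("LOU-001", "acknowledge", "op_c"),
    ("LOU-002", "initiate", "op_x"), ("LOU-002", "verify", "op_x"),
    ("LOU-002", "acknowledge", "op_x"),
    ("LOU-003", "initiate", "op_a"), ("LOU-003", "verify", "op_b"),
]
MESSAGES = {  # reference -> (customer, amount in Rs crore)
    "LOU-001": ("CUST-1", 40), "LOU-002": ("CUST-2", 30), "LOU-003": ("CUST-2", 10),
}
CBS_REFS = {"LOU-001"}                  # references recorded in the CBS
LIMITS = {"CUST-1": 50, "CUST-2": 25}   # authorised limit per customer, Rs crore


def review(messages, stage_log, cbs_refs, limits):
    """Return (reference, finding) pairs for every control that failed."""
    stages = defaultdict(dict)
    for ref, stage, operator in stage_log:
        stages[ref][stage] = operator

    exposure = defaultdict(int)  # running non-fund exposure per customer
    findings = []
    for ref, (customer, amount) in sorted(messages.items()):
        done = stages.get(ref, {})
        # A stage with no log entry, e.g. a missing return confirmation.
        missing = [s for s in REQUIRED_STAGES if s not in done]
        if missing:
            findings.append((ref, "MISSING_STAGE:" + ",".join(missing)))
        # Segregation of duties: one operator must not perform two stages.
        operators = list(done.values())
        if len(set(operators)) < len(operators):
            findings.append((ref, "SAME_OPERATOR_MULTIPLE_STAGES"))
        # Reconciliation: each SWIFT message needs a matching CBS entry.
        if ref not in cbs_refs:
            findings.append((ref, "NO_CBS_ENTRY"))
        # Limit alert: guarantees count towards exposure, not only funded credit.
        exposure[customer] += amount
        if exposure[customer] > limits.get(customer, 0):
            findings.append((ref, "LIMIT_EXCEEDED"))
    return findings


if __name__ == "__main__":
    for ref, finding in review(MESSAGES, STAGE_LOG, CBS_REFS, LIMITS):
        print(ref, finding)
```
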
The responsibility of overseeing operational risk management also lies with the board, particularly with its Risk Management Committee (RMC). Consider what the Basel Committee on Banking Supervision has to say on the principles of corporate governance of banks. The Risk Committee of the Board should have a chair who is an independent director and is not the chair of the board and the Committee should have a majority of members who are independent directors. PNB’s RMC is not only chaired by the chairman of the board, it has seven members out of whom only one is an independent director, who also happens to chair the ACB!
While we are citing PNB as an example because of the recent incident, many public sector banks have similar weaknesses in their audit and risk governance structures. Indeed, the Basel Committee makes it quite clear that the principles of corporate governance should equally apply to state-owned banks and it is the supervisory authority’s responsibility to ensure that the principles are followed. Not only did the RBI allow bank boards to violate these principles, in the case of PNB it allegedly ignored a letter from a whistleblower who happened to be a board member!
The PNB scam is a failure of risk governance and risk supervision (by the board and the RBI). While investigation and prosecution of the guilty will take time, immediate steps must be taken to instil public confidence in the banking system. Specific action must be initiated at the senior levels to demonstrate accountability of the board and the supervisor.
The government must announce concrete plans for improving governance of PSU banks. With the privatisation option unfortunately off the table, a bank holding company could do a better job of governing banks than the department of financial services. RBI must roll out the long overdue risk-based supervision method encompassing more intensive inspection of systemically important or high-risk banks and branches. If the RBI is unable to immediately act on the scam, it would be time to restart the discussion on forming a unified financial agency in India which can coordinate risks across market segments. This was a key recommendation of the Financial Sector Legislative Reforms Commission that was vehemently opposed by the RBI.
For instance, in this case, SEBI failed to act against Gitanjali Gems for stock price manipulation while RBI could not detect the fraud at PNB, but better coordination between the two regulators may have helped (since Gitanjali Gems was also a beneficiary of the fraudulent LoU). With multiple functions currently weighing down the RBI and most of its attention going towards monetary policy and management of debt and forex, is the central bank really up to the task of regulating and supervising India’s banks? A super regulator for the entire financial sector may just be the answer.
(The writers are faculty members at the Indian Institute of Management, Kozhikode (IIM-K), and have previously worked in central banking and commercial banking)
Published Date: Feb 23, 2018 07:57 AM | Updated Date: Feb 23, 2018 09:28 AM