SWIFT fiasco in PNB scam raises questions about lax banking software; are RBI and IBA to blame?
Not just PNB but a whole slew of Indian banks seem to have either missed a few key steps in policing an important part of the system involving tens of thousands of crores in unsecured loans
Have you linked your Aadhaar number to your bank account yet before the 31 March deadline that your bank keeps talking about? No? Well, now you can turn around and tell them this: "Why don't you first ask Vinod Rai, the government auditor who blew the whistle on the 2G spectrum scam and is now heading the Banks Board Bureau, to ask the country's banks to link their SWIFT messaging system with their core banking software?"
As details emerge on the Rs 11,000-crore scam involving elusive luxury jeweller Nirav Modi and the Punjab National Bank (PNB) he allegedly defrauded, it is clear that senior managers and regulators at India's second-largest state-run bank had no dashboard mechanism to police the big banking fraud being probed by the Central Bureau of Investigation.
There is a not-so-delicious irony in this when activists are accusing the government of having Big Brother intentions in trying to link PAN numbers, Aadhaar, mobile numbers and bank and mutual fund accounts together. Is the government trying to snoop at the wrong place?
Seriously, not just PNB but a whole slew of Indian banks seem to have either missed a few key steps in policing an important part of the system involving tens of thousands of crores in unsecured loans or pinched pennies in the process of building technologies to supervise the financial system.
The big question is: Have the alleged errors of commission blamed on deputy manager Gokulnath Shetty at the heart of the scam been compounded by the serious errors of omission at several senior levels of the banking system? The expert view is that the "maker, the checker and the verifier" in the SWIFT messaging system between banks should have been different persons but were not.
Also, there should have been a reconciliation of accounts at various levels at regular intervals that did not happen. What’s more, auditors and supervisors would ideally have access to various pieces of information for checks and balances, and the absence of a linkage between the core banking solutions of the banks and the slightly outdated SWIFT system left a yawning gap in the system.
All this resulted in dubious, huge loans being given under guarantees called letters of undertaking (LoU) not just by one bank but by quite a few.
Imagine this like a situation where a batsman square cuts a ball in a cricket match past three slips and two gullies, with the fielder at backward point and the one said to be backing it all up from the third man all missing the red cherry that darts past the boundary line for an undeserved four.
This seems to be a year of living dangerously for Infosys, the company that built the Finacle core banking solution for PNB. Already facing questions and explanations on software for the Goods and Services Tax (GST), it may have some answering to do on banking software, perhaps not so much for a flawed construction as for a general understanding of how things can go wrong.
Risk management is a serious business in banking, and there are dozens of software solutions that help banks manage risks on everything from commodity trading to operational errors. PNB seems to have been hit by operational errors and also by supervisory gaps.
Did no one in the Indian Banks' Association (IBA), the apex body that represents public sector banks, ever think of a checklist to ensure that the kind of risk that PNB faced was mitigated by software solutions? Does or did the RBI have a technological design cell for standards and specifications on risk management that guides banks as it regulates them towards better supervision?
Even if the core banking software was not linked to SWIFT by an automatic connection, was there no data entry based monitoring that would have red-flagged big loans that needed supervision and accountability?
Corporate employees filing expense claims in enterprise software built by companies such as Oracle and SAP understand authorisation and approvals at various levels with automatic escalation on dubious or large-scale issues.
It is difficult to imagine how seriously huge LoUs did not have such checks and balances at least through a reporting system linked by data entry -- unless the rot was so deep that a big conspiracy is being passed off as low-end connivance.
If indeed Shetty was a "rogue manager" on the lines of rogue trader Nick Leeson who brought down London's oldest merchant bank, Barings, in 1995 with his gambling that appeared disproportionate to his stature in a huge institution, we need to find ways to check this.
In a tweet on the Nirav Modi scam, I had raised four questions:
One, what are the usual checks and balances in SWIFT use & LOUs?
Two, what is the inspection mechanism?
Three, how do banks limit damage from individual employee transgressions?
Four, in 2011 and later, was there any extra-normal interference at the affected branch?
Of these, the last could be used to seek details on possible bureaucratic or political interference, but the first three could have been addressed at least partially by technological means.
The SWIFT fiasco at PNB raises, on the one hand, questions on whether there was a penny-wise-pound-foolish approach on the part of banks spending on software and, on the other, serious questions on risk management and compliance built into the supervisory mechanism aided by technology. These questions need to be looked at both forward and backward in the coming days.
(The author is a senior journalist. He tweets @madversity)