RBI lists supervisory and risk management steps for banks

Banikinkar Pattanayak

The $2-billion fraud at Punjab National Bank (PNB) involving jeweller Nirav Modi has prompted the Reserve Bank of India (RBI) to read the riot act to banks to bolster their fraud prevention and detection framework.

The central bank has directed all banks to implement as many as 29 measures — from creating an alert system by June 30 on breach of any control limits to linking of SWIFT system (which was abused by some PNB employees causing the fraud) with Privileged User Management Systems as well as core banking solutions (CBS) — within set deadlines.

It has warned that “any lapse on the part of the banks in ensuring compliance with the aforesaid requirements would attract strict enforcement action”.

In a letter to chiefs of all scheduled commercial banks, the RBI said the fraud “indicates ineffective implementation of the prescribed control at the levels of business unit, risk management and audit function”. “Compliance with clearly-articulated regulatory/supervisory instructions on a vital subject such as SWIFT has not been ensured by many banks. Against this backdrop, there is a need for a thorough review and reinforcement of fraud prevention and detection frameworks in place in the banks,” the RBI said in its February 20 letter, reviewed by FE. The regulator also stressed it had flagged potential misuse of SWIFT and issues relating to cyber security controls in its confidential circulars sent to banks in August and November 2016.

Banks have been directed to implement as many as 23 measures immediately, and two each by March 31, April 30 and June 30.

The letter suggests various checks and balances for banks, covering a wide spectrum of their operations — from daily transactions to security alerts to HR initiatives. For instance, it asked banks to set up a system by June 30 to generate alerts on breach of any control limits as well as on any other unusual feature in transactions. Similarly, banks have to create by March 31 an additional layer of approval for all payment messages exceeding a particular threshold. Until SWIFT is linked with CBS, by April 30 at the latest, no SWIFT message will be created without ensuring the underlying transaction is duly reflected in the CBS.

Similarly, the regulator has asked banks to exercise control over sending payment messages to banks with which the Nostro account is maintained. It said a limit on the payments that had individuals as beneficiaries would be determined, above which the correspondent bank will be asked to seek confirmation from the remitting banks before effecting payment. This control would be in place by March 31, 2018, it said.

The SWIFT system was misused by some officials at PNB to issue letters of undertaking (typically credit guarantees) to firms of Modi and his uncle Mehul Choksi without making corresponding entries in the bank’s CBS in a bid to escape tighter scrutiny, which led to the biggest fraud in the country’s banking history.

Finance minister Arun Jaitley has already slammed auditors, bank management and regulators for the inability to detect the fraud at PNB on time and said laws would be further tightened, if required, to punish fraudsters.

The central bank also set up a panel in February, headed by its former board member YH Malegam, to look at the divergence in asset classification and provisions reported by banks and those interpreted by the RBI’s auditors. The committee will also examine the increasing instances of fraud in the banking system.

This news was originally published in the Financial Express on April 3, 2018
