The story of how India’s biggest bank fraud went undetected for seven years includes an $81 million cyber-heist in neighboring Bangladesh, penny-pinching lenders and a series of missed opportunities.
In 2016, after revelations that hackers had infiltrated the Bangladeshi central bank’s computer systems to siphon off money, its counterpart in India sensed a danger to its own banking system. The Reserve Bank of India reminded all the country’s lenders to ensure their computer networks were properly integrated with Swift, the global system used to transmit payment instructions in the Bangladesh theft.
Unknown to the RBI at the time, a rogue employee at state-owned Punjab National Bank had allegedly been taking advantage of precisely that flaw in the Indian lender’s computer systems for five years, perpetuating a fraud that would eventually balloon to $1.8 billion, according to PNB’s account.
“The biggest thing that didn’t happen was the linkage between Swift and the bank’s back-end software — they didn’t talk,” said Abizer Diwanji, a financial services partner in India at the accountancy firm EY. “The ball was first dropped” when PNB missed a chance to reconcile the two systems, he said.
As the fallout from the incident spreads and various government agencies move to investigate, one thing stands clear: the financial damage was exacerbated by a combination of inferior technology, weak risk management and insufficient regulatory oversight. Had the fraud been discovered a year earlier, the total amount would have been about $800 million lower.
PNB alleges its former employee Gokulnath Shetty provided billionaire jeweler Nirav Modi and his associates with guarantees to obtain loans from abroad. Between 2011 and early 2017, guarantees worth 65 billion rupees ($1 billion) were issued without any collateral, followed by another 49 billion rupees over March to May last year, when Shetty retired, according to PNB’s complaint that has been made public.
Because the computer systems of many Indian banks weren’t compatible with Swift, the RBI didn’t make it a requirement to integrate the two, according to R. Gandhi, a former RBI deputy governor who oversaw the central bank’s risk operations at the time of the Bangladesh hack. However, banks like PNB that hadn’t integrated their systems were required instead to perform daily manual checks to reconcile the Swift messages with internal records, Gandhi added.
Given the prevalence of fraud involving global trade finance transactions, it’s critical for banks to ensure automated or manual reconciliation with Swift, said Tim Phillipps, an Asia-Pacific financial crime specialist at Deloitte. It isn’t hard to build an interface between Swift and the bank’s own software, he said.
“Trade finance operations at banks are one of the riskiest parts of the business they do and also one of the most profitable,” Phillipps said. “Most checks in world structured environments don’t allow data to be entered directly into Swift because that is where many of the big problems have occurred over the past decade in terms of falsifying information.”
Cost may have been a factor in preventing Indian banks from upgrading their systems, according to Saswata Guha, a director in the financial institutions group at Fitch Ratings. Indian lenders have been grappling with rising bad loans and insufficient capital for years, a situation that may worsen after new regulations take effect in coming months.
The RBI didn’t reply to an email sent early Tuesday seeking detail on its warnings about Swift, but late that evening it posted a statement on its website saying it had confidentially cautioned banks about misuse of Swift on at least three occasions since August 2016. “Banks have, however, been at varying levels in implementation of such measures,” the RBI said.
‘Down to Its Heels’
Federal officials have arrested Shetty, who couldn’t be reached for comment. PNB didn’t reply to emails seeking comment. Swift doesn’t comment on particular allegations and customers, spokeswoman Natasha de Teran said by email on Tuesday.
All of Modi’s transactions with PNB were documented and Modi denies allegations he was involved in the fraud, Modi’s lawyer Vijay Aggarwal told NDTV on Tuesday. Modi’s office didn’t reply to a Bloomberg email seeking comment.
Finance Minister Arun Jaitley on Tuesday said supervisors and auditors must ensure that frauds are detected early. His ministry is said to have sought a reply from the RBI on whether it found any wrongdoing while inspecting PNB’s account books. The 10-member Bankex index rose 0.3 percent in Mumbai on Wednesday, snapping a three-day drop, as the main equity gauge advanced 0.4 percent.
While India’s government and central bank have been setting up panels and making recommendations for years to reform the nation’s banking sector, real progress has been slow, said Fitch’s Guha.
“If a few people, or connivance of a group of people, can take a bank this large down to its heels with the kind of capital market implications one has been seeing, then it poses very serious questions,” he said. “At the core of it, it’s really governance.”