PNB Fraud: How Do Banks Manage Operational Risk?
The Punjab National Bank fraud has brought attention back to how banks manage operational risk. There is a need to investigate what procedures were undermined, and how a few employees in connivance with clients could take control of such large amounts of money for such a long time without raising any red flags.
Following the detection of fraud amounting to Rs 11,400 crore in the Punjab National Bank (PNB), and the default and fraudulent misuse of funds by Rotomac Global Private Limited (RGPL) to the tune of Rs 3,695 crore, there is furore in the industry. The two cases are different types of fraud and cannot be equated. Banks are going to be affected, but in different ways. Peer banks are in a state of fear. This has triggered the tightening of systemic controls which failed to detect the persistent irregularities practiced by a few individuals in the bank.
More than the large amount involved, the reputation of the banking industry is at stake, especially at a time when global attention is focused on stabilising bank reforms and greater efficiency of the financial sector is expected. Massive capital infusion through recapitalisation bonds is intended to resurrect the public sector banks (PSBs) that are burdened by a huge pile of non-performing assets (NPAs) and low capital adequacy. The government may have to rework its capital infusion plan in the light of these frauds.
Issue of LoUs to Obtain Buyer’s Credit
The modus operandi of the fraud that is known so far is unbelievable. How is it that for seven long years, Letters of Undertaking (LoUs) were issued to substitute for older such LoUs? The amounts on the new LoUs were adjusted to cover the older principal and interest each time. These LoUs facilitated access to short-term buyer’s credit at overseas centres without any underlying formal line of credit or collaterals.
Investigative agencies put the number of LoUs unearthed so far at 293. The initial cumulative amount was Rs 11,400 crore for which there is neither any sanctioned loan nor any collaterals to fall back upon. The amount is now being reported to be over Rs 12,000 crore. All prudential standards have been allowed to be compromised by a few in-house fraudsters in connivance with outsiders. The issue of LoUs was routed through Society for Worldwide Interbank Financial Telecommunication (SWIFT) on a stand-alone basis, with no integration with the mainstream technology platform of the bank. Based on these authenticated LoUs, some overseas branches of Indian banks and foreign banks have provided short-term buyer’s credit in foreign currency to the beneficiaries of LoUs in order to pay for imports in foreign currency, thus obviating exchange rate risk.
LoUs are non-fund-based facilities carrying credit risk. They should be issued only after due credit appraisal and after obtaining sanction from a competent authority in the same way as any other loan facility. Issuing LoUs without the sanction of credit facilities is tantamount to parting with cash from the bank’s currency vault without a valid cheque.
Indiscriminate issuance of LoUs in PNB is a form of operational risk, whereas the default and misappropriation of the bank’s loan by RGPL is a credit risk because it is a duly sanctioned credit facility.
Operational Risk
According to the Bank for International Settlements (BIS), operational risk is attributed to “losses resulting from inadequate or failed internal processes, people and systems or from external events.” In the case of the PNB fraud, the fact that perpetrators of the fraud could continue the chain of transactions in a “business as usual” mode without being detected at any point, is a complete failure of internal processes. This has caused huge operational risk to PNB and partly also to banks that have advanced foreign currency loans against those LoUs at overseas branches.
In the ordinary course of business, such persistent irregularities cannot escape the attention of staff working in the branch for such a long duration. The mysterious staff members who stay away due to sickness, personal work or for attending social engagements during such episodes can get easily exposed. But the fact that this did not happen, indicates the existence of a second layer of fraudsters in the bank. The conspirators cannot be limited to a bunch of people. It must be a bigger group that supports each other in maintaining the stream of LoUs without causing any break or reporting anything to higher authorities. Keeping them isolated from the rest of the banking operations is an onerous task, but it has been ensured by a close nexus among colleagues.
Systemic Controls
The Reserve Bank of India (RBI) and the individual banks themselves prescribe systemic controls such as internal inspections, reporting systems to higher authorities on the state of credit exposure (fund based and non-fund based such as LoUs/Letters of Credit/Bank Guarantees). Concurrent audit, statutory audit, RBI audit, and many more sporadic management audits are institutionalised to ensure compliance at every stage. Beyond these, there are undefined controls in branches.
Similarly, banks are supposed to conduct on-site inspection of borrower units where loan facilities are extended. Even visits of internal inspection teams of the bank to borrower units are necessary to re-verify and ensure proper end use of loans. The periodical reconciliation of nostro accounts (foreign currency denominated accounts of Indian banks maintained in overseas centres) where the buyer’s credit in foreign currency is credited, is to be done from time to time.
Given these control systems to regulate banking operations, the protracted period of fraud is astounding. Moreover, the behaviour and conduct of the staff involved in the fraud, their routine discussions, hearsay comments, repeat visits of the fraudsters or their representatives to the branch to seek fresh LoUs to replace the old ones, informal interactions with colleagues in the department, events and campaigns held in branches and visits of the bank’s higher authorities to branches could not have escaped the attention of the branch staff in usual circumstances. Perhaps, some more facts will come to light as the probe deepens.
Absorption of Losses Due to Fraud
An LoU is an irrevocable assurance given by one bank to another. In case the borrower does not pay, the bank that issues the LoU will pay the other bank. It is a trust instrument known to be reliable in global markets. Hence, lending against LoUs for banks is like investments for shorter durations. Though it is a credit risk for such lenders, it is considered risk free because of the guarantee of a peer bank. Therefore, when seen in the context of absorption of losses on account of fraud, PNB will have to foot the bill unless the underlying LoUs are proved to be forged. But since the LoUs are transmitted through duly authenticated SWIFT messages which cannot be intercepted in ordinary course, the underlying obligation to pay cannot be abrogated by PNB. The RBI stipulates that for the gems and jewellery sector, LoUs normally should not be issued for more than 90 days. These have been issued by PNB for a year, violating regulatory norms. It is the responsibility of the issuing bank to follow the home country regulations and the onus cannot be shifted to the LoU honouring bank at an overseas centre. The weakness of systemic controls and the knack of in-house culprits in keeping the transactions away from the mainstream of operations is condemnable. The flow of such huge funds into the nostro account of PNB and the inability to flag any trace of the series of fraudulent transactions are puzzles that can be solved by probing agencies.
Due to continued slackness of managerial control, PNB became easy prey for dubious diamond firms that could get access to unlawful money. The perpetrators of fraud can play around with the weaknesses in banks but they cannot get away for a long time. It is more important to look at lapses and how the fraud could seep into such tightly regulated and reinforced barricades of the banking system.
Reasons for the Fraud
Some of the obvious reasons for the PNB fraud could be the following.
- Non-fund-based facilities were considered casual products that can escape the oversight of authorities;
- People were allowed to remain at a position for a long time without job rotation/transfers;
- SWIFT access was given to a few officers without in-house job rotation;
- Non-integration of the SWIFT system with the mainstream core banking system led to a possibility of isolating transactions;
- Lack of systemic control on nostro account reconciliation where funds have landed;
- Advice from the LoU honouring bank about the grant of loan facility at the overseas branch was prevented from reaching the management, with some fraudulent arrangement made to intercept it;
- Failure of all forms of systemic controls, like audits, RBI inspections, and concurrent audits.
Essentially, the inability of the bank to control operational risk and the inattentiveness of all stakeholders to notice the signs of slackness over a long period of time has resulted in colossal loss of reputation for the banking system. The RBI has now formed a five-member committee led by Y H Malegam, former member of the Central Board of Directors of RBI, to examine the role and effectiveness of various types of audits in banks. This together with the findings of the probe will enable robust measures to prevent the recurrence of such scams in future.
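Several of the reasons listed above (LoUs sent over SWIFT with nothing booked in core banking, older LoUs replaced by larger ones, tenors beyond the 90-day norm) can be tested by reconciling the outbound SWIFT log against core banking records. The Python code below is an added example, not part of the original article or of any bank's system; the record layout, reference numbers, amounts and the 7-day rollover window are constructed assumptions.

```python
from datetime import date

MAX_TENOR_DAYS = {"gems_jewellery": 90}  # norm cited in the article
ROLLOVER_WINDOW_DAYS = 7                 # assumption: tunable threshold

# Constructed sample: LoUs found in the outbound SWIFT message log.
SWIFT_LOUS = [
    {"ref": "LOU-001", "customer": "C1", "sector": "gems_jewellery",
     "amount": 100.0, "issued": date(2017, 1, 10), "expiry": date(2017, 4, 5)},
    {"ref": "LOU-002", "customer": "C2", "sector": "gems_jewellery",
     "amount": 500.0, "issued": date(2016, 2, 1), "expiry": date(2017, 1, 31)},
    {"ref": "LOU-003", "customer": "C2", "sector": "gems_jewellery",
     "amount": 540.0, "issued": date(2017, 2, 2), "expiry": date(2018, 1, 25)},
]
# Constructed sample: sanctioned non-fund-based limits booked in core banking.
CBS_SANCTIONS = {"LOU-001": 100.0}


def reconcile(swift_lous, cbs_sanctions):
    """Return (ref, finding) pairs for LoUs that break a control."""
    findings = []
    seen = {}  # customer -> earlier LoUs, in issue order
    for lou in sorted(swift_lous, key=lambda l: l["issued"]):
        ref = lou["ref"]
        booked = cbs_sanctions.get(ref)
        if booked is None:
            findings.append((ref, "NO_CBS_ENTRY"))  # issued outside core banking
        elif lou["amount"] > booked:
            findings.append((ref, "EXCEEDS_SANCTION"))
        limit = MAX_TENOR_DAYS.get(lou["sector"])
        if limit is not None and (lou["expiry"] - lou["issued"]).days > limit:
            findings.append((ref, "TENOR_OVER_LIMIT"))
        # A new LoU issued around an older one's expiry, for at least the same
        # amount, matches the replace-and-increase pattern described earlier.
        for prev in seen.get(lou["customer"], []):
            gap = abs((lou["issued"] - prev["expiry"]).days)
            if gap <= ROLLOVER_WINDOW_DAYS and lou["amount"] >= prev["amount"]:
                findings.append((ref, "ROLLOVER_OF:" + prev["ref"]))
        seen.setdefault(lou["customer"], []).append(lou)
    return findings


if __name__ == "__main__":
    for ref, finding in reconcile(SWIFT_LOUS, CBS_SANCTIONS):
        print(ref, finding)
```

Run independently of the staff who hold SWIFT access, a check of this kind does not rely on the branch reporting its own exposure.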
Lessons from the Fraud
Taking a cue from the PNB fraud and the ongoing RGPL loan fraud, banks should henceforth be cautious in handling such sensitive fund and non-fund-based products. Buyer’s credit is a simple and easy to operate facility provided the basic tenets of lending are followed. Such non-fund-based facilities are more risky than funded loans, and more rigour is applied in granting such facilities. Many times, even 100% cash margin is insisted upon. But it often attracts less attention of compliance wings in banks because these instruments are self-liquidating products and are supported by better standards of collaterals.
In addition to the conduct of those handling such sensitive and risky portfolios, there is an urgent need to sensitise line management about managing operational risks. They need to be educated to remain vigilant about the conduct of other colleagues. Besides institutionalising a whistle-blower policy, the staff should be able to sense wrongdoings and alert the management. It is necessary to realise that keeping the work-space safe and secure is the collective responsibility of all staff.
Management of operational risk is more about watching the behavioural aspects of the work-force because their intentional or unintentional failure to enforce systemic controls will cause loss to the bank. This is precisely the reason that staff accounts are under greater scrutiny and even the lifestyle of employees is watched.
Banks tend to accord more significance to managing credit risk with which they are familiar and many tools have been developed to manage it. They are diffident in managing operational risk which could be more damaging. In every interaction with the line management, banks should discuss ways and means of curbing operational risks, particularly when banks are operating in a technology-intensive environment. Staff failure or technology failure when seen together with potential connivance of ill-willed hawks or other accomplices can shatter the reputation of banks. The only solution is to not only put operational control systems in place but also to educate every employee to improve their effectiveness as part of the operational control system. The only invincible operational risk management tool is to foster the collective collaboration of staff in the long-term interest of the industry.