At the heart of the Rs 11000 cr Nirav Modi PNB scam is one simple problem: reconciliation. As explained here, 2 of the bank staffers who are alleged to be involved in this fraudulent activity issued the LOUs from their PNB branch but never made the relevant entries in the bank's accounting systems. Foreign bankers, trusting the SWIFT instructions and LOUs, extended credit, and transactions kept happening all this while. A simple reconciliation of SWIFT messages and outstanding liability could have detected this fraud long ago.
Amazingly, this exact modus operandi was highlighted by the RBI at least twice. In his keynote address at the ‘International Seminar on Cyber Risk and Mitigation for banks’ organized by CAFRAL in Mumbai on September 7, 2016, S. S. Mundra, Deputy Governor, RBI, spoke about this issue (emphasis added):
In the beginning of the year, Bangladesh Bank was the target and an attempt was made to steal US$1 billion and ultimately the attackers could successfully get away with US$81 million. Recently, in India too, a similar attempt was made on a commercial bank by generating fraudulent payment instructions on the Nostro accounts and transmitting them over SWIFT messaging system. Though monetary loss could be prevented with proactive follow-up with the concerned paying / intermediary banks, the incident has reinforced the fact that the various stakeholders have not learnt the lessons yet. We have also come across instances of fraudulent messages confirming documentary credits being transmitted using SWIFT infrastructure. Although, the latter incidents were mainly a result of the failure of internal controls and non-adherence to “four eyes principles”, it is also on account of reliance on disparate systems whereby SWIFT transactions could be done without originating a corresponding transaction in the CBS.
As if this was not enough, it was reported that the RBI had, around December 2016, asked banks to match the documents shared through SWIFT with the actual documents in their base or core banking system to find out whether the systems had been misused.
This instruction had come after a similar fraud was stopped before it started. The banks in question discovered that their SWIFT had been compromised to create fake documents. Hackers had infiltrated the systems of three government-owned banks — two headquartered in Mumbai and one in Kolkata — to create fake trade documents that may have been used to raise finance abroad or facilitate dealings in banned items. There was a fraudulent duplication of trade documents like letters of credit (LC) and guarantees.
In the first case (involving another Mumbai-based public sector bank), the bank had a narrow escape after a large American bank to which hackers had tried to transfer funds suspected that something was amiss. If the hackers had their way, the local lender would have lost $150 million.
Soon after the breaches were reported to the Reserve Bank of India, the regulator last month directed several banks to cross-check all trade documents issued over the past one year. The cross-check is very much like the one we had recommended in our earlier post: a simple reconciliation between SWIFT and the core banking solution (CBS) of a bank, i.e. the main accounts of the bank.
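The reconciliation described above, sketched as an added example (not code from the original post or from any bank): each outbound SWIFT commitment is looked up in the CBS by reference, and anything unbooked, mismatched or duplicated is reported. The record layouts, field names and sample rows are constructed assumptions, not a real SWIFT or CBS export format.

```python
from collections import Counter, namedtuple
from decimal import Decimal

# Hypothetical record layouts for illustration only.
SwiftMsg = namedtuple("SwiftMsg", "ref currency amount")
CbsEntry = namedtuple("CbsEntry", "ref currency amount")

# Constructed sample data.
SWIFT_LOG = [
    SwiftMsg("LOU-0001", "USD", Decimal("1000000.00")),
    SwiftMsg("LOU-0002", "USD", Decimal("2500000.00")),
    SwiftMsg("LC-0003", "EUR", Decimal("400000.00")),
    SwiftMsg("LOU-0004", "USD", Decimal("750000.00")),
    SwiftMsg("LOU-0001", "USD", Decimal("1000000.00")),  # same reference sent twice
]
CBS_LEDGER = [
    CbsEntry("LOU-0001", "USD", Decimal("1000000.00")),
    CbsEntry("LC-0003", "EUR", Decimal("350000.00")),    # amount differs from SWIFT
    CbsEntry("BG-0009", "USD", Decimal("90000.00")),     # booked, nothing sent
]

def reconcile(swift_log, cbs_ledger):
    """Compare outbound SWIFT commitments with liabilities booked in the CBS."""
    cbs_by_ref = {e.ref: e for e in cbs_ledger}
    ref_counts = Counter(m.ref for m in swift_log)
    report = {"swift_without_cbs": [], "mismatch": [], "unbooked_exposure": {}}
    for m in swift_log:
        entry = cbs_by_ref.get(m.ref)
        if entry is None:
            # Commitment sent abroad with no liability booked in the main accounts.
            report["swift_without_cbs"].append(m.ref)
            exposure = report["unbooked_exposure"]
            exposure[m.currency] = exposure.get(m.currency, Decimal("0")) + m.amount
        elif (entry.currency, entry.amount) != (m.currency, m.amount):
            report["mismatch"].append(m.ref)
    # The same reference transmitted more than once may indicate a duplicated document.
    report["duplicate_swift_ref"] = sorted(r for r, n in ref_counts.items() if n > 1)
    # Informational: booked in the CBS but never transmitted over SWIFT.
    report["cbs_without_swift"] = [e.ref for e in cbs_ledger if e.ref not in ref_counts]
    return report

if __name__ == "__main__":
    for key, value in reconcile(SWIFT_LOG, CBS_LEDGER).items():
        print(key, value)
```

The `swift_without_cbs` list and the per-currency `unbooked_exposure` total are the items an auditor would escalate first, since they represent liabilities the bank's own books do not show.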
The question now to be asked is, in spite of RBI once hinting at this scam and once directing actions to prevent such scams, why did PNB not take any action on these orders? If the RBI orders had been followed, the scam would have been detected at a much earlier stage.
It is being said that 2 PNB officials were in collusion with the Nirav Modi group. Then why did senior bank officials not follow the RBI guidelines? Ordinarily, a bank is audited at at least 4 different levels: a concurrent audit, a statutory audit, an internal audit and an RBI inspection. Did none of these 4 levels of checks and balances bother to follow RBI orders?
The saving grace in this case is that the authorities have been quick and have already managed to seize gems and gold worth Rs 5100 crores from the premises of Nirav Modi. RBI officials, too, have maintained that the issue is under control. One only hopes that the cleanup is thorough and that all the people who are guilty of omission or commission are punished.