PNB scam is just the tip of the iceberg

By Chetan Dalal and Kanwal Mookhey

“Our messaging, standards and services connect you to your counterparties worldwide, so you can transact securely and reliably.” So reads the home page of SWIFT, the secure messaging system that has been used by Nirav Modi and his associates within and outside the Punjab National Bank (PNB) to suck out over one billion dollars from the banking system.

SWIFT (the acronym for Society for Worldwide Interbank Financial Telecommunication) is a cooperative headquartered in Belgium offering messaging services that went live in 1977 to replace the telex technology then widely used by banks to communicate instructions related to cross-border transfers. Today, SWIFT represents the primary communications channel for financial institutions engaged in correspondent banking all around the world, and claims to be “offering the most secure, cost-effective and reliable way of transmitting financial messages relating to payments, securities, treasury and trade.”

Trust and breach

SWIFT traffic rose to 7.1 billion messages in 2017, a reflection of trust in the system. But the system has not been hacker-proof. A recent major attack was reported in February 2016, when hackers breached the systems of Bangladesh Bank and used the SWIFT network to order the transfer of nearly USD one billion from the bank’s account at the New York Fed. Reports said the U.S. central bank rejected most of the requests but some passed through, resulting in USD 81 million being transferred to bank accounts in the Philippines, where the money was withdrawn.

A troubling case was that of the Union Bank of India, where nearly USD 171 million was transferred out last year. While UBI claims that it managed to recover most of these funds, incidents such as these highlight the fragility of closed ecosystems such as SWIFT, which often operate on the assumption that their relative obscurity provides sufficient protection. In the aftermath of these attacks, SWIFT created a cybersecurity programme and mandated all participating institutions to implement stringent security controls to protect the SWIFT systems and networks.

In the case of the Nirav Modi saga, the case is different. Here, it is not a hacker attacking the system but messages that went over the SWIFT system from within the bank by people who were authorised to use the system. A specific type of SWIFT instruction in the form of a Letter of Undertaking (LOU) was sent out from Punjab National Bank to other Indian Banks having branches in major international diamond trading hubs.

What the LOUs implied was that PNB had done its internal due diligence, confirmed that Nirav Modi’s companies had the wherewithal to pay for these funds eventually and therefore the foreign branches of these banks should provide the funds to Modi and his firms there. Essentially, these were bridge loans to fund the working capital requirements in the jewelry trade for the time that it would take for Modi’s companies to buy the diamonds, convert them into finished jewelry products and sell them through his outlets.

Why did this not get flagged?

While almost every such high-value fraud involves a strong degree of collusion, banking systems do have multiple checks and balances in place to ensure that such fraudulent transactions are caught via a maker-checker system – one person enters the transaction and another person authorises it. The level of seniority of the maker and checker and the number of people in the approval chain increases based on the quantum of the amount involved in the transaction.

Further, SWIFT systems do not operate in an isolated manner, but are linked to multiple other systems within the bank, such as the Core Banking System, the fraud monitoring system, etc. Every SWIFT transfer implies money that has to be accounted for in the financial books of the Bank.

An LOU, however, turns out to be different. It is simply an assurance provided by bank A to bank B on the basis of which bank B provides funds to company C. Here, the amount involved in the assurance is not linked to the core banking system, i.e. it does not appear as an outstanding loan in the books of Bank A, though it does appear as an outstanding loan in the books of Bank B. Which is why PNB is trying to pin the entire loss onto the other banks since a large part of the Rs. 11,000 crores is money that PNB hasn’t really given out from its own account.
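
The reconciliation gap described above, as an added example that is not part of the original article: a check that compares outbound LOU messages against the core banking system and against the maker-checker rule. The record layout, approval tiers, staff grades and sample data are all constructed assumptions, not any bank's or SWIFT's actual format.

```python
from dataclasses import dataclass

# Hypothetical tiers: an LOU at or above the amount needs a checker of at least this grade.
APPROVAL_TIERS = [(10_000_000, 3), (1_000_000, 2), (0, 1)]

@dataclass(frozen=True)
class Lou:
    ref: str          # reference of the outbound LOU message
    amount_usd: int
    maker: str        # user who entered the message
    checker: str      # user who authorised it

def required_grade(amount_usd):
    """Minimum checker grade for an amount, per the assumed tiers."""
    for floor, grade in APPROVAL_TIERS:
        if amount_usd >= floor:
            return grade

def reconcile(lous, cbs_book, staff_grade):
    """Return {ref: [findings]} for every LOU that fails a control check."""
    findings = {}
    for lou in lous:
        issues = []
        # Maker-checker: a second, sufficiently senior person must authorise.
        if not lou.checker or lou.checker == lou.maker:
            issues.append("maker-checker: no independent checker")
        elif staff_grade.get(lou.checker, 0) < required_grade(lou.amount_usd):
            issues.append("maker-checker: checker grade too low for amount")
        # Books: every LOU sent must have a matching entry in the core banking system.
        booked = cbs_book.get(lou.ref)
        if booked is None:
            issues.append("cbs: no matching entry booked")
        elif booked != lou.amount_usd:
            issues.append("cbs: booked amount differs from message")
        if issues:
            findings[lou.ref] = issues
    return findings

# Constructed sample data (not real transactions).
SAMPLE_LOUS = [
    Lou("LOU-0001", 500_000, "clerk_a", "officer_b"),
    Lou("LOU-0002", 25_000_000, "clerk_a", "clerk_a"),
    Lou("LOU-0003", 12_000_000, "clerk_a", "officer_b"),
    Lou("LOU-0004", 2_000_000, "clerk_c", "manager_d"),
]
SAMPLE_CBS = {"LOU-0001": 500_000, "LOU-0003": 12_000_000, "LOU-0004": 1_500_000}
SAMPLE_GRADES = {"clerk_a": 1, "clerk_c": 1, "officer_b": 2, "manager_d": 3}

if __name__ == "__main__":
    for ref, issues in reconcile(SAMPLE_LOUS, SAMPLE_CBS, SAMPLE_GRADES).items():
        print(ref, issues)
```
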

How deep is the rabbit hole?

The fraud is very likely just the first glimpse of a very deep rabbit hole. In fact, this isn’t even the first time PNB has been caught on the wrong foot issuing LOUs without proper due diligence. A similar scam happened in the case of Winsome Diamonds and Jewellery Ltd and related companies, where PNB had the maximum exposure of a total of 14 banks. There is also a very high chance that similar LOUs have been issued by PNB to multiple other firms. Worse, many other public-sector banks may have been engaged in similar modus operandi with dozens – if not hundreds – of other firms.

This is very likely the tip of the iceberg. The total exposure of the banks on LOUs will not be known till a proper audit and reporting mechanism for LOUs separately is mandated by the regulators. It is not unlikely that the amount in question will be large and can substantially add to the NPA figures.

Where does the buck stop?

The buck for this stops not just at the employees who are being named in the police FIR, but this fraud clearly implicates the senior-most management of the Bank. It is nearly impossible to think that such high-value transactions were taking place without the higher-ups being in the know, particularly since it seems that PNB did not ask for margins against the LOUs.

The Reserve Bank of India is known to be one of the most active banking regulators in the world. It is very damning to the RBI’s reputation that in its multiple audits and numerous SWIFT and fraud-related circulars, it failed to pick up the massive fraud that fake LOUs could end up perpetrating.  Equally intriguing is the complete lack of any tangible outcomes from the Banks Board Bureau that was set up with the main objective to reconstitute the senior management and the Boards of the Public Sector Banks and bring in higher accountability and greater transparency in their appointments. Not only did this Bureau achieve none of its stated objectives, but reports say it is now likely to be dissolved at the end of this financial year.

What’s next?

The RBI will have to do some soul-searching. But at a more practical level, it will have to ask all banks to submit a list of all LOUs they have made in the past decade or so and report the status of reconciliation of the funds extended to the various companies. Mere collection and reconciliation of this data is not enough. The authorisation and monitoring responsibilities for all high-value LOUs issued will have to be identified and traced right up to the top levels of management. A forensic audit of the money trail should be initiated immediately to first find out where the money went and to recover whatever is possible. Any gaps found must be reported, investigated and if necessary the bank and police agencies must work to ensure the promoters of companies found to be violators of norms are not allowed to leave the country and that their assets are frozen.

(Chetan Dalal and Kanwal Mookhey are forensic investigators and cybersecurity experts who have worked with corporates and government agencies investigating large value financial crimes)