In one of the largest banking fraud involving PNB, the role of SWIFT involving online inter-banking financial transactions was questioned. Let’s look at the ways to mitigate the banking frauds…
In February this year, India’s second-largest Public Sector Bank (PSB), PNB, disclosed that some of its officers was involved in the scam. The fraud was committed bypassing the bank’s core banking system to raise payment notes to overseas branches of other Indian banks, including Allahabad Bank, Axis Bank, and Union Bank of India, using the International financial communication system, Society for Worldwide Inter-Bank Financial Telecommunication (SWIFT). One basic question which baffles everyone is — how could anyone manage to steal more than ₹11,000 crore and remain safe from being exposed for a period of seven years.
In the PNB scam one of the crucial factors discovered by experts was the reason that Core Banking System (CBS) was not integrated with SWIFT, helping executives at a Mumbai branch to bypass the system and issue fraudulent transaction messages to other banks. In fact, from many years several banks in India including PNB, have not linked their CBS with the SWIFT network. The SWIFT system is widely used by global banks to securely communicate with each other on online financial transactions. A SWIFT system is basically a network infrastructure to provide secure financial messaging services across the world. The SWIFT group, headquartered in Belgium, provides a network to enable financial institutions to send and receive secure financial information and transactions.
What Went Wrong
The PNB scam used an age-old method of internal threat to defraud the banking system. The fraud was carried out by dubious LoUs raised at PNB’s Mumbai office by firms owned by private persons and manipulating the operation protocol of SWIFT system. A SWIFT transaction calls for a three-tier intervention. In other words, banks using SWIFT system usually have one person entering a transaction, a separate person approving the transaction and a third person verifying all transactions. These systems have unique controls in which a password is used for each type of duties or job responsibilities. In the case of PNB, all the three unique passwords relating to SWIFT system was shared by several persons. As a result, all the key high value transactions were not reported in PNB’s account books.
Technically speaking, the Level-5 password is the key factor which allowed several unauthorized persons to reach out to several banks to release the money to the Nirav Modi and Gitanjali groups through the SWIFT system. The fraud involving PNB have also raised some specific questions on the security process of the SWIFT system that have eventually been misused by some retired and low-level banking staff. While the new measures concerning the operation of SWIFT system has been spelt out by the RBI, how does one ensure that the system of SWIFT is not misused again by the banking staff?
Limitations of SWIFT
The SWIFT system is designed to be secure for worldwide financial institutions to send and receive information on financial transactions. The SWIFT codes, messages and data flows are regularly encrypted, and both logical and physical security measures are implemented and monitored for its continued effectiveness.
But the fact that SWIFT has been hacked several times raises questions on its fool-proof security. Russia revealed that last year malicious hackers stole six million dollars from one of the banks using the SWIFT network. The hackers remotely hacked into one of the bank’s computer and used it to transfer money to their own accounts. In 2016, hackers made use of compromised SWIFT credentials of employees and stole 81 million dollars from the central bank of Bangladesh. In another incident, in 2015, cyber criminals made away 12 million dollars from Ecuadorean bank using SWIFT codes.
While the hacking incidents using SWIFT system were reported, SWIFT group promptly denied the hacking incidents of its system and said that banks are solely responsible for the security of their systems. This simply means that in future any hacking incidents or financial frauds using SWIFT systems are reported by its clients i.e. banks, SWIFT group is not responsible for any fraudulent messages created by unauthorized banking staff using the SWIFT system. However, it’s surprising to know that SWIFT group has focused specifically on authentication and missed out the crucial aspects of remote hacking of its system and fraud detection controls on the system.
Tightening Internal Threats
To mitigate the frauds committed by the bank’s staff, it’s crucial that they setup an additional layer of security enforced by following the security protocols, standards, auditing and other process. All the banks have to integrate an comprehensive security mechanisms involving its staff members at various levels. As already recommended by the RBI, banks should rotate its staff handling sensitive work and ensure it is implemented on a high priority basis and not remain as a policy on paper. Banks need to put systems in place to ensure security of transactions is not compromised. One such security system is the integration of CBS with the SWIFT system by all banks as already notified by the RBI. Effective controls and risk management tools, such as integration of CBS and SWIFT brings greater transparency and more process-driven decisions can be taken to minimize the time taken in exposing the high value financial frauds.
The RBI on its part can minimize banking frauds through ad hoc rules and set rule-based accounting that will help substantially reduce the chances of fraud. Usage of data analytics technology in the audit process should not be sidelined because this enhances the possibility of highlighting any transaction that could need any further investigation.
The Road Ahead
Against the backdrop of Letters of Undertaking scam which hit PNB, there have been some talks for consolidation and privatizing of State-owned banks. If there is one thing which is strange about the scam involving PNB is that — till now there are no involvement of highly intelligent malicious hackers or other online scamsters. So, the general thinking that in the cyber age — only malicious hackers can steal large money from the banks does not hold true. The fact that internal threat involving banking staff along with outsiders can also be responsible for scams should not be sidelined by the government and financial agencies.
The simple truth is that financial frauds in the banks happen all the time, but the key factor lies in how quickly they are tracked and exposed. The biggest lesson to be learnt from the PNB scam is to identify the procedural lapses that led to breakdown of the banking system and mitigate the scams in its initial stages by strengthening the pillars of financial, technical and legal system. Ultimately, it’s the collective responsibility of banks, auditors, RBI and the finance ministry, to tighten vigilance through internal and external checks and balances.