Viewing: Two years of PNB fraud, far from being mitigated

By Atul Khadilkar

In February 2018, after one of the biggest frauds in Indian banking was reported by a public bank, one of the identified system deficiencies was the lack of integration between banks' core banking platforms and the SWIFT messaging system. This unexpected operational risk caused a very large financial loss to the bank in question and also damaged its reputation due to perceived government failures.

The Reserve Bank of India (RBI) quickly came up with guidelines to address the identified gap and urged the banks to implement them with the highest priority. Banks took the necessary steps and complied with the regulatory directive on integrating the two systems mentioned above.

Another important mandate of the regulator was to improve the management of relatively higher-value transactions, which required banks to add a two-stage check:

1. Senior-level centralized authorization / checker at a site independent of the processing center / branch

2. Seek confirmation from an external source (such as a currency correspondent) once the transaction has left the bank’s SWIFT gateway. The threshold for such confirmation, called Positive Payment by RBI, should be decided by the individual banks.

For the second check, most banks reached out to their foreign correspondent banks immediately to set up a Positive Pay mechanism, under which payments above a pre-agreed threshold were expected to be stopped by the correspondent bank for further confirmation by the transaction-initiating bank.

While this, in theory, seemed a logical approach, it led to bilateral agreements between some banks and a few of their correspondents. As a result, each Indian bank had several such arrangements, because individual correspondents specified different requirements across different currencies. Not all foreign correspondent banks, especially those offering payments in currencies that see low transaction volumes, agreed to support this requirement. This is because almost all banks globally have a pervasive treatment of SWIFT messages that limits manual intervention to very limited scenarios, such as incorrect message formatting or financial crime-related screening hits. So the cost of changing process / technology to meet the demands of payments from an internal market was not financially sustainable, or faced internal operational risk issues at correspondent banks.

In addition, with several arrangements that differ across correspondent banks, there is scope for operational lapses arising from the dependence on manual intervention, as well as for inaccurate confirmations, so that risks are not adequately addressed even when such a scheme exists.

So even after making a strong effort while trying to tackle the operational risk that led to fraud and with the intention of meeting RBI requirements, some banks continue to expose themselves to other types of operational risks.

That said, there are quite a few banks that have managed this risk very well. They have used some of the available technology solutions that are agnostic of correspondent banks and currencies, but fully meet the RBI requirement in a robust and sustainable way. In addition to internal processes supplemented with additional checks, these banks also implemented technology-based tools offered by a global payment messaging provider that all banks use for international payment transactions. These solutions give user banks flexibility in defining control parameters to fit their individual business models, thus introducing a further review mechanism for payments after they are released from the banking systems but before they are processed by the receiving correspondent bank. Solutions such as these ensure that all necessary care is taken within the payment-initiating bank as well as in an external environment, which in my opinion was the basic intent of RBI’s mandate.

Unlike bilateral agreements with correspondent banks, third-party technology solutions come at an incremental direct cost and therefore tend to face resistance on adoption. But given the banks’ total foreign currency payment volume, across all currencies they trade with, it probably adds a few cents a day. Transaction costs annually. However, the benefit far outweighs the risk of potentially large losses due to operational risks that remain unobstructed through bilateral arrangements.

While most banks have signed up for such a service, they appear to be challenged in direct regulatory dialogue, as the regulatory notice mentions that banks should seek confirmation from the correspondent bank. Therefore, apparently, having made the decision to incur the small incremental cost of a comprehensive technology-based solution, they are not taking full advantage of the expense.

Banks that have not only successfully adopted such solutions but have also cleared regulatory scrutiny of this requirement can help support the community by sharing their experiences through various forums, including interactions organized by the Indian Banks Association.

Controlling operational risk may seem easier than managing compliance risk by ticking a checkbox. But banks need to take a pragmatic approach when implementing regulatory mandates so that they are able to manage both risks in a robust and sustainable way.

(Author is Principal Representative – India, Wells Fargo Bank. Views are personal)
