And so the hunt begins. A handful of bank officials who perpetrated the fraud at India’s second-largest public sector bank — leading to unauthorised issue of Letters of Undertaking (LoUs) to jeweller Nirav Modi’s firms — have been brought under the scanner. The Central Vigilance Commission has stepped in and asked Punjab National Bank to name the bank officials involved in the scam and identify senior management officials who could have taken action to prevent this fraud.

The All India Bank Employees’ Association, which until now was surprisingly silent on the colossal scam, has finally spoken, albeit on predictable lines. “What is sauce for the goose must be for the gander too,” the union body puts in with a punch and asks for keeping out the entire top management and higher officials from the bank until the probe is completed.

In the entire blame game, the murky role of auditors and the RBI in the scam has only found shaky references. While questions have been raised, it is unlikely that the auditors would be held accountable for their failure this time around, too. But the fact that the fraud at PNB spanned for seven years without setting the alarm bells ringing at the numerous audits at banks, raises some hard-hitting questions on the manner in which auditors carry on their affairs.

How did a scam of this proportion happen when swarms of external auditors are scrutinising banks? How did all audits manage to not notice any red flags in the entire modus operandi?

Modus operandi

At the heart of the matter lies the gaming of the SWIFT messaging system. SWIFT, or Society for Worldwide Interbank Financial Telecommunications, is a messaging network for securely transmitting instructions for all financial transactions through a standardised system of codes. Used by more than 11,000 financial institutions worldwide, SWIFT is a secure message carrier — its core role is to provide a secure transmission channel so that Bank A knows that its message to Bank B goes only to Bank B.

Our correspondence with SWIFT reveals that the way banks use SWIFT, and the business processes they have in place to do so, differs from bank to bank. It goes without saying that banks will want to have checks in place before actually sending messages. The processes, checks, balances, authorisations and so forth differ hugely from bank to bank, depending on their size and the scale of their activity.

In the case of PNB, it is evident that the various checks and authorisations (if at all) had been completely compromised. Hence, a SWIFT message was sent from PNB’s Mumbai branch to overseas banks offering unauthorised LoUs.

Ideally a bank guarantee, an LoU allows a customer — Nirav Modi here — to raise money from another Indian bank’s foreign branch in the form of a short-term credit to pay offshore suppliers in foreign currency. By rolling over of credit, Modi had ensured that subsequent LoUs repay the money due on the earlier LoUs. So, there had been no default until now.

Red flags

But how could such a massive operation have been in existence for several years without raising red flags at auditing? The Guidance Note on Audit of Banks brought out by the Auditing and Assurance Standards Board of the ICAI every year is an important resource which provides detailed guidance on various aspects of bank audits. A look into the buyer’s credit and NOSTRO account (which facilitates forex transactions) section of this 674-page document clearly points to the utter failure in the auditing processes of PNB.

The typical flow of transaction of buyer’s credit includes the borrower approaching foreign bank (or overseas branches of Indian banks) for availing buyer’s credit for payment to be made to the foreign supplier.

The Letter of Credit/Undertaking is issued by Indian bank to the foreign bank through SWIFT message. The foreign bank remits funds to the NOSTRO account of the Indian bank, backed by the LoU.

Hence, the Indian bank remits the funds to foreign supplier through its NOSTRO and on the due date the Indian bank remits the funds (inclusive of interest) to the overseas bank and recovers the similar amount from its customer (Nirav Modi in this case). The flow of operation clearly indicates that a proper audit would have found out these problem areas.

Missing in action

To understand the audit flaws better, let’s take a look at how NOSTRO accounts actually work. The entries of inward and outward remittances have to be recorded in the books of the India bank (a NOSTRO mirror account). Assuming that this did not happen, an audit process, which requires reconciliation of the two accounts, should have thrown up anomalies.

According to the guidance note on bank audits, the auditor has to consider whether a system of periodical reconciliation was in place and whether confirmations from the foreign banks are obtained on a periodic basis, either through physical confirmations, SWIFT messages, emails, etc. None of this appears to have been done, shockingly, for several years.

Banks are subjected to many types of audits. The concurrent branch audit is a real time audit that is done as transactions take place or in the worst case at the end of the day. Sudden surge in surpluses in the NOSTRO account on a day to day basis should have been enough to trigger an enquiry. Why didn’t it?

Banks also invest surpluses in NOSTRO account in money market. How can a bump in treasury income in a particular account not catch the attention of the auditor or even the CFO? The fee that PNB would have earned through such LoUs has apparently also not fallen under the auditors’ radar. How did the RBI not audit SWIFT messages or the NOSTRO balances?

The bigger question is what is the real scale of this scam? Have other banks also issued LoUs without collateral or margin money (something few industry players agree is a possibility)?

How many such transactions are waiting to tumble out of the closet, particularly in PSU banks where internal processes and controls have time and again been compromised?

The task for the RBI is clearly a herculean one, scrutinising numerous accounts of banks to unearth such irregularities. But before it does that, it needs to own up for lapses in its own audit practices.

Deconstructing the PNB scam

The Nirav Modi-PNB scam explained: how it was pulled off, how it came to light, and what we still don't know.

The surfacing of the scam

********************

Loose ends

Why is the CBS/SWIFT integration important?

Normally a credit limit is first set in the CBS, which in turn triggers SWIFT messages confirming the bank’s commitment − in this case the guarantee it extends through LoUs. Non-integration of SWIFT and CBS in the case of PNB has allowed stand-alone messages to be sent out without making entries in the CBS.

If the integration is not smooth...

Even if integration is not done, banks have to regularly reconcile Nostro accounts immediately on receipt of the statements from the correspondent banks with Nostro mirror balances. According to bankers, most banks receive Nostro account statements through SWIFT MT940 and MT950. Banks without SWIFT get a soft copy of the statement either by email or a hardcopy delivered from the local branch of the correspondent bank. Reconciliation can be done manually or can be automated through specialised solutions.

Despite integration...

According to the CBI FIR filed by PNB dated February 15, 2018, along with unauthorised LoUs amounting to ₹3,032 crore, the bank officials had also issued fraudulent LCs (Letters of Credit) amounting to ₹1,854 crore to the Gitanjali Group of companies.

The conniving officer issued LCs by entering a smaller amount in the trade finance module of the CBS system and generated the reference number; a SWIFT message was sent for the amount. Subsequently, without making any change in the trade finance module of the CBS, the bank officials sent modified SWIFT message for an enhanced amount under the same reference to the beneficiary bank.

The overseas supplier discounted the documents drawn under such LCs (based on the SWIFT message) with overseas banks.

As this illustrates, a failure of all control systems and checks can lead to fraud, irrespective of software systems

********************

Unanswered questions

• SWIFT entries may have been generated fraudulently, but how could entries in PNB’s Nostro account remain undetected for 7 years?
• While SWIFT messages were dispatched without making entries in PNB’s trade finance module of the CBS system, how could CBS not catch inter-bank fund transfers when funds were remitted by Indian banks overseas into the Nostro account of PNB?
• In the normal course of business, a bank and its branches are subject to internal audit, concurrent audit and statutory audit, apart from the regular inspection by the RBI. How did a scam of this proportion happen when swarms of external auditors are scrutinising banks?
• The entries of remittances have to also be recorded in the books of the India bank (Nostro Mirror account). Assuming that this didn’t happen, how did an audit process, which requires reconciliation of the two accounts not throw up anomalies?
• According to the guidance note on bank audits, the auditor has to consider whether a system of periodical reconciliation was in place and whether confirmations from the overseas banks are obtained on a periodic basis, either through physical confirmations, SWIFT messages or emails. Why was this not done for several years?
• The concurrent branch audit is a real-time audit. A sudden surge in surpluses in the Nostro account on a day-to-day basis should have been enough to trigger an enquiry. Why didn’t it?
• Banks also invest surpluses in Nostro account in money market. How can a bump in treasury income in a particular account not catch the attention of the auditor or even the CFO?
• How did the fee that PNB would have earned through LoUs not catch the eye of the management or auditors?
• Why did the other banks acting on the fraudulent LoU issued by PNB not do the needed due-diligence before depositing money into PNB’s overseas accounts, which was subsequently transferred to the supplier of Modi’s companies?
• The RBI-prescribed credit for import of semi-precious and precious stones is up to 90 days. But it appears that the credit allowed in most cases was for a much longer period − even 360 days. How did this violation of norms not evoke suspicion by other banks extending credit based on PNB’s LoUs?
• The bigger question is what is the real scale of this scam? Have other banks also issued LoUs without collateral or margin money? If SWIFT and CBS are not integrated in most PSU banks, how many such fraudulent transactions are waiting to tumble out of the closet?

********************

Clarifications from PNB

The CBI sealed the bank’s MCB Brady House branch in Mumbai as part of the ongoing investigation. Implications?

PNB : The bank is discussing with the CBI to allow normal operation in the branch during business hours. However, the bank has a Core Banking Solution through which any customer of bank can transact at any branch of his convenience. The bank has made enough arrangements to ensure that no customer is put to any inconvenience.

The quantum of the fraud was initially reported by the bank as ₹280 crore and in a subsequent disclosure the amount was reported as approx. ₹11,000 crore. Can the bank clarify on the increased amount reported in sequential filings?

PNB : On February 5, 2018, we, on the basis of a preliminary investigation report, informed simultaneously to our board as well as to BSE and NSE of initial fraud case of ₹280.70 crore. Upon receiving further investigation reports, we enhanced the fraud amount to ₹11,394.02 crore. ($1.77 billion) and filed information with BSE and NSE at 9 am on February 14.

What has been the impact of the event on the financials and operations of the bank?

PNB : We have enough assets / capital to meet any liability which is decided as per law.

Has PNB closed all options to recover the dues by going public?

PNB : We have followed lawful avenues available to us as per the law of the land to recover our dues

COMMENT NOW