Banks rush to tweak internal controls, review HR policies

Mumbai: Banks are scurrying to install systems to prevent frauds like the one that shook Punjab National Bank, after the central bank directed them to link their core banking systems (CBS) with inter-bank messaging platform SWIFT.

The scam at PNB went unnoticed for years, allegedly because unauthorized transactions were made on SWIFT, which was not linked to the bank’s CBS. SWIFT is short for Society for Worldwide Interbank Financial Telecommunication, a worldwide messaging platform for banks.

Additional steps being taken by banks include instituting better security infrastructure, more frequent audits of internal controls, and review of human resources (HR) policies, including leaves and job rotations. Banks are also planning to put in place a one-time password (OTP)-based system to log in to SWIFT, bankers said.

“There is no direct interface between the two (CBS and SWIFT) and that is done by manual reconciliation. A technology patch or a robot may be required to integrate the two and, therefore, it is important to take steps in order to create a fully secure IT system. Data from SWIFT should flow in directly to CBS so that it cannot be tampered with and reflects correctly in the book of accounts,” said Kalpesh Mehta, leader, financial services at Deloitte India.

Since CBS systems vary across banks, lenders are planning to add an interface which will be linked to both CBS and SWIFT to ensure the integration is timely and smooth, experts said.

The Reserve Bank of India has directed banks to complete the CBS-SWIFT integration by 30 April.

Currently, banks have to comply with the principle of “four eyes”—that each SWIFT message must be processed by four bank officials: a maker, a checker, a verifier and an authorizer. According to Deloitte’s Mehta, the first line of defence must be a stronger protocol for makers and checkers.

“Further, it is important that the second and the third line of defence—i.e., compliance and assurance—have strong programs to monitor and report these risks, and report them on a frequent basis,” he said.

The PNB fraud revolves around SWIFT. Branch officials of the lender fraudulently issued letters of undertaking, basically guarantees, to jeweller Nirav Modi-linked companies without getting proper approvals and without making entries in CBS, the software used to support a bank’s most common transactions.

“While strengthening of SWIFT access is essential, it can’t work if the employees undertake fraudulent activities, as the PNB case showed. Anyway, important job positions are put for job rotations; we will review the whole process to see if some crucial positions could be exchanged frequently without impacting the business, processes of reporting and reconciliation of messages and sanction of limits,” said a senior official of a mid-sized public sector bank, on condition of anonymity.

Recently, State Bank of India (SBI) chairman Rajnish Kumar said job rotation is one key risk management practice followed at SBI. “We don’t keep a person for more than three years at one position. There are certain positions which are very sensitive and we monitor those positions very closely,” Kumar said.

Bankers said as a fallout of the fraud, emphasis has been on centralization of processes. However, it has to be done in a manner which does not impact business as centralization could also throw up challenges such as delays in sanctioning of credit.

“An officer in headquarters or a particular zone may not understand a borrower’s risk and the nature of business like the local branch manager. Centralization of process must be done taking these factors into consideration. To begin, there could be a review of the current officers at such positions to understand their expertise and technical knowledge. This will also help in determining transfers,” said a person aware of the RBI’s thinking process.

livemint