Understanding and managing the risks emerging out of issuing letters of undertaking was the responsibility of the board of Punjab National Bank, the Reserve Bank of India said in response to queries from parliamentarians asking whether the banking regulator had failed in detecting and preventing a Rs 14,000 crore fraud at PNB.
The primary responsibility of understanding the risks undertaken by the bank and ensuring that these risks are managed rests with the board of directors of the bank, the RBI said in written responses submitted to the Parliamentary Standing Committee on Finance.
The board of the bank is responsible for putting in place robust internal control mechanisms within the overarching regulatory and supervisory framework of the RBI.
RBI To Parliamentary Panel
In February, Punjab National Bank disclosed that it had detected the issue of fraudulent letters of undertaking from its Brady House branch in Mumbai. These LoUs were issued to entities linked to diamantaire Nirav Modi and his uncle Mehul Choksi. The SWIFT messaging system, through which these guarantees are transmitted to other lenders who loan money against them, was not integrated with the bank’s core banking system. This allowed the fraudulent LoUs to go undetected for nearly seven years.
The enterprise-wide risks of a bank are to be managed under the 'three lines of defence' model, the RBI told the parliamentary panel. This is typically known as the maker-checker-verifier model.
The first line of defence is the line function which assumes, owns and manages the risk. The second line of defence comprises the risk monitoring processes put in place by the bank. The third line of defence is the concurrent, internal or statutory audit.
In the case of PNB, there seems to be a failure of all the three lines of defence resulting in a fraud of this scale, the RBI said. BloombergQuint has reviewed a copy of the responses submitted by the regulator.
An email sent to PNB seeking comment on RBI’s observations was not answered.
A Supervisory Failure?
When questioned whether the RBI’s supervisory processes had failed to detect the fraud, the regulator said that it follows a ‘risk based supervision’ framework. Under this framework, supervisory resources are directed at banks which pose a higher risk and functions within a bank that are seen to be most at risk.
This framework monitors banks through a robust offsite reporting mechanism coupled with need-based onsite inspections, the RBI said. It added that conducting onsite inspections of more than 1 lakh bank branches in the country would be impossible.
Since RBI’s supervisory process does not constitute an audit of banks and does not seek to replace it, RBI has issued to banks detailed instructions for putting in place and strengthening their internal control systems and on scope of concurrent audit, which is an important component of the risk control system.
RBI To Parliamentary Panel
Specifically, the RBI said that banks had been instructed to integrate the SWIFT messaging systems with core banking. They had also been told to ensure reconciliation of transactions via the SWIFT messaging system with internal records. A cautionary notice to banks had also been sent out, warning them of the possible misuse of SWIFT systems. The same notice had also asked banks to be careful in the communication of LoUs via the internationally accepted messaging system.
In addition, banks had also been asked to adopt a ‘four-eyes’ principle for large value transactions, expanding the mandate of internal audits.
RBI told the parliamentary panel that the bank furnished a compliance report on all these counts to the regulator.
Reviewing The Supervisory Regime
The RBI also informed the parliamentary panel that bank supervision is being reviewed by a committee headed by YH Malegam.
The committee had been set up in February in light of large divergences in bad loan reporting. The committee has a wide mandate and will look into audit systems of banks as well as the reason behind rising instances of fraud.
Data provided by the RBI to the committee showed that 5,904 frauds were reported in 2017-18, involving an amount of Rs 32,361 crore. This is significantly higher than the 4,693 frauds reported in 2015-16, involving an amount of Rs 18,699 crore.
The Malegam committee is examining the causes behind the increase in frauds and the effectiveness of various audits conducted in banks, the RBI said.
When asked whether a CAG audit of banks would help, the RBI said it is doubtful whether adding a fourth layer of audit by the CAG would have much incremental impact. At present, audits are conducted at three levels - concurrent audit, internal audit and statutory audit.