I wrote in an earlier blog about the art of end-to-end process management. One of the biggest risks of not having end-to-end ownership is bank fraud.
The massive fraud detected in #PNB (Punjab National Bank, India) is an example of poor practices followed by public financial institutions in India. Even while the quantum of fraud is snowballing, it is surprising to read that this huge fraud was initiated by just a handful of people from one single branch of the bank.
The impact to all banks involved is almost $4 Billion and counting, with PNB itself taking a hit of $1.5 Billion, most of which will impact either the shareholders’ or taxpayers’ money. While this blog is not about how the perpetrators will be brought to justice (if ever), it would be good to know if the fraud could have been prevented in the first place.
Background of the bank fraud case:
For the uninitiated, a quick context of the PNB bank fraud case.
One or more officials in the bank’s specific branch issued unauthorized Letters of Undertaking (LoU) to a group of companies in the diamonds business, who in turn availed short-term credit facilities from the international branches of partner banks on the basis of these guarantees.
The modus operandi was as follows: the bank officials first issued authorized LoUs and credit facilities of smaller amounts in favour of the clients, which were reflected in the core banking system. They then amended the LoUs to huge amounts only in the SWIFT messaging system, which sent the updated messages to the recipient banks offering higher exposure.
While the fund-based exposure of the clients to PNB was relatively small, the non-fund-based exposure created in favour of other lending banks became huge over time. These exposures never figured in PNB’s core systems and hence never reflected in their balance sheets even as contingent liabilities, while the other banks who lent on the basis of these LoUs showed huge exposure to PNB in their books.
Reasons for process failure:
To understand which processes failed in this, the key features of the case need to be examined.
- The LoU facilities were all set up in the same branch of the bank, and mostly by the same employee/s over a period of 6 years.
- The facilities were rolled over every 90 days, each rollover adding the previous exposure and applicable commissions.
- The facilities were almost all unsecured, i.e. backed by neither cash margin nor collateral.
- None of the banks that took fund-based exposure with the parties on the basis of the LoUs had ever invoked the guarantees, i.e. the parties had either settled or re-established the fund based facilities with the other banks regularly.
- The LoU beneficiary banks that gave fund-based facilities never ever confirmed the amendments in non-fund exposure with the issuing bank.
- Some of the said fund-based credit facilities were sold to a few other banks in the secondary market, who automatically inherited that exposure without bothering to validate the underlying security.
- One of the senior officials who had issued the unauthorized LoUs was on the verge of retirement, and as a last favour to the clients renewed the LoUs for a year instead of the usual 90 days.
Even to a moderately experienced banker, each of the above points indicates a major process deviation or violation that could have been spotted easily in a routine inspection. But they were not.
How did controls fail despite an army of maker-checkers, supervisors, board approvals, internal & external audits, and regulatory audits at multiple levels of the organization? How could just a handful of people bypass the system to defraud a bank with strong governance of $3 Billion? Was this a systemic failure or a process failure?
Reminds me of the ever-re-published story of the monkeys in a cage who gradually refuse to eat the bananas offered to them and also prevent other new monkeys from doing so. On one hand, no one ever questioned the status quo in the bank, or why something was done in a particular way. On the other hand, expertise was treated as royalty and knowledge shared only among a chosen few.
What was obviously missing was the ownership of the end-to-end process (not only at PNB, but in all impacted banks). The disconnect between the core banking and SWIFT messaging systems was never perceived as a risk. Also missing was the governance that would have provided the first-mile and last-mile connectivity just like at a metro station, the prudence to re-deploy resources handling high-value portfolios, and the common sense to confirm both fund-based and non-fund-based balances with all parties periodically.
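To make the missing control concrete, here is a sketch of a daily reconciliation between outbound LoU messages and the core banking book. It is an added example, not code from any bank or from SWIFT; the record layouts, field names, finding labels and sample figures are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_TENOR_DAYS = 90  # the usual LoU tenor mentioned in the post

@dataclass(frozen=True)
class CbsLou:            # LoU as booked in core banking (constructed schema)
    ref: str
    amount: int
    margin: int          # cash margin or collateral held against it

@dataclass(frozen=True)
class SwiftMsg:          # outbound LoU issue/amendment message (constructed schema)
    ref: str
    amount: int
    issued: date
    expiry: date

def reconcile(cbs, msgs):
    """Findings for outbound messages that core banking does not support."""
    book = {r.ref: r for r in cbs}
    findings = set()
    for m in msgs:
        rec = book.get(m.ref)
        if rec is None:
            findings.add((m.ref, "NO_CBS_RECORD"))
        else:
            if m.amount > rec.amount:
                findings.add((m.ref, "AMOUNT_EXCEEDS_CBS"))
            if rec.margin <= 0:
                findings.add((m.ref, "UNSECURED"))
        if (m.expiry - m.issued).days > MAX_TENOR_DAYS:
            findings.add((m.ref, "TENOR_OVER_90_DAYS"))
    return sorted(findings)

def off_book_exposure(cbs, msgs):
    """Exposure communicated to other banks but missing from core banking."""
    booked = {r.ref: r.amount for r in cbs}
    latest = {}
    for m in sorted(msgs, key=lambda m: m.issued):
        latest[m.ref] = m.amount          # the latest amendment supersedes
    return sum(max(0, amt - booked.get(ref, 0)) for ref, amt in latest.items())

# Constructed sample data, not figures from the case.
CBS = [CbsLou("LOU-001", 100_000, 0), CbsLou("LOU-002", 50_000, 50_000)]
MSGS = [SwiftMsg("LOU-001", 100_000, date(2017, 1, 2), date(2017, 4, 2)),
        SwiftMsg("LOU-001", 5_000_000, date(2017, 1, 9), date(2017, 4, 2)),
        SwiftMsg("LOU-002", 50_000, date(2017, 2, 1), date(2017, 5, 1)),
        SwiftMsg("LOU-003", 2_000_000, date(2017, 3, 1), date(2018, 3, 1))]

if __name__ == "__main__":
    for ref, finding in reconcile(CBS, MSGS):
        print(ref, finding)
    print("off-book exposure:", off_book_exposure(CBS, MSGS))
```

The off-book figure is the contingent liability that other banks hold against the issuer but that never reaches its balance sheet, so it is the number to escalate to someone outside the issuing branch.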
It is easy to advise or comment after something of this magnitude has happened, but very difficult to forecast or anticipate such rare events, unless the organization has a very evolved risk framework that recognizes less probable impacts as well. There could be a thousand policies, guides, and procedures on paper. But they will be effective only when each organization in the system imbibes process as part of its culture. A culture of managing their business by processes. That is when the system could become greater than the sum of its parts.