The tech hygiene problem at public sector banks

Even after more than two decades of automation and computerization of 21 public sector banks, basic housekeeping, accounting and reporting functions are not up to the mark—resulting in bank frauds happening with sickening regularity. A Reuters report citing Reserve Bank of India data puts the aggregate of loan fraud cases of banks at about $10 billion in the five financial years up to 31 March 2017.

What could be the problem?

As the popular refrain goes: It’s the technology, stupid—or rather, in this case, the lack of it. It is not that PSU banks don’t use or spend on technology. They are by and large on par with their private sector counterparts. But while the private sector banks fuss over every rupee spent and match it to desired impact, there is no such objective for PSU banks. And although a few of them are quick movers in adopting channels such as mobile banking and payments, the basic tech hygiene at the larger back-end level still remains poor.

Many of these back-end systems do not exist at all, or remain on paper. And where they do exist, they remain in separate silos, not integrated with each other for smooth operations. So the core banking system (CBS) may not quite be “connected” to SWIFT in a way that is useful, and SWIFT, in turn, may not “talk” to an MIS/reconciliation module, may not be able to “match” debits from Nostro accounts with the general ledger or trade finance, or may not be provisioned for a real-time “tracker”. Furthermore, cash flow statements may not “tie in” with current assets/contingent liabilities. (MIS is short for Management Information System, and SWIFT for Society for Worldwide Interbank Financial Telecommunication.)

Because of all of these disjointed systems, what you have is systemic gaps in how banks function.

Ideally, banks should harmonize and knit together day-to-day retail, corporate, financial inclusion and off balance sheet (OBS) software and modules, and cull key data in a user-friendly format—a daily dashboard with red flags. The same should be visible to the chain of command—including internal risk and audit personnel, and board sub-committees—and readily accessible for RBI inspections at no notice.

Just to illustrate: a slice of such a “read-out” ought to typically include status of contingent liabilities, namely, unsecured guarantees, non-funded commitments and advances, value of and number of rollover letters of credit (LoCs) and unfunded part outstanding with tenure/maturity periods. It should also include income recognition, namely, unearned and actual income from fees earned from providing letters of understanding (LoUs) and LoCs. Knee-jerk banning of LoCs or LoUs by the RBI is not really a panacea: this affects overall buyers’ credit for genuine cross-border trade (imports) and overall economic growth. Therefore, it is time to move away from stilted thinking.

Let us just take SWIFT, for example.

SWIFT has to perforce tie in with the trade finance system and CBS electronically, not manually, even if not in real time in the first instance. Also, there has to be a “hard binding” of password and authentication with the actual physical device from where the SWIFT entries are authorized to be made. Which means: no remote log-ins and no different consoles.

As another cautionary measure, on each and every entry a one-time password (OTP) or formal verification email link could be sent to a super user group that is not part of the “maker-checker-verifier/approver” chain, with pre-determined red flag indicators provisioned as automatic triggers visible to people not in the direct chain.

The human discretionary element has to be taken out and the SWIFT access (log in/password) should be rewired to “lock out” a user and reset the credentials every few months. This will ensure that there is a “forced review” of person(s) authorized to make entries in the system.
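The electronic tie-in between SWIFT and the CBS, together with the device binding described above, can be expressed as an automated daily reconciliation that raises red flags. The sketch below is an added example, not code from the article or from any bank or SWIFT product; the record layout, field names, references and terminal IDs are all constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data; field names are hypothetical, not a SWIFT or CBS schema.
REGISTERED_TERMINALS = {"alice": "TERM-01", "bob": "TERM-02"}

SWIFT_MESSAGES = [
    {"ref": "LOU-1001", "amount": "250000.00", "ccy": "USD", "user": "alice", "terminal": "TERM-01"},
    {"ref": "LOU-1002", "amount": "900000.00", "ccy": "USD", "user": "bob", "terminal": "TERM-02"},
    {"ref": "LOU-1003", "amount": "120000.00", "ccy": "USD", "user": "bob", "terminal": "TERM-02"},
    {"ref": "LOU-1004", "amount": "75000.00", "ccy": "USD", "user": "alice", "terminal": "TERM-09"},
]

CBS_ENTRIES = [
    {"ref": "LOU-1001", "amount": "250000.00", "ccy": "USD"},
    {"ref": "LOU-1003", "amount": "100000.00", "ccy": "USD"},
    {"ref": "LOU-1004", "amount": "75000.00", "ccy": "USD"},
    {"ref": "LOU-1005", "amount": "5000.00", "ccy": "USD"},
]


def reconcile(messages, entries, terminals):
    """Return sorted (ref, flag) pairs for every discrepancy found."""
    ledger = {e["ref"]: e for e in entries}
    flags, seen = [], set()
    for m in messages:
        seen.add(m["ref"])
        # Device binding: the entry must come from the terminal registered to the user.
        if terminals.get(m["user"]) != m["terminal"]:
            flags.append((m["ref"], "UNREGISTERED_TERMINAL"))
        entry = ledger.get(m["ref"])
        if entry is None:
            # A SWIFT message went out with nothing booked in the core banking system.
            flags.append((m["ref"], "NO_CBS_ENTRY"))
        elif (Decimal(entry["amount"]), entry["ccy"]) != (Decimal(m["amount"]), m["ccy"]):
            flags.append((m["ref"], "AMOUNT_MISMATCH"))
    # A CBS entry with no matching SWIFT message is also a reconciliation break.
    flags += [(ref, "NO_SWIFT_MESSAGE") for ref in ledger if ref not in seen]
    return sorted(flags)


if __name__ == "__main__":
    for ref, flag in reconcile(SWIFT_MESSAGES, CBS_ENTRIES, REGISTERED_TERMINALS):
        print(f"RED FLAG {ref}: {flag}")
```

The output of `reconcile` is the kind of list that would feed the daily dashboard, visible to risk and audit staff outside the maker-checker chain.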

Finally, the SWIFT board in India has to be recast. It has a surfeit of reps from only banks, especially PSU banks. Independent directors with background in financial technology need to be inducted.

It is now an acknowledged fact that exploiting vulnerabilities in SWIFT is a cottage industry for cyber criminals in North Korea and well-organized groups in many parts of the world. SWIFT has been vulnerable to hacking from within or externally: there have been cases in which a local network or computer is compromised/bypassed, or a lender’s computer is taken over, or secondary controls are tampered with. Several countries have been hit, including Bangladesh, the Philippines, Taiwan, Ecuador, Sri Lanka, Nepal, Vietnam, India and Russia.

A long-term solution needs to be found given the frequency of these hacks. Blockchain technology, for instance, is one of the options that SWIFT can look at in the next five years or so. Scams may still exist but, in a distributed ledger system such as the blockchain, all the transactions are transparent, so frauds can be relatively easily caught and ‘localised’.

Probir Roy is co-founder of Paymate and an independent director at Nazara Technologies.
