The Punjab National Bank (PNB) fraud has left everyone shocked. How could a few lower-level officers manage to defraud the bank of such large amounts? Had all kinds of internal controls failed? Could it have happened without the knowledge of the higher levels of authority? There are many unanswered questions, although the extent of reporting and discussion in the media is massive.

The only thing that has emerged is that a few mid-level officials in PNB’s Brady House branch could send messages committing millions of dollars on behalf of the bank, not only without any authority but also without such liabilities even being taken into and reflected in the bank’s books. This happened because the same officials prepared the messages, checked them and authorized them, against all the rules and conventions. It also happened because the messaging system was not linked to the bank’s accounting system. It came to light only when the main dealing official at the branch retired.

What are the still unanswered questions?

It seems that obtaining short-term credit from banks abroad to finance imports against letters of authorization has become common practice. Unlike the usual import letters of credit, in this case it appears that the letter of undertaking (LoU) issuing bank provides a guarantee towards the borrowing from the overseas bank on behalf of the importer. Under current regulations, banks are not allowed to issue guarantees for external commercial borrowing. The LoUs seem to be issued under the garb of “trade credit” but in effect are issued against short-term bank borrowing. Were all these borrowings backed by documents, and if the bills were not retired in time by the importer, were fresh LoUs issued? How is the Reserve Bank of India (RBI) monitoring such LoUs?

Was there any reference to the lapse in controls in the SWIFT messaging systems in the concurrent audit or internal audit report in the branch? Was there any mention of the lack of integration between the SWIFT system and the core banking system (CBS) in any of the internal or statutory audit reports?

Did the bank receive any commission from the companies as reflected in the bank’s books? If so, was there any unusual increase that would warrant a query from the accounts and audit?

Were the nostro accounts reconciled on a debit credit (net) basis or on a transaction-by-transaction basis? Who was doing the reconciliation? Was it not done at treasury at head office? Did no one notice that the account had a number of credits from overseas banks and that debits were invariably to the same group of companies? And that the number of such debits and credits was progressively growing?

Once RBI noticed the lapse in linking the SWIFT messaging to the core banking system, should it not have ensured that in all cases it was set right in a time-bound manner in all banks, and prescribed additional controls till such time it was done?

While answers are found for these and other questions, the need of the hour is to show that firm action is being taken against those accountable, and that the government and RBI are taking the necessary steps to ensure that confidence in the Indian banking system is not undermined.

First, the investigating authorities should focus on the audit trail of the money. What were the funds used for? Are they lying in the form of unsold goods, in India or abroad? They need to trace and seize the assets wherever they are. The challenges are obvious as these are cross-border transactions, but top priority should be given to recovering the funds lost.

Second, RBI should ask the bank to fix accountability and take action against those responsible at branch level, at internal control level and at head office. It should also call for action against the internal and external auditors who allowed such outrageous lapses to go unchecked.

Third, RBI should undertake a quick audit of all public sector banks to check on important areas of operational risk lapses that have surfaced in the course of its inspections.

Fourth, RBI should review its risk-based supervision system of inspection and include more transaction testing, especially in critical areas. For larger and more complex banks, sufficient resources must be dedicated in terms of the number of inspectors and skills to dig deeper where needed.

Fifth, each public sector bank must immediately convene a special meeting of the board and audit committee to deliberate upon the issues arising out of this fraud in particular and internal controls in general. The board should then prepare an action plan on the measures proposed to strengthen internal control and implement it in a time-bound fashion. Governance has to start at the board level; the government should resist getting caught up in micromanagement.

Sixth, as owner, the government should make it clear that Indian public sector banks’ LoUs transmitted through SWIFT will not be repudiated. A fallout of this fraud is that there could be some hesitation by overseas banks in accepting LoUs issued by Indian banks. This needs to be addressed quickly.

Seventh, as part of the policy on overseas borrowing, RBI and the government should review the system of LoUs or similar contingent liabilities and see if this needs to be brought within the framework of capital controls, without disturbing genuine trade credit.

Eighth, the government should look into the issue of over-invoicing of imports in high-value items such as gems and jewellery, and upgrade the customs systems for checking valuations.

Ninth, effective communication is a sine qua non for effective handling of any crisis situation. Allowing the media to hold a public trial and turning the affair into a mud-slinging match puts the country to shame. The public at large needs to understand the issue in the correct perspective. It is critical that RBI and government present a united front in communicating what went wrong and what action is being taken.

Usha Thorat is a former deputy governor of the Reserve Bank of India.
