LESSON NOT LEARNT

India’s banks may still be unprepared for another PNB-like mega scam

By Nupur Anand

The vulnerabilities in India’s banking system that exposed Punjab National Bank (PNB) to a mammoth financial fraud last year remain unpatched.

Over the last few days, the country’s central bank has fined 19 lenders for non-compliance with its guidelines on using the SWIFT technology system. SWIFT, or the Society for Worldwide Interbank Financial Telecommunications, was at the centre of the $2 billion (Rs14,000 crore) PNB scam. The state-owned bank’s employees had allegedly manipulated SWIFT in favour of the diamantaires Nirav Modi and Mehul Choksi for seven years before the fraud came to light.

The ones fined by the Reserve Bank of India (RBI) recently include the country’s largest lender State Bank of India, ICICI Bank, Union Bank, YES Bank, Bank of Baroda, and Canara Bank. They have been levied penalties ranging between Rs1 crore and Rs4 crore, as per their filings with India’s stock exchanges.

Bankers, meanwhile, have tried to downplay the issue, saying the loopholes the RBI autopsy revealed are not glaring.

Experts, however, say it is about time the lenders took their security issues more seriously. “Banks need to step up the effort that they are taking on the technology front,” said Ashvin Parekh, who runs Ashvin Parekh Advisory Services, a global management consulting firm that works with several lenders in India. “I don’t think that at all the public sector banks, or even in some of the older private banks, technology has taken a leap to match the current standards. The focus has to be on completely removing manual intervention to reduce the margin for error.”

It is unclear what the lapses pointed out by the RBI are, but they could range from not adhering to compliance timelines to issues with third-party vendors involved in software upgrades, according to Romit Dasgupta, founder and CEO of 3rd.Life, a firm that provides a SWIFT-based middleware solution.

“RBI’s penalty is a clear signal that it is not taking any shortcomings lightly and is seriously looking at any loopholes that may creep up,” said Dasgupta. “Most banks have been moving in the right direction but more needs to be done to ensure people and processes are fully compliant.”

What is SWIFT?

Brussels-based SWIFT was formed in 1973 by a group of seven banks to replace Telex, the system that was then used to facilitate financial transactions.

After about four years, SWIFT went live and was quickly adopted by several financial institutions, as it reduced the room for error by limiting manual processes. Today, the system is used by more than 11,000 banks, brokerage houses, and other institutions across 200 countries.

For cross-border fund transfers, most lenders now use SWIFT technology, which is similar to a messaging system that uses encrypted channels for safety.

But the system is not foolproof. PNB wasn’t the first instance where tampering with a SWIFT system led to financial irregularities. Similar incidents have been reported in Bangladesh and Russia. In the case of PNB, it was found that its SWIFT system wasn’t linked to the core banking system, a centralised database of all transactions. As a result, the alleged manipulation by employees went unnoticed.

Even this time around, the banks have been fined for similar lapses—a clear sign that lessons have not been learnt.

Scrutiny

The RBI had been publicly telling lenders to strengthen their SWIFT systems since 2016. However, most banks have ignored these warnings.

In fact, Usha Ananthasubramanian, who served as the MD & CEO of PNB between August 2015 and May 2017, was fired from her post as the chief of Allahabad Bank, where she was serving in 2018 when the fraud came to light. The investigative agencies have levied charges against Ananthasubramanian, alleging she repeatedly failed to act upon the red flags issued by the RBI on the bank’s security and SWIFT systems.

Soon after the scam surfaced, the RBI had issued another advisory in February asking all banks to comply with SWIFT guidelines within the stipulated time. Reportedly, audits conducted in April last year found that nearly 25 banks were still non-compliant. They were issued show-cause notices in August, which prompted the latest penalties.