And so the hunt begins. A handful of bank officials who perpetrated the fraud at India’s second-largest public sector bank — leading to the unauthorised issue of Letters of Undertaking (LoUs) to jeweller Nirav Modi’s firms — have been brought under the scanner. The Central Vigilance Commission has stepped in and asked Punjab National Bank to name the bank officials involved in the scam and identify senior management officials who could have taken action to prevent this fraud.
The All India Bank Employees’ Association, which until now was surprisingly silent on the colossal scam, has finally spoken, albeit on predictable lines. “What is sauce for the goose must be for the gander too,” the union body says with a punch, and asks that the entire top management and higher officials be kept out of the bank until the probe is completed.
In the entire blame game, the murky role of auditors and the RBI in the scam has found only shaky references. While questions have been raised, it is unlikely that the auditors would be held accountable for their failure this time around, too. But the fact that the fraud at PNB spanned seven years without setting the alarm bells ringing at the numerous audits at banks raises some hard-hitting questions on the manner in which auditors carry on their affairs.
How did a scam of this proportion happen when swarms of external auditors are scrutinising banks? How did all audits manage to not notice any red flags in the entire modus operandi?
Modus operandi
At the heart of the matter lies the gaming of the SWIFT messaging system. SWIFT, or Society for Worldwide Interbank Financial Telecommunication, is a messaging network for securely transmitting instructions for all financial transactions through a standardised system of codes. Used by more than 11,000 financial institutions worldwide, SWIFT is a secure message carrier — its core role is to provide a secure transmission channel so that Bank A knows that its message to Bank B goes only to Bank B.
Our correspondence with SWIFT reveals that the way banks use SWIFT, and the business processes they have in place to do so, differ from bank to bank. It goes without saying that banks will want to have checks in place before actually sending messages. The processes, checks, balances, authorisations and so forth differ hugely from bank to bank, depending on their size and the scale of their activity.
In the case of PNB, it is evident that the various checks and authorisations (if there were any at all) had been completely compromised. Hence, a SWIFT message was sent from PNB’s Mumbai branch to overseas banks offering unauthorised LoUs.
Ideally a bank guarantee, an LoU allows a customer — Nirav Modi here — to raise money from another Indian bank’s foreign branch in the form of a short-term credit to pay offshore suppliers in foreign currency. By rolling over the credit, Modi had ensured that subsequent LoUs repaid the money due on the earlier LoUs. So, there had been no default until now.
Red flags
But how could such a massive operation have been in existence for several years without raising red flags at auditing? The Guidance Note on Audit of Banks brought out by the Auditing and Assurance Standards Board of the ICAI every year is an important resource which provides detailed guidance on various aspects of bank audits. A look into the buyer’s credit and NOSTRO account (which facilitates forex transactions) section of this 674-page document clearly points to the utter failure in the auditing processes of PNB.
The typical transaction flow for buyer’s credit begins with the borrower approaching a foreign bank (or an overseas branch of an Indian bank) to avail of buyer’s credit for the payment to be made to the foreign supplier.
The Letter of Credit/Undertaking is issued by the Indian bank to the foreign bank through a SWIFT message. The foreign bank remits funds to the NOSTRO account of the Indian bank, backed by the LoU.
Hence, the Indian bank remits the funds to the foreign supplier through its NOSTRO account, and on the due date the Indian bank remits the funds (inclusive of interest) to the overseas bank and recovers a similar amount from its customer (Nirav Modi in this case). The flow of operation clearly indicates that a proper audit would have found out these problem areas.
Missing in action
To understand the audit flaws better, let’s take a look at how NOSTRO accounts actually work. The entries of inward and outward remittances have to be recorded in the books of the Indian bank (a NOSTRO mirror account). Assuming that this did not happen, an audit process, which requires reconciliation of the two accounts, should have thrown up anomalies.
According to the guidance note on bank audits, the auditor has to consider whether a system of periodical reconciliation was in place and whether confirmations from the foreign banks are obtained on a periodic basis, either through physical confirmations, SWIFT messages, emails, etc. None of this appears to have been done, shockingly, for several years.
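The reconciliation described above, sketched as an added example that is not part of the original article or of any bank's actual system: it compares the foreign bank's NOSTRO statement with the Indian bank's mirror account and reports what does not match. The entry layout, reference numbers, dates and amounts are all constructed for illustration.

```python
from collections import namedtuple
from decimal import Decimal

# Hypothetical record layout: amount > 0 is an inward remittance, < 0 outward.
Entry = namedtuple("Entry", "ref date amount")

def reconcile(statement, mirror):
    """Match statement entries to mirror-account entries by reference."""
    stmt = {e.ref: e for e in statement}
    books = {e.ref: e for e in mirror}
    return {
        # Money moved through the NOSTRO account but never entered in the books.
        "missing_in_books": sorted(r for r in stmt if r not in books),
        # Booked by the bank but not confirmed by the foreign bank's statement.
        "missing_in_statement": sorted(r for r in books if r not in stmt),
        # Present on both sides but for different amounts.
        "amount_mismatch": sorted(
            r for r in stmt if r in books and stmt[r].amount != books[r].amount
        ),
    }

def unrecorded_gross(statement, mirror):
    """Gross value of statement movements that have no entry in the books."""
    missing = set(reconcile(statement, mirror)["missing_in_books"])
    return sum((abs(e.amount) for e in statement if e.ref in missing), Decimal("0"))

# Constructed sample data (not real transactions).
STATEMENT = [
    Entry("REF-001", "2018-01-08", Decimal("250000.00")),
    Entry("REF-002", "2018-01-09", Decimal("4200000.00")),   # inward, not booked
    Entry("REF-003", "2018-01-09", Decimal("-4200000.00")),  # outward, not booked
    Entry("REF-004", "2018-01-10", Decimal("90000.00")),
]
MIRROR = [
    Entry("REF-001", "2018-01-08", Decimal("250000.00")),
    Entry("REF-004", "2018-01-10", Decimal("9000.00")),      # amount differs
    Entry("REF-005", "2018-01-10", Decimal("-15000.00")),    # not on statement
]

if __name__ == "__main__":
    for kind, refs in reconcile(STATEMENT, MIRROR).items():
        print(kind, refs)
    print("unrecorded gross value:", unrecorded_gross(STATEMENT, MIRROR))
```

Note that the inward and outward entries REF-002 and REF-003 net to zero, so a check on the closing balance alone would miss them; matching entry by entry does not.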
Banks are subjected to many types of audits. The concurrent branch audit is a real-time audit that is done as transactions take place or, in the worst case, at the end of the day. A sudden surge in surpluses in the NOSTRO account on a day-to-day basis should have been enough to trigger an enquiry. Why didn’t it?
Banks also invest surpluses in the NOSTRO account in the money market. How can a bump in treasury income in a particular account not catch the attention of the auditor or even the CFO? The fee that PNB would have earned through such LoUs has apparently also not come onto the auditors’ radar. How did the RBI not audit SWIFT messages or the NOSTRO balances?
The bigger question is what is the real scale of this scam? Have other banks also issued LoUs without collateral or margin money (something few industry players agree is a possibility)?
How many such transactions are waiting to tumble out of the closet, particularly in PSU banks where internal processes and controls have time and again been compromised?
The task for the RBI is clearly a herculean one, scrutinising numerous accounts of banks to unearth such irregularities. But before it does that, it needs to own up to lapses in its own audit practices.