In a bid to prevent embarrassments like the ‘PNB Scam’ in future, the Reserve Bank of India has slapped fines on several premium public and private sector banks for failure to comply with a set of guidelines issued in February 2018.
- RBI has fined 36 banks over 71 Crore for non-compliance with regulatory guidelines concerning the SWIFT payment network
- SWIFT vulnerabilities came into the limelight after the PNB – Nirav Modi scam in February last year
- The scam prompted RBI to issue guidelines to Banks on the usage of SWIFT payments network
- Despite repeatedly urging the banks to fix gaps in their systems, the apex financial regulator found 49 still short of compliance
In a remarkable show of authority, RBI has decided to discipline 36 banks with fines totaling INR 71 Crore for failure to comply with its guidelines on the usage of the SWIFT payments network. The apex bank issued a statement late on Friday evening. The statement offered reassurance about the institutions in question, saying:
“The action was based on deficiencies in regulatory compliance and was not ‘intended’ to pronounce upon the validity of any transaction or agreement entered into by the banks with their customers.”
In February last year, the RBI had issued a circular on time-bound implementation and strengthening of SWIFT-related operational controls, which mandated adherence to prescribed measures on a stipulated timeline. The financial regulator set up an Expert Committee under the chairmanship of Y H Malegam, a former member of the Central Board of Directors of RBI, to assess 50 major banks. This came in the wake of the INR 14,000 Crore (USD 2 Billion) fraud at Punjab National Bank involving fugitive businessmen Nirav Modi and Mehul Choksi. The fraudsters had conspired with a PNB official to gain unauthorized credit guarantees via vulnerabilities in the bank’s integration with the SWIFT network. The incident also led to the BJP government calling into question RBI’s regulatory oversight and accountability in a high-stakes blame game. In September, an anxious RBI discovered that many banks had yet to fully implement the measures and asked the CEOs to explain why gaps still remained.
The expert committee headed by Y H Malegam assessed the state of banks’ SWIFT networks and explored ways to eliminate or greatly reduce the chances of fraud in future.
The RBI had been voicing its concerns about SWIFT systems long before the PNB scam jolted the nation. It had alerted banks to such possible misuse on three separate occasions since August 2016, advising them to implement the safeguards detailed in its communications. The penalized banks have not complied with one or more of the major directions pertaining to:
- Direct creation of payment messages in the SWIFT environment
- Implementation of Straight Through Processing (STP) between CBS/Accounting System and SWIFT system
- Ensuring that users entering/passing/authorizing the transactions in CBS were different from those operating in SWIFT environment
- Independent reconciliation of logs generated from SWIFT with corresponding entry passed in the CBS/accounting system
- Introduction of an additional layer of approval for all payment messages exceeding a particular threshold
- Nostro reconciliation on T+1/T+5 basis.
Source: Economic Times
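The following is an added example, not taken from the RBI circular or from any bank's system: a minimal sketch of three of the listed controls (independent reconciliation of SWIFT logs against CBS entries, separation of CBS and SWIFT users, and additional approval above a threshold). The record layout, field names, user IDs and threshold are assumptions, and the sample data is constructed.

```python
from decimal import Decimal

# Hypothetical per-message limit above which an extra approver is required.
APPROVAL_THRESHOLD = Decimal("10000000")

# Constructed sample data: entries passed in the CBS/accounting system.
CBS_ENTRIES = [
    {"ref": "TXN001", "amount": Decimal("2500000"), "maker": "cbs_u1", "checker": "cbs_u2"},
    {"ref": "TXN002", "amount": Decimal("50000000"), "maker": "cbs_u1", "checker": "cbs_u3"},
    {"ref": "TXN004", "amount": Decimal("900000"), "maker": "cbs_u4", "checker": "cbs_u2"},
]
# Constructed sample data: payment messages logged in the SWIFT environment.
SWIFT_LOG = [
    {"ref": "TXN001", "amount": Decimal("2500000"), "operator": "sw_u1", "extra_approver": None},
    {"ref": "TXN002", "amount": Decimal("50000000"), "operator": "sw_u2", "extra_approver": None},
    {"ref": "TXN003", "amount": Decimal("75000000"), "operator": "sw_u1", "extra_approver": "sw_mgr"},
    {"ref": "TXN004", "amount": Decimal("950000"), "operator": "cbs_u4", "extra_approver": None},
]

def reconcile(swift_log, cbs_entries, threshold=APPROVAL_THRESHOLD):
    """Return a sorted list of (ref, finding) control exceptions."""
    cbs = {e["ref"]: e for e in cbs_entries}
    findings = []
    for msg in swift_log:
        entry = cbs.get(msg["ref"])
        if entry is None:
            # Message exists in SWIFT with no corresponding CBS entry,
            # i.e. it was created directly in the SWIFT environment.
            findings.append((msg["ref"], "no_cbs_entry"))
        else:
            if entry["amount"] != msg["amount"]:
                findings.append((msg["ref"], "amount_mismatch"))
            # Segregation of duties: the SWIFT operator must not be the
            # user who entered or authorized the transaction in CBS.
            if msg["operator"] in (entry["maker"], entry["checker"]):
                findings.append((msg["ref"], "same_user_in_cbs_and_swift"))
        if msg["amount"] > threshold and not msg["extra_approver"]:
            findings.append((msg["ref"], "missing_extra_approval"))
    # CBS entries that never produced a SWIFT message are also exceptions.
    sent = {m["ref"] for m in swift_log}
    findings += [(ref, "no_swift_message") for ref in cbs if ref not in sent]
    return sorted(findings)

if __name__ == "__main__":
    for ref, finding in reconcile(SWIFT_LOG, CBS_ENTRIES):
        print(ref, finding)
```
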
Banks pay for lax attitude
Based on the assessment, the RBI had issued Show Cause Notices to 49 banks, after which it decided to impose monetary penalties on 36 of them based on the extent of non-compliance. The process involved written replies from the banks, oral submissions made in personal hearings, and examination of additional submissions. The long list of penalized institutions includes:
| Amount of Fine Imposed | Banks |
|---|---|
| INR 4 Crore | Bank of Baroda, Citibank, Catholic Syrian Bank, Indian Bank, Karnataka Bank |
| INR 3 Crore | BNP Paribas, City Union Bank, Indian Overseas Bank, UCO Bank, Union Bank of India, United Bank of India |
| INR 2 Crore | Allahabad Bank, Bank of Maharashtra, Canara Bank, DCB Bank, Dena Bank, Jammu & Kashmir Bank, Oriental Bank of Commerce, Syndicate Bank |
| INR 1 Crore | Bank of America, Barclays Bank, Central Bank of India, Corporation Bank, DBS Bank, Deutsche Bank, HSBC, ICICI Bank, IDBI Bank, IndusInd Bank, JP Morgan Chase Bank, Karur Vysya Bank, Punjab & Sind Bank, Standard Chartered Bank, the State Bank of India, Tamil Nadu Mercantile Bank, Yes Bank |
SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is the global messaging platform over which banks across the globe transmit information on financial transactions. A number of SWIFT-related cyber frauds have come to the forefront in recent years. The 2016 Bangladesh Bank fraud worth USD 81 Million was a case of unauthorized SWIFT transactions targeting its account at the Federal Reserve Bank of New York. In February 2019, Union Bank of India managed to evade a similar attack that could have cost it USD 171 million. Although SWIFT has maintained that its network was never hacked, the company increased its security investments after the Bangladesh Bank heist by hiring a CISO and additional security staff, refining its security guidance, maintaining a 24/7 operations center to respond to incidents, and regularly testing its processes and procedures.
A Swift Response
SWIFT shrugged off any blame, attributing the fines to a lack of automation at member banks, which it called the source of continued vulnerabilities. The agency asserted that its role is limited to flagging concerns as a “hygiene” policy. It stated that most frauds happen due to manual interventions and insisted on enhanced automation at the lenders. Alain Raes, Chief Executive Officer, Asia Pacific and EMEA, SWIFT, said:
“It’s about STP (straight through processing) automation within a bank’s operations, which has nothing to do with us, and also reconciliation. Whenever we find a shortcoming in any member institution, we flag the same to the respective regulator and it’s up to the regulator to take a call on how to tackle the issue.”
The agency has mandated 16 principles for every institution connecting with the network. It said that its Indian clientele was in compliance with them by self-attestation.
Big leap on recovery road from embarrassment
The RBI’s step has been lauded as a major leap towards securing India’s banking systems from rising cyber fraud in the country. It also reasserts the credibility of the central institution as the apex financial watchdog. Mitul Budhbhatti, Associate Director and Head of Banking, Financial Services and Insurance at CARE Ratings, said:
“The series of fines imposed is a stern signal from RBI to banks to strengthen their internal systems and minimize fraud after the PNB fraud last year, which tarnished the image of India’s banking system. I expect RBI to continue to be more and more vigilant and continue with such monitoring.”
Voices from the banks in question opined that the issues are related either to interpretation of the RBI’s guidelines or minor technical matters which have been addressed after SCNs had been issued to them. The RBI statement mentioned that it will continue to closely monitor compliance with these controls across the Indian Banking System on a continuous basis.
- The disciplinary act reaffirms the RBI’s place as the apex authority in the Indian Banking system
- SWIFT officials say their role is limited to advisory and the onus of compliance remains with member banks
- There is a need for greater automation at SWIFT member bank networks as most frauds are due to manual interventions
- The banks say they have fixed the issues following the receipt of Show Cause Notice from the RBI