PNB fraud: Banks will have to be equipped with better risk management tools as NPAs pile-up

The Reserve Bank of India (RBI) must feel like Cassandra gifted with the ability to tell the future, but cursed that her prophecies would never be believed (she is a character in the Greek myth The Iliad, and sister of one of the main protagonists, Hector, Prince of Troy). The latest example is the Rs 11,000 crore plus fraud perpetrated in a Mumbai branch of Punjab National Bank.

In its Financial Stability Report (FSR) published in June 2017, the Reserve Bank of India highlighted three major concerns: bad loans (which could get worse by March 2018), cyber threats (that could emanate from the increased use of technology) and bank frauds (which the FSR says banks are reluctant to report).

All three are connected. As the RBI’s FSR pointed out, “…almost all corporate loan related fraud cases get seasoned for 2 to 3 years as NPAs (non-performing assets, or stressed loans) before they are reported as fraud”. As is evident, the alleged fraud perpetrated on PNB seems to be a good example of an important point of connection. Simply put, the bigger the NPA problem, the greater the risk of fraud.

What do the numbers tell us? Let’s look at the RBI’s FSR once again. In the last five financial years (2012-13 to 2016-17, or from FY113 to FY17), frauds have increased substantially in both volume and value terms, says the report. The number of cases went up by nearly 20 percent – 4,265 to 5,064 instances – but the value went up by 72 percent – from Rs 9,750 crore to Rs 16.770 crore. The share of frauds from the loan portfolio account for 86 percent of the value of frauds reported in FY17. That’s an impressive number.

The previous issues of the FSR – it’s a bi-annual report – have raised questions about the risks associated with fintech (or financial technology) and Regtech (regulatory technology). If fintech disrupts traditional service delivery models, the purpose of regtech is to help financial institutions to use technology in meeting regulatory and compliance requirements. For example, a Swiss firm called KYC Exchange allows institutions to share Know Your Customer (KYC) data.

Representational image. Reuters

What about cyber fraud? The noise levels about the risk to Indian banks went up massively after a gigantic data breach of 3.2 million credit and debit cards in 2016, by far one of the biggest attacks India. An even more recent example was the global ransomware attack, this time on several countries including India. The RBI asked banks to update their ATM software and other systems, as a result.

Which begs the question: Has the Indian banking system become more vulnerable to fraud? The Indian Banking Fraud Survey Edition II – conducted by Deloitte, the global consulting firm and published in 2015 – provides some interesting answers. For the record, the Survey was conducted on August and September 2014 and respondents were senior management responsible for fraud and risk compliance management.

93 percent of the respondents to Deloitte’s Survey said there had been an increase in frauds, and more than half said that fraud had grown by 10 percent over the previous year. The reasons for the increase were illuminating: Lack of oversight by line managers or senior management, business pressures to meet unrealistic targets, lack of tools to identify frauds, software and staff collusion, which was at the bottom.

It appears that one out of every four institutions in the survey recorded at least 100 instances of fraud in retail banking; most retail banking respondents aimed that the average fraud loss of Rs 10 lakh. Compare that to the non-retail segment where the average fraud loss was about Rs 2 crore.

What kind of frauds are we talking about? The Survey says that in retail banking, it was fraudulent documentation or overvaluation of collateral; in corporate banking it was diversion or siphoning off of funds, and in private banking, it was identity theft and fraudulent documentation.

Two other findings matter: One about fraud detection, and the second about the time taken to discover an incident. In order of highest to lowest, frauds were discovered by a customer complaint, a whistle-blower or an anonymous tip, during account reconciliation and lastly through automated data analysis or transaction monitoring software. Technology hasn’t been the best way of discovering fraud, apparently.

The average time taken to discover a fraud is less than six months, according to 70 percent of the respondents in the survey, and even after detection, in a majority of the cases, defrauded institutions were unable to recover more than 25 percent of the loss value.

To be fair, the fraud typology is roughly the same across countries. But where India is probably way behind is in the preparedness of banks in fraud risk management. Clearly, it doesn’t exist. The story of the Punjab National Bank fraud is still playing out in detail; it’s also likely that other banks that gave letters of undertaking as part of the syndication may have discover they have been defrauded.

But the numbers have definitely gotten bigger; the PNB fraud by itself accounts for more than two-thirds of the value of frauds reported in the last five years. That is worrisome, as is the possibility of more large frauds being unearthed, of a similar nature. It will also raise the hackles of investors and others who bank on the efficiency of financial markets and institutions.

Banks will have to do better, even as they resist greater intervention by the RBI. Would more fraud risk regulation necessarily be a bad thing? Not really As James Surowiecki, journalist and author of The Wisdom of Crowds points out, “If we want our regulators to do better, we have to embrace a simple idea: Regulation is not an obstacle to free markets, it is a vital part of them.”

(The writer, a former journalist, is a communications consultant. He tweets @shrisrinivas)