The Reserve Bank of India (RBI) ban on banks issuing letters of undertaking (LoUs) and letters of comfort has come not a day too soon. That should put an end to any new violations of the kind that have jolted the entire banking system and raised new questions about the quality of supervision and governance. While the Punjab National Bank case is being investigated (and this will hopefully help the government trace the funds taken by Nirav Modi or his associates), there can be no comfort until all the LoUs issued by all the banks over the last decade are reported and analysed. The nation can afford nothing less than a full-fledged and transparent account of the letters so issued, the liabilities they raised, the liabilities still outstanding, and those which stand extinguished, and how.
This is, in short, a fit case for a forensic audit across banks. Many banks have already begun such a process and those that have not should be compelled to do so without any further delay; if necessary, by a regulatory order.
But the audits are by no means an easy task given the complex nature of the transactions, compounded further by reports of deep-rooted connivance between multiple parties at various levels to defeat the checks and balances in the system. Most forensic auditors are currently busy in:
i) LoU reconciliations: examining and reconciling data for the last 7-10 years relating to LoUs issued, settled, and outstanding,
ii) Data analysis: performing the appropriate LoU and fund movement data analysis,
iii) Evaluation of the control environment: by making inquiries among bank staff, customers and their employees, and,
iv) Documentary checks: verifying all relevant documentary evidence in a conventional manner.
All these steps are excellent and much needed, but may not be enough to get a comprehensive evaluation and quantify the magnitude of the fraud, the modus operandi, and existence of other related frauds. The obvious “papers-amounts-people” checks must therefore be conducted alongside a macro-cum-micro analysis to ferret out the full nature of what has been going on under the guise of LoUs.
As an example, the macro approach should include a deeper check in all cases where the relevant staff has not been transferred out for over three years. Any particular employee or groups of employees who have been too long in the LoU or credit appraisal function without rotation should merit investigation. During this period, if any consultant, third party or contractual staff has been included regularly, the rights and privileges given to them must be checked and investigated.
All banks are supposed to report instances of attempted fraud to the RBI. This data for the last 10 years relating to all attempted frauds must be studied, especially cases concerning LoUs, guarantees and letters of credit (LCs).
This is a very effective method of understanding the mindset of fraudsters and exposing other unknown methods of fraud adopted. It would be useful for the RBI itself to pursue further investigations because that may reveal organized crime on a larger level.
In a micro approach, forensic auditors must use unconventional methods. An example of this is the simple “juxtaposition test” wherein two or more documents, pictures, letters, or records are placed side by side to study differences and similarities. These tests have been applied in several situations successfully. In one instance, subtle differences were found between two copies of the minutes in possession of different directors. No one would imagine that LoU copies within departments of the bank, as well as those with the overseas bank, and customers, could be different. If this simple test is performed, not only on LoUs but also on important agreements, LCs, etc., the results may reveal instances of fraud previously not envisaged.
A version of the relative size factor (RSF) test, used to check for unusual fluctuations in ledger entries, could be used to spot outliers, customer-wise, in the number of days’ usage of LoUs, amounts granted in excess of approved limits, margins waived, etc. to show favouritism. Data congruency tests even on non-financial data, such as the addresses and telephone numbers of customers with the addresses and telephone numbers of employees, could also possibly expose the nexus between customers and employees.
The services of a digital forensics expert would have to be used imaginatively to determine any system breaches, or the use of overriding instructions to bypass system controls. A trend analysis, and pinning down authorization with respect to such abuse, would help to rope in the wrongdoers quickly.
It may be worthwhile for regulatory agencies like the RBI to bring in a coordinating forensic expert to understand and evaluate the reports and views of various forensic experts appointed by various banks and enforcement agencies. This will bring greater clarity, enable quicker picking up of lines of further investigation, and facilitate the incorporation of better and stronger control systems.
If the credibility of the system has to be preserved, it is critical not only that frauds are prevented in the future but that this one is dealt with in a manner that sends out a clear signal that the guilty will be pursued and brought to book, no matter what it takes.
Chetan Dalal is a Mumbai-based forensic auditor.