The central error here surely is that the SWIFT inter-bank communication system is not monitored as carefully as it should be by some Indian banks. The accusation in this case is that bank employees sent messages through this system without these appearing in the core banking system, or CBS, which is what is generally scrutinised. Had SWIFT transactions been reflected in the CBS, the alleged fraud could have been nipped in the bud. Unfortunately, it appears that reconciliation of these two systems has not been a priority for Indian banks. The banking regulator, the Reserve Bank of India (RBI), clearly failed to ensure that these monitoring processes were in place. Other forms of supervision and monitoring also failed, such as scrutiny of foreign exchange balances.
That the basic software solutions used for SWIFT and CBS do not talk to each other automatically is particularly worrying, since SWIFT-based fraud has become a well-known vulnerability in recent years. The Bangladeshi central bank lost $81 million some time ago through the generation of a fraudulent Nostro account and misuse of the SWIFT system. This in itself should have served as a wake-up call for Indian banks as well as the RBI. It is not as if the vulnerabilities were not known. In fact, the then deputy governor of the RBI, S S Mundra, in a 2016 speech on cyber risk, highlighted this very problem and indicated that stakeholders “had not learned lessons” yet. However, it did not seem like the banking regulator cracked the whip hard enough. This alleged fraud at PNB was not brought to light through a regular supervisory exercise or through software-based red flags.
Several lessons emerge for the future conduct of banking regulation in India. First of all, this will provide ammunition to those who argue the RBI is too gentle with nationalised banks and does not maintain a sufficient regulatory distance. Since the RBI needs their co-operation in its other roles as monetary policy maker, as well as manager of the government’s debt, maintaining this distance can be difficult. The clear separation of these roles is desirable. Investment in the regulatory capacity of the RBI, and monitoring capacity in banks, is overdue. Attention should also be given to reducing the dependence on the banking system. Recent events show India needs to create the opportunity for majority private participation in public sector banks. Till that happens, the size of many of these banks should be shrunk. A reformed financial sector and a new regulatory framework must have a place for “narrow” banks.