The alleged fraud was carried out through misuse of Letters of Undertaking or LoUs issued by Punjab National Bank. What are LoUs, and how do they work?
In trade finance, which is the business of imports and exports, companies need funds to pay overseas suppliers in foreign currency. When an Indian company approaches its banker for such funding, designated officials will approve a credit limit for which an LoU can be issued. Once the LoU — essentially an undertaking by a bank to the overseas branches of other Indian banks to meet a liability on behalf of a customer — is issued, a message regarding the funding is sent from India to the bank abroad using the Society for World Interbank Financial Telecommunication (SWIFT) platform. SWIFT is a secure global financial messaging service used by over 11,000 financial institutions in more than 200 countries.
On receiving the SWIFT message, the branch abroad (mostly that of an Indian bank in the case of Indian companies) provides credit against import documents, normally for 90 days. (It could be that the LoU-issuing bank does not have operations in a particular foreign country.) Margins on the borrowing depend on the risk profile of the borrower, the company’s credit rating, and the terms of the credit limits set by the issuing bank. This is essentially a short-term foreign currency loan, on which banks charge 60 to 90 basis points over the London Interbank Offered Rate or Libor, the international benchmark for pricing loans or lending.
This facility is used regularly by companies in the business of gold, gems and jewellery. Companies also prefer this form of funding because the costs of raising money overseas are relatively lower than those of rupee funding. And for banks, this is good business — if all goes well.
What is the process that is normally followed to issue LoUs and transmit messages by SWIFT?
Requests for loans or LoUs for large amounts have to be approved by the senior management. The other part of the story is the transmission of the messages. This is usually a three-layer process that takes place either at the branch or its offices. One bank official is designated as a maker, another a verifier, and a third is the authoriser. All have different logins and passwords, and work independently of each other.
What went wrong in the PNB case?
SWIFT transactions are linked to the Core Banking Solution (CBS) of banks, which contains transaction histories and other data of all customers, and can be accessed by all branches where a customer has an account. SWIFT transactions, therefore, are automatically recorded, and are seen by officials from regional managers to general managers and, when the amount is big, by the top management. In the PNB case, the scamsters allegedly delinked SWIFT from CBS in the case of companies that were linked to Nirav Modi and Mehul Choksi. However, LoUs of other companies were routed through the SWIFT-CBS system. This meant that funds were provided to the Modi-Choksi companies without being recorded in the bank’s CBS.
Also, according to the CBI’s FIR, two officials at the foreign exchange department at PNB’s Brady House branch in Mumbai allegedly issued eight LoUs worth Rs 280 crore in February 2017 to Hong Kong branches of Allahabad Bank and Axis Bank without authorisation.
The alleged fraud continued for seven long years without being detected. How?
How — and how a handful of staffers could game the system — is baffling. The investigation should reveal details, but it seems reasonable to assume that the fraud could have gone on for so long only with the active collusion of a ring of officials. One of the bankers now under arrest reportedly handled transactions to provide credit to Nirav Modi’s firms for seven years — in violation of the normal practice of transfers every two or three years. SBI Chairman Rajnish Kumar said, “We don’t keep a person for more than three years at one position. There are certain positions which are very sensitive and we monitor those positions very closely. Banking is a risky business.”
Again, in PNB’s case, one out of the three persons that banks typically task to transmit SWIFT messages carried out two roles, according to investigators. Also, several bankers wonder how the delinking of SWIFT from CBS could have been achieved without it being detected by the bank’s information technology department.
These suggest a possible compromising of the sanctity of passwords or authentication, and the breaching of information technology systems. And the fact that, at the very beginning, the issuance of LoUs, whether forged or otherwise, for such huge amounts was approved without being captured in the system or red-flagged indicates a major failure of internal control systems.
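The controls described above (three independent users per SWIFT message, every message recorded in CBS, staff rotation within three years) can be checked mechanically against an export taken from the messaging terminal itself. The Python sketch below is an added illustration, not code from any bank or from SWIFT; the record layout, field names, user ids and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class SwiftMessage:          # hypothetical record layout, not a SWIFT format
    ref: str
    customer: str
    sent: date
    maker: str
    verifier: str
    authoriser: str

MAX_TENURE_DAYS = 3 * 365    # rotation limit quoted in the article: three years

def review(messages, cbs_refs, posted_since):
    """Return {ref: [findings]} for each outbound message that breaks a control.

    messages     -- records exported from the messaging terminal, not from CBS
    cbs_refs     -- set of message references present in the core banking ledger
    posted_since -- {user_id: date the user took up the current desk}
    """
    findings = {}
    for m in messages:
        issues = []
        if m.ref not in cbs_refs:                 # message bypassed the ledger
            issues.append("not recorded in CBS")
        users = (m.maker, m.verifier, m.authoriser)
        if len(set(users)) < 3:                   # segregation of duties broken
            issues.append("one user held two roles")
        stale = sorted({u for u in users
                        if (m.sent - posted_since[u]).days > MAX_TENURE_DAYS})
        if stale:
            issues.append("overdue for rotation: " + ", ".join(stale))
        if issues:
            findings[m.ref] = issues
    return findings

# Constructed sample data: references, customers and user ids are invented.
POSTED = {"u101": date(2010, 3, 1), "u102": date(2015, 6, 1),
          "u103": date(2016, 1, 4), "u104": date(2016, 8, 1)}
LOG = [
    SwiftMessage("REF-0001", "Customer A", date(2017, 2, 9), "u102", "u103", "u104"),
    SwiftMessage("REF-0002", "Customer B", date(2017, 2, 9), "u102", "u102", "u103"),
    SwiftMessage("REF-0003", "Customer C", date(2017, 2, 10), "u102", "u103", "u101"),
]
CBS_REFS = {"REF-0001", "REF-0003"}

if __name__ == "__main__":
    for ref, issues in review(LOG, CBS_REFS, POSTED).items():
        print(ref, "->", "; ".join(issues))
```

The reconciliation only has value if the message export and the ledger extract come from independent sources; a report generated from CBS alone cannot show a message that never reached it.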
OK, in the normal course, how do the banks that lend to a company on the basis of LoUs, get their money back?
Banks approach the lender that has issued the LoU — because these are commitments made by the issuing bank on behalf of a customer. Many banks receive their funds at the end of the 90-day period, after which fresh LoUs may be generated, often to keep payments to banks going. The investigation will look at allegedly forged LoUs that seem to have helped the firms secure funding for long. The liability for these LoUs is being contested by PNB — but other banks are unanimous that it must honour the undertaking it gave.
So, do the banks that provide this facility on the basis of an LoU have no responsibility?
Bankers say the bank receiving an LoU sends a letter of confirmation to the issuing branch and its controlling offices. It is not clear whether receiving banks such as Axis Bank, Allahabad Bank and Union Bank sent such letters. And if they did, the question is why no alarm was raised in PNB. It could be that the receiving banks didn’t send the confirmation letter. Or it could be that the letters were buried at PNB.
The RBI said on Friday that the fraud in PNB was the result of delinquent behaviour by some employees, and the failure of internal controls. What are these internal controls?
Some have been listed in the answer to the question above on how the fraud went on for so long. Ideally, SWIFT messages should have been checked by senior officials in charge of the credit, investment or treasury departments that handle the foreign exchange business.
Whenever such huge amounts are sent through SWIFT, daily reports are generated. All banks, including PNB, have vigilance departments and fraud management committees. Banks also have internal branch audits and concurrent audits involving external auditors. They also have risk management and audit committees at the Board level to ensure compliance. The failure of all these controls is a serious concern, also because PNB had been hurt badly because of lending in the past to Winsome Diamonds, which is now listed as one of India’s top defaulters.
What is the responsibility of the RBI itself?
Bankers say all LoUs have to be reported to RBI on a quarterly basis. It is not clear if the regulator’s inspection of the bank’s books revealed anything earlier. Till a few years ago, RBI used to inspect branches of banks, but it has now switched more to offsite monitoring. Successive RBI Governors have written to the government about the conflict involved in having a central banker sitting on the Board of a bank that RBI regulates. But the government insists that having a regulatory representative helps with checks and balances. This has led to debates on the accountability of the government, which owns many banks. On Friday, the RBI said it had already undertaken a supervisory assessment of control systems in PNB, and would take appropriate supervisory action.