March 5 (Reuters) - A $2 billion fraud at India’s second-biggest state-run lender Punjab National Bank has raised questions around the auditing and regulatory oversight of the country’s banks.
Documents reviewed by Reuters show the Reserve Bank of India (RBI) had come across issues related to the misuse of the SWIFT interbank messaging system, and other loopholes in many banks’ information technology infrastructure, as early as mid-2016.
Many of these loopholes are only now being closed after the PNB case.
Here are details from a series of “confidential” letters from the RBI to the top management at banks, flagging loopholes and recommending solutions:
** On July 22, 2016, the day when state-run Union Bank of India reported a cyber breach, the RBI sent an email to all banks asking them to strengthen controls over payment instructions sent to other banks, and to reconcile their nostro accounts - accounts held in foreign currency at another bank overseas - on a “real time/near real time basis so that any abnormality is noticed immediately”.
** On Aug. 3, 2016, the RBI sent a letter to banks reminding them about the July letter and asking them to immediately get their SWIFT system “comprehensively audited”, according to the letter reviewed by Reuters.
** It also detailed a set of “best practices” in an annex to the August letter.
** On Nov. 25, 2016, the RBI sent another letter to banks saying it had found several “common deficiencies” in the way banks were using SWIFT, according to a copy reviewed by Reuters.
** In the letter, the RBI said a decentralised set up for SWIFT at several banks meant that as many as 1,000 users per bank in some cases had access to SWIFT. It warned this increased the probability of “compromise of credentials which in turn exposed the bank to heightened risk of fraudulent activities as well as potential malware attack”.
** The letter also criticised banks for not having robust oversight despite having a decentralised SWIFT system, and in particular flagged the access being given to junior officials.
** The RBI had also highlighted a lack of “straight through processing”, or a connection between most banks’ core accounting software with the SWIFT system - one of the main issues blamed for the alleged Punjab National Bank fraud.
** The RBI said there was no mechanism at most banks to verify whether every outward SWIFT message related to trade finance had a corresponding underlying letter of credit, and thus check if a letter of credit was being fraudulently issued.
** The RBI asked banks to reconcile all letters of credit they had issued through SWIFT and ensure that those were reflected in their accounts. Banks were asked to complete this task by Feb. 28, 2017 and report back to the RBI by March 15, 2017.
** The RBI called for the banks to examine centralising the approval of SWIFT messages at the head office. It asked banks to explore linking their core banking software with SWIFT, although it did not set a deadline.
* On Feb. 20, 2018, the RBI sent a letter to the heads of all banks, again marked “confidential”, setting strict deadlines for more than two dozen actions, including the linking of SWIFT with the core banking system by April 30.
** It also mandated nostro reconciliation on a real-time basis, reconciliation of payment messages every one or two hours and tightening the rules around use of SWIFT.
Reporting by Devidutta Tripathy and Suvashree Dey Choudhury Editing by Alex Richardson