Let’s tighten our seat belts and let Mr Narendra Modi shake up and clean the Indian Banking system

After the surfacing of the Nirav Modi-Mehul Chokshi scam in PNB, media is on its own interpretation some of which are politically motivated and some are born out of lack of information. According to NDTV and some other media, the loss may be over Rs 20000/- crores. Rahul Gandhi who may think he belongs to the Mahatma Gandhi family but he is still struggling to distinguish if Nirav Modi is the cousin of Narendra Modi. Mr Singhvi is caught in the “Unaccounted Money” allegations. The Alpha files and deep throat are also in the fray making this a great time for TRP oriented media.

Negligence in Banking is universal

The Dinesh Dubey revelations may appear sensational to Mr Arnab Goswami but the fact that Bank Boards are manipulated by the politicians is well known. The UPA Government which had mastered the art of making money by exploiting the land, see, air and even the spectrum, could not have missed an opportunity to take money directly from the Bank. Hence if Mr Narendra Modi says that when he took over, NPAs were more than 126000 crores and he could not have publicised it without hurting the industry, it does not come as a surprise to observers like us. From the old Indian Bank fraud to Harshad Mehta Fraud, we have seen enough of frauds in the Banks to believe that if Digital Banking is indiscriminately promoted, fraudsters will make merry.

If Global Bankers have a system where by  SWIFT message from a deputy manager of a Bank can be used to lend Thousands of Crores to one company by several banks, then the problem is that Digital Bankers of the day donot know the Risks inherent in Banks. This includes even the wisemen in RBI who are good paper pushers.

Naavi.org had its own share of “Dooms day predictions” in Banking and there are plenty of articles in the past highlighting a day of this nature when Cyber Frauds or Frauds in the Cyber Banking scenario could be huge enough to wipe out even big Banks.

For a long time we have held that RBI has no control over influential Commercial bank Chairmen. We have stated this in the context of ICICI Bank, State Bank of India, PNB and  Axis bank where we had observed frauds, brought it to the notice of RBI and found no action was taken. We had even demanded that some branch licenses of ICICI Bank and PNB should be suspended as a deterrent. Some of these Chair persons have held influential positions in IBA which has been more powerful than RBI. Hence many security guidelines of RBI are simply ignored by IBA and RBI has done nothing to enforce its authority.

As a result, the negligence and apathy in the Banking industry continues. Security is always subordinated to profits and hence we see weak IT systems and opportunities for frauds increasing by the day.

Yesterday, City Union Bank has also been confronted with the SWIFT fraud in which three fraudulent remittances seem to have been attempted. One of this has been prevented. One more may be retrieved quickly. Other may require some effort. But the fact that CUB faced the same problem which Bank of Bangladesh suffered long ago shows that our Banks donot learn lessons.

There is presently no doubt that officials of PNB were involved in the fraud to favour Nirav Modi-Mehul Chokshi. They might have been pressurized politically at the Chairman level. It is only when Mr K.R.Kamat the former Chairman of PNB is queried about some of these transactions, that the truth may come out.

In this confusion, we should not forget that it is not only PNB that should be hauled up, but each of the Banks which gave funded loans to Nirav Modi-Mehul Chokshi firms based on a SWIFT message from a junior officer without following the 90 day RBI norm or examining the end-use of funds and feasibility of the operations.

As Mr Dinesh Dubey’s statements indicate, there was political conspiracy where by multiple Bank Chiarmen were made to provide funded loans against the PNB’s LOUs. Hence all these Banks are part of the conspiracy to siphon off Rs 11000 crores or whatever amount we finally end up with as the loss in the funded accounts. It is for this reason that RBI should not force PNB to take all the liability and leave out the other Banks from the conspiracy. If this is forced, it would mean that RBI itself would be guilty of abetting the fraud.

The other independent Directors who were complicit with these frauds should also be questioned in each of these Banks.

The contribution of Finacle sofware

Another neglected aspect is the Company that is responsible for the Core Banking Software used in Indian Banking system which happens to be our beloved Infosys. The system is FINACLE. After the few PNB phishing frauds that I had come across, I have raised my voice against FINACLE not being Cyber Law Compliant. Now this PNB fraud indicates some of the systemic weaknesses in the Finacle software.

I am sure that my friends in Infosys will immediately object to my drawing their name into this controversy. When I objected to Finacle Marketing chief hailing it as a platform for Bitcoin usage, I had many of my friends displeased. But the reason why Infosys should find itself reviewing its own contributory role in this Banking fraud is because it appears that the software is not built by design to prevent such frauds.

Software developers may conveniently say that it is for the software user to provide specifications and the developer will provide a solution as desired. If the solution facilitates frauds, it should not be the responsibility of the software developer.

They may say that “Releasing a Software with Bugs is their right” and what conventional Bankers like the undersigned may dub as “Fraud friendly specifications”, is the responsibility of the Bank using their software.

I am aware that in the past developers of the Accounting software “Tally”  telling me that some security features in the software was deliberately removed in subsequent versions because the users wanted “Flexibility” in the accounting. The flexibility wanted by the users was the ability to manipulate accounts so that false accounts can be created without the log system capturing the manipulations. This facilitated a fraud in an Exporter’s firm in Chennai in whose investigation, I had participated. Tally succumbed to this marketing pressure and fell into the practice of “Customization for Customer Convenience”.

It is possible that Infosys might be in the same situation where for commercial reasons, they have to configure FINACLE to facilitate convenience even though it makes it easy for fraudsters to misuse the system.

Today everybody is asking why The PNB’s SWIFT messaging system works outside CBS.

If certain messages sent out of SWIFT creates liabilities (contingent or otherwise) for PNB, and has to generate a corresponding “Margin Money Demand” and “Guarantee Commission Credit”, then FINACLE should have ensured that the messages are generated only from within FINACLE only.

If PNB officials did not want it this way, Infosys should have documented the request with the reasons. If Infosys developers were aware of “Banking” in depth, they would have immediately sensed that the request is made only to keep a “Backdoor for fraud” that can be exploited.

Infosys failed to show the commitment to prevent a “Fraud Friendly Configuration” to prevail which could hurt the society.

I would be happy to receive a clarification from the FINACLE team if my conjecture is wrong. I would expect Mr Nandan Nilekani to order a review of the security features of Finacle without restricting the definition of security to only the CIA principle of technical security but extending it to “Security of the underlying business which the software supports”, which is the “Total Information Assurance” principle.

Role of Auditors

We can now shift our attention to the auditors and Information Security department of PNB. Should they not have seen the “Vulnerability” in the CBS system and flagged it as a risk?.

Probably these are auditors did not understand how the IT system of Financle could be misused. Even if they were not IS experts and had to believed the management statements, the nature of financial transactions, the 365 day window provided for the LOUs, the frequent roll overs etc should have given them the clue.

Internal auditors who should be Techno Banking specialists also failed to note the suspicious patterns.

I am sure that SWIFT messages are separately audited and at least it should have been reconciled with margin money and guarantee commission account which the auditors ignored.

The Board which should provide an annual declaration under clause 49 of the listing requirements in the annual report stating that there are “Adequate Controls and the correct financial statements are reflected” have made false statement for which the entire board of directors are responsible.

The same questions of internal controls of auditing failures applies in each of the other Banks who are today claiming that they trusted the LOU of PNB and blindly paid out money in thousands of crores to beneficiaries. We are not fools to accept this argument.

I consider that the issue of loans by all these Banks under circumstances where the business feasibility was doubtful and known norms flouted, is a prima-facie evidence of the involvement of employees/Directors/CMDs in all these Banks (6 or 32?) in a great Banking fraud conspiracy.

CBI must enquire all these employees starting with Allahabad Bank Board members on whom specific information is now available.

Demoralization Effect

As an ex-banker, I am aware that this fraud which cuts across many Banks will have a demoralizing impact on the employees when CBI extends it’s net wide. We have seen this happen after the Indian Bank fraud surfaced two decades ago.

It is for this reason that Media should stop creating panic and putting pressure on BJP Government. Instead, they should try to instill confidence in the public that what the Government is trying to do is a very sensitive operation and has to be done discretely.

While the anti national forces which includes the present version of the Congress party would like to create more confusion with its demand for JPC so that the thieves can themselves be the judges, Government of India should resolutely move towards cleaning up the mess. Less they talk, better it is.

Only one word of comfort from Mr Arun Jaitely or Narendra Modi that proper action would be taken should suffice. All the spokes persons should stop talking on this scam even if they are tempted to do so because of the utterances of the opposition. The “Professional Panelists” like Sumant Sriram et.al, should be kept out of the channels for some time so that a sense of responsible reporting returns to the media rather than shouting for political gains.

In the process,  we need to root out corruption in Banking and ensure that the future of Banking is saved. Let more heads roll and more bodies go behind the bars. It will be in good cause.

Indian Banking system has many honest individuals who can raise to meet the challenge, fill the void even if 25% of the top management in Banks are removed and manage the turmoil. All the independent directors of the 6-32 Banks who were complicit in the conspiracy should be removed forthwith and brought into the enquiry process.

This will have its share of demoralization in the industry. But it will spur the honest Bankers in the next level to work more honestly than before and restore the Banks back to health.

This is like the Kargil fight. We might have lost the battle but let us fight to win the War. Just as in the demonetization days, the public supported Mr Narendra Modi, they will support him even now.

Let’s therefore tighten our seat belts and let Mr Narendra Modi shake up the Banking system.

May be the above ad from PNB on its home page is meaningful in the current context.


P.S: It is now reported that Level 5 password for SWIFT which only AGMs could use was shared by Mr Shetty who was a deputy manager with the officials of Nirav Modi so that they could issue their own LOUs.

This means that the password was first shared by the AGM with Mr Shetty and the system was not configured to link the hardware ID from which the SWIFT could be accessed. Normally the adaptive authentication system should prevent logging in to SWIFT except from a designated computer. The IT Manager, the IS manager, the AGM himself all deserve to be put to jail for giving away the key to the strong room to the fraudster.

If the software had been designed with this possible use case in picture, such logging in would not have been allowed even if the fraudsters had come to Mr Shetty’s cabin and operated his computer since the AGM’s password should have been linked to his computer.

It also means that there was no digital signature or biometric authentication either to the SWIFT application or to the computers authorized to access SWIFT application. (Refer India Today article)

…Disgusting

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.