Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

After the PNB Fraud in which over Rs  11400 crores are suspected to have been lost came to light, many other frauds are slowly tumbling out the closets of E Banking.

Leaving aside the fact that the lenders of different Banks who lent money to Mr Nirav Modi and Mehul Chokshi failed to check the “End Use” of funds and allowed renewal of LOUs without checking the previous utilization and need for extension, it was also realised that PNB had even allowed the Nirav Modi employees to directly access the SWIFT messaging system of the Bank.

The system of the Bank was so configured that SWIFT system could be accessed from outside the banking network. The operating officials of the Bank gave away passwords of multiple officials  to the Nirav Fraud team.

The system had no control that could detect that the log in was from outside the Bank’s network, multiple passwords were entered from the same computer and the messages did not reflect in the CBS system, nor created vouchers for commission or margin collection.

This was a gross failure of the Bank staff and the information security configuration of the systems.

It is true that any IS control can be defeated if the employees are dishonest. But still, the system design should be such that even if some of the employees are dishonest, the fraud should be detected, if not for the first time, in subsequent times.

Unfortunately the creators of the software in Infosys who sell FINACLE and supply it to a number of Indian Banks, are not aware of the intricacies of Banking transactions and how frauds could be committed. Hence their design is a faulty design and Banks are saddled with this defective product.

Now yet another fraud has come to the open in State Bank of India, Chennai where also it appears that the passwords of the Bank staff has been used by an outsider to divert over Rs 3.2 crores of money (Refer article here) meant for purchase of Cars as an unsecured cash advance which was used for funding a Film production. Here again, the security configurations of the CBS software has failed to recognize that Cars were not purchased, money was not credited to a Car dealer’s account, documents such as RC book etc was not submitted, asset inspection did not take place etc.

In all such cases, it is clear that it is not only the Software that failed, but also the internal audit system.

It is high time that Indian Banks rethink on how their “Internal Auditors” are equipped to conduct audits in the Computerized environment.

If internal audit cannot identify this new generation of Bank frauds where the customer himself is given access to the Bank’s systems to design his own loan sanctions, create approvals of several layers of bank officers and take the money out, then there is no need for such audits.

Where such “Self Loans” are used in the “Kite Flying Mode” and repaid with a roll over loan, it is very difficult for normal audit processes to find out the anomaly. There is definitely a need for Computer Assisted Audit techniques either with in built features of the core banking software or through specialised audit tools.

FINACLE Strengths and Weaknesses

The Banking software like FINACLE which costs a fortune for the Banks should have an inbuilt, non-tamperable audit module that should be effective in preventing such frauds to continue beyond the first couple of occurrences if not the first time.

FINACLE boasts of an Audit module as part of its system but it is clear that it has failed in the context of not only PNB Brady Branch but also SBI Chennai branch and in the many other similar cases that have come to light now.

If the Indian Banking system is in doldrums today, a large part of that responsibility should be boarne by the CBS software suppliers who have supplied defective products to the industry.

RBI has failed to subject the software itself to an audit of IDRBT which is mandatory and hence part of the responsibility for the use of defective software lies on the RBI also.

While checking on the Audit capabilities of FINACLE, I came across an article describing the audit capabilities of FINACLE.

Some key FINACLE menus and their use for an auditor has been described in this article. Some of them are briefly reproduced here.

  1. Account Leger Enquiry (ACLI)
  2. Customer Account Leger Print and Office Account Ledger Print (ACLPCA and ACLPOA)
  3. Audit File Inquiry (AFI)
  4. Average Balance (AVGBAL)
  5. BCREPORT
  6. Customer Master Inquiry (CUMI)
  7. Report on Expiring Documentary Credits (DCEXPLST)
  8. Query on Documentary Credit (DCQRY)
  9. Exception Report (EXCPRPT)
  10. Generate Report (GR)
  11. Financial Transaction Inquiry (FTI)
  12. Accounts Due for Review (ACDREV)
  13. Inward/Outware Remittance Maintenance (IRM/ORM)
  14. Outstanding Items Report (MSGOIRP)
  15. NPA Report (NPARPT)
  16. Letter of Acknowledgement of Debt Report (LADRPT)
  17. Loan Overdue Position Inquiry (LAOPI)/Ttemporary OD Report (TODRP)
  18. Print Reports (PR)
  19. Guarantee Issued Liability Register (GILR)
  20. Partywise Overdue Packing Credit (POVDPC)

The above list indicates that there should have been several reports that should have thrown up audit queries in respect of PNB Fraud as well as the SBI Fraud.

Now what we need to check is why did the discrepancies were not thrown up by the audits?

The reasons could be many.

  1. First reason could be that no audit was at all conducted. In PNB we are told that RBI did not audit the branch for more than 9 years. It is not clear if the internal audit was also bypassed. If so was there any declaration in the annual reports to the share holders providing the list of branches which were not audited for the last 1/2/3 or more years?
  2. If an audit was conducted, it is possible that the auditors were not aware of all these modules andhow to use them appropriately
  3. Perhaps there was lack of adequate training of  the auditors.
  4. It is also possible that FINACLE comes with some base module that does not include all features and a higher priced module that may include additional modules and the Bank could have not taken the full module for cost considerations.
  5. It is also possible that the FINACLE system itself might not be able to properly analyze the data in the above modules though it may create some printable reports.

Need for Data Analytics in Audit process

Computer Assisted Audit Techniques that are essential for proper auditing of any Computerized data environment requires a capability to

a) Acquire data of different types from across the network available in different platforms and collate it into a common platform for analysis

b) Extract, Classify and Re-classify data into different groups which create new meanings not visible in the direct report

c) Search data across multiple categories and filter them against some specific risk identifying algorithms

d) Use known statistical methods such as Benford law to check on potential frauds

e) Use Forensic audit tools to discover evidence that has been buried by the fraudsters

f) Use “Checking of Controls” as a part of the audit including the Information Security controls such as “Access Control”, “Log Analysis”, “Incident Management System” etc.

It is clear that the current Internal Audit process in Banks is not equipped to conduct an audit outside what reports are submitted by the Branch to the auditor. If the Auditor audits only what the auditee wants him to see, then the value of such audit is low. Perhaps it is what statutory auditors do. But Internal auditors have to go beyond checking the arithmetic accuracy of the transactions and go into an in-depth fraud possibility analysis.

Cost and Training Hurdle

In examining the solutions that the Auditors could use, it was observed that the tools normally considered as reputed “Computer Assisted Audit Tools” or CAATs are prohibitively expensive and require a rigorous training both of which seem to create a hurdle for Banks.

However, it is possible for RBI to equip itself with such tools (ACL, IDEA, ARBUTUS etc) and use it in its audit as a starting point. Other Banks may start using it depending on their size. Obviously the larger Banks donot have any constraint on budget nor ability to train the auditors, But smaller Banks may have a problem.

I therefore suggest that smaller Banks create a “Technology Resource Pool” in a “Centralized Fraud Investigation Center” which should be equipped with such tools and talent and conduct audits of member Banks as a service.

I hope RBI will take such steps to ensure that in future the audit system is strengthened to such an extent that the frauds such as what we are now seeing does not go undetected before it balloons into a huge scam.

Naavi


(P.S: I have been an ex-Banker and therefore may not be fully aware of the current situation in the Banks about how audits are conducted in the Computerised environment.

But looking at the frauds that are surfacing, it is clear that the system is not working properly and hence some of the observations made above may be true though I may not be able to give evidence of the same. If we want to clean up the Bank system, Bankers need to do a self evaluation of their systems and check if some of the points made here are relevant or not.

I invite comments and suggestions on how to improve Audit systems in Banks in the computerized environment… Naavi)


Where there is Money, there will be Fraud” is a truth which all traditional Bankers know. Hence the essence of Good Banking is building security into the culture of the organization and into its systems. The legacy paper based systems in Banks have been robust enough to ensure that Frauds are detected quickly if and when it happens and no fraud will succeed without collusion of multiple persons and negligence of multiple persons.

Future of Banking

With the change over from paper based banking to electronic banking, the risk has increased many fold since the procedures of Banking have now been subordinated to the “Systems” designed by “IT Professionals” who are not “Bankers”.

I am reminded of one of the early warnings given out (some time around 2005) by Mr A. T. Panneer Selvam, the former Chairman of Union Bank of India (and an Ex DGM of IOB in which the undersigned worked a few decades back) who said “Future of Banking belongs to IT Professionals”. I have quoted this a number of times in my lectures promoting the advent of digital Banking before shifting to the current slogan that “Future of Banking belongs to Information Security Professionals”.

Need for Information Security Culture

The PNB fraud has highlighted this need to develop an “Information Security Culture” in Banks on a priority basis.

People in the Information Security try to design many sophisticated tools to secure the “Confidentiality”, Integrity” and “Availability” of information which they define as the contours of information security. But if an authorized system owner shares his password to another, then the entire system of security built around the system of password crumbles.

In the PNB case, it appears that the Password of an AGM was shared with a Deputy Manager. So far the name of the AGM who shared his Level 5 Password with Mr Gokulnath Shetty has not come to open. He is an abetter for the crime and should also cool his heels in the jail for some time. It may be more than one official of the banks who shared his password with his juniors and all of them should now be held responsible along with  Mr Gokulnath Shetty who shared the password with an outsider client in what can only be said as “Incredible”.

In June 2016, we saw TCS employees sharing passwords issued for an employee of a different company amongst themselves and hacked into a US Company resulting in a legal suit of US $940 million on the Company. Fortunately the Directors and CEO escaped criminal charges and contained the damage to a civil suit.

This menace of “Password Sharing” that has now reached a new dimension with password being shared with an outsider clearly indicates that our Information Security designers are at fault to first of all rely on the system of Passwords and then not have adequate measures to control the risks.

Design Faults

If we have dual keys to our strong room where cash is kept and electronic locks that can be opened only at a certain time by certain biometric authentication etc., why is that the SWIFT systems cannot use digital signatures backed by biometric based cryptographic keys and RFID based identity cards etc to build layers of security which ensures that the system cannot be operated except from within a specific system in the Bank? Why every transaction is not immediately deposited in a different system and audited independently of the maker and checker who might have colluded?

The security design in banks is faulty and I have already said that the makers of FINACLE software for which our Banks have paid a fortune should accept that their security design has left the Indian Banking system vulnerable.

Inaction by RBI

When I spotted and pointed out extreme recklessness of ICICI Bank ,PNB and Axis bank during the adjudication proceedings of some Phishing Frauds,   I had personally represented to RBI that they should suspend the Internet Banking licences of some of the branches involved in the commission of Phishing frauds.

Had RBI atleast sent one harsh letter to the Banks at that time, perhaps this PNB fraud would not have happenned. Mr K.R.Kamat was the Chairman then and he continued to raise to greater heights after the frauds were pointed out.

The fraud in which more than Rs 1.6 crores were lost by an exporter  in PNB was a clear indication of complicity by the Noida branch of PNB but Mr Kamat took no action. This case is still languishing in the Delhi National Consumer Forum and the judges who have been adjourning the case year after year obviously at the instance of the bank will have to introspect if they could have contributed indirectly to the current Rs 11400 crore PNB Fraud.

The Governors, Deputy Governors and other Executives of RBI whom I repeatedly appealed to for action but who did not respond should introspect if they are also responsible for not initiating specific action in time which has caused the present mess.

Appointment of Directors

Without diverting back into the software issue and irritating my friends in IT industry more, and also not again speaking of the RBI as a toothless paper pusher who is good in drafting guidelines without any power to implement them, I would today like to say that the root cause for the malaise lies with the Finance Ministry in their system of appointment of Independent Directors of Banks, Chair persons and other Directors.

The clean up therefore should start here at the Board level appointments in each of the Banks.  For Indian political system  to think of progress we needed a Narendra Modi to succeed Mr Manmohan Singh. Similarly, for any Bank whether it is PNB or SBI, ICICI Bank or HDFC Bank, Allahabad Bank or Union Bank, it is necessary that the head of the institution should be not only efficient from the domain perspective but also scrupulously honest. We cannot expect every Chairman to be an Information Security expert but it is for this reason that he has a Board to assist him. Every member of the Board should therefore be equally honest besides being an expert in some part of the domain.

The constitution of the Board of Directors is the biggest internal and external control for the Banks. Without correcting this, if we try to tinker with our Firewalls, Software and Hardware, we will not be able to achieve the security that we are trying to achieve.

The politicians and media who are questioning Mr Narendra Modi that Mr Hari Prasad’s letter was not acted upon by the PMO must ask why all the public postings at Naavi.org in which Banks like ICICI Bank, PNB, AXIS Bank and SBI in particular were pointed out for lack if information security practices leading to frauds were not acted upon by the respective Banks and RBI.

I had called upon the Independent Directors of the Banks with a request ” If You are a Bank Director.. Your Independence Day Resolution Should be…” after the Bangladesh Bank SWIFT fraud to ensure that the RBI guidelines on the “Cyber Security Framework” should be diligently implemented by the Banks. I am not however sure if any of the independent directors raised the issue in any of the Board meetings.

These Independent Directors have failed to discharge their responsibilities like what Mr Dubey of Allahabad Bank tried to do and therefore should bear the vicarious liability for the PNB fraud.

The Ball is in the Court of Mr Arun Jaitely

If these Directors were incapable of protecting the Banks and the Chair persons were both inefficient but also complicit in the frauds, the responsibility goes upto the Finance Ministry under Mr Aurn Jaitely and the Secretaries in the Finance Ministry who have appointed these Chairmen and Directors for their own considerations. While commenting on the Bitcoin issue, I have repeatedly stated that I have doubts on the culture of the Finance Ministry built under the regime of Mr P Chidambaram and urged Mr Arun Jaitely to take suitable corrective action.

Now we need to repeat this request once again for Mr Arun Jaitely to prove his commitment to clean up the Banks by kicking out non functional Directors and replacing them with vigilant, honest individuals of repute who can ask questions of the Chairmen and Board. Many of the Chairmen themselves need to be eased out though in a manner that does not destabilize the system. All independent Directors in PNB and other Banks which have given loans to Nirav Modi, Mehul Chokshi companies must be removed tomorrow and replaced with appropriate persons.

Will Mr Arun Jaitely have the necessary commitment?

Naavi


Reference Articles:

Naavi.org has been carrying on a crusade against Bank frauds in the Digital era and discussed many issues in the past. If the authorities had taken some action on these warnings, we would have perhaps not be in the situation we are now in. Some of these warnings were to individual Banks, some to RBI and some to the Government itself. I hope at least now some body will find time to examine how security in Indian Digital Banking industry can be improved with appropriate regulatory action. The ball is the court of Mr Arun Jaitely, the Finance Minister.

For immediate reference some of the past articles are indicated here:

Axis Bank ATM license should be cancelled by RBI

Does SBI Cards pose a special risk for customers because of Incompetence and possible collusion?

Will RBI disclose “Sanction Mechanism” to enforce sanctity of Banking license conditions?

Let RBI show Who is the Boss

1710 Bank Frauds reported by Police..Does RBI have a count?

RBI cannot remain silent.. and so also NPCI, CERT and Ministers of Home, IT and Finance1>

Banks want their negligence to be underwritten by the Customers. Do you agree Mr Urjit Patel?

Yet another Bank Fraud.. What will RBI say?

This credit card fraud should be a lesson to Judges, Adjudicators and Banking Ombudsmen

Another Great E Banking Robbery Could destroy our Banking system

Protect Bank Consumers from Frauds or be prepared for disaster..A warning to BJP Government

90% growth in Credit Card Frauds … Dear Police, How Many Banks have you Charged?

SWIFT Hacking exposes Indian Banks to huge Risks

RBI’s conspiracy by silence

Negligence of Export Promotion Councils, ECGC and Banks lead to Rs 2.35 crore fraud

Has RBI really woken up from its slumber?

What does the new RBI Governor has to say for this?

..The list is endless. May be a search page like this will help