SWIFT & CBS
SWIFT is a messaging system used by banks and lenders around the globe to transfer foreign money between them. Banks also run a Core Banking System (CBS), which holds end-to-end records of daily banking transactions. However, the SWIFT messaging system is not integrated with the bank's CBS, and SWIFT messages are entered manually.
A Letter of Undertaking (LOU) is a guarantee given by a bank to its customer, enabling the customer to secure a short-term loan from a foreign bank. To get an LOU, the customer is supposed to keep a margin / guarantee collateral with the issuing bank.
PNB and most public sector banks in India are not fully integrated with core banking software. This means that transactions can be carried out without being entered into the bank's main software, which opens loopholes for malpractice.
- 352 Letters of Undertaking and foreign Letters of Credit worth Rs 6,500 crore
- 2 PNB employees issued LOUs / LOCs via the SWIFT system to Nirav Modi for loans to be disbursed abroad.
- Once the foreign bank gets this LOU, it disburses the loan, as the LOU is an equivalent guarantee from PNB: if Nirav Modi fails to repay, the bank shall clear the dues.
- These transactions were not entered into the Core Banking System and never made their way into any books / ledgers, so they were hidden from audit and monitoring systems.
- The LOUs started with Rs 800 crore. If this had not been paid, the banks would have raised a defaulter alert and PNB would have known. To avoid this, the PNB employees issued more LOUs in favor of Nirav Modi, instructing other foreign banks to disburse loans, which were used to pay the initial loan and added more to the dues.
- This arrangement piled up the initial debt of Rs 800 crore to Rs 11,000 crore by 2017.
Period of Exploitation
6 years between 2011 and 2017
It came to light during the 3rd week of January 2018 (according to PNB), which approached the Central Bureau of Investigation on January 29, 2018.
Estimated at $1.77 billion (over Rs 11,000 crore)
The PNB fraud forced banks to recheck their LOUs and the guarantees disbursed via SWIFT. This brought to light many more frauds that misused the SWIFT system.
This has raised questions about the security of the SWIFT system. The consortium managing SWIFT has washed its hands of the matter, saying it is not answerable for fraudulent instructions placed through partner banks. They are right from a legal perspective.
From a risk management perspective:
- A third-party risk assessment would have helped SWIFT understand the risks that might arise through the third parties involved (partner banks).
- A risk management process to rate transactions and monitor / re-validate suspicious transactions.
- SWIFT could have enforced stringent measures to ensure validation of transactions at different demographic locations of a bank.
- SWIFT could implement timing restrictions on transactions based on time zones, to ensure no employee is able to execute a transaction outside normal working hours.
- Working with peers (banks) on a regular basis, educating them on possible loopholes and threats, and working together towards integration with their respective CBS.
- The SWIFT system could have flagged transactions for review when multiple LOUs were issued to the same customer for a substantial amount.
There are many ways SWIFT could have played a better role in mitigating these risks by working closely with the partner banks. RBI, the regulatory body in India, has now taken a few steps to ensure this doesn't happen again, and has also requested all banks to stop issuing LOUs until existing debt is sorted out.
Aftermath of incidents:
- All banks re-verify their existing LOU / SWIFT instructions, more unpaid loans revealed
- RBI instructs to stop LOU / LOC guarantees temporarily.
- Call for ensuring banks are fully integrated with CBS system to make it difficult to make off-book transactions
- Fixed timing of 9am to 8pm for all SWIFT transactions
- Integration of SWIFT messaging system with Core Banking System (CBS)
- Additional Layer of Approval for all outward SWIFT messages
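The controls listed under the risk management perspective and the aftermath (reconciling SWIFT messages against the CBS, the 9am to 8pm window, and review of multiple LOUs to one customer) can be combined into a single review pass over outward messages. The following is an added example, not code from any bank or from SWIFT; the record fields, the sample data and the threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample data, not figures from the case. "sent" is assumed to be
# in the issuing branch's local time.
SWIFT_MESSAGES = [
    {"ref": "LOU-001", "customer": "CUST-A", "amount_crore": 800, "sent": "2017-03-01T11:15"},
    {"ref": "LOU-002", "customer": "CUST-A", "amount_crore": 950, "sent": "2017-03-20T21:40"},
    {"ref": "LOU-003", "customer": "CUST-B", "amount_crore": 40, "sent": "2017-03-21T10:05"},
    {"ref": "LOU-004", "customer": "CUST-A", "amount_crore": 1100, "sent": "2017-04-02T15:30"},
]
CBS_REFS = {"LOU-003"}  # references that were actually booked in the CBS

WINDOW_START, WINDOW_END = time(9, 0), time(20, 0)  # 9am to 8pm window
SUBSTANTIAL_CRORE = 1000  # assumed review threshold for cumulative exposure


def review_outward_messages(messages, cbs_refs):
    """Return {message ref: [reasons]} for messages that need manual review."""
    flags = defaultdict(list)
    count, exposure = defaultdict(int), defaultdict(int)
    for msg in sorted(messages, key=lambda m: m["sent"]):
        ref, customer = msg["ref"], msg["customer"]
        # 1. Off-book: sent over SWIFT but no matching CBS entry.
        if ref not in cbs_refs:
            flags[ref].append("not_in_cbs")
        # 2. Sent outside the permitted transaction window.
        sent = datetime.fromisoformat(msg["sent"]).time()
        if not WINDOW_START <= sent <= WINDOW_END:
            flags[ref].append("outside_hours")
        # 3. Multiple LOUs to one customer adding up to a substantial amount.
        count[customer] += 1
        exposure[customer] += msg["amount_crore"]
        if count[customer] > 1 and exposure[customer] >= SUBSTANTIAL_CRORE:
            flags[ref].append("repeat_lou_exposure")
    return dict(flags)


if __name__ == "__main__":
    for ref, reasons in review_outward_messages(SWIFT_MESSAGES, CBS_REFS).items():
        print(ref, ", ".join(reasons))
```

The first check is the one that matters most for this case: any outward guarantee that cannot be matched to a CBS entry is, by definition, off the books.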