The PNB –Nirav Modi case is a text book case of an operational risk event. The fact of the case is now well known. The case revolves around letters of undertaking (LOU) issued by PNB (issuing bank) to overseas branches of many Indian banks. An LOU is, in essence, an irrevocable bank guarantee issued by a bank (Issuing bank) on behalf of its customer to another bank (Recipient bank). The recipient bank extends credit (buyers’ credit) to the issuing bank‘s customer by way of financing import of goods as a part of the latter’s legitimate business. In this case, the issuing bank is PNB and the customers are companies owned by billionaire diamond merchants Nirav Modi and Mehul Choksi. These two happen to be also close relatives. The fraud began in 2011 with a small amount of 800 crore and gradually ballooned to 11000 crore ($1.8 billion) when it was ultimately detected. This gradual increase in the size of the loss is identical to many earlier operational risk cases. For example, in the Baring bank case (1995), the fraudster Nick Lesson got deeper and deeper into the quagmire when he tried to cover up initial loss with a bigger bet, hoping that luck would turn and he would be able to get away with laurels and not a jail term of six and half years. In a similar way the rogue trader Jérôme Kerviel of Société Générale (SG) wanted to cover up trading losses to ultimately leading SG to stare at a total loss around $7 billion in 2008. Although these cases are now part of the standard literature on operational risk, it appears from the PNB event that there is complete lack of awareness or even basic understanding about the seriousness of operational risk events on the part of top management of banks and also the board of directors of Indian banks. It is a known fact that Indian banks are more concerned about submitting risk compliance reports and meet capital adequacy norms set by RBI than establishing proper risk governance architecture within their respective organization. Most of them lack basic knowledge of risk management and do not care a hoot about it also.
The full details of the PNB case are yet to be made public. But the main features of this operational risk event are now in public domain. Nirav Modi and his firms managed to procure LOU from PNB’s Brady house branch with the connivance of branch officials and using these LOU obtained short term credit from foreign branches of many Indian banks to finance import of diamonds. The LOUs were communicated with the financing branches thorough the SWIFT messaging platform. When the time of repayment arrived, Modi could get more credit through the LOU route to both pay back the old loan as also obtain fresh loan. Thus size of PNB’s contingent liabilities continued to increase without raising any alarm in the controlling offices of the LOU issuing branch. When the main fraudster within PNB retired and a new official took charge of his desk, this smoothly managed scheme, started unravelling. The new official asked for required 100% margin as collateral from Modi’s firms when they came for roll over of the outstanding LOU as before. This was a standard operating procedure as these firms were neither customers of the branch nor enjoying any credit facility from the bank. Then the digging of old records started and the enormity of the fraud came to light.
Let us now analyze the case from the risk management perspective. It is clear that this is neither a case of credit loss nor a trading loss. It is a case of both internal and external fraud. We need to seek answers to the following questions.
- Could this fraud be avoided or at least the loss amount contained?
- Was the procedural failure only on the part of PNB or even lending overseas branches banks were equally culpable? Was the connivance systematic at both at the issuing bank side as well as on the side of lending banks?
- What lessons Indian banking system should learn from this incident?
Avoiding or containing the fallout of such an incident would depend on the establishment of an effective and robust operational risk framework within the bank. The first requirement is to have a Key Risk Indicator (KRI) for all processes and tasks that a bank undertakes. In the present case, the following KRIs would have surely prevented occurrence of this incident or at least contained its loss amount. These are:
- The number of employees with tenure at a desk more than a given threshold. Depending on the potential severity of loss that can happen for a specific desk, threshold can be fixed.
- Leave record of employees- list of employees who have been manning a desk for a long period without talking leave for desks handling customer engagements.
- Reconciliations of transactions- on balance sheet as well as off balance sheet ones- as between various transactional systems, including those carried out on SWIFT platform. SWIFT itself provides a daily validation report, giving a global summary of the bank’s inbound and outbound counterparty payment /messages. If suspicious or fraudulent activity occurs, such a report provides the information y that could have helped the bank to cancel messages and recover funds. This reconciliation should be treated as a mandatory control mechanism for avoidance of occurrence of incident like this.
- Ideally, the bank should have integrated SWIFT messaging system with its Core Banking System. In the absence of this, the bank could have procured applications that generate report of all activities carried out on the bank’s SWIFT system. Many such systems are available in the market1
Apart from KRI tracking and monitoring, a bank needs to establish a Risk Control and Self-Assessment (RCSA) process across the banks’ all operational units. It is obvious that PNB did not put in place such a system in the bank despite an warning bell was rang by RBI itself about the possibility of occurrence of exactly such an event ( see speech of S.S.Mundra on September 7, 2016)2.
It is really sad state of affair in Indian banking sector that neither RBI nor the top managements of the public sector banks are seriously concerned about the risk governance architecture prevalent in these banks. For them the implementation of Basel framework starts and ends with computation of regulatory risk capital.
As regards the liability of PNB to the lending banks, we may refer to a similar case where a fraud happened at the issuing bank end and, therefore, the issuing bank refused to honor the Stand By Letter of Credit (SLBC) when it devolved on it. The fact of matter is as follows3.
Banco Ambrosiano Veneto S.P.A ( the defendant) ., an Italian bank was said to have been issued two SBLCs in favor of Industrial & Commercial Bank Ltd of Singapore ( the plaintiff). On devolvement , the Italian bank refused to pay the Singaporean bank on the plea that it never intended to issue the two SBLCs in question which were issued by one of its employee, , fraudulently, pursuant to a fraudulent scheme involving this employee , a customer, a Plaintiff’s employee and others. The case was heard by the Singapore High Court in 2001 and was decided in favor of the plaintiff bank. While deciding the case the honorable judge said the following:
It is my view therefore that SWIFT messages have the legal effect of binding the sender bank according to the contents. The fact that a recipient bank may still wish to protect itself by doing checks on credit standing or other aspects does not detract from this proposition. SWIFT communication is still subject to the general law of contract.
However, this does not mean that the recipient banks can completely absolve themselves of establishing a proper risk managements system within their banks. A continuing roll over with larger and larger amount of LOU to a group of companies from the same promoter should have alerted the recipient banks. In fact, these banks should have found out whether a single branch had the authority to issue LOUs of such magnitude. It shows lack of rudimentary risk management practices within the recipient banks also.
The only lesson that Indian banks should learn from this episode is that risk management is a serious business, not a practice for showcasing to the regulator. For the most of Indian banks risk management means hiring a consultant to prepare a guideline and procurement of an application. That is the end of it. For example, PNB boasts of having an enterprise wide Data Warehouse (DW). One should ask the bank-why all swift messages are not stored in the bank’s central repository?