As the crisis at Punjab and Maharashtra Cooperative Bank unfolded, it emerged that top management at the lender had managed to hide the extent and status of loans given to entities related to the HDIL Group for years.
The modus operandi, as revealed by the bank's former managing director in a confession letter, involved marking loans as standard even when they were non-performing and using ‘dummy' accounts to hide the extent of loans given to that one group.
A factoid included in the First Information Report filed by the Economic Offences Wing of the Mumbai Police gives an idea of how widespread the violations were.
Core Banking System: The IT Backbone
The alleged fraud at PMC Bank has raised questions about the checks and balances imposed on a lender's IT systems.
Most banks are now on what is known as the ‘core banking system', which was intended to standardise banking functions ranging from daily transactions to financial reporting. It's the backbone on which all scheduled commercial banks now function.
Urban cooperative banks too have been transitioned towards CBS to improve their functioning. Of the 1,542 UCBs in the country as of March 31, around 1,436 banks have implemented a CBS, said two persons with direct knowledge of the case. They spoke on the condition of anonymity.
The CBS is the main ledger system for banks. It collates customer information and non-financial information of borrowers and depositors. It also prepares financial statements and reports on the bank's portfolio.
Still, the CBS requires bank staff to manually input data and documents. Once the information is fed in, the software perform its analytic functions automatically.
Technical guidelines issued by the Institute for Development and Research in Banking Technology in August 2017 define the data variables and documents to be collected by staff. It also provides a framework for ‘rule-engines' and ‘access-control' to the software.
While the former details the kind of analytics or calculations the CBS software will perform based on the available data, the latter defines the levels of authorisation needed to change these rules.
WATCH | Advait Palepu explains how PMC Bank officials covered up loans to HDIL group companies.
Where The Manipulation May Occur
Tarun Bhatia, managing director at corporate investigations and risk consulting firm Kroll said banks usually appoint a specific administrator to manage the CBS. The administrator could be an internal employee, supported by staff of the IT vendor.
Only these IT managers or administrators have the ability to design and modify the rule-engine and the access-control framework.
“There is a laid-down process for any change to be made in the CBS,” he said. “If the credit or risk department wants a change to the rule-engine, for example, they have to propose the change, these get collated and approved before they are shared with the relevant administrator.”
These recommended changes would require discussion and approval from other departments and senior bank executives, including the board in some cases, Bhatia said. He added that the approval process would would have been evaded or there would have been collusion for the CBS to be manipulated as part of a fraud.
Mukul Shrivastava, partner-forensic and integrity services at EY India, said changing the ‘rule-engine' without proper authorisation is a common occurrence in fraud cases.
For example, the rules for classifying the loan as a default needs to be in place first before the account can be ‘flagged' as a non-performing asset. If the rules for NPA classification are changed at the back-end, for example from 90-days overdue to 100-days overdue, the CBS would not flag the default on the 91st day, Shrivastava explained.
A senior forensic partner at a consultancy firm, who spoke on condition of anonymity, said that in order to create 21,049 dummy accounts in the CBS, as alleged in the case of PMC Bank, the KYC documentation or counter-checks to see if the account is connected to other borrowers of the bank or if they have outstanding loans would not have been performed by the CBS.
This is only possible if the rule-engine was changed or if the CBS system isn't linked seamlessly with other systems like the loan management system, treasury software or customer on-boarding software or database, the expert said.
A second forensic auditor, who also spoke on condition of anonymity, said that since access to back-end software systems is restricted to a few people, if those people are involved in a fraud, others in the bank may not immediately notice any wrongdoing.
The Investigation Process
In the case of PMC Bank, former Managing Director Joy Thomas has admitted to hiding the volume and status of loans given to the HDIL Group. In a confession letter to the RBI, Thomas said that all decisions were taken by him.
As such, the burden of investigators may reduce.
Typically, in a case of this nature, investigators would try and determine who changed the rules of the CBS, since the software automatically creates logs for all users, Shrivastava said.
But this is function, too, can be tampered with.
In several such cases, EY has found that logs are often not enabled in the first place, or are disabled later, or even purged after a short duration, Shrivastava said, adding that, “as a proactive step, organisations should maintain all critical logs for, say up to three years.”
The government has appointed Grant Thornton India LLP as forensic auditors in the PMC Bank case, The Economic Times reported. The firm declined to comment.
Queries sent to the Reserve Bank of India and National Bank for Agriculture and Rural Development on Monday went unanswered.
Essential Business Intelligence, Continuous LIVE TV, Sharp Market Insights, Practical Personal Finance Advice and Latest Stories — On NDTV Profit.
