$1.8 Billion Fraud Case at PNB Raises Security Questions
Security Experts Analyze What May Have Gone Wrong
Some security practitioners are questioning the audit standards and internal controls maintained by state-run Punjab National Bank in the aftermath of the bank's Wednesday announcement that it had detected fraudulent transactions totaling more than $1.8 billion (INR 11,500 crore).
The country's second biggest state-run lender said in its regulatory filing that the transactions were "for the benefit of a few select account holders with their apparent connivance" and that "based on these transactions other banks appear to have advanced money to these customers abroad."
PNB has filed a complaint with the Central Bureau of Investigation alleging that billionaire diamond merchant Nirav Modi, and companies linked to him, fraudulently acquired PNB guarantees that they later used for obtaining loans from abroad. The bank alleged that Modi worked with some junior PNB officials to get the guarantees.
It all apparently began with Modi's diamond firms approaching PNB to open letters of credit (a letter issued by a bank to another bank, especially one in a different country, to serve as a guarantee for payments) to fund the import of rough stones, according to The Economic Times.
Under the terms of the letter of credit, PNB would pay the overseas suppliers on behalf of Nirav Modi's firms within a certain period (typically three months) and recover the money from Modi, the newspaper reports.
This is normally done on the basis of letters of understanding, or LoUs. But in this particular case, PNB employees issued fake LoUs, on the basis of which foreign branches of Axis Bank and Allahabad Bank gave loans to PNB. Based on unauthorized LoUs, the PNB employees misused the SWIFT network to transmit messages to Allahabad Bank and Axis Bank on fund requirements, according to news reports.
"Punjab National Bank has come across certain fraudulent Letter of Undertakings issued by two of its employees, namely Gokulnath Shetty and Manoj Hanument Kharat, in connivance with a firm belonging to Nirav Modi, Nishal Modi, Ami Nirav Modi and Mehul Chinubhai Choksi partners of M/S Diamond R US, M/S Solar Exports and M/S Stellar Diamond," the bank said in a statement.
"In the bank, these transactions are contingent in nature and liability arising out of these on the bank shall be decided based on the law and genuineness of underlying transactions," PNB said.
Meanwhile PNB CEO Sunil Mehta says the bank is continuing its investigation. "We have also taken action on the supervisory lapses," Mehta told The Hindu. "We have suspended some, and our inquiry is on. We are not going to allow any wrongdoing to continue and will remove this cancer. From 2011, this cancer has continued. We are doing surgery and are removing it."
The lack of monitoring and control exercised by top management at banks and the lack of controls by concurrent auditors can lead to fraud, some security experts say.
"In this particular case, one can identify the failure of the internal controls of PNB in not properly recording the message sent out of SWIFT," says Na. Vijayashankar, a cyber law expert.
Rakesh Goyal, managing director at Sysman Computers, an auditing firm, says: "Senior level officers cannot escape responsibility for not monitoring and controlling all transactions. These transactions happened in the SWIFT system, which has a clear audit trail. Why wasn't the audit trail matched with corresponding entries in core banking system?"
And C.N. Shashidhar, founder of SecurIT Consultancy, contends: "This incident shows lax implementation of AML at this bank. One also wonders how system alerts must have been stopped by insiders when such incident occurred without the top brass of the bank not being aware."
PNB did not respond to Information Security Media Group's request for comment.
Banking Software Failure?
Security experts say banks need to ensure that the digital banking software they use has a fraud prevention mechanism built in.
"Unless banks in India and the software companies providing CBS software don't understand the fraud prevention requirements to be built into the software, we will continue to see more of such frauds not only in the banking domain but also in other fields," Vijayashankar says.