Monday, February 19, 2018

Tip of the iceberg?

The headlines are screaming about the 11000 crore loss of public funds and honest taxpayers' money, and understandably so. There is no doubt that this is one of the single largest cases of fraud that has come to light, I must add. We don't know how many more are hidden in the closets, or should we say bank lockers.
But I am surprised as to why no one is talking about the 7+ Lakh Crores NPAs (doubtful debts) of public sector banks. Isn't that loot of the public funds? The 11000 Crores in question is only a fraction of this bounty. Why aren't the honest taxpayers questioning this? The RBI has recently rolled out new NPA rules for banks, but is it too late? How did it allow the problem to grow to such huge numbers? I have serious doubts on the quantum of recoverability of these NPAs. If properly investigated, many of these NPAs could turn out to be frauds similar to the case at hand.
Is this a failure of governance and risk management systems in banks or something more sinister?
Coming back to the case in the spotlight and assuming it’s a case of controls failure, let’s see what could have gone wrong:
People
- There was no role rotation for the employee for years together
- There was collusion between the manager and clerk, and possibly a few others in the hierarchy as well
- The bank employees shared passwords of bank systems with bank clients
Technology
- No integration between SWIFT and core banking. There could be other peripheral systems used in banks which have no integration with the core banking platform
- Poor identity and access management systems
Process
- No or ineffective reconciliation between the core banking and SWIFT systems
- Collaterals were not taken against the LoUs
Assurance & Governance
- Risk Management, Vigilance and Internal Audit did not detect or report any discrepancies in controls
- The HR appraisal system did not detect the discrepancy in job rotation
- Regulatory and external audits also did not find any discrepancies
- The whistleblower system was not effective; suspicions had been reported but no action was taken

There could be more control failures which may emerge during the course of the investigation. If so many controls were either not implemented or ineffective, or, even worse, discrepancies were detected and suppressed, then it is more a systemic risk and not just an operational risk. If it is a systemic issue, then merely reinforcing controls will not help mitigate this risk; it needs a complete redesign. If we try to retrofit a modern facade on an archaic architecture, there will always be gaps.
