Composed by a reader and a well-wisher in verse form!
A banker, she dies, soon after she has deposed
A chairman, he dies, in him trust was reposed
A server, it’s hacked, in it untold secrets composed
Illicit finance and crime coalesce in a thriller proposed
Will all be unravelled as Inspector Ranade disposed?
A roller coaster ride, if ever there was one
A corporate thriller with twists that get undone
Criminals and crooks with scruples none
Keeps you riveted, as the culprits are on the run
Try solving this locked room mystery, it’s fun!
The Reserve Bank Governor is spot on when he says that Indian banking is in the midst of a revolution. The Unified Payment Interface (UPI) launched yesterday is nothing short of revolutionary.
Mobile banking so far has been about doing a few things with your bank account using your mobile phone. It is largely restricted to the bank in which you have your account. UPI now takes it to a new level – it cuts across banks. You can now have a single identifier that can be used across all banks.
The positives are many, as can be gleaned from today’s business newspapers. It can potentially replace digital wallets that impose boundaries on where you can use them. Paytm, for instance, can be used to pay for Uber rides, but not Ola. UPI, once rolled out, will enable you to make mobile-based payments for virtually anything.
But along with this unprecedented convenience comes unprecedented responsibility.
Until a few years ago, your physical signature was your identifier. The advantage was that it couldn’t be ‘stolen’ from you. Yes, a forger could duplicate your signature, but that called for uncommon forging skills. Unfortunately in the digital era, your digital signature can be stolen and replicated if you happen to be careless. And money can vanish in seconds.
Access to our mobile numbers and emails are rapidly taking on a central role in our digital ids, for that is what financial institutions use to validate our identities. Be careless about these, and you will leave yourself open to unprecedented levels of fraud.
One would do well to understand the risks that come with UPI, as there are any number of ways to steal your digital identity. Make sure that you know your way about before jumping headlong into UPI.
The previous post made the case for banks to focus on the proverbial elephant in the room, i.e. fraudulent loans. With loan frauds touching 12% of PSU banks’ net profit, the case cannot be clearer.
Consider the following incidents:
- The stock in a warehouse is pledged for three different loans, and none of the banks knows that the stock is pledged to others.
- A loan is given to ‘ABC Cables’ for factory renovation, but the factory remains shut. The watchman says that the promoter can be found only at the newly refurbished ‘ABC Bar & Restaurant’.
- A property worth 20 crores bears a valuation certificate showing its value as 40 crores.
- An expensive new CNC machine is hypothecated to three different banks, but the machine in reality is a 25-year old fourth-hand wreck.
- The collateral for a loan is stock, but the actual stock is one-fifth of what it is on paper. And the bank doesn’t have keys to the warehouse.
- Newly supplied cartons of computers have only stones and thermocol.
- An auditor certifies the finished goods inventory to be three times the actual inventory.
None of these is of the scale of the alleged Syndicate Bank scam, but few of these, if any, would be unfamiliar to seasoned bankers. It is such frauds, along with some sophisticated ones, that have cost the banking sector Rs. 16,690 crores between 2010 and 2013.
How did this happen? The problem lies as much within banks as in the wider ecosystem, and the weaknesses are both behavioural in nature and systemic.
Basic banking tenets are ignored when operating staff view a bank’s requirements as blind procedures to be followed, or when supervisors pressurise their staff to cut corners. Some are happy to tick the boxes without doing the necessary due diligence. A good part of loan frauds is due to sheer negligence or lack of tools, but another part involves collusion.
While frauds are discovered only when repayment default occurs, their causes lie in weaknesses in the earlier stages of the loan process.
As with any malaise, prevention is better than cure. To do this, we need to improve operating effectiveness within banks, and at the same time, we must implement a central anti-fraud mechanism that can be shared by banks
Improving operational effectiveness
While processes may vary across banks, some key aspects of the loan life cycle are common, and need close attention (see graphic below).
The idea is to make bankers at all levels more accountable and less susceptible to pressure from their bosses. The operating level person who gathers information claims innocence, as he was not the person who had approved the fraudulent loan. At the same time, the bank’s management disclaims responsibility, saying that their decisions are only as good as the information they get. Who then, is responsible? Clearly, it must be both.
According to Deloitte’s Indian banking fraud survey, the top two reasons for frauds are lack of supervision (73%) and pressure to meet targets (50%). This suggests that the management is as responsible as the staff. Unless both are held accountable, provided appropriate tools, and incentivised, it is difficult to see the situation changing.
A bank afflicted by loan frauds must take several steps.
- Firstly, it must commission a fraud risk assessment of the loan process, which will help identify weak areas and take corrective measures.
- Next, it must institute a practice of conducting independent external audits on a random sample of loans. These audits must include surprise physical verification of collaterals, and independent validation of documentation and valuations.
- Third, whenever a fraud occurs, it must trace the histories of colluding employees to identify frauds they may have earlier been perpetrated.
- And finally, it needs to modify employee appraisal systems to bring frauds into focus, and make fraud management central to a bank’s balance scorecard. This must be supplemented with disciplinary action that includes criminal charges.
Even after implementing these steps, the work would only be half done. The other half involves anti-fraud tools.
Do bankers have the necessary tools to detect potential loan frauds? How do they profile loan applicants? How do they inquire into a promoter’s past loan history? How do they know that a collateral is not already pledged elsewhere? For this, we must turn to the second set of actions: implementing a centralised anti-fraud mechanism.
A central anti-fraud system
While RBI has a central fraud monitoring cell, it does not have the necessary tools to prevent frauds. RBI (or some other central agency) must build a centralised system that enables banks to catch potentially fraudulent loans in time by exchanging information on frauds, collaterals, defaults and fraudsters.
Just as a shared claims register helps insurance companies fight duplicate claims, a shared facility will help banks prevent sanctioning fraudulent loans. And if one is sanctioned, it can prevent the disbursal of funds. The central anti-fraud system should have details of all frauds, loans, defaults, defaulters, failed companies, promoters, their close associates, collaterals and fraud schemes. But it must be done in a way that doesn’t compromise the privacy of borrowers.
A promoter or an employee who hits upon a successful fraud scheme is unlikely to stop with one fraud. A shared facility will help nip it in the bud. Similarly, a valuer who overvalues collaterals can be caught sooner rather than later. Wilful defaulters can be pushed out of the banking system.
It is also important to maintain an ‘incident register’ with details of suspicious incidents that are yet to be declared fraudulent. These incidents may be under investigation or under a legal process, but it is critical that other banks are made aware of suspicious activity at the earliest. This incident register must be designed carefully to ensure that privacy and legal rights of customers are not violated. A metadata approach may prove useful in this regard.
The above graphic outlines the concept of a central anti-fraud system. The system must be adaptive, and should be able to flag high-risk promoters, companies and loan applications, after taking into consideration the linkages mentioned in the graphic. In time, it should be able to take in loan application details and give it a risk rating.
Powerful analytic tools are now available, but for them to be effective, they need to be imaginatively combined with an understanding of the fraudster’s methods and the vulnerabilities of our banking systems. Sound design will be key, and the system must have the inbuilt ability to learn on the job. With fraudsters staying a step or two ahead of banks, we will need some sharp minds to participate in this initiative.
There will be those who will seek to thwart the initiative, but the time has come for the banking sector to take some serious steps to fight fraudulent loans.
Here is a stunning statistic: banking fraud has grown eleven times faster than banks’ profits have. PSU banks saw fraud grow at a CAGR of 102% between 2010 and 2013, when their profits grew at 9%.
One may be tempted to think that this unprecedented malaise must be due to across-the-board vulnerabilities in banks. It is not. Banks have contained certain kinds of fraud very well, but have been spectacularly unsuccessful in dealing with some others.
Shareholder wealth eroded
Disaggregated data on frauds for individual banks is not easily available. However, a recent article by S Pai and M Venkatesh, which was based on RTI data, offers an interesting insight. When their information is combined with IBA’s bank performance data, the impact of fraud becomes visibly shocking (see chart below).
One bank has lost more to fraud than its entire profit. Even the country’s largest bank lost a large chunk of its profits to fraud. The banks in between, which are smaller and earn less, have fared worse. But are these banks representative of the banking sector? Or, are they just outliers that make sensational news? What then is the situation in the sector as a whole?
Combining data from RBI and IBA shows that frauds in PSU banks as a whole stood at 12% of their combined profits in 2013. In any company, the management would be willing to go to great lengths to bring 12% additional profitability. Surely, there is a case for banks to look at frauds seriously?
Projecting the impact of this malaise further, we find that effective fraud management could potentially add a whopping Rs 52,000 crores to shareholder wealth. To put it in perspective, that’s more than the GDPs of 40% of India’s states! This is most likely an underestimate, as the market would reward increased diligence with a higher PE ratio.
Further, bear in mind that RBI’s data includes only reported frauds. Even if we assume that all detected frauds were reported, these figures do not include undetected frauds. Nor does it include incidents that are under investigation, or have not yet been declared fraudulent. Bringing all frauds into the equation would only paint a darker picture.
The elephant in the room
But what kind of frauds are we talking about? Bring up the topic of fraud, and what gets spoken about are phishing, credit card misuse, account hacking, and online/ATM frauds – i.e. technology related frauds. With billions of automated transactions taking place every month, it is not humanly possible to monitor such volumes. Banks therefore turn to technology for a solution, and rightly so.
Software vendors have taken note of this. They offer real time fraud detection tools for online banking, sophisticated pattern recognition algorithms, and a whole range of software products to combat technology fraud. This is indeed welcome, as we need these tools.
To be fair, we have not done badly in mitigating technology fraud risk. In some ways, online credit card transactions are safer in India than elsewhere. The additional authentication factor of sending an OTP to the customer’s mobile phone, for instance, has made online transactions considerably safer in India. This additional authentication factor is missing in many countries. If an overseas merchant’s website is hacked, tens of thousands of customers are immediately at risk.
But in all this discussion, we are missing the elephant in the room.
While technology related frauds account for a whopping 98% of the fraud cases reported, they contribute to a mere 2% of the value. The real elephant in the room is what RBI calls ‘advance related frauds’ – i.e. fraudulent loans.
Between 2010 and 2013, we had 1.12 lakh cases of technology fraud adding up to Rs. 357 crore, whereas a mere 2,760 cases of loan fraud set the sector back by a staggering Rs. 16,690 crore. The loan fraudster is enjoying an unprecedented run.
Technology fraud, on which we focus much of our attention, is now a relative fleabite. It is so because of the attention it has received. Banks have waged war on technology fraud, and have succeeded. But in focussing on technology, we have neglected another vulnerable area – loans. It is in the loans and advances business of banks that the fraudster now stalks.
This disparity between the two kinds of frauds is a result of two things. Firstly, the supply base of tools for fighting technology fraud is well developed. Unfortunately, this is not the case with loan frauds – there are few software products that banks can buy off the shelf. Secondly, the human element (along with the vagaries and moral hazards that come with it) is considerably larger with loan frauds, and the fraudster is seldom alone.
Technology fraudsters are like mosquitoes – they come into your house through windows and cracks, but their damage is limited. But the loan fraudster is a burglar – he breaks in through the back door and makes off with the family silver.
The banking sector has done well in mitigating the technology fraud risk, but hasn’t done enough on the loans front. This has left residual vulnerability in the system that fraudsters have exploited. It is to this that the sector must now turn its attention.
This dire need is underlined by a glance back at RBI’s data. While loan related frauds grew at an astonishing CAGR of 87%, technology frauds have been almost static with a mere 2% growth. Besides, a typical loan fraud is a thousand times larger than a technology fraud.
Tackling loan frauds will be a lot tougher than combating technology frauds. Issues of governance, collusion, negligence and a host of moral hazards will need to be addressed. Software packages that are so effective in mitigating technology fraud risk may be of limited assistance. Further, an unprecedented level of cooperation between banks will be called for.
Part 1 of this article has attempted to make the case for banks to turn the spotlight on loan frauds. Part 2 will discuss what they and the RBI must do to combat this malaise.