Blog Archives

In ourselves we trust

Let me state at the outset that I believe the current uproar about Facebook (FB) and Cambridge Analytica (CA) is justified. Whether it leads to anything substantial or not, a public conversation about how private data is harvested and used was long overdue.

Of course, a key reason it has garnered so much attention is that it was a US election that was allegedly meddled with. Many other elections may have been manipulated in the past as this article suggests, but little notice has been taken of the matter.

With that context, here is a perspective:

As long as there is money to be made by influencing individual choices, people will try to shape those choices, both overtly and covertly. FB and CA are just recent instances. It may well have been some other firm. Even if these two firms are “dealt with”, the future will see more firms misusing our private data. To that extent, FB and CA are almost incidental. As long as there are ways to pry into our lives and manipulate us, people will attempt to do so.

Consequently, it is up to us voters and consumers to guard against it, and not take the easy option of assigning the entire blame to FB or CA. Yes, there is an urgent need for an entirely new set of standards around how private information is harvested and used. And hopefully, we will see something on that very soon.

Meanwhile, as a private individual, I have little or no ability to influence what Facebook, Google and their like do with my data. Nor can I meaningfully influence what our lawmakers will come up with. My only way forward is to look inward and reassess my own response. And be less gullible.

But first, let me take a step back.

Influencing voters is not new. It has been happening for as long as politics has been around. Be it strident TV anchors drowning our views with their clamour, or wily columnists putting out polished pieces that appear balanced and objective, or whisper-campaigners insidiously biasing us, manipulating our choices has been an established occupation for a long time. The issue under discussion is just the next chapter in the same sordid drama.

Stripped of jargon and technology, isn’t CA also doing the same old thing? They too tried to influence voters, just as some in the established media have been doing. Some have even gone to the extent of setting up fake think-tanks and trying to manipulate Wikipedia’s content to boost one person’s reputation and tarnish another’s. This is in addition to “placing” articles and op-ed in the traditional press.

Thus, what we are seeing in the social media now, is nothing new. FB and CA are mere actors in the latest episode of an ongoing saga (check out this and this article).

Are such machinations the preserve of any one part of the political spectrum? I think not. Some employ crude methods because they know no better. Others take a nuanced and a less obvious approach, wherein they appear erudite and independent (and therefore more credible). And a few even resort to planting crass posts that have ostensibly been authored by their opponents.

At the end of the day, we, the voters and consumers, are the victims of it all. This flood of duplicity will take newer forms as time goes by. Our best defence would be to develop the ability to see through such manipulations and to erect mental defences.

The first step is to become sceptical – even cynical – about anything I receive on social media or through the traditional media. I must not accept something just because it is neatly typed out and formatted. Nor should I blindly accept opinions without first understanding the writer’s and/or the publisher’s predispositions.

Among the most virulent of campaigns are the ones executed on messaging platforms such as WhatsApp, where there is no practical way of tracing back malicious posts to their sources. Anonymity, we have seen, spawns irresponsibility.

Unfortunately, many of us knowingly abet this malice. We don’t think twice before forwarding (and thereby propagating) venomous messages that resonate in our own echo chambers. Sometimes, our conscience troubles us just enough for us to add “forwarded as received” to the message, and we hold ourselves absolved.

This deception is not the preserve of politics. A WhatsApp message has been circulating over the past year about a certain breakfast cereal brand. The message tries to malign the brand by suggesting that the manufacturer uses pork and beef gelatine in its products. Who authored such a message, is anyone’s guess. But the person who stands to gain the most would be a competitor.

In summary, this is not just about FB or CA – they are mere examples. The issue is much larger. Trust is rapidly becoming a scarce commodity in this hyper-connected world of ours. Publishers, platforms and content creators are adapting to this changed reality (and opportunity).

So should we, as voters and consumers. In this endeavour, scepticism would probably be our best ally.



A rhyme about FRAUDSTER from a reader

Composed by a reader and a well-wisher in verse form!

A banker, she dies, soon after she has deposed
A chairman, he dies, in him trust was reposed
A server, it’s hacked, in it untold secrets composed
Illicit finance and crime coalesce in a thriller proposed
Will all be unravelled as Inspector Ranade disposed?

A roller coaster ride, if ever there was one
A corporate thriller with twists that get undone
Criminals and crooks with scruples none
Keeps you riveted, as the culprits are on the run
Try solving this locked room mystery, it’s fun!

A Wounded Unicorn

As cash crunches strike e-tailers, valuations plummet and down-rounds loom large, the stark reality facing e-commerce unicorns become clear for all to see. Protestations that all is well, and attempts to talk up valuations become less credible by the day. As boardroom conflicts escalate and the day of reckoning fast approaches, a shake-out in the sector becomes imminent. The e-commerce sector becomes a pressure cooker.

Against this backdrop, take a hypothetical e-tailer unicorn that is facing a cash crunch. What if the e-tailer suddenly discovers bugs in its offices and finds that it is the target of corporate espionage? To make matters worse, an investor disappears and a massive data theft follows.

The all-important funding round stalls.

As the stakes escalate and risk surges inexorably, murder follows.

This is the fictional tale narrated in SABOTEUR, the latest corporate thriller set in Bangalore. As bots mimic humans in the Indian cyberspace, men risk millions in Hong Kong. A story of a wounded unicorn and its venture fund investors.

Institutionalizing Insider Trading?

Insider trading, I’ve often thought, must be one of the easiest white-collar crimes to pull off. Even easier than procurement fraud, which must be one of the most pervasive.

Someone in the accounts department of a listed company tells his friend or relative: ‘We’ve done better than expected this quarter. We’ll beat market expectations.’ The friend promptly buys a hundred shares of the company. And when the results come out and the share price surges, the friend is a few thousand rupees richer.

Now, how do prosecutors even begin to establish that price-sensitive information was used to profit from the trade? Unless, of course, the insider was foolish enough to put his tip on an email or a text message. Not only is insider trading easy to pull off (at least on a small scale), it is also horrendously difficult to prove.

There are tens of thousands of people in listed companies who possess such price-sensitive information from time to time. It’s not just the blokes in the accounts department, but also others too – both employees and outsiders (auditors, consultants, I-Bankers, advisors, etc.).

During my tenure at the Big Four audit/consulting firms, this was something we had to constantly look out for. The law explicitly prevents auditors and consultants from divulging such information – inadvertently or otherwise – to any party who may benefit from it. And we were prohibited from owning stocks of companies we audited or advised. Independence/propriety is indeed a big deal at these firms.

Be that as it may, many do believe that insider trading is prevalent in India. On a small scale, at least.

A couple of years back, I was wondering how insider trading could be ‘institutionalized’ (by a hypothetical Indian Prof. Moriarty, if you will) and scaled up. I sat down and ‘designed’ a suitable mechanism. To my delight, I found the scheme eminently workable, and reasonably watertight. And more importantly, it could be implemented with simple technology that is widely available.

I then put on another hat (that of an investigator or SEBI), and began looking at how one would go about discovering and unraveling the insider trading scheme once it was implemented. Clearly, that would require sifting through tons of stock market data, and possibly the use of analytics.

Once I had both ends of the scheme figured out, I built a murder mystery around it. That became Insider, the novel that Hachette has just released. If you do get to read it, please drop me a note. I’d like to hear what you think of the workability of the little scheme.

Banking: Unprecedented convenience brings unprecedented responsibility

The Reserve Bank Governor is spot on when he says that Indian banking is in the midst of a revolution. The Unified Payment Interface (UPI) launched yesterday is nothing short of revolutionary.

Mobile banking so far has been about doing a few things with your bank account using your mobile phone. It is largely restricted to the bank in which you have your account. UPI now takes it to a new level – it cuts across banks. You can now have a single identifier that can be used across all banks.

The positives are many, as can be gleaned from today’s business newspapers. It can potentially replace digital wallets that impose boundaries on where you can use them. Paytm, for instance, can be used to pay for Uber rides, but not Ola. UPI, once rolled out, will enable you to make mobile-based payments for virtually anything.

But along with this unprecedented convenience comes unprecedented responsibility.

Until a few years ago, your physical signature was your identifier. The advantage was that it couldn’t be ‘stolen’ from you. Yes, a forger could duplicate your signature, but that called for uncommon forging skills. Unfortunately in the digital era, your digital signature can be stolen and replicated if you happen to be careless. And money can vanish in seconds.

Access to our mobile numbers and emails are rapidly taking on a central role in our digital ids, for that is what financial institutions use to validate our identities. Be careless about these, and you will leave yourself open to unprecedented levels of fraud.

One would do well to understand the risks that come with UPI, as there are any number of ways to steal your digital identity. Make sure that you know your way about before jumping headlong into UPI.

Corporate India is great for crime fiction

This blog was originally published as a guest post at Printasia.

A question I frequently get asked is whether I had any specific purpose behind writing Fraudster. Was I irked by the atmosphere in corporate India, one newspaper journalist asked. Did I want to expose their wrongdoings, another interviewer wanted to know.

The answer is an unequivocal ‘No’.

I’ve had lots of fun during my three decades in the corporate world, and some of my best experiences have been there. Not to mention some of the brightest minds and the finest human beings I met, and the many friends I made there. Far from being irked, I am thankful to the corporate world for showing me an avenue in which to try my creativity.

Why then did I choose to write a novel about some murky realities of the banking world?

The fact of the matter is that the corporate world is a fertile ground for stories – inspirational or fictional. It is a melting pot of many types of people; men and women driven by different sets of values, priorities and motivations. Each one has a different worldview, and the environment has far more than fifty shades of grey.

It has a fascinating interplay of every emotion one can think of, and every kind of conflict. Fiction, after all, is about emotive conflict. Consequently, the corporate world lends itself wonderfully to crime fiction.

The stakes are high too. A person who is worth a million dollars in his private life may be running a 500 million dollar business. A banker who may be worth even less, could be handling a loan portfolio worth billions. A peculiarity of banking is that ordinary men and women handle vast amount of other people’s wealth. Billions upon billions of dollars of it.

If a banker falls to temptation and siphons off a small part of the money he oversees, he can gain a lot more than he can hope to gain by any deception in his private life. The potential payoffs for crime, especially white-collar crime, is huge.

That, in turn, provides one of the essential ingredients for crime – motive.

That’s not all. The corporate world also provides a virtually unlimited supply of the other two key ingredients as well – opportunity and means. With all three main elements covered, it becomes an ideal milieu for crime fiction.

But merely setting a murder in a corporate office, or robbing an ATM, does not make it a corporate crime. The nature of the deception and the modus operandi of the crime must have business processes at its heart. It must find or construct credible loopholes in the way businesses are run, and must take advantage of them.

To do that, a writer must have spent sufficient time in the corporate world and observed its failings. There must be millions of people who have done that, but yet, we have very little corporate crime fiction in bookstores. Apart from John Grisham, there are very few authors who write good fiction of this variety. I wonder why?

Elephant in the Room – Part 1

Here is a stunning statistic: banking fraud has grown eleven times faster than banks’ profits have. PSU banks saw fraud grow at a CAGR of 102% between 2010 and 2013, when their profits grew at 9%.

One may be tempted to think that this unprecedented malaise must be due to across-the-board vulnerabilities in banks. It is not. Banks have contained certain kinds of fraud very well, but have been spectacularly unsuccessful in dealing with some others.

Shareholder wealth eroded

Disaggregated data on frauds for individual banks is not easily available. However, a recent article by S Pai and M Venkatesh, which was based on RTI data, offers an interesting insight. When their information is combined with IBA’s bank performance data, the impact of fraud becomes visibly shocking (see chart below).

Fraud as percentage of net profit

One bank has lost more to fraud than its entire profit. Even the country’s largest bank lost a large chunk of its profits to fraud. The banks in between, which are smaller and earn less, have fared worse. But are these banks representative of the banking sector? Or, are they just outliers that make sensational news? What then is the situation in the sector as a whole?

Combining data from RBI and IBA shows that frauds in PSU banks as a whole stood at 12% of their combined profits in 2013. In any company, the management would be willing to go to great lengths to bring 12% additional profitability. Surely, there is a case for banks to look at frauds seriously?

Projecting the impact of this malaise further, we find that effective fraud management could potentially add a whopping Rs 52,000 crores to shareholder wealth. To put it in perspective, that’s more than the GDPs of 40% of India’s states! This is most likely an underestimate, as the market would reward increased diligence with a higher PE ratio.

Further, bear in mind that RBI’s data includes only reported frauds. Even if we assume that all detected frauds were reported, these figures do not include undetected frauds. Nor does it include incidents that are under investigation, or have not yet been declared fraudulent. Bringing all frauds into the equation would only paint a darker picture.

The elephant in the room

But what kind of frauds are we talking about? Bring up the topic of fraud, and what gets spoken about are phishing, credit card misuse, account hacking, and online/ATM frauds – i.e. technology related frauds. With billions of automated transactions taking place every month, it is not humanly possible to monitor such volumes. Banks therefore turn to technology for a solution, and rightly so.

Software vendors have taken note of this. They offer real time fraud detection tools for online banking, sophisticated pattern recognition algorithms, and a whole range of software products to combat technology fraud. This is indeed welcome, as we need these tools.

To be fair, we have not done badly in mitigating technology fraud risk. In some ways, online credit card transactions are safer in India than elsewhere. The additional authentication factor of sending an OTP to the customer’s mobile phone, for instance, has made online transactions considerably safer in India. This additional authentication factor is missing in many countries. If an overseas merchant’s website is hacked, tens of thousands of customers are immediately at risk.

But in all this discussion, we are missing the elephant in the room.

While technology related frauds account for a whopping 98% of the fraud cases reported, they contribute to a mere 2% of the value. The real elephant in the room is what RBI calls ‘advance related frauds’ – i.e. fraudulent loans.

Fraud value  in Indian Banks

Between 2010 and 2013, we had 1.12 lakh cases of technology fraud adding up to Rs. 357 crore, whereas a mere 2,760 cases of loan fraud set the sector back by a staggering Rs. 16,690 crore. The loan fraudster is enjoying an unprecedented run.

Technology fraud, on which we focus much of our attention, is now a relative fleabite. It is so because of the attention it has received. Banks have waged war on technology fraud, and have succeeded. But in focussing on technology, we have neglected another vulnerable area – loans. It is in the loans and advances business of banks that the fraudster now stalks.

This disparity between the two kinds of frauds is a result of two things. Firstly, the supply base of tools for fighting technology fraud is well developed. Unfortunately, this is not the case with loan frauds – there are few software products that banks can buy off the shelf. Secondly, the human element (along with the vagaries and moral hazards that come with it) is considerably larger with loan frauds, and the fraudster is seldom alone.


Technology fraudsters are like mosquitoes – they come into your house through windows and cracks, but their damage is limited. But the loan fraudster is a burglar – he breaks in through the back door and makes off with the family silver.

The banking sector has done well in mitigating the technology fraud risk, but hasn’t done enough on the loans front. This has left residual vulnerability in the system that fraudsters have exploited. It is to this that the sector must now turn its attention.

This dire need is underlined by a glance back at RBI’s data. While loan related frauds grew at an astonishing CAGR of 87%, technology frauds have been almost static with a mere 2% growth. Besides, a typical loan fraud is a thousand times larger than a technology fraud.

Tackling loan frauds will be a lot tougher than combating technology frauds. Issues of governance, collusion, negligence and a host of moral hazards will need to be addressed. Software packages that are so effective in mitigating technology fraud risk may be of limited assistance. Further, an unprecedented level of cooperation between banks will be called for.

Part 1 of this article has attempted to make the case for banks to turn the spotlight on loan frauds. Part 2 will discuss what they and the RBI must do to combat this malaise.

Elephant in the Room – Part II