Date: 2019-03-08

The RBI circular forbade banks to directly send financial messages from the SWIFT system.

By Romit Dasgupta

India’s banking industry must be watching with concern how RBI has gone on a penalising spree in the last week, fining 19 banks for failing to comply with its guidelines on the use of the global payments network SWIFT. The very fact that the penalised banks include the largest private and public banks operating in India makes one wonder just how hard it must be for banks to comply with the RBI mandate, as encapsulated in the ‘SWIFT related Operational Controls’ circular issued on February 20, 2018.

From information available in the public domain, we know the PNB fraud involving Nirav Modi occurred because the bank faltered on three levels: people, process, technology. But the primary reason why the fraud could be engineered on such a large scale and over such a long time is that there was no real-time integration between PNB’s Core Banking Solution (CBS) and the SWIFT system. Simply put, what went on in the SWIFT system had no ‘real-time’ reflection (or no record) in the bank’s CBS. Hence, SWIFT discrepancies went unchecked and unnoticed for years. Some experts have claimed that had the bank taken previous RBI advisories seriously and detected the fraud even a year earlier, it could have kept the loss to the bank limited to under $800 million.

The RBI circular forbade banks to directly send financial messages from the SWIFT system. The circular mandated Straight Through Processing (STP) between a bank’s CBS and its SWIFT system, besides listing various other controls for fraud detection and prevention at the general, pre-transmission, post-transmission and technological levels.

A thorough analysis of the RBI circular reveals that the guidelines encompass the three factors of people, process and technology—with a dominant focus on process improvement. However, not all of the guidelines or controls are easy or straightforward enough to adopt.

First, let us look at those controls that are easy to adopt, provided financial resources are not a constraint. Concerning ‘people’, RBI asked banks to ensure the users entering, passing or authorising transactions in CBS are different from those operating in SWIFT, in case CBS-SWIFT integration is pending, or if the final authorisation of transactions is still done on SWIFT. Further, banks should have the list of authorised SWIFT users, along with user privileges, readily available at any point of time, and monitor their usage closely.

To adhere to these controls, all that a bank needs to do is to separate SWIFT administration from operations. In other words, the users with operational rights should not have admin rights and vice versa.

Similarly, under ‘process’, RBI has asked banks to implement time restrictions for accessing SWIFT (banks can simply shut down SWIFT services at the end of business hours) and asked them to quickly implement STP between CBS and SWIFT messaging system. While technically feasible, STP implementation can still be costly, particularly for small and midsized banks. It is also important to note that SWIFT levies a penalty for every incorrectly-formatted transaction message that gets rejected, and, therefore, CBS must generate accurately-formatted SWIFT messages.

Under ‘technology’, banks have been asked to put in place a system to generate alerts on breach of control limits as well as other unusual features in transaction messages. A mandate like this necessitates either an upgrade of existing systems or the use of additional software. Of the 100-plus banks offering SWIFT-based international transfers in India, a significant fraction can be termed as small. Even though affordable middleware solutions exist that can ensure technical compliance with RBI-mandated guidelines, we find only large or midsized banks show an inclination to adopt these.
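The controls described above (separate CBS and SWIFT users, an access-time window, alerts on control-limit breaches, and a CBS record behind every SWIFT message) can be checked mechanically against a message log. The sketch below is an added illustration, not part of the original article or of the RBI circular; the record fields, user names, limit and access window are constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample data. Field names, users, limit and hours are assumptions,
# not taken from the RBI circular or from any bank's systems.
CBS_ENTRIES = {
    "TXN1001": {"amount": 250000, "maker": "u_anita", "checker": "u_rahul"},
    "TXN1002": {"amount": 9000000, "maker": "u_anita", "checker": "u_rahul"},
    "TXN1004": {"amount": 40000, "maker": "u_vikram", "checker": "u_rahul"},
}
SWIFT_LOG = [
    {"ref": "TXN1001", "amount": 250000, "operator": "s_meera", "sent": "2019-03-05T11:20:00"},
    {"ref": "TXN1002", "amount": 9000000, "operator": "s_meera", "sent": "2019-03-05T12:05:00"},
    {"ref": "TXN1003", "amount": 120000, "operator": "s_meera", "sent": "2019-03-05T23:40:00"},
    {"ref": "TXN1004", "amount": 40000, "operator": "u_vikram", "sent": "2019-03-05T15:10:00"},
]
ACCESS_WINDOW = (time(9, 0), time(18, 0))  # assumed SWIFT access hours
CONTROL_LIMIT = 5_000_000                  # assumed per-message limit


def check_message(msg, cbs_entries):
    """Return the alert codes raised by one outbound SWIFT message."""
    alerts = []
    entry = cbs_entries.get(msg["ref"])
    if entry is None:
        # The gap described for PNB: a SWIFT message with no CBS reflection.
        alerts.append("NO_CBS_RECORD")
    else:
        if entry["amount"] != msg["amount"]:
            alerts.append("AMOUNT_MISMATCH")
        # People control: the SWIFT operator must not be the CBS maker/checker.
        if msg["operator"] in (entry["maker"], entry["checker"]):
            alerts.append("SAME_USER_CBS_AND_SWIFT")
    sent = datetime.fromisoformat(msg["sent"]).time()
    if not ACCESS_WINDOW[0] <= sent <= ACCESS_WINDOW[1]:
        alerts.append("OUTSIDE_ACCESS_WINDOW")
    if msg["amount"] > CONTROL_LIMIT:
        alerts.append("OVER_CONTROL_LIMIT")
    return alerts


def scan(swift_log, cbs_entries):
    """Map each message reference to its alerts, omitting clean messages."""
    results = {m["ref"]: check_message(m, cbs_entries) for m in swift_log}
    return {ref: alerts for ref, alerts in results.items() if alerts}


if __name__ == "__main__":
    for ref, alerts in scan(SWIFT_LOG, CBS_ENTRIES).items():
        print(ref, ", ".join(alerts))
```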

Coming to the more challenging parts of the RBI circular, the mandate to reconcile Nostro on a real-time basis, with a stipulation to immediately escalate differences, if any, is problematic. Nostro statements from correspondent banks are received on the next working day, and reconciliation is, therefore, undertaken only on the next business day by back office staff involved in daily accounting of transactions. How banks can transform this once-a-day reconciliation into a real-time process is a question nobody has a good answer to.

Further, banks are mandated to subscribe to online monitoring services of correspondent banks so as to monitor the transactions as they happen. As of today, there is no online access available to view Nostro accounts with a correspondent bank abroad, and the only way for banks to comply with this requirement is to set up separate systems and agreements with each correspondent bank—a daunting task.

In conclusion, Indian banks have, no doubt, found it challenging to fully comply with the RBI guidelines, resulting in penalties being imposed by the central bank. But do these lapses mean banks still remain vulnerable to more scams in the future? We do not have an easy answer for this question yet, but smaller banks in particular remain vulnerable.

(Founder & MD of the fintech firm Globsyn 3rd.Life)