Punjab National Bank Officials Shared Passwords Compromising Data Security

Punjab National Bank Officials Shared Passwords Compromising Data Security

Last month, Punjab National Bank, known as PNB, filed an initial criminal complaint with the country’s Central Bureau of Investigation (CBI) accusing celebrity jeweller Nirav Modi and others of defrauding the bank and causing it a loss of 2.8 billion Indian rupees (more than $43 million).

New Delhi/Mumbai: The Punjab National Bank branch in south Mumbai sits just down the road from both the Bombay Stock Exchange and the Reserve Bank of India, at a physical centre of one of the world’s fastest-growing major economies.

Read more   ↓

The branch, clad in a stately colonial edifice, is now also at the heart of a fraud case linked to billionaire jeweller Nirav Modi that has shaken confidence in a state banking sector that accounts for some 70 percent of India’s banking assets.

It was here, according to accounts from Punjab National Bank executives and government investigators, that alone middle-aged manager, later aided by his young subordinate, engineered fraudulent transactions totalling about $1.8 billion from 2011 to 2017.

The bank says it is still investigating how they were able to do so and go undetected for so long. The accounts given by current and former executives who spoke to Reuters suggest an answer as simple as it is alarming: no one was paying attention.

The still unravelling story of how the fraud happened — which includes the alleged misuse of the SWIFT interbank messaging system and incomplete ledger entries — points to a breakdown in checks and balances, and standard banking practices, they said.

The apparent failure of anyone to notice the largest fraud in Indian banking history until this January reveals a “rot” in the state financial sector that goes beyond one lender, said Santosh Trivedi, who spent nearly four decades at Punjab National Bank before retiring in 2016 as a senior manager of audit and inspection in the New Delhi head office.

“Unless this rot is controlled at this stage, to the satisfaction of the international community, it is dangerous for the Indian system,” Trivedi said.


Last month, Punjab National Bank, known as PNB, filed an initial criminal complaint with the country’s Central Bureau of Investigation (CBI) accusing celebrity jeweller Nirav Modi and others of defrauding the bank and causing it a loss of 2.8 billion Indian rupees (more than $43 million).

The allegations against a man whose diamond creations have draped Hollywood stars such as Kate Winslet and Dakota Johnson generated a flurry of coverage across India’s TV screens and newspapers. Modi has not publicly commented on the case.

He and his family left the country in earlier January, according to Indian officials, and a call on Sunday to a corporate spokesperson who has handled media for Modi in the past went unanswered. No charges have been filed against him.

But as more details surfaced about what is alleged to have happened at the state-run bank, which was founded in 1894, the stakes have gotten higher.

A review of bank and government documents related to the case – and interviews with current and former PNB executives, bank auditors, and experts — points to a lack of accountability and standards in the country’s public banking system.

As of last September, those banks held about 87 percent of the Indian banking system’s 9.46 trillion rupees (about $147 billion) of soured loans that are non-performing, restructured or rolled over.

A preliminary investigation by the nation’s tax authority said of the PNB fraud that “the hit Indian banks would take in the end may well exceed” $3 billion, according to an internal note seen by Reuters.

“Yes, there is a problem. We have recognised it,” bank Chief Executive Officer Sunil Mehta said during an investor call on Friday. “We are in the process of fixing it up. We’ll see wherever the loopholes are there. The people-related risk, we are going to mitigate.”

But despite that promise of action, one current senior executive at the bank’s headquarters in New Delhi said further problems could not be ruled out.

“In Indian banks, we don’t work under ideal situation,” the executive, who declined to be identified, said during an interview at his office. “We are in the business of risk, you can’t say there won’t be road accidents.”


According to court documents filed on Saturday by the CBI, branch deputy manager Gokulnath Shetty issued a series of fraudulent Letters of Undertaking – essentially guarantees sent to other banks so that they would provide loans to a customer, in this case, a group of Indian jewellery companies.

These letters were sent to overseas branches of banks, thought to be almost all Indian, that would then lend money to the jewellery firms.

Shetty did so using the bank’s SWIFT system to log in with passwords that allowed him, and in at least some instances a more junior official, to serve as both the person who sent messages and as the person who reviewed them for approval, according to court documents and interviews with bank executives.

“The involvement and connivance of more staff members and outsiders at this stage cannot be ruled out,” said a CBI document submitted to the court in Mumbai.

Shetty is now in custody and he has not publicly responded to the allegations. Calls to a cell phone listed for his wife on court documents were not answered.

Asked about the password sharing, the senior Punjab National Bank executive said it was not best practice but in the everyday bustle of Indian banks, it happens.

 “When you are flooded with customers in the morning, with 101 demands, you look for shortcuts,” he said. “You do somebody else’s work, somebody else does your work. You are not working in an ideal situation.”

A second senior executive at the bank’s headquarters, who also asked that his name not be used, echoed that sentiment.

After entering the transactions on SWIFT, the CBI documents said, Shetty – who worked at the same branch from 2010 to 2017 despite normal bank practices of regular rotations — did not record them on the bank’s internal system.

Because PNB’s internal software system was not linked with SWIFT, employees were expected to manually log SWIFT activity. If that was not done, the transactions did not show up on the bank’s books.

A SWIFT spokeswoman said in a statement last week that the company does not comment on individual customers.

Altogether, there were at least 150 such fraudulent Letters of Undertaking during a seven-year period, according to a CBI official who spoke on the condition of anonymity.

In addition to detaining Shetty and the junior employee, the CBI has arrested a man who it described in court documents as both being “aware about the modus operandi of the entire scams” and serving as a director in “15 to 16 companies of Nirav Modi Group”.

An older brother of the man, Hemant Bhatt, said outside a courtroom on Saturday that he was innocent and the allegations were the result of a “media trial”. The brother did not give his name.

An uncle of the junior bank employee, Manoj Kharat, told a Reuters reporter outside the court that his nephew was “just following orders of superiors” and added, “he wasn’t aware of what he is doing”.

All three are to be held in custody until March 3. No charges have so far been laid against them.


A Feb. 12 note seen by Reuters, sent from PNB to other banks and marked “confidential”, said: “None of the transactions were routed through the CBS system” – the bank’s internal network – “thus avoiding early detection of fraudulent activity.”

The Reserve Bank of India did not respond to a request for comment about whether it had earlier detected any anomalies in Punjab National Bank’s operations or whether it would take additional action in auditing banks.

In a statement, late on Friday, the central bank called the fraud at PNB “a case of operational risk arising on account of delinquent behaviour by one or more employees of the bank and failure of internal controls”. It also said the central bank “has already undertaken a supervisory assessment of control systems in PNB and will take appropriate supervisory action”.

The CBI paperwork says the fraudulent Letters of Undertaking are likely to add up to “the vicinity of” 60 billion rupees, or more than $930 million. Bank executives say the amount tallied by working back through internal records is $1.77 billion.

With assets of about $120 billion as of December, according to bank filings, PNB will be able to cover any associated losses, though it is still a huge hit for a bank whose stock market value was only $6.1 billion before it revealed details of the alleged fraud last week. It has since seen $1.4 billion wiped off that market capitalisation.

The mechanics of how the fraud happened, and what it says about the underlying industry culture, are worrying, said Abizer Diwanji, national leader for financial services in India at accounting firm Ernst & Young.

“Checks and balances are there in public banks as well but they are not followed earnestly,” said Diwanji, who has tracked India’s financial services industry for more than two decades.

“This is where the discipline, the culture is not there. I always believe that we don’t have the culture to manage risks, even operational risks. PNB is not an outlier in this.”

To control such risks, most private sector banks require branches to route SWIFT messages through their central offices, Diwanji said. They also usually integrate their own software systems and SWIFT, meaning that activity such as a Letter of Undertaking being sent would get automatically recorded.

Neither is the case at PNB or most state-run banks in India, Diwanji said.

Representatives of two of the external audit firms listed on PNB’s annual report for the 2016-17 fiscal year said they could not have known what happened.

“It was off-books, so auditors will not be in a position to detect it,” said Sudesh Punhani, a partner at Chhajed & Doshi.

Asked whether the bank’s failure to integrate its software system and SWIFT was a cause of concern, Neeraj Golas, a partner at R. Devendra Kumar & Associates, also an external auditor of the bank, said: “True, true – we have to really get into it and understand what all these things are.”

Source by news18..