By R. Gandhi, Former Deputy Governor- Reserve Bank of India
“There are three things in the world that deserve no mercy – hypocrisy, fraud, and tyranny”
– Frederick William Robertson
There is no universally accepted definition for the term ‘fraud’. The laws in many countries do not define fraud; it actually needs no definition; it is as old as falsehood and as versatile as human ingenuity. Fraud is a generic term embracing all the multifarious means which human ingenuity can devise and are resorted to by one individual to gain an advantage over another by false suggestions or by suppression of the truth.
Section 25 of the Indian Penal Code (IPC) states that a “person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise.” IPC also does not specifically define what a fraud is; but we all know that certain offences like cheating, concealment, forgery, counterfeiting, mis-appropriation, breach of trust and falsification of accounts involve elements of fraud in their commission.
Can frauds be wished away? Obviously, we can’t wish them away. We can only be consciously on our vigil to ward off frauds and initiate exemplary action on the perpetrators of fraud which will serve as deterrents to intending fraudsters.
Banks and financial institutions are easy prey to fraudsters. As long as banks and financial institutions handle huge sums of money as financial intermediaries they will always be the target of ingenious fraudsters trying to relieve them of the money. But our endeavour, as I just mentioned, has to be to prevent it, detect it at the earliest if it happens and minimise its negative fallout. This entails a constant state of vigil against frauds and emerging fraud risks in the economy.
Type of Frauds
The bank frauds are primarily deposit related, advances related and services related. Of these, the deposit related frauds which used to be big in number though not in size, have been on the wane, thanks to the improvements in cheque and payment processing, usage of technology and tightening the provisions of the Negotiable Instruments Act. The advances related frauds continue to be the major concern for banks, especially because of their size and far reaching implications to their financial soundness and integrity. A special variety of frauds, which are increasing in number and in terms of speed, are the cyber frauds. Yet another special type relates to trade or documentary credit related, special because of cross border implications.
. When we discuss about bank frauds, we will not discuss about bank frauds committed by third parties which can suitably be classified as thefts. These types include cyber frauds committed by tricksters, or techsters. For our discussions, we will include bank frauds committed by some connected parties like the depositors, the borrowers, the users of bank services or by their own staff, their outsourced agencies, their vendors, their agents like assayers, valuers, auditors, etc.
Root Cause of Financial Frauds
Financial frauds, more specifically the advances related frauds, occur because of breach of contract and trust. It could be because of the pledged or mortgaged assets are compromised or divested off; or the documents are forged; or the funds availed are diverted or siphoned off; or the documentary credits like the letters of credit or guarantees are misused, etc.
The root cause of financial frauds can be reduced to one single phenomenon. It is failure to Know Its Somebody – i.e. failure to Know Its Customer, or failure to Know Its Employee, or failure to Know Its Partner / Vendor.
Bankers’ Response to Frauds
What the fraudsters do not understand is the systemic response of banks when they have been tricked into facing the consequences of frauds. The bankers’ reactions include withdrawal from lending, being risk averse, losing confidence in documentary credit, excessive collateralisation or documentation, demands on personal guarantees, collapse of need based lending systems like MPBF, Tandon and Chore Committee norms, etc. These are in addition to the bankers’ efforts to recoup the losses through higher interest rates and charges.
The Three KY Principles
When banks are faced with frauds, their financials are expected to bear the immediate impact. Because of this implication, and if uncontrolled it can cause systemic risk, the regulators usually have an extra oversight on banks about frauds. More often than not, the frauds lead to tighter regulations. These aim towards bringing in both corrective and preventive measures. As I said earlier, if a bank has to prevent fraud, it must follow the three KY Principles. It must Know its Customer; it must Know its Employee and it must Know its Partner i.e. Know Your Customer, Know Your Employee and Know Your Partner, the Three KYs.
The First KY – Know Your Customer (KYC)
When one thinks of KYC norms frequently the emphasis is on the different type of documents to be obtained from an account holder which will establish that KYC norms have been followed. In a scenario where many frauds are committed by submitting forged and fabricated documents, such an emphasis is too narrow and will result in us missing the wood for the trees.
A bank, apart from obtaining the relevant documents, should make an effort to ‘know the customer’ in the real sense – his background, his stated activities / profession, what his signature style of operation is or digital foot print is, in case of online transactions, etc. A robust KYC system envisages such an understanding. This observation of his pattern of transactions will let the bank draw up a customer profile. Once this is established any exception to the norms can raise a red flag and tracked or confirmed with the customer. Banks should become adept in pattern recognition and do discreet investigations on the suppliers / buyers to check if they are in the same line of business or are bogus entities. Such timely checks help identify frauds at an early stage.
Banks need to invest in data analytics and also intelligence gathering to make fraud detection as near to real time as possible. Data analytics solutions can crunch huge data and give us the patterns, that too in a visual, easily understandable format.
Another strong trend in the future would be the profiling of the customer across different channels or medium – online, offline, corporate loans, personal loans, etc. At least in respect of customers perceived to be of high risk, very large advance accounts, we need to use Big data for analysing information from disparate sources e.g. data available with the banks, the social network activities, identifying relationships that are usually invisible. This way we may be able to analyse transactions and be able to predict the likelihood of a fraud happening.
On a bank level, each bank should segment its customers based on their risk profile and transaction patterns and develop appropriate response systems for exceptional patterns noticed and fortify systemic level controls.
But one word of caution though. I don’t think banks can sit back after investing in a software or establishing a fraud risk management system. The business landscape is generally dynamic and with ingenious fraudsters we are dealing with people who always change their strategies to be one step ahead of bankers and regulators and the police. As such, when it comes to fraud risk management, a bank has to be like a referee in a football game, always moving with the players and be alive to changes in the game and take action.
The Second KY – Know Your Employee (KYE)
Several frauds are insider jobs; or at least with the abetment of insiders. Bankers are generally people of integrity. The selection process is highly sensitized in this respect. Still, some bad apples do escape or become rotten. Banks have to take extra care to have continuous vigil on their staff. Background checking for antecedents, checks and balances, periodic rotations, vigilance assessments, internal audits, etc. techniques will have to be employed to know the employees better and as preventive measures.
The Third KY – Know Your Partner
Modern day banking necessitates that a bank join hands with partners, agents, vendors. Outsourcing peripheral and several operational activities involves deploying and trusting somebody else’s employees. Varied activities as diverse as cash logistics to IT and data management are being entrusted to third parties. Banking Correspondents and Banking Facilitators are emerging as another set of persons closely associated with a bank. If frauds are to be prevented effectively, banks have to know their partners.
The Reserve Bank has been issuing instructions from time to time on the preventive and corrective measures that banks should adopt. One set of instructions relate to information sharing. The importance that the Reserve Bank had always attached to is information sharing among banks, which has been again reinforced and made an integral part of the monitoring of potential frauds.
To facilitate this, banks have been advised to assign Unique Customer Identity Numbers (UCIN). Database on credit information, centralized registry for recording security interests Central Registry of Securitisation, Asset Reconstruction and Security Interest (CERSAI), centralized know your customer registry, Central Repository of Information on Large Credits (CRILC), etc have been established or being built to share information among the bankers. A Central Fraud Registry is also being planned.
Another initiative in this respect is the List of Wilful Defaulters. Fraudsters are included in this list. With this List in hand, the banks get not only cautioned about the fraudsters, they can also bring in certain deterrent action against them.
The new framework to deal with Frauds
It is obvious that if anyone wants to identify potential frauds before they happen, it is possible only by continuous monitoring. We have therefore prescribed stage wise actions in the life cycle of a loan account and also prescribed actions that a bank may take in each stage to safeguard its interest. A system of identifying Red Flagged Accounts based on Early Warning Signals has been put in place. A red flagged account is one where a suspicion of fraudulent activity is thrown up by the presence of one or more Early Warning signals. The presence of these signals should trigger a detailed investigation into the RFA.
As one of the major problems in fraud risk management was time delays in dealing with a fraud, we have prescribed time limits within which certain actions like investigating for fraud should be completed and a decision on whether an account is indeed a fraud or not is made. Similarly the delays and divergent stands taken by banks in a consortium or multiple banking arrangements have also been tackled by spelling out time lines for actions like informing other banks of a Red Flagged Account, commissioning a forensic audit and arriving at a consensus/majority decisions, etc. If frauds have to be minimised it is not enough to tighten the actions incumbent on banks alone. In preventing frauds a major part is played by the deterrent actions and punishments that are meted out to the fraudsters. Towards this end henceforth the fraudster borrowers will not be able to avail bank finance for five years after full repayment of the dues. This is of course in addition to the criminal complaints to be filed with police or CBI. This is expected to build in a disincentive for any borrower to consider committing a fraud on banks.
As I mentioned earlier, containing frauds means focussed action by all stakeholders, not leaving any flank uncovered. One of the flanks was the criminal investigations done by law enforcement agencies and bringing to book fraudsters soon after a fraud is committed. To facilitate this and smoothen the process of commencing the investigations the Reserve Bank has been working with the Ministry of Finance and coordinated actions have been initiated.
I have dwelt on loan frauds at length as they form a major portion of frauds reported by banks. However the aspects of continuous monitoring and timely action on the basis of any early warning signals apply equally well to other types of fraud like deposit frauds, cyber fraud, etc.
It is here that I am sure that adhering to the KYC norms and real time transaction monitoring, transaction analysis, centralized databases, etc. rigours will come in handy for banks.
Fraud risk and governance
It is when we think of the dynamic nature of frauds’ landscape that we need to pay attention to certain systems and enduring values in a bank. Without a strong system guiding the anti-fraud initiatives of a bank, the responses to quick changing fraud risks may end up being knee jerk reactions than the flexible and appropriate measures that are called for. This requires a look at the corporate governance in banks and board level ownership of the anti-fraud initiatives.
The Board of a bank should be proactive in understanding the fraud risks facing the bank and also put in place a robust anti-fraud machinery. They should have a deep understanding of the institution’s strengths and weaknesses and be able to steer the institution in the right direction. For this they need to retain their common sense in the face of an information overload. As a famous saying goes, you can find out if a man is clever by his answers, but you can find out if a man is wise by his questions (Naguib Mahfouz). As another saying goes, the wise man doesn’t give the right answers, he poses the right questions (Claude Levi-Strauss).
The Board needs to ask the right questions. They need to assess the robustness of the internal controls, with each new threat detected and be in a position to get the data analysed in a holistic fashion.
Our recent initiatives in separation of the post of Chairman and Managing Director in banks is also aimed at giving the much needed breadth of vision to the Chairman without being harried by the day to day running of a huge organisation.
The Board needs to show the way by enunciating the ethical values of the bank and by exemplary actions when frauds and insider collusions are detected. Another way to empower the employees is to put in place a whistle blower policy and having a standard and impartial procedure to deal with such complaints. That the bank will deal firmly and consistently with any fraud and employees can without fear escalate their concerns and insights on potential frauds to the Top Management will send out a strong message and convince each employee to own the anti-fraud initiative of the bank. It will not be the preserve of the Board, the chief executive officer or the fraud monitoring department of a bank alone.