At the first monetary policy statement of the Reserve Bank of India (RBI) for 2018-19, it seems impossible to believe that the previous bi-monthly on 7 February marked a high point in the relationship between the Union finance ministry and the RBI. There was on that date a regulatory add-on of a 180-day window of forbearance for payment dues from small borrowers, and abolition of loan limits in the MSME (medium, small and micro enterprises) segment. Those initiatives followed the supportive measures for the small-scale sector in the Union budget on 1 February, through the corporate tax cut, and additional funding for the Micro-units Development Refinance Agency (Mudra).
The appearance of team play was shattered after the Punjab National Bank (PNB) fraud broke in mid-February. The PNB fraud has variously been placed as having been in operation since 2011, perhaps even earlier. Union finance minister Arun Jaitley, speaking at the Economic Times Global Business Summit on 23 February, blamed the top management and auditors of PNB, but was also quoted as having added: “Regulators ultimately decide the rules of the game and regulators have to have a third eye which is to be perpetually open. But unfortunately in the Indian system, we politicians are accountable, the regulators are not.”
RBI governor Urjit Patel came back forcefully on the occasion of a 14 March address at the Gujarat National Law University, pointing to the lack of ownership-neutrality in the Banking Regulation Act of 1949. The act as amended bars the RBI from imposing certain types of penalties for errant conduct on public sector banks, such as firing the chief executive officer, removing directors or superseding the board. The speech lists seven of them. Patel was right to have pointed them out, appropriately in an address to young entrants into the legal profession. That kind of unevenness in the regulatory landscape clearly has to be swept away.
That said, two issues immediately arise. First, instances where those powers were actually exercised have so far involved smaller banks for the most part. Perhaps the governor was trying to convey that the existence of those powers acted as a sufficient deterrent for them not to have been needed for the larger private sector banks (so far). Perhaps he was also justifying why he could not do what the public in its anger would like to see happen to the senior management of PNB.
Second, deterrence is exercised more by a layered supervisory mechanism—such that what escapes the net at one layer is sure to get snagged in another—than through the threat of removal from office of senior management. Indeed, a regulatory penalty can be imposed only when the supervisory mechanism catches the lapse at some level. In the PNB case, the scam was caught within the bank and self-reported. It is this which has led to questions about the supervisory mechanism of the RBI.
Regulation and supervision are attended to by different departments within the RBI. A department of banking supervision was created in 1993, distinct from the department of banking regulation. In 2009, even their reporting channels were directed towards different executive directors under different deputy governors. One of those posts fell vacant in July 2017, and has not yet been filled, so presently both departments report to the same deputy governor.
The departmental separation of portfolios is exactly as it should be. Regulation sets prudential rules. Supervision is a function which, if not quite adversarial, ideally looks critically at regulation and spots risks not yet taken on board. Supervision got further separated into surveillance and enforcement in the regulatory policy add-on to the February 2017 monetary policy statement. The new enforcement department has been functioning from 1 April 2017.
The PNB fraud is said to have started rolling in 2011. As it happens, RBI that year appointed a high-level steering committee chaired by then deputy governor K.C. Chakraborty (a past chairman of PNB), to upgrade banking supervision to global best practices. Its report recommended that supervision be expanded in scope to go beyond a narrow focus on regulatory compliance or bank solvency, towards assessing the riskiness of a bank’s operations, and its risk mitigation strategies. Independently, an inspection of select overseas branches of Indian banks was also conducted in May 2012, the previous one having been done in May 2008, but the findings are not publicly known.
The Chakraborty Committee report was submitted in June 2012. Its recommendations were accepted, and the supervisory system overhauled on to a new risk-based supervision (RBS) platform. Training was initiated for senior officers of the major banks. The new framework went into operation in 2013-14, renamed SPARC (supervisory programme for assessment of risk and capital). An initial set of 28 banks from across the ownership spectrum, accounting for 60% of total banking assets, was covered that year. PNB may well have been among them. Eight more banks were added over the next two years, and by 2016-17, all scheduled commercial banks were covered. SPARC specifically calls for ongoing interaction between banks and supervisors, not just periodic inspections. Finally, there is a further overlay since 28 February 2017 of a standing committee on cyber security.
In a parallel development starting in 2012-13, memoranda of understanding (MoUs) were signed with 16 overseas regulators, which the annual report for that year says led to “substantial progress in supervisory information sharing and cooperation within jurisdictions where Indian banks are operating”. By the close of reporting year 2016-17, the number of such MoUs had expanded to 40, and there was also a statement of cooperation with three US financial regulators. Since overseas jurisdictions were another point from which the PNB fraud could have been spotted, these agreements do not seem to have led to information exchange of any diagnostic value.
Further to the MoUs, supervisory colleges were set up specific to each of six banks with considerable overseas presence, consisting of regulators from the jurisdictions where the bank was active. PNB was one of the six. The annual report for 2016-17 says all six colleges met during 2016-17 to “enhance information exchange and cooperation among supervisors to improve understanding of the risk profile of the banking group, thereby facilitating more effective supervision of the internationally active banks”. Surely the threat of cyber risk to letters of undertaking (LoUs) from a home branch should have come in for review by the PNB supervisory college when it met?
The importance given by the RBI to effective supervision is further underscored by the structuring of its central board of directors, which includes (along with the top management of the RBI) 14 non-official directors, and two government of India officials. Central board members are assigned to a number of committees to oversee the multiple functional responsibilities of the RBI. Of these, two are rated so important as to have been given the status of boards—the board for financial supervision (BFS) established post-reform in November 1994, and the board for payment and settlement systems (BPSS).
Bank supervision has thus carried immense prestige and importance within the RBI. BFS members were chosen for their experience in banking or information technology, and typically served for the entire duration of their appointment to the central board. (Full disclosure: I served on the central board for a full four-year term 2011-15, and was a member of other committees of the board, but never of the BFS.)
Governor Patel’s speech cites three circulars issued in 2016 to banks to eliminate hazards arising from cyber risk, and blames the internal processes at PNB for having allowed the “operational hazard to remain in place in spite of clear instructions to close it”. Only one of the three circulars is in the public domain, dated 2 June 2016. Section 8.4 of Annex 1 to that circular called for protecting password access with multi-factor authentication, but sadly carried no reporting template with deadlines for action to be taken on that or other injunctions. The only two reporting templates (Annexes 2 and 3) were for cyber attacks from outside the system. There was just a fairly loosely-worded para 16 in the circular, asking that gaps identified, and measures proposed to close them, be reported to the RBI by a deadline of 31 July 2016.
If PNB did comply by the deadline, and supplied correct information, RBI would have learned about the absence of multi-factor authentication for password access to the SWIFT (Society for Worldwide Interbank Financial Telecommunications) network at PNB. An immediate demand for correction of that could have put a hard stop to the scam then and there. CEO removal comes in only much later, if it is discovered that the information supplied was not correct.
Two other circulars issued in August and November 2016 were confidential, and therefore not on the RBI website. But they were marked to CEOs of all commercial banks, and are therefore very widely available. They dealt with the need to connect SWIFT transactions to the core banking database, which was another layer at which the scam could have been spotted, but the fundamental problem was lack of enforcement of SWIFT password protection. It sprang a hole in the supervisory net big enough for the whales to swim through.
The PNB and all the other bank frauds have happened despite the more recent overlay of an enforcement department, on top of SPARC, MoUs with overseas regulators and bank-specific supervisory colleges. The devil continued to reside in the details.