A government probe report says Punjab National Bank had discussed putting in place safeguards to prevent fraud in 2016, but did not act on it.
New Delhi: More than a year before the Nirav Modi loan scandal was discovered, Punjab National Bank had apparently held a high-level internal meeting to discuss security flaws in its systems and identified internal threats related to malware and human activity.
The bank, however, did little to address the issues, an internal government probe report has found.
The internal meeting was held in mid-June 2016, in the aftermath of a heist at the Bangladesh central bank in which hackers made off with about Rs 525 crore. PNB was keen to assess its security flaws and prevent a similar incident.
The report has also said that the checks and balances needed to undertake transactions on the Society for Worldwide Interbank Financial Telecommunications (SWIFT), something that could have prevented the Nirav Modi scandal, were inadequate at Punjab National Bank.
It has underlined the security lapses that could have allowed businessmen Nirav Modi and Mehul Choksi, along with some Punjab National Bank (PNB) officials, to allegedly cheat the bank.
The report points out how, despite clear warnings, the management of the state-owned bank did not employ measures to fix the security lapses.
The 2016 meeting is also said to have underlined the need for “checks and balances” of transactions conducted through the core banking system (CBS), and SWIFT.
The Reserve Bank of India has now made it mandatory for public sector banks to link their core banking systems with SWIFT by 30 April.
The SWIFT Issue
The Reserve Bank of India has issued warnings in the past about risks from the “potential malicious” use of the SWIFT infrastructure. In the case of PNB, of the nearly 7,000 branches, only 172 are authorized to conduct foreign exchange transactions.
The Information and Communication Technology (ICT) infrastructure for SWIFT transactions is completely segregated from the other dealings of the bank. PNB’s core banking software apparently does not have the features to connect with the SWIFT software and system. Third-party software could have helped navigate this problem.
When SWIFT is used to log a transaction, messages are delivered using the independent SWIFT network, and are not recorded in the bank’s core banking system. PNB has largely been carrying out its foreign dealings using this unstructured messaging system, which made it easier to entirely dodge screening.
The fact that PNB used a two-level authentication process, which involves the use of two passwords shared by the deputy manager and his clerk, is suspected to have helped the fraud.
While a number of state-run and cooperative banks are yet to link their core banking systems with SWIFT, the RBI has said it has cautioned banks about possible misuse and asked them to implement the safeguards.