There were plenty of systems in place to prevent the Punjab National Bank-Nirav Modi case, but they failed. A blockchain-based system might have been more effective at preventing it.
The Nirav Modi case took place under the gaze of an army of risk controllers, a fully functioning supervisory system, a watchful regulator (the Reserve Bank of India), internal committees, a Board of Directors, external rating agencies, and everyone partaking in round-the-clock, relentless scrutiny. This supervision looks pretty decentralised already. Then why did it fail?
Separation of duties is a proven security control, reliably deployed in human institutions: duties are divided among participants who are considered independent, and therefore not colluding.
This would involve:
- People who propose a loan (or an LOU or FC, in Nirav Modi’s case) are different from those who approve it.
- People who produce liability reports on a daily basis are different from those who need to sign off. Auditors are independent third parties who have no stake in the P&L of the company, and are supposed to be impartial scrutinisers of any potential wrong-doings.
- Independent Directors on the company board are appointed for oversight, alongside other executive directors to watch over CEOs who may be going off track.
- Independent rating agencies, who are supposed to be proactive in assessing credit risk and not reactive.
However, scams take place either through human complicity, where those in charge of controlling risk knowingly let someone exploit a vulnerability, or through incompetence in monitoring and assessing risk correctly and in time, or because some clever hackers or bankers exploit a few weak spots. But since banking IT infrastructure is pretty robust, and has evolved over several decades of running reliably, we can assume that most frauds happen due to complicit connivance.
The strength of any risk control measures will come down to the robustness of the security protocol you build. And blockchain is a security protocol.
Many mundane functions of commercial banking institutions can be substituted by a series of smart contracts. Each of these would translate business logic with necessary checks and balances by way of human intervention, where required. The process need not be fully mechanised to reap the benefits of blockchain.
A caveat. Though blockchain is a technology built on the premise of decentralised nodes, merely using a blockchain ledger within banks cannot prevent scams. A risk system has to be built specifically to reduce vulnerabilities, and one way to achieve that is through a smart contract-based information system with decentralised oversight.
Smart contracts can safeguard not only against risks arising from mismatched accountability, but can also ensure that bad actors stand to lose pre-specified damages if they are found misbehaving.
The internal risks a blockchain-based system faces:
Blockchains are very good at preserving the integrity of information fed to them, transmitting information diligently to intended recipients, and tracking accountability over time and over infinitesimal steps. However, they cannot detect or stop fraud at the point at which information is fed in.
For example, you can make every beneficial owner of a diamond record their ownership on the blockchain to prove provenance. But at the point of entry, where the information on a diamond was fed in for the first time, the blockchain takes the original information for granted. So one can reliably track changes to ownership from a given point onwards, but not verify what is fed in at genesis.
Ensuring independence of parties involved
A smart contract-based system can automatically flag exceptions, if you feed it rules on when to raise one. However, it cannot flag a new contingent liability that is being created for the first time and is never recorded as a liability, on or off the balance sheet, as happened in the Nirav Modi case. So different kinds of checks and balances are required.
In essence, this system tries to contain risk by decentralising the decision making. However, the decentralisation between multiple parties is only as good as the degree of independence, and the extent to which they are not colluding.
You could build a blockchain ledger where you would record every entry – liabilities, contingent liabilities and all sorts of defined risks. The state of the ledger could be replicated across multiple nodes across the bank, so it would be impossible to tamper with them without getting caught. However, someone would still need to sign off wherever there is an exception. These would be the points of vulnerability from the human world.
You could also make them transparent, and flag exceptions to senior management on dashboards.
Ensuring managerial efficiency
Managers are incentivised and socially hardwired to window-dress the performance and compliance of their divisions. There are further behavioural risks to account for: if a manager sees the same exception every day and approves it out of habit or compulsion, he becomes desensitised to it.
You could have another manager from a different region take over the duties for intermittent periods, with a view to reporting back any exceptions. This is quite common in the private sector, where one manager fills in for another during vacations. It helps senior management get an alternative and curtain-less view of the health and performance of a unit.
The possibility of external attacks will be reduced by:
a. Better reporting of exceptions:
You could make it mandatory for banks to report these exceptions to independent third parties such as auditors, rating agencies, and the regulator on an ongoing basis. Audit, instead of being an annual event, could be an ongoing process where someone reviews exceptions everyday. This is made possible by blockchain-based reporting. On a blockchain, the added value would be that if someone were hiding something it would be clear which managers signed off on them, when they did, and the first point of error.
b. Making it easier to detect hacks:
Unlike the crypto economy, where a few billion dollars have been lost to hacks and heists, this is not a real risk inside risk management systems, because funds would not be stored in any online wallets. For example: what if a rogue actor hacks into a manager’s private keys to game the system and signs off an additional billion-dollar loan?
Theoretically this is possible, but the manager would spot it immediately if his keys were stolen or an impersonator had signed off on his behalf. His seniors would have to sign off on exception reports too. So this would still prevent the prolonged abuse, lasting years, that seems to have taken place in the Nirav Modi case.
c. Preventing out-of-system liabilities:
Another vulnerability would be to omit a category of contingent liabilities out of the system. A fraudster could invent a new liability and offer it without it being recorded on the system. What is not recorded does not get monitored, and no exceptions get reported. So, banks have to make sure that such an incident cannot arise.
In a robust system where someone is in charge of signing off on every exception, it would be hard to invent a new loophole that does not require any authorisation. Over time, we can hope to see blockchain-based risk management systems that incorporate machine learning and artificial intelligence, which would tell us when something smells like a fraud.
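The controls described above (an append-only ledger of liabilities with a proposer who is never the approver, exceptions that name who signed off, and a reconciliation that catches instruments issued outside the system) can be sketched in code. This is an added illustration written for this article, not software from the author or from any bank; the entry kinds, the "maker"/"checker" names, the LOU references and the approval limit are all constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

@dataclass
class Entry:
    kind: str        # constructed categories: "LOU", "LOAN", "CONTINGENT"
    ref: str         # instrument reference, constructed for the example
    amount: float
    proposer: str
    approver: str
    prev_hash: str   # digest of the previous entry: tampering breaks the chain

    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

class Ledger:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, kind, ref, amount, proposer, approver):
        # Separation of duties: the person proposing may never be the one approving
        if proposer == approver:
            raise ValueError(f"{ref}: proposer and approver must be different people")
        prev = self.entries[-1].digest() if self.entries else self.GENESIS
        entry = Entry(kind, ref, amount, proposer, approver, prev)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> int:
        # Returns the index of the first entry whose link is broken, or -1 if intact
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev:
                return i
            prev = e.digest()
        return -1

def exceptions(ledger, issued, limit):
    # Reconcile instruments actually sent to counterparties against the ledger:
    # an unrecorded instrument is exactly the out-of-system liability the text warns about
    recorded = {e.ref: e for e in ledger.entries if e.kind == "LOU"}
    flags = []
    for ref, _amount in issued:
        e = recorded.get(ref)
        if e is None:
            flags.append((ref, "UNRECORDED", None))       # nobody signed off
        elif e.amount > limit:
            flags.append((ref, "OVER_LIMIT", e.approver))  # names who approved it

    return flags

def demo():
    ledger = Ledger()  # constructed sample data, not figures from the case
    ledger.append("LOU", "LOU-001", 50.0, "maker_a", "checker_b")
    ledger.append("LOU", "LOU-002", 900.0, "maker_a", "checker_c")
    issued = [("LOU-001", 50.0), ("LOU-002", 900.0), ("LOU-003", 700.0)]
    return exceptions(ledger, issued, limit=500.0)
```

Running `demo()` flags LOU-002 as over limit with its approver named, and LOU-003 as issued with no ledger entry at all; editing any past entry makes `verify_chain()` report the broken link.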
Preventing future scams through blockchain
The right approach to risk measurement is not a contingent probability calculated on actual past occurrences, but a systemic risk – of what is possible in the future. So will you be able to foretell Black Swan events like a Nirav Modi scam? This is just a simple information and decision network system that is decentralised and hard to tamper with, and that throws up exceptions that are hard to ignore.
The idea would be to prevent a Nirav Modi from making fools of 1.5 billion Indians and not let taxpayers’ money leave banks, rather than making sure heads roll in those poor national banks. Making those heads roll is neither saving the bank, nor preventing such a thing from recurring. We need better systems relying on mathematical laws that are impervious to human perversions, rather than those that rely on fear of law.
Arifa Khan is a crypto pioneer, and India Partner of Ethereum. She tweets as @misskhan