This is part two of a series on the RBI’s risk assessment reports for Punjab National Bank. Read part one here on the red flags the regulator failed to wave one year before the scandal broke.
New Delhi: If the Reserve Bank of India (RBI) felt all was relatively well at Punjab National Bank (PNB) a year before the Nirav Modi scandal was discovered, its assessment of the state-run lender just a year later indicates that almost nothing was right.
The central bank’s confidential annual inspection report for PNB in FY’18, obtained by The Wire through a right to information (RTI) request, takes a dim view of various aspects of the state-run lender’s functioning.
The report includes adverse remarks on a number of key areas including red-flagging of accounts, reporting of frauds, general classification of NPAs (non-performing assets), collateral management, internal auditing and market risk management.
In particular, the RBI notes that the Nirav Modi scam “widened the gap” between the bank’s “core values” and the “actual behaviour” displayed by the board and senior management.
Notably, an internal staff accountability report that was put together in the aftermath of the scam resulted in the bank issuing more than 70 show-cause notices to its employees, both serving and retired.
However, the report grimly notes, “no case had been brought to finality as yet.” ‘Yet’ refers to late 2018.
These inspection reports, more formally referred to as ‘risk assessment reports’ (RAR), take place under the RBI’s ‘SPARC’ framework, through which oversight is maintained over scheduled commercial banks.
The SPARC process is fairly comprehensive; the assessments also have an on-site inspection component. Ultimately, they are supposed to bring out the deficiencies in a bank’s risk management and processes, as well as provide an effective report card of the lender’s overall functioning.
The RBI’s clear perspective in the FY’18 report is forged through the power of hindsight. The pointed assertions in its FY’18 assessment stand in sharp contrast to the FY’17 report, which was analysed and covered in part one of this series. Put together, they raise serious questions over the utility and efficacy of the reports themselves.
In the first half of 2018, heads started to roll at PNB after the Central Bureau of Investigation got to work. Two executive directors were sacked, while former CEO Usha Ananthasubramanian (who in early 2018 had moved on to the top position at Allahabad Bank) was formally booked and named in the charge-sheet that was filed.
Despite this intense glare, the RBI’s report notes, PNB’s board audit committee bizarrely failed to update the scope of its ‘audit’ and take a broader view of the issue.
“Despite the large value fraud detected at Brady House Branch (BHB), the scope of the audit had not been updated and made robust by factoring the learnings from the fraud,” the report notes.
“There was inadequate focus in addressing systemic issues to remedy persistent irregularities, enforce timely compliance and design appropriate parameters for evaluating the performance of auditors,” it adds.
Some of this may have been due to the fact that the PNB board had four vacancies throughout FY’18 – six if you include the two directors who were sacked in May 2018. According to the RBI, the “persistent vacancies impacted the competencies and experience available to the board”.
In addition to this, the report points out, the directions of the board and risk management committee, with regard to exposure to the jewellery sector, were not being followed by the bank’s senior management.
“The framework of oversight by ACB was not comprehensively reviewed despite gaps observed in the light of the frauds. The directions of the Board and Risk Management Committee with regard to exposure management, particularly exposure to the jewellery sector, were not followed by the Senior Management,” the RBI notes.
The bank’s board, the report says, also failed to exercise appropriate oversight on the following matters (emphasis added by The Wire):
Collateral management remained largely deficient on account of non-updation of correct value of security in the system, which in turn led to inadequate provisioning.
RMPs (risk management plan) of the previous year’s ISE (inspection for supervisory evaluation) pertaining to collateral management, NPA identification, KYC implementation, gaps in cyber security, timely reporting of frauds and accurate reporting of data in CRILC remained uncomplied. Some of these had remained uncomplied since ISE 2015.
Continued deficiency in NPA/NPI identification was observed as the bank failed to comply with this observation which was highlighted in the past years as well.
The model scores in sectors such as infra, iron and steel, and NBFC were manually changed, ignoring the high levels of NPAs.
In comparison to the FY’17 report, the FY’18 report contains a lot more details on cybersecurity and the bank’s lack of competence in this area – a subject of particular importance, given the technology loopholes that Nirav Modi and his uncle Mehul Choksi were able to exploit.
In particular, the report notes that the:
Board’s oversight of cyber security functions was inadequate as the baseline controls stipulated in RBI’s cybersecurity framework were not implemented fully.
Further, a show-cause notice (SCN) was issued to the bank on August 23, 2018 for non-compliance of SWIFT related controls.
The CISO was not reporting to ED or equivalent executive, contrary to extant guidelines. The CISO’s office was inadequately staffed and was dependent on the IT division for budgetary requirements.
The sharpest observations in the FY’18 RAR report are reserved for PNB’s internal auditing policy.
In one section, the report lays out three failures by PNB’s internal auditing team, all of which directly allowed the Nirav Modi and Mehul Choksi scam to mutate and expand rapidly over nearly a decade.
Firstly, the internal and statutory audits failed to identify control gaps in sensitive branches, which “facilitated issuance of unauthorised LoUs [letters of undertaking]” at the Brady House Branch.
Secondly, the “non-rotation of employees” at PNB was not commented upon in the internal audit reports even though the policy specifically requires internal auditors to comment on the same. This observation is particularly crucial because many aspects of the PNB fraud ultimately boiled down to one or two bank officials who ran the alleged LoU scheme seemingly under the noses of everyone else.
Finally, the internal audit simply did not scrutinise all the “renewals/rollovers of LoUs/FLG/ILG/FLC” to ensure that they were in line with RBI and other internal policies.
Some of these issues could be chalked up to a lack of resources and incompetence, rather than malice.
For instance, the RBI report notes that while the bank’s policy clearly lays out the proper coverage and frequency for all audits, the actual allocation of resources (both for internal audits and third-party audits) was “not commensurate” with the number of transactions in a branch and substitution needs during leave.
“For instance, a single concurrent auditor was allotted to a branch (except a few places such as SWIFT Centre, CBOTF) irrespective of the number of transactions and replacement due to planned or unplanned absence,” the report notes.
But this issue naturally created a concerning backlog of work.
“On a sample check of credit audits in 32 taken over accounts of Rs 100 million and above, it was observed that audit was not undertaken in 23 accounts as per the specified timelines, with 19 of them spilling over to the next financial year. Similarly, audits of key processes within treasury, banking operations, loans and advances and foreign exchange business was not undertaken,” the FY’18 RAR observation notes.
On a final note with regard to PNB’s internal audit mechanisms, the RBI notes:
“The quality of internal audit was weak as reflected in i) large divergences in NPA and collateral management identified by the present ISE, ii) increase in number and amount of MOCs, iii) mis-classification of priority sector loans and continued deficiencies and non-compliance to KYC guidelines, iv) delay in internal audit of overseas branches was observed. Position of single/group borrower concentration in overseas branches was not put up to Senior Management.”
As the screenshot below notes, the RAR report spends some time going through PNB’s lax behaviour with regard to cracking down on defaulters.
In another section, the RBI shockingly notes that PNB failed to initiate criminal action against “eight out of 10 wilful defaulters who had diverted funds”.
A few more observations, all with serious implications:
“In some instances (7 of 23 cases reviewed), the bank neither classified the borrower as wilful defaulter nor had completed the identification process even though two years had elapsed since the initiation of the process.”
“Staff accountability was not examined in cases where sanctioning of loan and post-sanctioning monitoring process was found to be deficient.”
“No borrower was classified as a non-cooperative borrower.”
“Though mandated by internal guidelines, there was no mechanism to examine or fix accountability of auditors of the borrowers who were negligent or deficient in conducting the audit.”
Spotlight on senior management
The report takes its time in pointing out problems with PNB’s senior management, noting that there was “inadequate involvement”.
“Persisting concerns like deterioration in the asset quality, weakness of internal audit framework and laxity in implementing risk management practices like mandatory leave/transfer/rotation policy indicated failure to address causative issues through systematic changes,” the report says.
“Non-reconciliation of recovery amount in the BHB fraud, lack of mechanism for implementing the new resolution framework of stressed loans, non compliance of RMPs and lack of integrity of data submitted under SPARC indicated inadequate involvement of senior management.”
In a curious aside, the FY’18 report also highlights how there were “instances of taking over three borrowal accounts without due approval from the board or proper justification from other banks, where the present MD and CEO and EDs had been posted”.
In the senior management’s defence, the RBI’s risk assessment team offers up a curious anecdote which, sadly, is partly censored – apparently due to confidentiality reasons.
As the screenshot below notes, the report presumably refers to a particular development at the bank and notes that this impacted the senior management’s ability to lead by example and provide an “environment which encouraged ethical business practices”.
Other key points
Risk governance framework:
“Critical control functions like compliance, internal audit and risk management were working in silos and there was no framework for regular interaction and structured information sharing among these verticals.”
“The role of the Chief Risk Officer as an adviser or a decision maker was not clearly defined and delineated in the risk governance framework. The appointment of the CRO was not for a fixed tenure and the minimum qualifications, tenure and experience required were not defined, contrary to extant guidelines.”
Compliance, in general:
“The bank had a weak compliance culture as reflected in lack of compliance to both internal and regulatory guidelines on several aspects. From ACB agendas on Compliance Review of Circle Offices, it was evident that the internal compliance level was not satisfactory. The bank had breached the timelines prescribed by RBI for the pending RMPs of 2017. There was no assessment of compliance risk for formulation of plan to manage them. The Compliance Division was not preparing any annual report on compliance failures/breaches for placing before the Board/ACB and circulating to functional heads.”