In what is a grim reminder of the Nirav Modi/Mehul Choksi scam where they plugged and played with PNB’s financial system with gay abandon, the CVC points out the level and degree of defalcation in another such case where firewalls and filters were breached with ease. The fraud was perpetrated by staff member of a bank in buyers’ credit transactions. The matter came to light when the main branch of bank received intimation from overseas branches of the bank that payment towards buyers’ credit was not received by them. When branch records were verified, it came to light that no such buyers’ credit had been raised from those banks. It was further observed that several other buyers’ credit had also been raised from those banks through fake Letters of Comfort (LOC) via SWIFT which became due for payment from July 1, 2016 onwards. It was reported that the branch had issued 20 buyers credit for Rs 429.33 crore due for payments up to January 2017.
The Letters of Comfort were fraudulently conveyed through SWIFT messages which emanated from the main branch of bank where there was involvement of staff members.
On July 25, 2016, the main branch received a message from overseas branches of PSU banks that payments towards buyers’ credit were not received by them. On verification, it was observed that no such buyers’ credit had been raised from these banks.
It was reported that the branch had issued 20 buyers’ credit for Rs 429.33 crore due for payments up to January 2017. On verification, it was found that there were no documents and sanction letters of credit facilities for such transactions. Further, the transactions were not routed through the bank’s Nostro Account as per prescribed guidelines. The SWIFT messages sent were reportedly fraudulent.
*SWIFT transactions were not linked to the Core Banking Solution (CBS) of the bank, which contain transaction histories and other data of the customers.
*The transmission of the messages is usually a three-layer process that did not take place either at the branch or its office.
*SWIFT transactions were therefore automatically recorded and were not seen by officials of the controlling offices.
*In SWIFT system one bank official is designated as a maker, another verifier and third as authoriser. All have different logins and passwords and work independently of each other. But in this case all functions were performed by a single person.
*CBS-Finacle should be integrated with SWIFT (STP-Straight Through Processing) for all payment messages.
*Each and every login into SWIFT system would be only through biometric authentication thereby virtually preventing any unauthorized login through password compromise.
*SMS alert feature should be introduced wherein all SWIFT users will get an alert message in their mobile phones for every login into the SWIFT with their roll number and password including failed login attempt.
*The access to SWIFT connect should be restricted based on IP address-only 2 PCs per branch should be permitted.