R Gandhi: Financial frauds - prevention: a question of knowing somebody

Speech by Mr R Gandhi, Deputy Governor of the Reserve Bank of India, at the "2nd National Conference on Financial Frauds Risks & Preventions", organized by the Associated Chambers of Commerce and Industry of India (ASSOCHAM), New Delhi, 26 June 2015.

The views expressed in this speech are those of the speaker and not the view of the BIS.

Central bank speech | 21 July 2015

Assistance provided by Ms N. Mohana is gratefully acknowledged.

Ladies and Gentlemen, it's a great pleasure for me to be amidst all of you this morning to inaugurate the conference on Financial Frauds - Risks and prevention.

Introduction

2. "There are three things in the world that deserve no mercy - hypocrisy, fraud, and tyranny" - Frederick William Robertson.

There is no universally accepted definition for the term "fraud". The laws in many countries do not define fraud; it actually needs no definition; it is as old as falsehood and as versatile as human ingenuity. Fraud is a generic term embracing all the multifarious means which human ingenuity can devise and are resorted to by one individual to gain an advantage over another by false suggestions or by suppression of the truth.

3. Section 25 of the Indian Penal Code (IPC) states that a "person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise." IPC also does not specifically define what a fraud is; but we all know that certain offences like cheating, concealment, forgery, counterfeiting, mis-appropriation, breach of trust and falsification of accounts involve elements of fraud in their commission.

4. Can frauds be wished away? Obviously, we can't wish them away. We can only be consciously on our vigil to ward off frauds and initiate exemplary action on the perpetrators of fraud which will serve as deterrents to intending fraudsters.

5. Banks and financial institutions are easy prey to fraudsters. As long as banks and financial institutions handle huge sums of money as financial intermediaries they will always be the target of ingenious fraudsters trying to relieve them of the money. But our endeavour, as I just mentioned, has to be to prevent it, detect it at the earliest if it happens and minimise its negative fallout. This entails a constant state of vigil against frauds and emerging fraud risks in the economy.

Type of frauds

6. The bank frauds are primarily deposit related, advances related and services related. Of these, the deposit related frauds which used to be big in number though not in size, have been on the wane, thanks to the improvements in cheque and payment processing, usage of technology and tightening the provisions of the Negotiable Instruments Act. The advances related frauds continue to be the major concern for banks, especially because of their size and far reaching implications to their financial soundness and integrity. A special variety of frauds, which are increasing in number and in terms of speed, are the cyber frauds. Yet another special type relates to trade or documentary credit related, special because of cross border implications.

7. When we discuss about bank frauds, we will not discuss about bank frauds committed by third parties which can suitably be classified as thefts. These types include cyber frauds committed by tricksters, or techsters. For our discussions, we will include bank frauds committed by some connected parties like the depositors, the borrowers, the users of bank services or by their own staff, their outsourced agencies, their vendors, their agents like assayers, valuers, auditors, etc.

Root cause of financial frauds

8. Financial frauds, more specifically the advances related frauds, occur because of breach of contract and trust. It could be because the pledged or mortgaged assets are compromised or divested off; or the documents are forged; or the funds availed are diverted or siphoned off; or the documentary credits like the letters of credit or guarantees are misused, etc.

9. The root cause of financial frauds can be reduced to one single phenomenon. It is failure to Know Its Somebody - i.e. failure to Know Its Customer, or failure to Know Its Employee, or failure to Know Its Partner / Vendor.

Bankers' response to frauds

10. What the fraudsters do not understand is the systemic response of banks when they have been tricked into facing the consequences of frauds. The bankers' reactions include withdrawal from lending, being risk averse, losing confidence in documentary credit, excessive collateralisation or documentation, demands on personal guarantees, collapse of need based lending systems like MPBF, Tandon and Chore Committee norms, etc. These are in addition to the bankers' efforts to recoup the losses through higher interest rates and charges.

The three KY principles

11. When banks are faced with frauds, their financials are expected to bear the immediate impact. Because of this implication, and if uncontrolled it can cause systemic risk, the regulators usually have an extra oversight on banks about frauds. More often than not, the frauds lead to tighter regulations. These aim towards bringing in both corrective and preventive measures. As I said earlier, if a bank has to prevent fraud, it must follow the three KY Principles. It must Know its Customer; it must Know its Employee and it must Know its Partner i.e. Know Your Customer, Know Your Employee and Know Your Partner, the Three KYs.

The first KY - Know Your Customer (KYC)

12. When one thinks of KYC norms frequently the emphasis is on the different type of documents to be obtained from an account holder which will establish that KYC norms have been followed. In a scenario where many frauds are committed by submitting forged and fabricated documents, such an emphasis is too narrow and will result in us missing the wood for the trees.

13. A bank, apart from obtaining the relevant documents, should make an effort to "know the customer" in the real sense - his background, his stated activities / profession, what his signature style of operation is or digital foot print is, in case of online transactions, etc. A robust KYC system envisages such an understanding. This observation of his pattern of transactions will let the bank draw up a customer profile. Once this is established any exception to the norms can raise a red flag and tracked or confirmed with the customer. Banks should become adept in pattern recognition and do discreet investigations on the suppliers / buyers to check if they are in the same line of business or are bogus entities. Such timely checks help identify frauds at an early stage.

14. Banks need to invest in data analytics and also intelligence gathering to make fraud detection as near to real time as possible. Data analytics solutions can crunch huge data and give us the patterns, that too in a visual, easily understandable format.

15. Another strong trend in the future would be the profiling of the customer across different channels or medium - online, offline, corporate loans, personal loans, etc. At least in respect of customers perceived to be of high risk, very large advance accounts, we need to use Big data for analysing information from disparate sources e.g. data available with the banks, the social network activities, identifying relationships that are usually invisible. This way we may be able to analyse transactions and be able to predict the likelihood of a fraud happening.

16. On a bank level, each bank should segment its customers based on their risk profile and transaction patterns and develop appropriate response systems for exceptional patterns noticed and fortify systemic level controls.

17. But one word of caution though. I don't think banks can sit back after investing in a software or establishing a fraud risk management system. The business landscape is generally dynamic and with ingenious fraudsters we are dealing with people who always change their strategies to be one step ahead of bankers and regulators and the police. As such, when it comes to fraud risk management, a bank has to be like a referee in a football game, always moving with the players and be alive to changes in the game and take action.

The second KY - Know Your Employee (KYE)

18. Several frauds are insider jobs; or at least with the abetment of insiders. Bankers are generally people of integrity. The selection process is highly sensitized in this respect. Still, some bad apples do escape or become rotten. Banks have to take extra care to have continuous vigil on their staff. Background checking for antecedents, checks and balances, periodic rotations, vigilance assessments, internal audits, etc. techniques will have to be employed to know the employees better and as preventive measures.

The third KY - Know Your Partner

19. Modern day banking necessitates that a bank join hands with partners, agents, vendors. Outsourcing peripheral and several operational activities involves deploying and trusting somebody else's employees. Varied activities as diverse as cash logistics to IT and data management are being entrusted to third parties. Banking Correspondents and Banking Facilitators are emerging as another set of persons closely associated with a bank. If frauds are to be prevented effectively, banks have to know their partners.

Regulatory response

20. The Reserve Bank has been issuing instructions from time to time on the preventive and corrective measures that banks should adopt. One set of instructions relates to information sharing. The Reserve Bank had always attached importance to information sharing among banks, which has been again reinforced and made an integral part of the monitoring of potential frauds.

21. To facilitate this, banks have been advised to assign Unique Customer Identity Numbers (UCIN). A database on credit information, a centralized registry for recording security interests (the Central Registry of Securitisation, Asset Reconstruction and Security Interest, CERSAI), a centralized know your customer registry, the Central Repository of Information on Large Credits (CRILC), etc. have been established or are being built to share information among the bankers. A Central Fraud Registry is also being planned.

22. Another initiative in this respect is the List of Wilful Defaulters. Fraudsters are included in this list. With this List in hand, the banks get not only cautioned about the fraudsters, they can also bring in certain deterrent action against them.

The new framework to deal with frauds

23. Recently, we had constituted an Internal Working Group that went into the causes for delays in detecting frauds, suggested ways to compress the time between occurrence of fraud and detection and also to remove any other impediments that may prevent deterrent actions taking place. The Group after wide consultations had recommended a new framework to deal with frauds. The study revealed that there were a lot of delays in detecting a fraud and in quite a few large value frauds, the time taken was more than five years. Further to this initial delay, in case it was a consortium or multiple banking facility, the divergent opinion among the financing bankers on whether an account was a fraud or not also contributed to further delays. Any delay in detection of fraud entails further delays in filing of complaints with law enforcement agencies and other consequent actions. Such delays, it is needless to add, enable a fraudster to enjoy banking facilities with impunity and ensnare more bankers and other innocent individuals in his net. The money trail gets cold and prospects of recovery become dim as each day passes. This scenario calls for a focussed response from the regulators, bankers and other stakeholders.

24. The best way to prevent frauds, especially loan frauds, is to tone up the appraisal process. A good appraisal can weed out many undesirable or flawed proposals that may eventually turn out to be fraud. A good appraisal does not mean only analysing the financial statements and projections submitted by the potential borrowers. It requires going beyond the given and independently gathering intelligence on the potential borrower. This requires accessing public databases, news reports on any adverse governmental action like raids, etc. A good appraisal should also take into account problems brewing in the industry, in the promoters' group, etc. which may show the direction in which a company's operations will go and whether there is inherent resilience in the promoters and the project to face rough weather and come out unscathed.

25. While diligent appraisal is a major factor in eliminating dodgy borrowers, subsequent monitoring also plays a vital role in identifying potential frauds. In many cases we find that the discovery that stocks have been clandestinely sold, diversion to related parties and siphoning off of funds have taken place and documents provided had been fabricated, is made after the account shows stress and becomes an NPA. Any action taken at that stage is as useful as locking the proverbial stable doors after the horse has bolted.

26. It is obvious that if anyone wants to identify potential frauds before they happen, it is possible only by continuous monitoring. We have therefore prescribed stage wise actions in the life cycle of a loan account and also prescribed actions that a bank may take in each stage to safeguard its interest. A system of identifying Red Flagged Accounts based on Early Warning Signals has been put in place. A red flagged account is one where a suspicion of fraudulent activity is thrown up by the presence of one or more Early Warning signals. The presence of these signals should trigger a detailed investigation into the RFA.

27. As one of the major problems in fraud risk management was time delays in dealing with a fraud, we have prescribed time limits within which certain actions like investigating for fraud should be completed and a decision on whether an account is indeed a fraud or not is made. Similarly the delays and divergent stands taken by banks in a consortium or multiple banking arrangements have also been tackled by spelling out time lines for actions like informing other banks of a Red Flagged Account, commissioning a forensic audit and arriving at a consensus/majority decisions, etc. If frauds have to be minimised it is not enough to tighten the actions incumbent on banks alone. In preventing frauds a major part is played by the deterrent actions and punishments that are meted out to the fraudsters. Towards this end henceforth the fraudster borrowers will not be able to avail bank finance for five years after full repayment of the dues. This is of course in addition to the criminal complaints to be filed with police or CBI. This is expected to build in a disincentive for any borrower to consider committing a fraud on banks.

28. As I mentioned earlier, containing frauds means focussed action by all stakeholders, not leaving any flank uncovered. One of the flanks was the criminal investigations done by law enforcement agencies and bringing to book fraudsters soon after a fraud is committed. To facilitate this and smoothen the process of commencing the investigations the Reserve Bank has been working with the Ministry of Finance and coordinated actions have been initiated.

Fraud prevention

29. I have dwelt on loan frauds at length as they form a major portion of frauds reported by banks. However the aspects of continuous monitoring and timely action on the basis of any early warning signals apply equally well to other types of fraud like deposit frauds, cyber fraud, etc.

30. It is here that I am sure that adhering to the KYC norms and real time transaction monitoring, transaction analysis, centralized databases, etc. rigours will come in handy for banks.

Fraud risk and governance

31. It is when we think of the dynamic nature of frauds' landscape that we need to pay attention to certain systems and enduring values in a bank. Without a strong system guiding the anti-fraud initiatives of a bank, the responses to quick changing fraud risks may end up being knee jerk reactions than the flexible and appropriate measures that are called for. This requires a look at the corporate governance in banks and board level ownership of the anti-fraud initiatives.

32. The Board of a bank should be proactive in understanding the fraud risks facing the bank and also put in place a robust anti-fraud machinery. They should have a deep understanding of the institution's strengths and weaknesses and be able to steer the institution in the right direction. For this they need to retain their common sense in the face of an information overload. As a famous saying goes, you can find out if a man is clever by his answers, but you can find out if a man is wise by his questions (Naguib Mahfouz). As another saying goes, the wise man doesn't give the right answers, he poses the right questions (Claude Levi-Strauss).

33. The Board needs to ask the right questions. They need to assess the robustness of the internal controls, with each new threat detected and be in a position to get the data analysed in a holistic fashion.

34. Our recent initiatives in separation of the post of Chairman and Managing Director in banks are also aimed at giving the much needed breadth of vision to the Chairman without being harried by the day to day running of a huge organisation.

35. The Board needs to show the way by enunciating the ethical values of the bank and by exemplary actions when frauds and insider collusions are detected. Another way to empower the employees is to put in place a whistle blower policy and having a standard and impartial procedure to deal with such complaints. That the bank will deal firmly and consistently with any fraud and employees can without fear escalate their concerns and insights on potential frauds to the Top Management will send out a strong message and convince each employee to own the anti-fraud initiative of the bank. It will not be the preserve of the Board, the chief executive officer or the fraud monitoring department of a bank alone.

Conclusion

36. To conclude, let me say that the fraud preventing and corrective measures and principles are not confined only to the Boards of banks. As the members of ASSOCHAM can readily empathise, these are needed in all the enterprises. The ethical values in business serve as beacons for businesses; though buffeted by economic downturns, and by the pressures to be profitable, the ethical values will dictate that the enterprises avoid the perilous temptations of the fraud triangle - that of pressures, opportunities (gaps in systems) and rationalisation.

37. I thank ASSOCHAM for giving me the opportunity to share my perspectives on Financial Frauds and wish the conference all success.

38. Thank you very much for your patient attention.