The RBI ban on banks issuing LoUs and “comfort letters” has come not a day too soon. That should put an end to any new violations of the kind that have jolted the entire banking system and raised new questions on the quality of supervision and governance. While the PNB case is being investigated (and this will hopefully help the nation trace the funds taken by Nirav Modi or his associates), there can be no comfort until all the LoUs issued by all banks over the last decade are reported and analysed. The nation can afford nothing less than a full-fledged and transparent account of the letters so issued, the liabilities they raised, how many of such liabilities are still outstanding and how many of them stand extinguished and how. This is, in short, a fit case for a forensic audit across banks. In fact, many banks have already begun such a process and those that have not should be compelled to do so without any further delay, if necessary by a regulatory order.
But the audits are by no means an easy task given the complex nature of the transactions, compounded further by reports of deep-rooted connivance between multiple parties at various levels to defeat checks and balances in the system. Most forensic auditors are currently busy with:
i) LoU reconciliations: Examining and reconciling data for the last seven to ten years relating to LoUs given, settled, and outstanding,
ii) Data analysis: Performing the appropriate LoU and fund movement data analysis,
iii) Evaluation of the control environment: By making appropriate inquiries with bank staff, customers and their employees, and,
iv) Documentary checks: Verifying all relevant documentary evidence in a conventional manner.
All these steps are excellent and much needed, but may not be enough to get a comprehensive evaluation and to quantify the magnitude of the fraud, the modus operandi and the existence of other related frauds. The obvious “papers-amounts-people” checks must therefore be accompanied by a macro-cum-micro analysis to ferret out the full nature of what has been going on under the guise of LoUs.
For example, the macro approach should include a deeper check in all cases where the relevant staff has not been transferred out for a period of over three years. Any particular employee or groups of employees who have been too long in the LoU or credit appraisal function without rotation will merit an investigation. During this period, if any consultant, third party or contractual staff have been regularly included, the rights and privileges given to them must be checked and investigated.
All banks are supposed to report instances of attempted fraud to the RBI. This data for the last 10 years relating to all attempted frauds (already available in all banks and with the RBI) must be studied, especially cases concerning LoUs, guarantees and LCs. This is a very effective method of understanding the mindset of fraudsters and exposing other unknown methods of fraud adopted, and it would be useful for the RBI itself to pursue further investigations because that may disclose an organised crime on a larger level.
On a micro approach, forensic auditors must use unconventional methods. An example of this is the simple “juxtaposition test” wherein two or more documents, pictures, letters, records are placed side by side to study differences and similarities. These tests have been applied in several situations successfully. In one instance, subtle differences were found between two copies of the minutes in possession of different Directors. No one would imagine that the LoU copies within departments of the bank, as well as those with the overseas bank, and the customers, may be different! If this simple test of juxtaposition is performed, not only on LoUs but also on important agreements, LCs, etc., the results may be unbelievable and reveal fraud previously not envisaged.
A version of the Relative Size Factor (RSF) test, used to check for unusual fluctuations in ledger entries, could be used to spot customer-wise outliers in the number of days’ usage of LoUs, amounts granted in excess of the approved limit, margins waived, etc., which would show favouritism. Data congruency tests on even non-financial data, such as comparing the addresses and telephone numbers of customers with those of employees, would also possibly expose the nexus between customers and employees. The services of the digital forensics expert would have to be used imaginatively to detect any system breaches, analyse logs and identify the use of overriding instructions to bypass system controls. A trend analysis and pinning down authorisation with respect to such abuse would help to rope in the wrongdoers quickly.
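The two data tests described above can be sketched as follows. This is an added example, not the writer's own tooling: the records, field names, phone numbers, the RSF cut-off of 5.0 and the choice to compare the last eight digits of a phone number are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data; identifiers and values are illustrative assumptions.
LOUS = [  # (customer, LoU amount)
    ("CUST-A", 100.0), ("CUST-A", 110.0), ("CUST-A", 95.0), ("CUST-A", 105.0),
    ("CUST-B", 100.0), ("CUST-B", 120.0), ("CUST-B", 90.0), ("CUST-B", 980.0),
    ("CUST-C", 50.0),
]
CUSTOMER_PHONES = {"CUST-A": "+91 22 5550 0101", "CUST-B": "022-5550-0199"}
EMPLOYEE_PHONES = {"EMP-17": "(022) 55500199", "EMP-23": "022 5550 0142"}

RSF_THRESHOLD = 5.0  # assumed cut-off; tune per portfolio


def relative_size_factors(records):
    """RSF per customer = largest value / second-largest value in that subset."""
    by_customer = defaultdict(list)
    for customer, amount in records:
        by_customer[customer].append(amount)
    rsf = {}
    for customer, amounts in by_customer.items():
        if len(amounts) < 2:
            continue  # RSF is undefined for a single record
        top, second = sorted(amounts, reverse=True)[:2]
        if second > 0:
            rsf[customer] = top / second
    return rsf


def rsf_outliers(records, threshold=RSF_THRESHOLD):
    """Customers whose largest LoU dwarfs their next largest one."""
    factors = relative_size_factors(records)
    return sorted(c for c, v in factors.items() if v >= threshold)


def normalise_phone(raw, digits=8):
    """Keep the last `digits` digits so formatting and prefixes cannot hide a match."""
    return re.sub(r"\D", "", raw)[-digits:]


def congruent_contacts(customers, employees):
    """Return (customer, employee) pairs that share a normalised phone number."""
    index = defaultdict(list)
    for emp, phone in employees.items():
        index[normalise_phone(phone)].append(emp)
    return sorted((cust, emp) for cust, phone in customers.items()
                  for emp in index.get(normalise_phone(phone), []))


if __name__ == "__main__":
    print("RSF outliers:", rsf_outliers(LOUS))
    print("Shared contacts:", congruent_contacts(CUSTOMER_PHONES, EMPLOYEE_PHONES))
```

The same RSF function applies unchanged to days of LoU usage or margins waived; a flagged customer or a shared contact is a lead for the documentary checks, not a finding in itself.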
It may be worthwhile for the regulatory agencies like the RBI to bring in a co-ordinating forensic expert to understand and evaluate the reports and views of various forensic experts appointed by various banks and the enforcement agencies. This will bring greater clarity, enable quicker picking up of lines of further investigation and facilitate incorporation of better and stronger control systems. If the credibility of the system has to be preserved, it is critical that not only are frauds prevented in the future but this one is dealt with in a manner that sends out clear signals that the guilty will be pursued and brought to book, no matter what it takes.
(The writer is a Mumbai-based forensic auditor who has worked with corporates and government agencies to investigate large value financial crimes)