There’s one thing particularly alarming about India’s greatest banking heist: cyber crime had nothing to do with it. There are no nameless, invisible tech geniuses hacking into computer systems to be blamed. Rather, it was corrupt employees at a single branch using the SWIFT network (The Society for Worldwide Interbank Financial Telecommunication) who carried it out for years.
These days, the narrative of hacking is oddly comforting. It doesn’t imply corruption going all the way to the top, or at the very least, it means there isn’t a complete breakdown of the security of the banking system. Criminals were simply doing what criminals do. Everyone can shake their fists at technology for changing at breakneck speed and move on.
Nirav Modi’s swindle of $1.8 billion from India’s second largest state-run lender, Punjab National Bank (PNB.BO), is much less elegant.
The bank had said in its statement to exchanges that the fraudulent letters of credit that allowed the diamond merchant's companies to avail loans worth $1.8 billion were “made by the branch officials through SWIFT without obtaining approval of the competent authority, necessary applications from Importer, documents of import, legal documentation with bank and also without making entries in Bank's trade finance module of CBS (core banking solution).”
PNB blamed two junior level employees in its statement for issuing the illegal letters and sending the SWIFT messages that weren't recorded on the internal system.
Which raises the question, are all banks using SWIFT vulnerable to this sort of fraud or does the PNB case involve an exceptional level of negligence or collusion?
The SWIFT network, operated by a Brussels-based consortium and used by over 11,000 financial institutions, has been used in bank heists before.
Russia’s central bank recently said hackers stole $6 million from one of the country’s banks using the SWIFT network last year. The hackers took control of a computer at the bank and used it to transfer money to their own accounts. Similarly, in 2016, hackers made away with an eye-popping $81 million from the central bank of Bangladesh by using SWIFT credentials of employees. An Ecuadorean bank said it lost $12 million in a 2015 heist where the cyber criminals used SWIFT codes.
SWIFT rejected taking any responsibility for such incidents. In a letter to bank customers in 2016, the group said banks are solely responsible for the security of their systems. “Customers are responsible for all messages signed with their certificates and, of course, for protecting their certificates and ensuring only duly authorized operators can use them to sign messages,” a spokeswoman told Reuters at the time. “SWIFT is not, and cannot be, responsible for messages that are created fraudulently within customer firms.”
Gartner analyst and financial fraud expert Avivah Litan has said in the past that it was shocking to her that SWIFT relied so heavily on authentication instead of “very basic fraud-detection controls” like looking for abnormal payees, looking for remote account takeover and looking for abnormal access.
But the Modi fraud is very different from these heists, because although new details emerge daily, the bank has not alleged hacking and the focus has been on insiders. A week since the fraud first came to light, six employees of Punjab National Bank have been arrested by federal investigators. The highest ranking of these is a man who headed the bank's Brady House branch from 2009 to 2011.
Like Taking Candy From a Baby
The bank’s explanation for how the letters were given without detection for years is that the transactions were not recorded on its internal system because SWIFT wasn’t integrated with it.
“Unless the control environment was very lax or there was collusion, it would be difficult to process SWIFT transactions which are not authorized and entered into core banking. Several controls should have triggered an alert,” said Rakesh Asthana, CEO of World Informatix Cyber Security, whose company was hired to oversee the investigation of the Bangladesh Bank heist.
These controls include segregation of duties: banks using SWIFT usually have one person entering a transaction, a separate person approving the transaction and a third person verifying all transactions. He also said that PNB could have set up SWIFT Daily Validation Reports to reconcile totals and transactions every morning.
But most importantly, a bank's system not being linked to SWIFT, as was the case at PNB, is very rare in the global financial world, according to Asthana.
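The two controls Asthana describes can be sketched as a daily check. This is an added example, not code from PNB, SWIFT or the original article; the record layout, field names and sample data are constructed assumptions, not a real SWIFT or core banking schema.

```python
from collections import defaultdict, namedtuple
from decimal import Decimal

# Hypothetical record layouts for one day's outbound messages and CBS entries.
SwiftMsg = namedtuple("SwiftMsg", "ref amount currency maker checker verifier")
CbsEntry = namedtuple("CbsEntry", "ref amount currency")

def reconcile(swift_log, cbs_entries):
    """Return {ref: [findings]} for each sent message that fails a control."""
    cbs = {e.ref: e for e in cbs_entries}
    findings = {}
    for m in swift_log:
        issues = []
        entry = cbs.get(m.ref)
        if entry is None:
            # Message left the bank with no record in core banking.
            issues.append("NO_CBS_ENTRY")
        elif (entry.amount, entry.currency) != (m.amount, m.currency):
            issues.append("AMOUNT_MISMATCH")
        roles = [m.maker, m.checker, m.verifier]
        # Segregation of duties: three distinct people, none missing.
        if None in roles or len(set(roles)) < 3:
            issues.append("SOD_VIOLATION")
        if issues:
            findings[m.ref] = issues
    return findings

def totals_gap(swift_log, cbs_entries):
    """Per-currency total sent over SWIFT minus total booked in CBS."""
    gap = defaultdict(Decimal)
    for m in swift_log:
        gap[m.currency] += m.amount
    for e in cbs_entries:
        gap[e.currency] -= e.amount
    return {cur: amt for cur, amt in gap.items() if amt != 0}

# Constructed sample data for one business day.
SWIFT_LOG = [
    SwiftMsg("LC-0001", Decimal("250000.00"), "USD", "op_a", "op_b", "op_c"),
    SwiftMsg("LC-0002", Decimal("4000000.00"), "USD", "op_a", "op_a", "op_c"),
    SwiftMsg("LC-0003", Decimal("900000.00"), "USD", "op_b", "op_c", "op_d"),
]
CBS_ENTRIES = [
    CbsEntry("LC-0001", Decimal("250000.00"), "USD"),
    CbsEntry("LC-0003", Decimal("90000.00"), "USD"),
]

if __name__ == "__main__":
    print(reconcile(SWIFT_LOG, CBS_ENTRIES))
    print(totals_gap(SWIFT_LOG, CBS_ENTRIES))
```

The check only has value if its two inputs come from independent systems and are reviewed by someone outside the branch that sent the messages.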
There is also the question of how the transactions got past the bank’s auditors.
“Ultimately it is also a cash flow issue,” said Asthana in an email to Investopedia. “So it is not clear to me what the internal and external auditors did, whether they were thorough in their audits. If they did have any audit objections and management did not act that would mean a much larger conspiracy going up the management chain. This needs a full investigation to establish who knew what when.”
“Any business activity undertaken by the bank is audited not only by the internal audit team of the bank, but also the concurrent auditors auditing a single branch, it is shocking that such an incident went unnoticed by not only auditors, but also the senior bank staff as well,” said an anonymous banker to the Economic Times. “Audits look at the companies approved to do business, the bills that are funded, letters of credit issued, short-term funding tools etc.”
Research Analyst Deepak Shenoy of Capital Mind said, “On the face of it, it looks like the ex-employee is being used as a scapegoat. It’s likely that a lot of people were in on this thing. And that it generated massive, fat fees for PNB all these years.”
The incident has also drawn attention to the various previous frauds that have occurred at PNB and India’s other nationalized banks. Reserve Bank of India data obtained by Reuters shows state-run banks have reported 8,670 “loan fraud” cases totaling 612.6 billion rupees ($9.58 billion) over the last five financial years up to March 31, 2017. PNB topped this list with 389 cases totaling 65.62 billion rupees ($1.03 billion) over the last five financial years.
Could SWIFT Do More?
SWIFT operates like a complex messaging system and does not take responsibility for the manner in which fraud controls are put in place by its customers.
“SWIFT can make some of the key elements mandatory instead of leaving it up to customers who have varying degrees of controls and cyber security knowledge,” said Asthana when asked if the network could do more to prevent such costly incidents.
SWIFT has recognized the need to at least be the whistleblower in some cases. In April 2017, it introduced the Customer Security Controls Framework, which describes a set of mandatory and advisory security controls for customers. Banks were asked to self-attest their level of compliance by the end of last year, and SWIFT warned that it reserves the right to inform financial supervisors if they don't. The press release announcing that 89 percent of customers attested their compliance doesn't mention if financial supervisors of the remaining 11 percent have been alerted since the start of the year. From January 2019, it extends its right to report users who have failed to comply with the most crucial security controls.
It’s important to remember that in January 2018, SWIFT recorded an average of 30.32 million messages per day and is used in 200 countries. It is a member-owned cooperative, and making sure banks are more disciplined would be a herculean, expensive task: it would mean fixing what is essentially rot in the administration of individual banks it has little to do with, to protect the money of people it doesn’t work for.
SWIFT’s reputation takes a hit after every cyber crime, but there are plenty of people to take the blame when it comes to the latest PNB fraud. The investigation appears to have just scratched the surface of what experts think is a much bigger conspiracy, and questions regarding the lack of oversight are ultimately something the Punjab National Bank and India’s government will have to answer. SWIFT provided PNB with more tools to protect itself, tools which were unfortunately not used.
On Tuesday, the Reserve Bank of India released a statement saying it had cautioned and alerted banks about the need to prevent any "potential malicious use of the SWIFT infrastructure" at least three times since August 2016. It has now mandated the banks to implement prescribed measures before a stipulated deadline. The central bank has also created a committee to look into "the reasons for high divergence observed in asset classification and provisioning by banks vis-à-vis the RBI’s supervisory assessment, and the steps needed to prevent it; factors leading to an increasing incidence of frauds in banks and the measures (including IT interventions) needed to curb and prevent it; and the role and effectiveness of various types of audits conducted in banks in mitigating the incidence of such divergence and frauds."
Investopedia reached out to SWIFT and received the following statement: “SWIFT does not comment on individual customers or entities. When a case of potential fraud is reported to us, we offer our assistance to the affected user to help secure its environment.” It sent an addition to the statement after publication: “To be clear, there is no indication that the SWIFT network has ever been compromised.”