19 March 2018

Indian banks with outdated software: Easy targets for fraud

Rohan Jahagirdar

The timing of the recent Punjab National Bank — Nirav Modi scam couldn’t have been worse. After just having committed to pay for a giant recapitalization package to bail out the banks’ for bad loans, the public trust in banking system is at its lowest. Some commentators have suggested big bang reforms like complete privatization of banking systems while others think we need better regulatory oversight. However, very few have focused on a crucial aspect that enabled the fraud: the bad, old tech used by the bank.

Unpacking the details of the scam reveals that it was carried out by two PNB employees who used the international payment system, SWIFT messages, to send out guarantees to private persons, bypassing the main accounting system of the bank. Why were these SWIFT messages not being represented in the accounts? This seems like an elementary thing a bank’s software system is supposed to do.

There are multiple elements to this scam. The media and experts have rightly questioned the role of the supervisors, auditors and management of PNB. But the story that a couple of branch employees of a large bank could actually commit a fraud by easily bypassing the systems points to a fundamental problem; it reeks of poor software design.

This is not the first time banks have fallen prey to incompetent software design practices. A recent study by IIM Bangalore noted that Public Sector Banks in India lost at least Rs. 227.43 billion (Rs 22,743 crore) owing to fraudulent banking activities between 2012 and 2016.

Indian customers are among the unhappiest in the world as indicated by customer satisfaction scores. Source: a study conducted by the Indian Customer Satisfaction Index in 2016.

While it certainly is true that all frauds can’t be fixed with better software systems alone or that systems can never be completely fraud proof, there clearly is significant room for improvement.

Legacy systems, lumbering dinosaurs

Most banks rely on old school banking technologies that haven’t changed at all. If you were looking to count the number of tech innovations to have come from banking industry in the last few years, you wouldn’t need more fingers than the ones on one hand. A quick comparison between your bank’s internet banking interface and that of other tech companies like Uber or Netflix will tell you that our banking tech has been stuck in a time warp.

The rise of challenger banks

It’s not that banking systems in India alone have been slow to adapt to changes; many banks in the US still use COBOL — read Latin in programming languages — while several in the EU and the UK still employ old mainframes, a technology developed in the 60s. But regulators in the EU recently rose to address some of these challenges by mandating banks to open up their backend systems to third party apps through the PSD-2 directive. This means that tech companies like Facebook and Google would be able to offer services only banks could otherwise offer.

In the UK, financial regulator, FCA (Financial Conduct Authority) has set up an encouraging environment for FinTech startups that has engendered a slew of app-only startup banks like Monzo, Atom, Starling among others.

Challenger banks like Monzo are seeking to build new banking systems grounds-up. Source: Monzo Press Kit

Compare this with India, where starting a bank requires promoters to have over 10 years of experience in banking and finance at a senior level and a minimum paid capital of Rs. 5 bn.

The new digital banks, often dubbed as “challenger banks” are unencumbered by old tech that keep banks from innovating. Instead, they are building core banking systems from scratch that are responsive, agile and acknowledge the differentiated needs of the smartphone generation. With an estimated value of £20 billion, FinTech is now the UK’s fastest growing industry and London has become the FinTech capital of the world.

Lessons for now

First, let us recognize that banking is a technology-intensive operation and give tech it’s due. To think of technology as an ancillary thing that merely supports banking functions doesn’t do justice to the reality. Considering how everything else online — with the exception of banks — is constantly improving, we need to seriously increase our expectations from banks.

Second, regulators need to start providing banks that want to change a fail-safe environment to do so. The back-end of the banks today are black-box systems that operate in silos. They remain inaccessible to external parties and the regulatory overtures make them wary of trying out anything new. The FCA in the UK, for example, has set up a “sandbox” for tech companies to try out products. This helps startups gain a better understanding of the regulations while the FCA benefits from seeing what’s out there, and establishing an environment that’s conducive to innovate.

As for the PNB scam, the question remains whether reconciliation between SWIFT and core banking transactions could have saved taxpayers a massive bill of Rs 11,450 crore. At the very least, the incident behooves us to demand genuine improvements in practices that can put India on a path to a better functioning financial system. 





No comments: