In any organization, internal controls are an essential mechanism for ensuring that people, processes and systems function as intended and for flagging any actual or potential deviation from accepted norms. Some types of internal controls relate to “horizontal” functions like Processes and Systems, while other types relate to “verticals” such as Finance, Purchase and Manufacturing.
At the heart of every internal control is a set of clearly defined steps that specify the checkpoints a function must pass through. For example, making a car part involves many processes and many people. Making a sub-assembly consisting of many parts is more complex still, and using many sub-assemblies in the manufacture of a vehicle is far more complex again. Now that you have some idea of how complex some processes can be, just imagine the hyper-complexity of the assemblies put together in the making of the Chandrayaan rocket to the moon.
The thought that should keep senior management up at night is: “What if a tiny part in the assembly should fail? Or, what if a line of code in the software overlooks a condition or is not designed to handle that condition?” In a manufacturing assembly that would mean stoppage of the line, leading to many angry senior management faces, not to mention a huge loss of money. In a mammoth endeavour like a spacecraft, a tiny fault can result in hundreds of crores of losses, not to mention the time lost and dreams shattered. In the case of an aircraft, it may result in loss of lives. Moving on to the finance industry, such scenarios may cause millions of dollars of losses to the company, the public and other institutions in the value chain. These failure points can be either intentional, as with rogue traders in financial firms, or accidental, as with an undiscovered part failure in an assembly.
So how does a company take proactive measures to avoid such failures? The answer lies in strict internal controls. A key aspect of internal controls deals with the risk of failure, the quantification of that risk, and how to minimize and manage it. How does one determine at which points to insert controls? Put differently, at what points in the process can a failure be expected to cause significant losses? Enlightened companies use data-driven methodology to identify the vulnerable points in the process. Other tools, like sensitivity analysis, aid in understanding potential losses and therefore play a leading role in designing appropriate control mechanisms to restrict failure.
Internal controls form part of Operational Risk control and mitigation strategies. They are essential no matter which industry the company operates in. In most cases Operational Risk arises out of inadequate checks and balances, or out of operational data and information failing to be communicated to all appropriate functions within the organization. This failure occurs due to faulty design of operational software. In today’s age, where information technology has pervaded every aspect of an organization’s workings, wrong or inadequate design of critical software can leave the organization exposed to disastrous situations. The following is a description of the famous Nirav Modi scam, which occurred as a result of a lack of internal controls in banking operations at PNB, India’s 2nd largest bank at that time.
Punjab National Bank – Nirav Modi and Mehul Choksi Scam
Perhaps there is no other scam in Indian banking history like the $2 Billion PNB-Nirav Modi scam.
The plot of the scam was hatched in the Brady House branch of PNB in Mumbai, as early as 2010. While diamond billionaire Nirav Modi was the “brain” behind the scam, its execution was faithfully and quietly carried out by the “worker bee”, Deputy Manager Gokulnath Shetty. Shetty joined PNB in 2010 in the forex division. As early as March 2011, he became the vortex of the scam when he issued $15 million worth of fake bank guarantees (Letters of Undertaking or LOUs) to many Nirav Modi firms. Usually, when someone wants a bank guarantee, the bank would look for collateral or a security deposit. Corrupt bank officials bypassed this requirement and “gifted” Modi bank guarantees without any collateral.
This is where the first failure occurred: there was no oversight of the process of issuing these LOUs, nor was there a red flag that travelled up the corporate hierarchy. As part of a well-thought-out plan, none of these fake transactions were entered into the bank’s Core Banking System (CBS). The CBS would have caught this scam at some point or other. However, Shetty and gang very cleverly bypassed the CBS and entered the details only in the SWIFT system of the bank. SWIFT is a worldwide financial information messaging system used by most banks and financial institutions in the world. By not entering the data in the CBS, the corrupt officials hoped to be insulated from oversight by other parts of the bank. In effect, the SWIFT system and the CBS were two isolated “Islands of Automation” with no communication between them.
Modi in turn took those bank guarantees or LOUs and used them as collateral to obtain billions of dollars of loans from the foreign branches of Indian banks. After all, why would these foreign branches not issue loans to Modi when he was showing bank guarantees from a top Indian bank? With that money he and his uncle, Mehul Choksi, closed out their previous loans and siphoned money out to 130 shell companies across the world. For seven years this gang operated in the shadows, while the bank was completely oblivious of the scam right under its nose. This tight gang acted in a complementary manner and comprised people across the hierarchy, from clerks to forex managers, regional office heads and auditors. The lack of strict controls, paper trails, monitoring and integration of the SWIFT system with the CBS provided a golden opportunity for the scamsters to execute their plan.
Investigators revealed that PNB’s international banking operations were not integrated with its CBS, leading to islands with no communication. A simple act of daily reconciliation of SWIFT messages with the CBS would have resulted in reports transmitted across senior management and risk management groups, which would have identified the fraud. In addition, false compliance certificates were issued signalling that the branch’s controls were adequate. Funnily, senior managers visited the branch 10 times between 2010 and 2017. None of them questioned the lack of a paper trail or the existence of so many LOUs issued to the same firms. According to media reports, in 2016 the same Brady House branch flagged 18 observations as critical, 5 of them being “zero-tolerance” issues. However, nothing was done by senior management to address this lacuna.
Another contributor to the scam was the fact that Shetty, being a junior official, had permission to authorize transactions only up to 2.5 million rupees. However, a lack of internal controls and oversight allowed him to far exceed his limits. It was also revealed that, a few weeks before his retirement, Shetty used his personal email 22 times to reconcile 18 forex transactions to whitewash his crimes. This was in clear violation of the bank’s email policy. This too went unnoticed by the bank’s internal controls. PNB’s HR policy clearly stated that no officer should remain in the same position for more than 3 years, but Shetty seemed to have Dame Luck shining on him: his tenure was extended to 7 years, adequate time to issue around 1200 fake transactions for Nirav Modi.
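The daily SWIFT-to-CBS reconciliation and the per-official authorization limit described in the two paragraphs above can be expressed as a single automated check. The following is an added illustration, not PNB's or any vendor's code: the record fields, reference numbers, operator IDs and the senior limit are constructed assumptions, and only the 2.5 million rupee junior limit comes from the article.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SwiftMessage:
    ref: str            # guarantee reference (hypothetical field)
    operator: str       # staff ID that released the message
    beneficiary: str
    amount_inr: Decimal

# Constructed sample data: one day's outbound guarantees and the CBS ledger.
SWIFT_LOG = [
    SwiftMessage("LOU-001", "op_junior", "Firm A", Decimal("2000000")),
    SwiftMessage("LOU-002", "op_junior", "Firm B", Decimal("90000000")),
    SwiftMessage("LOU-003", "op_junior", "Firm B", Decimal("1500000")),
    SwiftMessage("LOU-004", "op_senior", "Firm C", Decimal("50000000")),
]
CBS_LEDGER = {"LOU-001": Decimal("2000000"), "LOU-004": Decimal("5000000")}
# 2.5 million rupees is the junior-official limit stated in the article;
# the senior limit is an assumed value.
LIMITS_INR = {"op_junior": Decimal("2500000"), "op_senior": Decimal("100000000")}

def reconcile(swift_log, cbs_ledger, limits):
    """Return (ref, finding) pairs for every message that fails a check."""
    findings = []
    for msg in swift_log:
        booked = cbs_ledger.get(msg.ref)
        if booked is None:
            findings.append((msg.ref, "NO_CBS_ENTRY"))
        elif booked != msg.amount_inr:
            findings.append((msg.ref, "AMOUNT_MISMATCH"))
        # Unknown operators get a zero limit, so they are always flagged.
        if msg.amount_inr > limits.get(msg.operator, Decimal("0")):
            findings.append((msg.ref, "OVER_OPERATOR_LIMIT"))
    return findings

def unbooked_by_beneficiary(swift_log, cbs_ledger):
    """Count guarantees per beneficiary that never reached the CBS."""
    return Counter(m.beneficiary for m in swift_log if m.ref not in cbs_ledger)

if __name__ == "__main__":
    for ref, finding in reconcile(SWIFT_LOG, CBS_LEDGER, LIMITS_INR):
        print(ref, finding)
    print(dict(unbooked_by_beneficiary(SWIFT_LOG, CBS_LEDGER)))
```

The findings are only useful if they are routed to a function outside the issuing branch, since the people releasing the messages are the ones the check is meant to catch.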
Such a big scam, which cost the bank and ultimately the taxpayer $1.2 Billion, occurred due to absent or lax internal controls, the breakdown of existing controls, the lack of integration of disparate systems and platforms, and senior management failing, wilfully or otherwise, to provide oversight across the branch, region and bank. Cumulatively these issues led to severe losses, a dramatic drop in the stock price, and a jolt to the banking system. Unfortunately, only 3 people including Shetty were arrested, while senior management, from Sunil Mehta, MD, downwards to Rajesh Jindal, GM of Brady House branch, were either untouched or were granted bail. A government which means business would ideally have sacked the MD of the bank to set an example to other banks to tighten their internal controls.