Dr. Rana Kapoor, President, ASSOCHAM and MD & CEO, Yes Bank; Shri M. J. Joseph, Additional Secretary and Chief Vigilance Officer, Ministry of Corporate Affairs, Ms. Preeti Malhotra, Chairperson, ASSOCHAM National Council for Corporate Affairs; senior members from the financial services industry; delegates to the conference; members of the print and electronic media; ladies and gentlemen. It is a pleasure to be here this morning to deliver the inaugural address at the National Conference on “Financial Frauds -Risk & Prevention.”

2. We all know that fraud, and more so, the financial frauds have been in existence for a very long time. Some may be surprised, but, it is interesting to note that Kautilya, in his famous treatise “Arthashastra” penned down around 300 BC, painted a very graphic detail of what we, in modern times, term as ‘fraud’. Kautilya describes forty ways of embezzlement, some of which are: “what is realised earlier is entered later on; what is realised later is entered earlier; what ought to be realised is not realised; what is hard to realise is shown as realised; what is collected is shown as not collected; what has not been collected is shown as collected; what is collected in part is entered as collected in full; what is collected in full is entered as collected in part; what is collected is of one sort, while what is entered is of another sort.” As you would all agree, some of the above actions continue to be the modus operandi adopted in many instances of financial fraud that have hit the headlines in recent times. This shows that very little has changed over such a long period in the basics of fraud and brings me to the question why has ASSOCHAM now been forced to devote an entire day for deliberating the issue.

3. Statistics quoted in a recent report by the Association of Certified Fraud Examiners’ (ACFE) 2012 titled “Report to the Nation on Occupational Fraud and Abuse” may have some answers.The report has estimated that a typical organization loses 5% of its revenues to fraud each year and cumulative annual fraud loss globally during 2011 could have been of the order of more than $3.5 trillion. The amount involved in the frauds reported by the banking sector in India has more than quadrupled from Rs. 2038 crore during 2009-10 to Rs. 8646 crore during 2012-13. Similarly, another report has estimated the losses of the Indian insurance companies at a whopping Rs.30, 401 crore in the year 2011 due to various frauds which have taken place in the life and general insurance segments. The losses work out to about nine per cent of the total estimated size of the insurance industry in 2011. Enron, Worldcom and more recently, the Libor manipulation scandals, have caused major upheavals in western nations and their impact has been felt not only in the individual institutions or countries but across the global financial system. India too has witnessed a spate of fraudulent activities in the corporate sector over the last decade in the form of Satyam, Reebok, Adidas, etc. The ACFE report further mentions that as in the previous years, banking and financial services industry continues to be among the most commonly victimized sectors as far as fraud is concerned. What the above statistics reveal is that the frequency, volume and the gravity of instances of fraud across various sectors, particularly in the financial sector, has gone up tremendously over the past few years. With the sweeping changes in the scope and magnitude of banking transactions witnessed in the past few decades, the emergence of hybrid financial products, the increasing trend of cross border financial transactions and the dynamics of real-time fund movement and transformation, the vulnerability of the system to the menace of fraud has become higher than ever before. Against this backdrop, in my address today, I intend to primarily focus on the trend of frauds in the banking sector, the causative factors, share my concerns as the banking supervisor and highlight the touchstones of a robust fraud risk management and control framework in banks.

Definition of Fraud

4. Before I proceed any further, let us revisit the definition of the term ‘Fraud.’ Fraud can loosely be defined as “any behavior by which one person intends to gain a dishonest advantage over another". In other words, fraud is an act or omission which is intended to cause wrongful gain to one person and wrongful loss to the other, either by way of concealment of facts or otherwise. Fraud, under Section 17 of the Indian Contract Act, 1872, includes any of the following acts committed by a party to a contract, or with his connivance, or by his agents, with intent to deceive another party thereto or his agent, or to induce him to enter into the contract:

• the suggestion as a fact, of that which is not true, by one who does not believe it to be true;

• the active concealment of a fact by one having knowledge or belief of the fact;

• a promise made without any intention of performing it;

• any other act fitted to deceive;

• any such act or omission as the law specially declares to be fraudulent.

5. RBI had, per se, not defined the term ‘fraud’ in its guidelines on Frauds. A definition of fraud was, however, suggested in the context of electronic banking in the Report of RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, which reads as under:-

‘A deliberate act of omission or commission by any person, carried out in the course of a banking transaction or in the books of accounts maintained manually or under computer system in banks, resulting into wrongful gain to any person for a temporary period or otherwise, with or without any monetary loss to the bank’.

Frauds in the banking sector: Some statistics

6. Though RBI had not given a specific definition of the term, it has, for quite some time now, been monitoring the nature, volume and magnitude of frauds in certain sections of the financial sector that fall under its jurisdiction. The reporting of fraud cases by banks was prescribed by RBI way back in July 1970. In 2005-06, the prescription of reporting of fraud cases was extended to urban cooperative banks and deposit taking NBFCs registered with RBI. In March 2012, NBFC-ND-SIs (systemically important, non-deposit taking NBFCs) having asset base of Rs. 100 crore and above were also brought under the reporting requirements. While online reporting and monitoring of fraud cases by the banks has been in place since May 2004, the reporting by UCBs and NBFCs is still in manual format.

7. A comparative picture (Table 1) of total number of fraud cases and amount involved as on March 31, 2013 for scheduled commercial banks, NBFCs, Urban Cooperative banks, and Financial Institutions is as under:

8. As is evident from the above table, the cumulative number of frauds reported by the banking sector and the total amount involved in these fraud cases have a major share in the frauds reported by all entities under RBI’s supervisory jurisdiction. A year-wise break up of fraud cases reported by the banking sector together with the amount involved is given in Table 2 below:

9. It may be observed that while the number of fraud cases has shown a decreasing trend from 24791 cases in 2009-10 to 13293 cases in 2012-13 i.e. a decline of 46.37%, the amount involved has increased substantially from Rs 2037.81 crore to Rs. 8646.00 crore i.e. an increase of 324.27%. A granular analysis reveals that nearly 80% of all fraud cases involved amounts less than Rs. one lakh while on an aggregated basis, the amount involved in such cases was only around 2% of the total amount involved. Similarly, the large value fraud cases involving amount of Rs.50 crore and above, has also increased more than tenfold from 3 cases in FY 2009-10 (involving an amount of Rs 404.13 crore) to 45 cases in FY 2013 (involving an amount of Rs 5334.75 crore) (Annex 1). Further, a bank group wise analysis of frauds reveals that while the private sector and the foreign bank groups accounted for a majority of frauds by number (82.5%), the public sector banks (including SBI Group) accounted for nearly 83% of total amount involved in all reported frauds (Table 3 below).

A bank group wise distribution of fraud cases in terms of amount involved and details of year wise closure of fraud cases is also enclosed at Annex 2 and 3 respectively.

10. While the sheer number of frauds and the amount involved, when seen in isolation, may appear overwhelming, it is important to view the incidence of frauds in the banking sector in the context of the massive increase in the number of deposit and credit accounts in banks and the staggering volume and value of transactions that are processed by the banks every day. To put things in perspective, let me quote some statistics again. The number of deposit accounts in the banks over the last ten years (between end 2002 and end 2012) has gone up from 43.99 crore to 90.32 crore while the number of loan accounts in the same period has also more than doubled from 5.64 crore to 13.08 crore. A quick estimate puts the average number of all transactions that happen every day in the banking system at approximately 10 crore, which is enormous. The number of frauds per million banking transactions was about 0.4, which is not a very high figure. Likewise, besides increase in the number of brick and mortar branches, additional service delivery points like ATMs and Point of Sale (POS) terminals have also gone up significantly. While the number of ATM machines has grown from 34789 in March 2008 to 114014 in March 2013, the number of POS terminals has also more than doubled (from 423667 to 845653) during the same period. The point I am trying to drive home here is that on a standalone basis the quantum of frauds, both in terms of number and amount involved, may appear to be very high, but when one weighs it against the sheer magnitude of accounts and transactions handled by the banking system, they are not alarming.

Category of Frauds

11. Broadly, the frauds reported by banks can be divided into three main sub-groups:

1. Technology related
2. KYC related (mainly in deposit accounts)
3. Advances related

A closer examination of the reported fraud cases has revealed that around 65% of the total fraud cases reported by banks were technology related frauds (covering frauds committed through /at internet banking channel, ATMs and other alternate payment channels like credit/ debit/prepaid cards) while the advances portfolio accounted for a major proportion (64%) of the total amount involved in frauds. Table 4 below shows that relatively large value advances related frauds (> Rs. 1 crore) have increased both in terms of number and amount involved over the last four years.

Technology Related Frauds

12. The substantially larger proportion of technology related frauds by number is only expected as there has been a remarkable shift in the service delivery model with greater technology integration in the financial services sector.  Banks are increasingly nudging their customers to adopt newer service delivery platforms like mobile, internet and social media, for enhanced efficiency and cost-cutting. But while banks’ customers have become tech-savvy and started using online banking services and products, evidence suggests that even fraudsters are devising newer ways of perpetrating frauds by exploiting the loopholes in technology systems and processes. There have been several instances of low value frauds wherein the fraudsters have employed hostile software programs or malware attacks, phishing, Vishing (voicemail), SMSishing (text messages), Whaling (targeted phishing on High Networth Individuals) techniques apart from stealing confidential data to perpetrate frauds. Bank group-wise detail of the number of technology related fraud cases with the amount involved therein over the last 4 years is as under in Table 5:

13. The predominance of the new private sector banks and the foreign banks in the number of technology related frauds is intuitive as they lead the technology enabled service delivery in the Indian banking sector. From the above it is evident that though the incidence of cyber frauds is extremely high, the actual amount involved is generally very low. However, let me emphasize that while the amounts involved may be small from banks’ perspective, these are significant from the viewpoint of individuals, who are victims of such frauds. The small value of frauds, therefore, cannot be a comfort to the banks. The banks must realize that the community that uses online banking services is a very powerful group capable of launching scathing attacks using the social media, which can irreparably tarnish the reputation of banks. It is, therefore, in banks’ own interest to ensure that they are constantly on the guard and up to the challenge of providing a secure environment for customers to conduct banking transactions. For this purpose, the banks would need to constantly monitor the typology of the fraudulent activities in such transactions and regularly review and update the existing security features to prevent easy manipulation by hackers, skimmers, phishers, etc. With cyber attack becoming more frequent, RBI has advised banks in February 2013 to introduce certain minimum checks and balances like introduction of two factor authentication in case of ‘card not present’ transactions, converting all strip based cards to chip based cards for better security, issuing debit and credit cards only for domestic usage unless sought specifically by the customer, putting threshold limit on international usage of debit/ credit cards, constant review of the pattern of card transactions in coordination with customers, sending SMS alerts in respect of card transactions etc., to minimize the impact of such attacks on banks as well as customers.

14. The electronic modes of payment like NEFT and RTGS have gained traction due to their almost real time impact and also comparatively lower cost. These transactions are generally undertaken remotely, through internet banking, by using specific ID and password provided to the users. Though, it is the responsibility of the user to ensure that his unique ID and password are properly secured and do not get misused due to his laxity, the banks, on their part, should also ensure that these payment channels are safe and secure. Towards this end, RBI has advised banks to introduce preventive measures such as putting a cap on the value/ number of beneficiaries, introducing system of issuing alert on inclusion of additional beneficiary, velocity checks on number of transactions effected per day/ per beneficiary, considering introduction of digital signature for large value payments, capturing internet protocol check as an additional validation check for any transaction, etc.

15. I am sure many of you have heard of recent instances of frauds by way of replication of data contained in genuine debit/ credit cards onto duplicate cards. Without getting into much detail, it is sufficient to say that the banks need to improve the peripheral and system security in ATM locations and, at the same time, educate their customers about using their payment cards with due caution. Similarly, cases of circulation of fraudulent e-mails and sms messages conveying winning of prize money have become matter of common occurrence in recent times. Many a times, gullible people fall prey to such e-mails and pay money in designated accounts, which is then quickly siphoned off through ATMs located in far flung areas of the country. For this purpose, the fraudsters generally use deposit accounts in banks with lax KYC drills or accounts which remain inoperative for long. Banks, therefore, not only need to caution their customers to guard against such temptations for easy money but should also ensure that deposit accounts maintained with them are fully KYC compliant. In fact, inadequacy of KYC drill would render any subsequent investigation process meaningless. The banks should also have a system of generating alerts to monitor transactions in accounts which are inoperative for long or where transactions are not in conformity with general trend and customer risk profile. RBI, as a part of its financial literacy programme, constantly seeks to caution the general public through print media, electronic media and on its web site not to get enamored by the false promises made in such e-mails.

16. I would like to reiterate here that though the amount involved in technology related frauds may not appear to be menacing when viewed in the backdrop of the total value of daily transactions and overall business prolife of the Indian banks, any dent in the confidence of the stakeholders in the banking system will result in huge reputational and operational risks for the banks, adversely affect public perception and undermine faith in the financial system. If the banks are not able to proactively manage the technology risks in their delivery systems, they may have to face litigations on customer protection and also incur the wrath of the regulators and customer interest groups. Apart from enlisting active co-operation from their technology vendors, banks must look to build a close rapport with other banks, investigative agencies and regulators to ensure that there is prompt and coordinated exchange of information, whenever required. With the spread of mobile banking, banks would also need to closely engage with the telecom service providers for reducing the technology related fraud risk. Banks could also consider seeking insurance coverage as a risk transfer tool and a mitigant for the financial losses arising from technology induced fraudulent customer transactions.

Frauds in Banks’ Advances Portfolio

17. As I mentioned earlier, frauds related to the advances portfolio accounts for the largest share of the total amount involved in frauds in the banking sector. Increase in the cases of large value fraud (involving amount of Rs. 50 crore and above) in accounts financed under consortium or multiple banking arrangements involving even more than 10 banks at times, is a newly emerging, but unwelcome trend in the banking sector. Another point that needs to be highlighted here is that public sector banks account for a substantial chunk of the total amount involved in such cases.

18. Another glaring issue in this context is the considerable delay in declaration of frauds by various banks in cases of consortium/ multiple financing. We have on occasions observed more than 12-15 months lag in declaration of the same case as fraud by different banks, which not only enables the borrower to defraud the banking system to a larger extent, but also allows him considerable time to erase the money trail and queer the pitch for the investigative agencies.

19. Our analysis has highlighted that majority of the credit related frauds are on account of deficient appraisal system, poor post disbursement supervision and inadequate follow up. The absence of an orderly system of information sharing among the lender banks further exacerbates the problem. The laxity in post disbursement supervision and inadequacy of follow up of advances portfolio by banks is clearly underlined by the fact that majority of the fraud cases come to light only during the recovery process initiated after the accounts have been classified as NPA. Quite often the banks are confronted with the fact that the title deeds are not genuine or that the borrowers had availed multiple finance against the same property. Although RBI has advised banks to ensure proper exchange of information between lenders on the borrowers financed under multiple banking arrangements/ consortium arrangements, cases of multiple financing against the same security are still reported to us indicating utter disregard in conforming to the basic safeguards. Reserve Bank has also advised banks to subject the title deeds in respect of securities charged to them to legal audit periodically so that cases of multiple financing may be detected in the initial stages itself. Due diligence on other professionals like Chartered Accountants, valuers and advocates involved in the loan assessment and sanctioning processes is also an essential safeguard as there have been instances where some of these professionals have also facilitated the perpetration of frauds by colluding with the borrowers to fabricate fudged financial statements, inflated security valuation reports, defective search reports for title deeds of mortgaged property, based on which banks have been led to overestimate the funding requirements and security cover for the same.

20. In the context of advance related frauds, I wish to raise a fundamental issue for wider public debate. At what stage should the banks declare a loan account as fraud? Should diversion of funds be a basis for defining a borrowal account as fraud? In my opinion, so long as the borrower does not dispute that he owes money to the bank, it may not be termed as ‘fraud.’ I believe there is a good enough reason to revisit the definition of ‘fraud’ in the banking context.

Fixing of Staff Accountability

21. Another area demanding urgent attention of banks is fixing of staff accountability. Our analysis has revealed that this is a neglected area so far as public sector banks are concerned. The general trend in such cases is to include a large number of officials in the probe so that the investigation is both delayed and diluted. Even in instances where investigations are concluded, there is a tendency to hold only the junior level officials involved in post disbursement supervision accoun and ignore the lapses on the part of higher officials who were involved in sanctioning of the advances, unless of course, the case becomes a high profile one or if some personal vengeance is involved. Our experience is that the accountability examinations do not comment on lapses of sanctioning officials even while the fraudulent intentions of the borrower might have been overlooked by the sanctioning officials ab initio. I have heard arguments such as how can the Board or the Top Management be expected to conduct post disbursal supervision? It can, at best, create a structure that ensures that the post disbursal supervision is properly conducted. I can accept the argument to a certain extent but if the structure created by the Board/Top Management fails to do its job properly, who should be held accountable? The limited point that I want to make is, if the Board/Senior Management does not have the time to conduct post disbursal supervision, why not delegate the sanction authority also to a lower level.

22. I have another issue regarding fixing of staff accountability in advance related fraud cases. We have observed that in the same case of consortium/ multiple financing, while staff accountability is established in a few banks, in several others, the banks do not find any staff involvement.  To me, this defies logic. How can the banks shift the onus of conducting due diligence on the consortium leader and blindly follow whatever the latter does?

23. I believe there is a pressing need to probe staff accountability in a fair and objective manner and take it to its logical conclusion. This is necessary to instill a sense of responsibility amongst the officials for complying with the laid down procedures. Many a times, the internal investigation is put on hold when the probe is handed over to external investigation agencies. The completion of internal probe would also assist in prompt investigation by the law enforcement agencies and the perpetrators of fraud can be brought to book. Our analysis also shows that the law enforcement agencies are, at times, reluctant to accept the cases for probe, either on technical grounds or other constraints, due to which precious time is lost in initiating the probe leading to consequential dilution in quality of evidence, increased complexity in tracking money trails and deterioration in enforceable collateral.

24. While it is important that the probing and fixing of staff accountability be done in all seriousness, I also wish to add a note of caution here. We all know that the banks are in the business of taking risk and consequently, there may be occasions when the risk crystallizes and bank suffers losses on some of their credit decisions. Herein lies a need to differentiate between the losses which the bank suffers in its normal course of business and those which might have resulted from fraudulent actions. While fixing accountability, there would be a need to categorically establish mala fide intention/ malfeasance on the part of the erring employee involved in fraud cases so that the other officials do not become wary of sanctioning even good credit proposals.

Expectations of the Supervisor

25. Good Corporate Governance serves as a very important factor in control of fraudulent activities. RBI has clearly indicated that fraud risk management, fraud monitoring and fraud investigation function must be owned by the bank's CEO, Audit Committee of the Board and, in respect of large value frauds, the Special Committee of the Board. The role of the Chairmen and Managing Directors(CMDs)/ Chief Executive Officers (CEOs), Audit Committee of the Board and the Special Committee of the Board in evolving robust fraud risk management systems and in implementing effective fraud risk mitigating measures is of paramount importance. They are responsible for effective investigation of fraud cases and prompt, accurate reporting to appropriate regulatory and law enforcement authorities. The Boards of the banks/ ACB should ensure periodical review of the procedures and processes to ensure that the bank’s interests are not impacted adversely due to loopholes in their policy guidelines. It is imperative that the Top Management puts in place targeted fraud awareness training for its employees focusing on prevention and detection of fraud.

26. It is a matter of concern that the audit systems prevalent in banks have not proved effective in detecting fraud cases due to factors like inadequacy of time allotted for audit, inefficient sampling of transactions to be checked during audit, lack of trained personnel with the required aptitude for audit work, etc. Providing individuals a means to report suspicious activity is a critical part of an anti-fraud program. Towards this end, a system of protected disclosure scheme has been evolved which is regulated by CVC in case of public sector banks and RBI in case of private and foreign banks. Reserve Bank has also advised private and foreign banks operating in India to upgrade their internal vigilance mechanism to the same level as is applicable in case of public sector banks in terms of CVC guidelines in the matter.

27. Information sharing is a vital fraud prevention and alert mechanism. On its part, Reserve Bank promptly shares information with all banks detailing the modus operandi of fraud cases reported by any bank together with details of the entities involved in the perpetration of such frauds in the form of confidential caution advices. This also serves to encourage periodic review of existing guidelines, identify loopholes on the basis of caution advice, if any, and initiate corrective steps. Reserve Bank has also issued instructions requiring banks to report negligence or involvement of entities like Chartered Accountants, valuers and advocates resulting in perpetration of frauds, to their professional oversight bodies for appropriate deterrent action.

28. Today, most banks have put in place a system of checking the credit history of the borrower through credit information companies like the CIBIL. Considering that fraudulent borrowers could still seek credit from the banking system even after defrauding one bank, it may be worthwhile to consider setting up a fraud registry on the lines of credit information bureau. This, coupled with stringent deterrents such as prohibition of banking facilities to fraudulent borrowers, may serve as a strong antidote to the malaise.

Conclusion

29. The impact of frauds on entities like banks, which are engaged in financial activities, is more significant as their operations involve intermediation of funds. The economic cost of frauds can be huge in terms of likely disruption in the working of the markets, financial institutions, and the payment system. Besides, frauds can have a potentially debilitating effect on confidence in the banking system and may damage the integrity and stability of the economy. It can bring down banks, undermine the central bank’s supervisory role and even create social unrest, discontent and political upheavals. The vulnerability of banks to fraud has been heightened by technological advancements in recent times.

30. I would like to recapitulate some of the key issues that I have sought to highlight in my address today:

• While the number of frauds reported each year is actually coming down, the amount involved is going up substantially. The increase in amount involved is largely attributable to the few large value advance related frauds that come to light each year. The small value technology related and other transactional frauds, as a proportion to the number of daily banking transactions, are very miniscule and are manageable.

• The large value advance related frauds, which pose a significant challenge to all stakeholders, are mainly concentrated in the public sector banks.

• While there is a pressing need to overhaul the system of monitoring, control, supervision and follow up of advances related frauds, their incidence in public sector banks in a large measure can also be trailed to comparatively poor corporate governance standards and lack of firm resolve by the Board and the Top Management in fighting this menace.

• There is a need to improve exchange of information between all stakeholders to instill and maintain financial discipline among the users of funds and prevent negative information arbitrage to the detriment of the system

• Board oversight of the audit processes and the internal systems and control must be able to identify vulnerable areas, raise red flags and plug loopholes quickly and effectively

• There are considerable delays in reporting frauds to appropriate authorities, conducting investigation and fixing of accountability, which in effect leads to shielding of the main culprit while the blame is shifted to the junior level officials. This trend needs to be curbed immediately. Close liaison must be maintained with investigating agencies and courts to ensure timely completion of investigations and closure of cases

• Society should demand stringent action against the perpetrators of financial frauds and should socially ostracize them

• Banking system should collectively ensure that the fraudsters do not have access to banking facilities

31. To sum up, I would like to emphasize that the advantages of technology, communication and accessibility of data must be leveraged to put in place a system wide fraud mitigation mission. Any house is only as strong as its foundation and as weather proof as its insulation. It is necessary, therefore, that a strong foundation is built by leveraging robust IT systems, framing effective policies and procedures, laying down strict compliance processes, setting high integrity standards, developing  efficient monitoring capabilities and initiating strict punitive action against the culprits in a time bound manner. It is also imperative that we insulate ourselves from unscrupulous activities by strengthening the fraud detection, mitigation and control mechanism through prompt identification, investigation and exchange of information. This is necessary not just for the safety of banks but for ensuring the stability and resilience of the overall financial system and sustaining the confidence that various stakeholders have in its strength and integrity. To my mind, in improved Governance standards in the public sector banks and greater commitment by the Board and Top Management in fighting the scourge of fraud lies the ‘holy grail’ of success.

I thank ASSOCHAM for inviting me to the Inaugural session of this conference and wish the conference deliberations a grand success.

Thank you!

Annex 1

Year wise fraud cases reported by commercial banks
(As on March 31, 2013)

Annex 2

Bank Group wise fraud cases reported
(As on March 31, 2013)

Annex 3

Year wise details of fraud cases closed