Data risk management key to preventing bank scams

The Nirav Modi-PNB scam and various other bank scams have left many questions unanswered. The loss is being projected to be in the range of Rs 11,300 crore to Rs 20,000 crore in the PNB fraud, with a margin of error of 50%! That is beyond acceptable limits for any 21st-century risk assessment service. More than three months have elapsed and still there is no definitive public disclosure of the loss. The reason for this pathetic situation is the lack of robust mechanisms of multi-layered Data Risk Management in the nationalised banks. The banking regulator, Reserve Bank of India, is expected to establish the standard processes for data risk management, but such processes are known neither to the public nor to the investigating agencies. We discuss here some of the issues to elaborate the causes of failure, and the need for and methods of a data risk management system.

Bank frauds are not unknown, and do take place often. But their magnitude is growing. Reserve Bank of India data shows that state-run banks have reported 8,670 "loan fraud" cases, involving Rs 61,260 crore ($9.58 billion) over the last five financial years up to March 31, 2017. The banks have internal vigilance divisions and the RBI regulates various operations of the banks. But they are yet to find a foolproof mechanism to prevent bank frauds. Where is the gap? They have not put in place a robust data risk management system (DRMS). Since we cannot go back to the manual system of banking, having an efficient DRMS is imperative.

While banks have been adopting IT, core banking systems and digital transformation enthusiastically, their lack of desire to have a DRMS in place is rather intriguing. The reasons for this may be many: avoiding culpability, as bank managements may sometimes be party to some degree of fraud; ignorance of the risk magnitudes; or a wish to avoid accountability. Why do bank managements and other authorities not appear to have initiated long-term deterrence measures? No moral responsibility has ever been owned by the management of any top bank in India. Thus, the standards of morality have suffered, causing significant erosion in the credibility of banks.

If there had been good data risk management in PNB and other Indian banks, would we be searching and scouring around just to figure out the rough extent of the loss, the interconnections and the full layers of this multi-layered system-wide mega banking scam? Some say Rs 11,000 crore, others say it's Rs 20,000 crore. Where is the digital data grid? The RBI's rather forced silence in this regard speaks volumes.

If only the SWIFT digital data about the Letter of Undertaking (LoU) transactions had been available to the Finacle core banking solution and the other global limit appraisal systems of the PNB, is it not certain that someone in the long data chain would have discovered, stumbled upon, or found it difficult to feign ignorance of at least a few irregular LoUs over the last several years?

If only data risk management had been managed well in Allahabad Bank, could the dissent note and warnings of the whistleblower director Dinesh Dubey have been ignored with impunity?

Did the famed RBI-OSMOS (Offsite Surveillance & Monitoring System), connected with bank databases, throw up any alerts regarding the irregular LoUs?

The Nirav Modi fraud is not a failure of technology or a computer server failure. Punjab National Bank has the best of technologies, like Finacle CBS and IBM Banking Data Warehouse. The bank had won the 'Best Bank' award for vigilance system in 2017! It is a plain case of data risk management failure. Who knows what the position is in other banks and establishments and when the frauds will unravel?

There is no use parroting the E-KYC/CKYCR or process failure or system failure line whenever we encounter scams. We need to understand and remedy data risks.

Digital transformation is the order of the day. Risks are inherent in a digital setup and they are multi-dimensional. Traditionally, Information Technology/Information Systems risk management focusses on the technology system and security issues through processes and protocols.

While these are required measures, they are not sufficiently capable of tackling the hydra-headed monster that data risk is. We need to make a systematic effort to identify the risk dimension of all activities, from digital data collection, storage, retrieval and restoration to transaction processing and analytics. Putting in place preventive measures for data assurance proactively will protect the nation against authentication failures, wrong disclosures and the gaps in the information chain.


Digital data is growing at exponential speed in India. The increasing digitisation of government and corporates alike, the Digital India and Cashless India policies, the explosive growth of mobile phone use, the emergence of new technologies such as distributed computing, the omni-channel online delivery of services and the entry of global e-commerce platforms are the important factors responsible for the inexorable growth of newer and greater vistas of data.

The magnitude of this growth is matched only by the increase in the risk associated with it. The increase in databases has already started adversely affecting the government, enterprises and people in general. In this context, there is a critical need to establish the legal framework, formulate standard operating procedures, develop data risk management skills and promote a data risk management culture in all entities. With a view to ameliorating the situation, we would like to put forth the following suggestions for data risk management in the Indian context:

One, recognise the importance of database management in government and outside. In the context of increasing digitisation in the nation, the Information Technology Act, 2000, may be suitably amended to make data risk management mandatory in government departments, public sector entities and the private sector.

Two, the Government of India may like to initiate measures to develop, within a defined period and on a sufficiently large scale, the institutional infrastructure for research on, and for conducting and providing, data risk management services.

As IT adoption by organisations and people is growing at a fast pace, there is a need for concerted efforts to establish data risk management as a distinct practice with a well-defined charter to promote the specialised interdisciplinary skills of multiple domains, technology, audit and cyber forensics.

(Sogala is director, Srichid Global Risk Hub, Bengaluru; Sharma is ADGP and MD, Karnataka State Handicrafts Development Corporation)
