View: Two years of PNB scam, risks far from mitigated

By Atul Khadilkar

In February 2018, after one of the largest frauds in Indian banking was reported by a public sector bank, one of the systemic deficiencies identified was the core lack of integration between the banking platforms of banks and the SWIFT messaging system. This unanticipated operational risk not only caused a very large financial loss to the concerned bank but also had an impact on its reputation due to perceived governance lapses.

The Reserve Bank of India swiftly came out with guidelines to plug the identified gap and mandated banks to implement these with utmost priority. Banks took the necessary steps and met the regulatory directive of integrating the two systems mentioned earlier in this note.

Another key mandate from the regulator was to improve governance of relatively higher value transactions, which required banks to add a further two-step control:

1. Centralised senior level authorization / checker at a location independent of the processing centre/branch

2. Seek confirmation, once the transaction has left the bank’s SWIFT gateway, from an external source (e.g. foreign currency correspondent). The threshold for such confirmation, referred to as Positive Pay by the RBI, was to be decided by individual banks.

For the second requirement, most banks promptly reached out to their foreign correspondent banks to set up a Positive Pay mechanism where payments above a pre-agreed threshold were expected to be stopped by the correspondent bank for additional confirmation from the transaction-initiating bank.

While in theory this seemed to be a logical ask, it led to bilateral arrangements between some banks and a few of their correspondents. Each Indian bank therefore had multiple such arrangements, given the different requirements specified by individual correspondents across different currencies. Also, not all foreign correspondent banks, particularly those offering payments in currencies that see low transaction volumes, agreed to support this requirement. This is because almost all banks globally have straight-through processing of SWIFT messages, limiting manual interventions to very limited scenarios such as incorrect message formatting or financial crimes related screening hits. So the process/technology changes needed to meet requirements for payments from a single market were either not economically viable or faced internal operational risk concerns within correspondent banks.

Further, with multiple arrangements in place that differ across each correspondent bank, there is a possibility of operational lapses, given the dependence on manual interventions, as well as inaccurate confirmations, thereby not addressing the risks satisfactorily even where such arrangements exist.

So even after making strong efforts, while trying to address the operational risk that led to the fraud and with the intention to meet RBI requirements, some banks continue to expose themselves to other forms of operational risks.

Having said that, there are quite a few banks which have managed this risk very well. They have leveraged some of the available technology solutions that are agnostic to correspondent banks and currencies but meet the RBI requirement completely in a robust and sustainable manner. In addition to internal processes augmented by additional checks, banks also implemented technology based tools offered by a global payment messaging intermediary that all banks use for international payment transactions. These solutions provide flexibility to user banks in defining control parameters, to suit their individual business models, so as to introduce an additional review mechanism for payments released from the bank systems but before being processed by the receiving correspondent bank. Solutions like these ensure that all necessary diligence is done within the payment initiating bank as well as in an external environment which, in my view, was the fundamental intent of RBI’s mandate.

Unlike bilateral arrangements with correspondent banks, third party technology solutions come at an incremental direct cost and hence tend to face resistance in adoption. But given the banks’ overall foreign currency payment volumes, across all currencies they transact in, it probably adds a few cents per transaction costs annually. The benefit though clearly far outweighs the risk of potential large loss on account of operational risks remaining unaddressed through bilateral arrangements.

While most banks have subscribed to such a service, they seem to be challenged in managing regulatory dialogue, as the regulatory notice does mention that banks should seek a confirmation from the correspondent bank. Hence, in spite of having taken the decision to incur the small incremental cost of a technology based comprehensive solution, they are not exploiting the complete value of the expense.

Banks that have not only adopted such solutions successfully but have also cleared regulatory scrutiny of this requirement can help support the community by sharing their experiences through various fora, including interactions organized by the Indian Banks Association.

Managing operational risk may seem easier than managing compliance risk by taking a ‘tick in the box’ approach. But banks need to take a pragmatic view when implementing regulatory mandates such that they are able to manage both risks in a robust and sustainable manner.

(The author is Chief Representative – India, Wells Fargo Bank. Views are personal)
