RBI/2009-10/159
DBS. CO. FrMC. BC. No. 7 /23.04.001/2009-10

September 16, 2009

The Chairman / Chief Executives of
All Scheduled Commercial Banks (excluding RRBs)

Dear Sir / Madam,

Fraud Risk Management System in banks – Role of Chairmen / Chief Executive Officers

As you are aware, the incidence of frauds in the banks has been showing an increasing trend over the recent years, both in terms of number of frauds and the amounts involved. It has been observed that the trend is more disquieting in retail  segment especially in housing and mortgage loans, credit card dues, internet banking, etc. Moreover, it is a matter of concern that instances of frauds in the traditional areas of banking such as cash credit, export finance, guarantees, letters of credit etc remain unabated. While certain structural factors in the banks' operating environment could account for this rising trend in general, adoption of aggressive business strategies and processes by the banks for quick growth and expansion without ensuring that adequate / appropriate internal controls are in place could, in specific, incentivize operating staff to lower the standards of control while attempting to meet business targets. Also, a continuously rising trend in the cases of frauds is indicative of the fact that the steps taken by banks in investigating the frauds and identifying the fraudsters for eventual criminal prosecution and appropriate internal punitive action for the staff members involved in the frauds have not been adequate. While discussing certain cases of frauds of exceptionally large amounts, the Board for Financial Supervision (BFS) has expressed grave concern that fraudsters with the involvement of bank officials could engineer system wide break down of controls across months while putting through fraudulent transactions.

2. Taking into consideration the concern expressed by Central Vigilance Commission and Central Bureau of Investigation, banks were advised in January 2004 to constitute a Special Committee of the Board for monitoring and follow up of large value frauds involving amounts of Rs 1.00 crore and above. However, the feedback received by us in the recent times and growing incidence of frauds indicate that in matters of large value frauds, the Committee headed by the CEO of the bank might not have played the role as envisaged in our circular DBS.FGV(F)No. 1004/23.04.01A/2003-04 dated January 14, 2004.

3. Taking into account the above position the BFS has felt that the Chief Executive Officers (CEOs) of the banks must provide singular focus on the "Fraud Prevention and Management Function" to enable, among others, effective investigation in fraud cases and prompt as well as accurate reporting of fraud cases to appropriate regulatory and law enforcement authorities including Reserve Bank of India. The Board has observed that in terms of higher governance standards, the fraud risk management and fraud investigation function must be owned by the bank's CEO, its Audit Committee of the Board and the Special Committee of the Board, atleast in respect of high value frauds. And accordingly, they should own responsibility for systemic failure of controls or absence of key controls or severe weaknesses in existing controls which facilitate exceptionally large value frauds and sharp rises in frauds in specific business segments leading to large losses for the bank.  

4. In view of the above observations made by the BFS, banks are advised to initiate necessary action at their end at the earliest. Banks may, with the approval of their respective Boards, frame internal policy for fraud risk management and fraud investigation function, based on the above governance standard relating to the ownership of the function and accountability for malfunctioning of the fraud risk management process in their banks. The broad governance framework dictated by the above standard for ownership and accountability may rest on defined and dedicated organizational set up and operating processes, some of which have been set out in the following paragraphs:

5. The banks' Special Committee of the Board, which is chaired by the CEO, should own the Fraud Investigation and Monitoring Function and discharge the relative oversight responsibility in a pro-active manner. Presently, the Special Committees are apprised by the banks' Senior Management of the occurrence of the large value frauds. It has been observed that the said Committees give routine instructions on follow up actions. Essentially, the Committees' directions are not mandated to be implemented by any dedicated operating unit of the banks. The banks may, therefore, delineate in the policy document the processes for implementation of the Committee's directions and the document may enable a dedicated outfit of the bank to implement the directions. In this regard, the banks may have to review the roles and responsibilities of the Vigilance Function, Internal Audit Function and Risk Management Function. On the basis of the review, it may be decided as to what realignments and modifications are needed to ensure that "monitoring and investigation of large value frauds" are recognized as a distinct 'function' and the dedicated unit which is adequately enabled and free from potential conflict of interest is assigned the responsibility to undertake the function.

6. From the operational point of view, banks may take certain measures as detailed below in order to ensure effective quick investigation, monitoring and follow up of frauds:

1. The above operating unit should own specialized fraud monitoring, investigation and follow up function for large value frauds or frauds which occur across the bank. The function will have to be, therefore, discharged in a centralized manner instead of leaving it to the Regional Office where such specialization may not be available.
   
   
2. Fraud investigation requires competence in 'forensic audit' and also technical / transactional expertise. In this regard, banks may take immediate steps to identify staff with proper aptitude and provide necessary training to them in forensic audit so that only such skilled staff are deployed for investigation of large value frauds.
   
   
3. The banks may build up a data / information pool of large value frauds and analyse them periodically which may act as knowledge repository for policy responses.
   
   
4. Detection of serious irregularities with systemic and system-wide implications, as also post facto "Fraud Investigation", gathering of information / data / evidences and creation of credible records that are useful for internal management action or legal prosecution against the 'wrong doers' require typical skills. The skills range from expertise in analysis of transaction through audit trail to competence in "forensic audit" supported by specialization in IT based data abstraction, data filtering and data sanitization. While banks may have certain manpower with such skills / competence / expertise, their systematic and organized utilization to detect serious irregularities and frauds has apparently not been ensured in many banks. In some banks, the above skills / competence / expertise are scarce or nearly absent. In view of the increasing incidence of frauds in banks, it is necessary that the banks set up dedicated and well organized "Special Surveillance and Investigation Function", which would, on continuous basis, exercise surveillance over potentially fraud prone areas and investigate into large value frauds with the help of skilled manpower for internal punitive action against the staff and external legal prosecution of the fraudsters and their abettors.

7. Given the thin line of difference between serious wrongdoings and frauds, the bank should immediately put in place an adequately enabled and efficient 'internal oversight framework' that can prevent the wrongdoings and take the punitive measures against the wrongdoers.

Please acknowledge receipt.

Yours faithfully,

(P. K. Panda)
Chief General Manager