Paytm Payment Bank restricted by RBI
PBBL: Supervisory Non-compliance
Continuation of an unending series of IT lapses by FIs
When the core banking solution (CBS) was introduced in my bank in 2005, I was heading a major branch in a metropolitan centre. After the bank had successfully migrated to CBS, we were canvassing customers to take up personal and corporate internet banking facilities. When I approached the ED of one of the most reputed NBFCs, which enjoyed comprehensive credit facilities from a consortium of banks (our bank was a member of the consortium), he flatly refused to have an internet banking facility for his personal account, even for viewing purposes. He said, "Viswanathan, I do not have faith in the capability of the bank to safeguard my account and protect the data, without being misused." He was very firm and did not even take an ATM debit card. Whether he has since changed his mind, I do not know.
When the Reserve Bank of India (RBI, the regulator) directed Paytm Payments Bank Ltd. (PBBL) to stop onboarding new customers with immediate effect (31.01.24), and not to accept further deposits, credits or top-ups in any existing customer accounts, prepaid instruments, wallets, FASTags, NCMC cards, etc. after February 29, 2024, other than the exceptions detailed in its order, citing non-compliance with supervisory directions, I was reminded of the above episode yet again.
Non-compliance with regulations, or failure to perform supervisory duties in respect of operational risk parameters, exposes customers' accounts to hacking and their data to misuse. This is especially so in a CBS environment, where customer data, once entered, is available not only across the bank but across its entire group. This is not the first instance where abuse of the seamless transfer of data, made possible by the exponential growth of IT, has placed an organisation and its customers under existential threat. Let me narrate a few instances from the last six years.
(i) In January 2018, one of the major public sector banks (PSBs) reported that two employees of its Mumbai branch had, since 2011, been issuing fake letters of undertaking (LoUs) over the international financial messaging system SWIFT, bypassing the bank's core banking system in the process. The bank lost Rs. 11,400 cr.
(ii) In 2019, the regulator stopped the operations of an urban co-operative bank that had lent Rs. 6,400 cr. (73% of its total assets) to a single borrower through irregular lending practices and had under-reported its non-performing assets. The IT system had been abused: there were mismatches between the data uploaded to the RBI server and the manual records maintained by the bank. The bank was taken over by an NBFC, which received a licence to become a Small Finance Bank subject to conditions laid down by the regulator to bail out the co-operative bank's depositors.
(iii) In March 2020, the regulator imposed a 30-day moratorium on one of the private banks, significant in size at that time, due to serious governance issues including prolonged under-reporting of NPAs/NPIs by manipulating its system and established practices. The bank was restructured, with a major contribution of equity pumped in by PSBs.
(iv) In October 2023, RBI directed a major PSB to suspend any further onboarding of customers onto its mobile app with immediate effect, due to material supervisory concerns observed in the manner in which customers were being onboarded onto the app.
All these instances, including the latest PBBL episode, are the result of a failure to follow operational risk guidelines, particularly those relating to IT (information technology). Opening thousands of accounts against a single PAN (in the present case), adding the mobile numbers of unrelated customers to create accounts in the mobile app (in the fourth case above), or marking a 'non-performing' account as 'performing' at the back end of the system, superseding the front-end staff whose duty that classification is, are perfect examples of the failure of the operational system or the absence of IS (information system) audit. (An IS audit evaluates whether the controls protecting information technology assets ensure integrity and are aligned with organisational goals and objectives. It also verifies compliance with the protection of customer privacy and data.)
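The three failures listed above are integrity and authorisation failures rather than confidentiality ones: a PAN or mobile number attached to far more customers than any legitimate relationship explains, and an asset-classification upgrade made at the back end with no second approver on record. Encryption and firewalls do not catch these; uniqueness checks on KYC identifiers, maker-checker on classification changes, and an audit trail that records the channel and approver do. The following is an added illustration of such IS-audit checks, written for this page and not code from the article or from any bank's systems. The record layouts, the `channel` and `checker` fields, the thresholds, and all sample records are assumptions constructed for the example.

```python
"""Constructed IS-audit style checks over onboarding and audit-trail records.

Added illustration only: the record layouts, thresholds, field names and the
sample data below are assumptions, not any bank's actual schema or logs.
"""
from collections import defaultdict

# Constructed sample onboarding records: one row per customer profile.
ONBOARDING = [
    {"cust_id": "C001", "pan": "ABCDE1234F", "mobile": "9000000001"},
    {"cust_id": "C002", "pan": "ABCDE1234F", "mobile": "9000000002"},  # same PAN as C001
    {"cust_id": "C003", "pan": "ABCDE1234F", "mobile": "9000000003"},  # same PAN again
    {"cust_id": "C004", "pan": "PQRST5678K", "mobile": "9000000004"},
    {"cust_id": "C005", "pan": "LMNOP9012Q", "mobile": "9000000004"},  # mobile reused from C004
    {"cust_id": "C006", "pan": "LMNOP9012Q", "mobile": "9000000006"},  # two holders: within threshold
]

# Constructed sample audit trail of asset-classification changes on loan accounts.
# 'channel' is where the change was made; 'checker' is the second approver
# (maker-checker). An empty checker means no one approved the maker's change.
CLASSIFICATION_LOG = [
    {"account": "L100", "old": "NPA", "new": "STD", "channel": "BRANCH",  "maker": "u12",   "checker": "u40"},
    {"account": "L101", "old": "NPA", "new": "STD", "channel": "BACKEND", "maker": "dba1",  "checker": ""},
    {"account": "L102", "old": "STD", "new": "NPA", "channel": "BACKEND", "maker": "batch", "checker": ""},
    {"account": "L103", "old": "NPA", "new": "STD", "channel": "BACKEND", "maker": "dba1",  "checker": "u40"},
]


def shared_identifiers(records, field, max_customers):
    """Return {identifier value: sorted customer ids} for every value of `field`
    that is linked to more than `max_customers` distinct customer profiles."""
    by_value = defaultdict(set)
    for rec in records:
        by_value[rec[field]].add(rec["cust_id"])
    return {value: sorted(ids) for value, ids in by_value.items() if len(ids) > max_customers}


def unchecked_upgrades(log):
    """Return account ids whose classification was upgraded (NPA -> STD) outside
    the branch channel with no checker recorded. Downgrades to NPA are not flagged:
    the concern is a silent back-end upgrade, not extra prudence."""
    flagged = []
    for entry in log:
        upgrade = entry["old"] == "NPA" and entry["new"] == "STD"
        if upgrade and entry["channel"] != "BRANCH" and not entry["checker"]:
            flagged.append(entry["account"])
    return flagged


def run_checks(onboarding=ONBOARDING, log=CLASSIFICATION_LOG):
    """Run all three checks and return their findings keyed by check name."""
    return {
        # Assumed threshold: a PAN on more than two distinct profiles is suspicious
        # (joint holders can explain two; thousands cannot be explained).
        "pan_shared": shared_identifiers(onboarding, "pan", max_customers=2),
        # Assumed rule: one registered mobile number maps to exactly one profile.
        "mobile_shared": shared_identifiers(onboarding, "mobile", max_customers=1),
        "unchecked_upgrades": unchecked_upgrades(log),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

On the constructed data the checks flag PAN ABCDE1234F (three profiles), mobile 9000000004 (two profiles) and account L101 (back-end upgrade with no checker). In a real audit the thresholds would come from the institution's KYC policy, and the inputs would be the CBS customer master and the classification audit table rather than the inline lists used here.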
My observations are:
(a) Failure of the financial institution's board to ensure corporate governance: The head of the risk management committee (RMC) reports to the managing director (in his capacity as head of the board, not in his capacity as chief executive officer heading the management) and is answerable to the board. Did the RMC have a free hand to point out deficiencies and compel the operating staff to correct abuses? The supervisory concerns and non-compliances pointed out by the regulator are very serious in nature, and it is very difficult to believe that the top management or the MD was unaware of the deficiencies in compliance.
(b) Convenience and targets have taken precedence over safety and established practices: I am not against fintechs ruling the banking space in the future. In my banking experience of nearly four decades, the first two of which were spent executing banking functions manually, I have always found that terms like 'hassle-free' and 'seamless' are used for speed, with safety compromised somewhere in the process. Using the PAN of a customer, obtained as part of KYC to update his profile, for hundreds of other customers is a perfect example of the necessary 'firewalls' not being in place to protect a customer's data privacy. Linking the mobile numbers in customers' profiles (obtained for updating KYC, and also used as leads for selling some of the bank's products to them, with their consent of course) to fictitious names in the mobile app is a glaring example of the non-existence of audit trails. While digital banking is a faster and more seamless way to lend, accept deposits, send remittances and complete transactions, the recent episodes (including the unregistered mobile lending apps) do not inspire confidence in the transacting public. Let proper encryption and firewalls be in place to protect customer accounts from being hacked and customers' data privacy from being stolen. Let the IS audit function also report on inflated business figures, even where this does not materially affect the customers concerned. Let the RMC head of a financial institution also have a dotted-line reporting relationship to the regulator.
(c) Security and systemic risk take precedence over business sentiment: In the press conference held after the announcement of the decision of RBI's Monetary Policy Committee on 08.02.24, the governor and the deputy governors were flooded with questions on PBBL. I could feel the apprehension in the minds of the media as to whether the restrictions would be perceived as a negative by investors and the stock market, and might be seen as a move to rein in the growth of fintechs in general. The answers given by the governor and the deputy governors dispelled any notion that the regulator is against the growth of the economy. While I echo the sentiments expressed by the media, I wish to state that the country will do well to ensure a 'safe tomorrow' rather than a 'comfortable today'. Let today's growth happen, while keeping in mind that such growth must not bring systemic risk that endangers future security. Environmentalists always say that the present generation, while enhancing its living conditions, should remember to conserve natural reserves and resources for future generations too. The same is true here. Let convenience and safety complement each other. In case of doubt, always fall back on safety.
Regards
V.Viswanathan
11th February 2024.
Good insight
Well laid out arguments
A very well written piece
Indeed, the article is moving in tandem with the current situations of a fraudulent nature. As rightly pointed out by the author, technology, which was to take the role of a facilitator, has turned out to be the purpose. In this context, let me also add that the co-operative banking system, which was meant for the banking needs of the common man, has turned out to be a nightmare for many. The system badly requires a revamp. I also wonder what could be in store for the finance sector with the take-off of AI. Let this be an eye-opener for the regulators.