Preventive and Punitive Action:
The preventive action as deemed necessary to address the ‘system failure’ and/ or punitive action as prescribed internally for ‘human failure’ should
be initiated immediately and completed expeditiously by the banks.
Generally, in the current system driven environment in banks, wherever transactions occur in breach of/ overriding “Controls”, they get reflected in the “end of day exception report”. Accordingly, all such exception reports should be perused by the designated officials and a post facto authorization for the transactions accorded.
In certain cases the process may not have got duly implemented reflecting the poor internal control mechanisms. Therefore, banks should ensure
that they bring in the needed refinement in this process and also specify the levels/ authority to whom the exception reports will be invariably submitted and the manner in which the authority will deal with the exception reports.
The entire gamut of the manner in which the exception reports are generated, transactions contained in the reports are examined/ scrutinised, and
the reports submitted to higher authorities for necessary authorizations for breaches should be periodically subjected to review and oversight by the bank’s management/ Board of Directors.
In addition to the above, banks have also been advised by RBI to take steps to put in place certain controls and disincentives in their HR processes and
internal inspection/ audit processes as part of their fraud risk management framework. These include:
(a) For key and sensitive posts such as those in dealing rooms, treasury, relationship managers for high value customers, heads of specialized
branches, etc., selecting only such officers who satisfy the “Fit and Proper” criteria. The appropriateness of such postings should be subjected to
periodical review.
(b) Putting in place the “staff rotation” policy and policy for “mandatory leave” staff. The internal auditors as also the concurrent auditors must be
specifically required to examine the implementation of these policies and point out instances of breaches irrespective of apparent justifications for non-compliance, if any. The decisions taken / transactions effected by officers and staff not rotated/ availing leave as per policy should be
subjected to comprehensive examination by the internal auditors/ inspectors including concurrent auditors. The findings thereon should be documented in a separate section of the audit/ inspection reports.
(c) Building up a database of officers/ staff identified as those having aptitude for investigation, data analysis, forensic analysis, etc. and expose them to appropriate training in investigations and forensic audit. For investigation of frauds, only such officers/ staff should be deployed through the “fraud investigation unit/ outfit”.