NEW DELHI/MUMBAI, March 5 (Reuters) - Gokulnath Shetty, a middle-aged bank manager of middling rank, spent his days in the foreign exchange department on the mezzanine floor of Punjab National Bank's Brady House branch in Mumbai.
It was there, past the loan desk and up a flight of stairs, that federal police say Shetty hatched India's largest-ever bank fraud, which the bank values at nearly $2 billion and says was engineered between 2011 and 2017.
The room where Shetty worked was visited on a quarterly basis by external auditors approved by the central bank, who sifted through documents but failed to spot any problem, according to interviews with two bank employees with first-hand knowledge of the department's operations.
In the three weeks since details of the alleged fraud was disclosed, Indian authorities and the media have squarely blamed Punjab National Bank, and a group of high-flying jewellers including diamond tycoon Nirav Modi.
But Reuters has uncovered new evidence that shows the Reserve Bank of India (RBI) also failed for years to either detect the fraud, respond adequately to red flags in the banking system, or correct a breakdown of normal practices at the nation's second-largest state-run bank. The RBI is in charge of supervising lenders and meant to act as the bottom-line guarantor that the banking system is sound.
That heightens worries about what other problems might lurk within India's state-run lenders, which hold some 70 percent of the sector's assets in the world's fastest-growing major economy.
The RBI, presented with a list of findings and questions for this story sent to a spokesman, did not respond.
Punjab National did not respond to a similar request.
Shetty's lawyer, Vikram Sutaria, said his client "is not guilty".
Interviews with 12 current and former officials at the RBI and senior executives at some of the country's largest banks, and a review of dozens of pages of internal central bank circulars, reveal a system that in many cases had little hope of catching criminal activity.
The reporting shows:
- The RBI takes a hands-off approach: Its inspections concentrate on whether the broader systems are sound, not the details of what's happening in a particular banking operation.
- External auditors approved by the RBI, known as statutory auditors, in many cases only do top line reviews, not in-depth inspections. In Punjab National's case they have been changed regularly - 18 different firms used over seven years. Though the auditors swapped hand-off notes, no one auditor was able to delve into the bank's operations for any extended period.
- Those external auditors met with Shetty, but their audits of Punjab National published in the bank's annual reports from 2011 to 2017 did not raise alarms.
- The RBI knew by 2016 there was a laundry list of problems at Indian banks that the central bank said "exposed the bank to heightened risk of fraudulent activities".
- The central bank did not compel state banks to link their banking software with the SWIFT global interbank messaging network, a key vulnerability in the Punjab National fraud.
A current senior RBI official involved in the scrutiny of banks acknowledged there were shortcomings.
"This has been going on for six years and nobody pointed it out - not the auditors and not the RBI inspection," he said.
In Punjab National Bank's initial criminal complaint, and then court documents filed in February by India's Central Bureau of Investigation (CBI), deputy manager Shetty is accused of having sent letters of undertaking, essentially credit guarantees, over the SWIFT network without logging those transactions in the bank's internal software.
Two internal auditors who sat with Shetty in the branch have also been arrested, among more than a dozen people picked up by law enforcement so far.
Asked about the specifics of allegations against Shetty, who has been arrested but not charged, his lawyer, Sutaria, declined to discuss them.
The alleged beneficiaries of the transactions were companies controlled by Nirav Modi, whose diamond creations have glimmered across the flesh of film stars, and his uncle Mehul Choksi, who also owns a large jewellery operation. Neither man has been charged with a crime. Both are currently outside the country and have denied the allegations.
Two co-workers described Shetty as a socially taciturn man who, after starting the work day by moisturizing his face and hands with Pond's cream, began sipping a seemingly endless series of cups of tea and dialling up customers on his iPhone.
Shetty, they said, declined to show others how to operate the SWIFT system.
"No one would work on SWIFT in his absence," said one of the co-workers. "Even customers used to say if 'Shetty sir' is not around let's not proceed with anything."
Representatives of Modi, the jeweller, would spend hours in the office, sometimes eating lunch there, two employees at the branch said. "It was as if they were bank employees," said one banker who still works in the currency exchange office.
The framework for auditing India's banks is set up to provide three levels of scrutiny: continuous monitoring by internal auditors, quarterly inspection by statutory auditors and an annual inspection by the RBI, according to interviews with officials at the central bank.
The bank's cornerstone internal, or concurrent auditors, are expected to run daily checks on all SWIFT transactions, according to RBI officials.
But a former senior RBI official with direct knowledge of the central bank's oversight of foreign exchange transactions said they often do not provide much of a backstop.
"Sometimes the concurrent auditor just blindly signs whatever is given to him without verifying what is going on," the official said.
Asked about the RBI's annual audit, a current official who previously worked in its supervision division said the central bank has moved away from doing annual branch inspections, instead relying primarily on data from the lender's headquarters.
"Earlier, the branches of banks were at least scared that RBI might catch any malpractice," the official said.
R. Gandhi, deputy governor at the RBI from 2014 to 2017, said the statutory audit process, which is carried out by private accounting firms, was not meant to be comprehensive.
"A 100 percent audit is specified only for high-risk areas," he said.
Explaining the RBI's approach overall, he added: "We are supervisors. The prime objective of RBI's audit should be to see that systems and procedures are there and those are functioning."
Two of the RBI-approved statutory auditors who inspected the Mumbai branch confirmed they met Shetty in the foreign exchange room.
One auditor, who inspected the branch on a quarterly basis between October 2011 and September 2012, said he raised the question of why Nirav Modi was getting so much credit.
The auditor, who asked not to be named, said his concerns were raised to the bank's audit committee but he was told by Punjab National executives: "Let this go this time, we will note this and take steps."
The details, he said, would have been available to RBI officials through his subsequent report, but as far as he was aware no action was taken.
Reuters called the other 16 accounting firms listed in the bank's annual report from the 2010-11 fiscal year to the most recent. The calls were either unanswered or met with refusal to discuss particulars of the audits.
Documents show that the RBI knew more than a year before the current scandal that there were warning signs about how Indian banks administered the SWIFT network.
Transactions such as the letters of undertaking sent by Shetty result in credit being given to a borrower in an account known as a "nostro", which is owned by the issuing bank - in this case Punjab National - but hosted by another bank overseas.
A letter on Aug. 3, 2016 from the RBI to bank executives warned of "a recent incident involving attempted unauthorized transfer of funds from the nostro account of a bank".
The RBI asked the top management of Indian banks to not only ensure that appropriate controls were in place, but also to reconcile their nostro account transactions – that is, to check that they matched their banks' internal records.
A Nov. 25, 2016 letter from the RBI listed what it described as problems that banks reported after receiving the August communication - a number of which were to show up in the Punjab National case.
Several Indian state-run banks had followed a "decentralized set up for SWIFT", meaning that multiple branches and, as a result, "significantly higher number of users" had access to sending money across the global network.
In some cases, the RBI said, that meant more than 1,000 people being able to log on, which "exposed the bank to heightened risk of fraudulent activities".
Several banks, the RBI wrote, had "no/little audit oversight on the SWIFT framework despite significant financial ramifications".
Last month, after the fraud was discovered, the reserve bank set a April 30 deadline for integrating banks' internal software and SWIFT.
Most big global banks began to connect SWIFT - originally standalone terminals like the telex machines they replaced - to their central systems in the 1990s.
Three executives with experience of the cash payments industry said this means transactions are automatically recorded and reconciled within the bank and, ideally, with counterparties. The chief executive officer of SWIFT from 1992 until 2007, Leonard Schrank, said: "I can't imagine not incorporating SWIFT payments as part of overall reconciliation."
Reporting by Krishna N. Das, Suvashree Choudhury, Devidutta Tripathy and Tom Lasseter Additional reporting by Rajendra Jadhav, Rafael Nam, and Abhirup Roy, in Mumbai, Aditya Y. Kalra, Neha Dasgupta, and Manoj Kumar in New Delhi, and Tom Bergin in London Writing by Tom Lasseter Editing by Alex Richardson