Insuring of internal fraud at banks
Given the reluctance to part with data and tendency to minimise the risks, those in the segment say banks need to seriously relook at whether they’re covered for a PNB-type case
In the wake of the Punjab National Bank (PNB) scam, banks might take another look at their indemnity policies that cover specific operational risks. Currently, most banks are buying indemnity covers for as low as ~20 million and going up to ~250 million, miniscule, according to analysts.
Public sector banks (PSBs) lost ~227.43 billion due to banking fraud between 2012 and 2016, according to a study at the Indian Institute of Management, Bengaluru. Electronics and information technology minister Ravi Shankar Prasad recently told Parliament there were 25,600 cases of banking fraud totalling ~1.79 billion reported up to December 2017.
Indemnity policies are insurance products designed to address the liabilities of bank managers and professionals, arising out of error, theft or fraud by employees, third parties or criminals (hackers included). The term ‘employee’ in such policies covers all existing ones, permanent or temporary, wholetime or not. It does not include non-salaried directors or principal officers.
The size of the banker indemnity market is around ~1 billion and government-owned general insurers have around 95 per cent of the market in such policies. The policies cover losses incurred for theft occurring within the insured’s premises, in transit, if there is forgery or alteration, criminal dishonesty, if goods are hypothecated, infidelity or criminal acts by appraisers, among other things.
Most insurers provide insurance on all of these basic factors, with each offering different incentives and/or additional cover. For example, one general insurer allows banks to cover losses relating to automated teller machines, expenses for loss minimisation, earthquake, fire or terrorism, as additions to the policy cover.
In the first nine months of 2016-17, this publication had reported that official data showed 455 cases of fraudulent transactions of ~100,000 and above having been detected at ICICI Bank, 429 at State Bank of India (SBI), 244 at Standard Chartered Bank and 237 at HDFC Bank. While the majority of these would comprise small-size fraud, one large fraudulent transaction can make a bank tailspin.
Sanjay Kedia, country head and chief executive at Marsh India Insurance Brokers, says: “Looking at the size of operations of Indian banks, these (cover) amounts are grossly inadequate. Consequently, premiums are also low. Of the total insurance spending of a bank, these account for 5-10 per cent. For other clients, this is as low as 0.5-1 per cent.” Similar-sized banks globally usually have a crime insurance cover of $100-500 million, says Kedia. Deductibles in these (global) insurance programmes are around ~50 million, the size of the insurance cover purchased locally by most banks. This means the Indian banking system has yet to internalise the need for such a cover to the same extent as its foreign counterparts.
Underwriting fraud, risk Underwriters of these insurance products rely on banks to follow the Reserve Bank of India (RBI) guidelines on operational risk management (ORM), Know-Your-Customer norms, guidelines on branches, ATMs and lockers/safes. Also, to appoint valuers, appraisers and lawyers to examine credit and implement an ORM framework that is effective in monitoring and reporting error or fraud.
Potential losses are categorised either as ‘high frequency, low severity’ (HFLS) events like minor accounting errors or bank teller mistakes, or ‘low frequency, high severity’ (LFHS) events, such as terrorist attacks or a major employee fraud. Since HFLS data is easily available to bank risk departments, it is easier to model the operational risk potential and possible losses. LFHS events are uncommon and, therefore, the limited data for modelling is a challenge. Total operational risk loss is calculated as inclusive of the loss incurred and the expenditure to resume normal functioning. One also has to track potential loss, near-misses and attempted frauds even when no loss has been incurred, as such data helps strengthen internal systems and controls.
“While taking the policy, banks provide insurers with information relating to the pre-checks in place, levels of control, whether they differentiate between employees who handle cash and those who do not,” said B
Vaidyanath, underwriting manager, casualty, at SBI General Insurance Company. SBI General Insurance at present does not sell such products. Vaidyanath responded to Business Standard’s questions from past experience. “From a bank’s perspective, whenever they are hiring a candidate, they have a pre-check in place. From an insurance company’s perspective, the underwriter would check on the procedures and controls in place on hiring, process check, prior claim circumstances, etc. Also, they will look at whether the cash is being handled at all times by bank employees or being outsourced to another vendor. If so, is there a contractual agreement between insured and vendor?” he adds.
These are among the details sought by underwriters on a bank’s risk control measures, monitoring and reporting systems, historical loss data and loss reports.
Companies buy a combination of fidelity insurance, crime insurance and a directors’ liability cover, in addition to cyber insurance. Indemnity policies are specific financial institutional products that include a cover for all of these, barring cyber. While technology and software can help the risk and compliance departments monitor fraudulent behaviour, these tools only highlight outlier behaviour or transactions. It is far more relevant and important that banks invest in ‘qualitative’ employee policies that deter wrongdoing, as opposed to solely relying on technology to catch people ‘in the act’. According to a study by Khanna and Arora (2009) which surveyed 253 bank employees in the various districts of Uttarakhand, the staffers did not take the problem of fraud very seriously. They were unaware of the various types of frauds and an environment had fostered where there was no interest in developing the skills required to prevent these.
Current and future
“Fraud/crime accounts for 85-90 per cent of the big losses in the operational risk for Indian banking. Globally, also, it remains the biggest threat. There is an inherent legacy when it comes to insuring crime. Generally, most banks are uncomfortable in sharing data about employee fraud,” says Kedia.
Banks reported a total loss of ~169.19 billion from 29,910 cases at the end of 2013-14.
“Banks need to arrive at the maximum exposure they carry and to calculate the estimated maximum loss, based on which they take a cover (average range is between ~20 million and ~250 million). Whether the cover is adequate or not is hard to say,” said Vaidyanath. This is dependent on their (banks’) historical-risk data with regard to employee behaviour, the associated risk, likelihood of fraud at different levels and probabilities of theft or errors on the part of third-party vendors, among other variables. Operational risk management departments can choose to calculate and model.
Based on which the bank applies for a specific cover. So, the size of this, Vaidyanath says, depends on internal systems, ability to monitor fraud and loss in the past.
So, while there is data released by the RBI every year on the loss incurred by the entire system because of fraudulent transactions, these only give underwriters an understanding of the trend. The main problem for insurers arises while valuing these losses and establishing whether or how the fraud took place, who was responsible and understanding the accountability measures (internal and/or criminal proceedings).