Invisible thieves
Recent cyber-attacks have shown that Nepali banks need to keep up with technology
The recent cyber-attack against a private bank targeting SWIFT, a network used by banks to transfer information and money worldwide, is a glaring wake-up call to Nepali banks. This incident follows multiple cases of global cyber heists and local ATM and other frauds. Hacking of dormant customer accounts and misappropriation taking advantage of inadequate reconciliation have been a common phenomenon in the industry. While recurring loan losses for want of good governance and lack of proper loan administration have nearly bankrupted a few banks, and thus increased focus on credit risk, operational risk issues do not often get adequate board and management oversight.
Keeping the industry healthy
Since banking is a sensitive sector, frequent embezzlement of public money or hacking of accounts may create distrust. Banking is a business of trust and history has shown that breach of trust can be fatal for even the largest of banks. With the massive growth in the number of banks in the past decade and the recent hike in capital, the banking industry is truly flourishing in Nepal. Banks mobilise scattered funds and channel them where there is demand. However, there is a major concern whether banks are properly addressing the risks that come with expansion and decentralisation.
As internet-based banking has been spreading in Nepal, so has the possibility of cyber-attacks and other frauds. Checking possible scams and safeguarding depositors’ money requires greater scrutiny of security measures, technology upgrades and updates in compliance with international standards. Needless to say, banks have a risk appetite, but large risks are hazardous to the health of the industry. It must be ensured that the risks banks take to make profits are properly calculated. Board members should always drive banks towards long-term sustainability instead of focusing on short-term profits.
The Basel Committee defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. To begin with, the banking business has been profiting from risks. Today, new transactional technological devices are in place to expedite work processes and curtail operational costs. However, these processes or systems may be vulnerable to failures or lapses. Some procedural failures cannot be entirely addressed no matter how robust the system. A good example would be bank tellers who are expected to expedite work processes since cost control and cost effectiveness are some of the measures the uppermost management stratum is always concerned with. The teller at a counter is not a robot but a person with feelings, and therefore, mistakes are somehow inherent in this job profile.
Plugging the gaps
The solution seems to be engaging in operations by being less human. However, this should be backed up by updated systems and work standards. Human capacity for output is limited by various psychological and social conditions. The first line of defence is providing a capable workforce along with adequate supervision and a good degree of subversion. All this, and an ideal work environment, is required. In Nepal, the highest degree of risk, as experienced in the last couple of decades, is people-related risk. Before a person is assigned to a set of charges and duties, a comprehensive study should be carried out on the person’s background, financial standing and ethical issues.
Banks have two types of staff: one permanent and the other contractual. Permanent staff are paid five or six times more than contractual employees. This kind of immense disparity could increase the likelihood of poorly paid staff engaging in financial fraud. Other people related risks are observable in a situation where bank owners appoint family members or other close persons to top management positions. Even though employees who feel protected may engage in fraudulent activities, the major risk is their possible incapability to prevent or tackle operational issues.
With regard to work processes, banks have been gradually automating their systems; and now most fund transfers are done electronically. There are other payment systems in the form of credit and debit cards. There is also internet and mobile banking. However, big sums of money are transferred through SWIFT internationally. While these electronic banking systems are often certified ‘highly secure’, there are certain inherent limitations.
Password secrecy, periodic password changes, trustworthy staff, dual checking systems, regular system auditing and an inaccessible SWIFT operating area are wanting in many banks in Nepal. Furthermore, it is of utmost importance that IT systems are updated with the latest technology. Banks often fail to keep up with the latest updates with regard to SWIFT and their core banking systems. Training and regular information system audits can address many security lapses, but banks often consider investments in secure technology to be expensive. However, should lack of such investment result in a major financial loss, banks may find themselves in a situation beyond their control.
Acharya is a retired banker with a Master’s degree in English literature