Mumbai’s winter is usually a collection of four-day spells of nippiness. December 2016 started with a promise of early onset of cooler weather. On December 9, Friday, the minimum temperature in the city fell to 17 degrees centigrade, four degrees below average. A cricket test match had started at the Wankhede Stadium a day before. Barely a few km away from the Wankhede, at the Trident Hotel in Nariman Point, a gathering of banking sector honchos were discussing a chill of a different order.Top CEOs of the Indian banking industry were meeting with experts in vigilance and compliance, in a closed door seminar to discuss banking fraud. It was just over a month after Prime Minister Narendra Modi had declared the demonetisation of the Rs 500 and the Rs 1,000 notes, on November 8, starting a huge process of replacing lakhs of crores worth of currency with new ones. In the intervening month, in spite of a rationing of currency, troves of illegally accumulated new notes worth lakhs and sometimes even crores have been found with several individuals across India. Bank employees were allegedly in collusion. End-November and early-December saw the Central Bureau of Investigation and other government agencies registering multiple cases against bank employees. The Indian private banks, so far seen as a cut above their public sector cousins in terms of processes and checks and balances, were also under the scanner (see Worrying Figures). Already, Axis Bank had sacked 19 employees, HDFC four.Samir Bhatia, a former private sector banker who had worked with Citibank , HDFC Bank and Barclays before turning entrepreneur, feels the root of the problem is rapid growth. “While Indian private banks have grown fast over the last decade their supporting structures of systems and processes have not kept pace.”“Banks in India have never seen so much cash. There is bound to be increased greed,” a forensic investigator who consults with Indian banks said on conditions of an onymity. “What you have found so far is just the tip of the iceberg.”It’s a common notion that corruption breeds in the sluggishness and red tape of the public sector banks ( PSB ). Can they also flourish in the private sector, where there is always a premium on growth and a bonus on the horizon?December 9 was International Anti-Corruption Day. At the seminar in Trident, hosted by Union Bank of India , the theme was how the PSBs and the private banks could forge a partnership to combat fraud. Among those who attended were ICICI Bank MD Chanda Kochhar , Bank of Baroda CEO PS Jayakumar, Central Vigilance Commissioner KV Chowdary and RBI deputy governor SS Mundra . While the focus was on sharing of data and experiences, the PSU bankers lamented how it took them a year or longer to implement any new software or tool, something the private banks could do in a couple of months.Such differentiators, however, now meant nothing as Indian private banks were shown to be as vulnerable to fraud as their PSU counterparts. The chaotic hustle of demonetisation, the continuous pressure of attending queues, and especially a deluge of branch transactions seem to have shaken up the sector. Axis Bank was particularly in a spot, leading CEO Shikha Sharma to put out a statement saying she was embarrassed by what some employees have done. In the first week of December a couple of Axis Bank employees were arrested and two gold bricks that were used for bribery were seized. In other cases, scores of fake accounts were discovered along with cases of identity theft where these account holders were found to be manual labourers.The modus operandi was clearly of opening fake accounts and using them to change old notes and withdraw money, circumventing the restriction on daily withdrawals. In one such case that came to light on December 15, Rs 60 crore was found to have been deposited in accounts of 20 fake companies with their accounts in a Noida branch of Axis Bank. Earlier this week, the income tax department conducted an inspection at an Axis Bank branch in Ahmedabad after it received complaints of black money being laundered through dummy accounts.As Helios Capital Management founder CEO Samir Arora pointed out in a tweet, for banks knowing their own employees is becoming more important than knowing their clients (KYC).Bhatia, who had led the corporate banking division of HDFC Bank in the past before leading the retail and commercial banking for Barclays Bank in India, feels the private banks have a three-fold challenge ahead of them. One, there is a need to bolster the background checks that banks do while hiring. “With rapid growth there is high attrition and therefore hiring too had to keep pace creating needs for a better background checks regime.” Second is the need to enhance the size of the compliance unit that each bank has. Bhatia points out that manpower of compliance units needs to go up, in proportion to the bank’s growth. Third, Bhatia feels that private banks need to take their internal audit process to more locations. “Often audits can get done off dashboards, instead the internal audits should be more physical, more location based.”Compliance departments typically have 20-30 people, and if internal audit is included that adds up to around 100. Till disaster strikes, this group is often seen as a cost burden and questions are asked about what returns it is bringing in. In fact, many executives in compliance confess that in the first few days after demonetisation they were pulled out of their regular roles and were asked to help bank operations in exchanging money. Right now, there is a degree of unease prevailing in these departments as money-laundering and currency exchange scams have tumbled out.Dhruv Chawla, partner for forensics at PricewaterhouseCoopers, says: “Compliance is often seen as a cost centre. Seen in that light, the unit may not show returns on investments like a typical business investment. Only when it is treated as a strategic investment, with the right operating model, the compliance employees will feel motivated and it will work well.”Axis Bank has now appointed KPMG to do a forensics audit of its operations and the transactions. It would not be the only one to do so. Most banks are speaking to the forensic services of the Big Four audit and accounting firms. One of the key services that these firms provide is that of mystery shopping — somewhat akin to what is done in the retail context. Here, a team of forensic experts approaches bank branches incognito, seeking loans or other services and takes note if the particular branch or officials are observing their own norms and rules.This might remind one of the sting operations done by Cobrapost in 2013 that targeted three private sector banks, HDFC Bank, ICICI Bank and Axis Bank, and ended up with the RBI imposing fines on each bank. The sting showed bank officials, in their eagerness to provide services to clients, stretching their own rule books. Mystery shopping, in a way, is the banks’ own sting on its own branches.One can add here that banks’ clients too are using novel methods — for instance in Pune, currency notes were recovered from the lockers of an MNC client of Bank of Maharashtra.Apart from mystery shopping the forensic players are also being asked to look at the millions of transactions that have taken place in the frenzy of the last month, and see if patterns emerge that show fraudulent activity. The RBI has also sought daily reports from banks, and the banks themselves have reported some of the fraudulent patterns to the RBI and the government in the our own systems regarding detection of such practices have worked well. The spokesperson insisted that a handful of instances should not lead to generalisations and added: “ICICI Bank has implemented a multipronged approach to create a robust and state-of-the-art system encompassing data protection and access control, even for employees. This ensures that the bank undertakes large number of transactions every day in a seamless and secure manner.”In July 2016, the RBI imposed a fine on HDFC Bank of Rs 2 crore (Bank of Baroda was also fined Rs 5 crore) in a foreign exchange scam where Rs 6,000 crore was found to have been transferred to accounts in Hong Kong using the two accounts. The trail of this investigation conducted by the enforcement directorate had led to a host of other banks and finally 13 banks including both PSU and private banks were fined and a host of others were asked to tighten their KYC norms.In response to emailed queries, an Axis Bank spokesperson said: “As a part of regulatory compliance, like all banks, we have been proactively informing and regularly filing suspicious transaction reports (STRs) with the financial intelligence unit (FIU). We have witnessed a sudden surge in STRs during the demonetisation period. Some of the potential suspect accounts identified by investigative agencies were already part of these STRs filed by the bank.” The spokesperson reiterated that the bank has a zero tolerance policy for any deviation from norms.The spokesperson added: “We are constantly reviewing our systems and processes along with KPMG and have already set up additional alerts post-demonetisation. We have identified and taken strict action against erring employees at various levels in hierarchy across the country, for alleged deviations.”An HDFC Bank spokesperson, when contacted, also reiterated the stance that the bank proactively reported suspicious transactions to the government.An IIM-Bengaluru report published in March 2016, on banking fraud, by a team led by RBI chair professor Charan Singh, found that while the quantum of money involved in PSU banks frauds was larger, the number of frauds reported by private banks was greater. Singh (now also a director of Nabard Financial Services) and his team wrote: “The data reveals that more than 95% of the number of fraud cases and amount involved in fraud comes from commercial banks. Among the commercial banks, public sector banks account for just about 18% of total number of fraud cases, whereas in terms of the amount involved, the proportion goes as high as 83%. This is in stark contrast with private sector banks, with around 55% of the number of fraud cases, but just about 13% of the total amount involved in such cases. The PSBs are more vulnerable in case of big-ticket advance related frauds (Rs 1 crore or above) in terms of both number of fraud cases reported and total amount involved.”One of the key recommendations of the report is for banks to have an intelligence gathering unit or fraud detecting agency within the banks along with services of specialised agencies that have experienced people from government law enforcement arms. Vikram Babbar, executive director at Fraud Investigation & Dispute Services at Ernst & Young LLP feels that banks would require to be ready for unknown situations.Example: regulatory decisions such as demonetisation, which can significantly impact risk profiles of clients. “The Jan Dhan accounts are an example of how a low-risk profile can suddenly become high-risk,” Babbar points out. A n easy conclusion from the IIM-B report seems to be that at PSUs fraud often involves collusion at higher levels of the management, leading to big-ticket malfeasance, whereas in the private sector the malpractice happens lower down the order. The proverbial tone at the top remains good, and it is a question of driving it down.