The $1.77 billion (over Rs11,000 crore) fraud at Punjab National Bank (PNB) has sent shock waves across Indian banking.

A multi-agency probe is now gradually unveiling the modus operandi followed in the country’s biggest banking scam. SWIFT, short for Society for Worldwide Interbank Financial Telecommunication, and letters of undertaking (LoUs) are the two instruments allegedly manipulated by PNB employees to let diamond merchant Nirav Modi channel the money illegally.

It is still unclear precisely how these transactions remained unnoticed for seven years since March 2011.

SWIFT and LoUs are used by banks to facilitate cross-border transactions. While scammers have managed to find loopholes in the LoU facility earlier, too, SWIFT is supposed to be a relatively secure medium. And PNB is not the only Indian bank whose systems were breached in the recent past.

In a notice issued on Feb. 17, private lender City Union Bank informed stock exchanges that its SWIFT system, too, had come under a cyber attack recently. “On Feb. 07, 2018, it was found that three fraudulent remittances had gone through our SWIFT system to our correspondent banks, which were not initiated from our bank’s end.” Hackers tried to transfer nearly $2 million in these transactions.

What is SWIFT?

Simply put, SWIFT is a messaging system used by lenders the world over to transfer money between banks, particularly foreign currency funds. The messages are sent via an encrypted channel to ensure that transactions remain secure.

Brussels-based SWIFT was formed in 1973 by a group of seven banks, and it went live four years later. It replaced Telex, the then existing system used to send financial messages, which was prone to human error. Under SWIFT, the automated messages in standard format drastically reduced the room for error.

Now, SWIFT is trusted by over 11,000 financial institutions—banks, brokerages, mutual fund firms, and securities dealers—in more than 200 countries.

A unique identification code of between eight and 11 characters is provided to every bank branch to make wire transfers. If a customer wants to transfer money from the home branch to an international account, both the bank account details and the SWIFT code of the recipient’s home branch are required to authorise the transaction.

In PNB’s case, LoUs were issued via SWIFT in favour of Nirav Modi. An LoU is a bank guarantee from PNB (or any other bank) on the basis of which the overseas banks grant loans. The PNB employees reportedly shared the SWIFT password with Modi’s aide, allowing fraudulent authorisation of transactions.

Typically, clearing a SWIFT transaction involves three people: a maker, checker, and verifier. The maker initiates the transaction, and inputs from the checker and verifier are used to authorise it. These act as additional layers of security to minimise frauds.

“It is similar to accessing your locker in a bank account. The customer has one key and the other is with the bank, you need both to open the locker,” a retired public sector banker explained. “Once the transaction goes through, a confirmation message is sent to the bank, as it happens in other banking transactions. Now, this message isn’t necessarily sent to the people who authorised the transaction.”

So this raises the question: How could SWIFT transactions of a significant amount be carried out at PNB’s Brady House branch with the connivance of only two officers—Gokulnath Shetty and Manoj Kharat—who have been named in the FIR filed by the bank?

Moreover, the mandatory reporting of SWIFT transactions probably didn’t happen in the Modi case. Officials at PNB had told Quartz earlier that its SWIFT system isn’t linked to the core banking system (CBS), a centralised database of all transactions. Therefore, these transactions went unnoticed.
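
The two controls described above, three distinct people per transaction and SWIFT messages matched against the core banking system, can be expressed as a simple daily reconciliation check. The sketch below is an added illustration, not part of the original report and not PNB's or SWIFT's software; the record layout, user IDs, references and amounts are all constructed for the example.

```python
from dataclasses import dataclass

# Finding codes (names are hypothetical, chosen for this example).
ROLES_NOT_DISTINCT = "ROLES_NOT_DISTINCT"
NO_CBS_ENTRY = "NO_CBS_ENTRY"
AMOUNT_MISMATCH = "AMOUNT_MISMATCH"

@dataclass(frozen=True)
class SwiftMessage:
    reference: str      # message reference (constructed)
    amount_cents: int   # integer minor units avoid float rounding
    maker: str
    checker: str
    verifier: str

# Constructed sample data: outbound messages as logged at the SWIFT terminal.
SWIFT_LOG = [
    SwiftMessage("REF-0001", 25_000_000, "u101", "u102", "u103"),
    SwiftMessage("REF-0002", 90_000_000, "u101", "U101 ", "u102"),
    SwiftMessage("REF-0003", 40_000_000, "u104", "u105", "u106"),
    SwiftMessage("REF-0004", 75_000_000, "u101", "u102", "u103"),
]

# Constructed sample data: what the core banking system recorded.
CBS_ENTRIES = {"REF-0001": 25_000_000, "REF-0003": 4_000_000}

def audit(messages, cbs_entries):
    """Return {reference: [finding codes]} for every message that fails a check."""
    findings = {}
    for msg in messages:
        issues = []
        # Normalise IDs so "U101 " and "u101" count as the same person.
        people = {p.strip().lower() for p in (msg.maker, msg.checker, msg.verifier)}
        if len(people) < 3 or "" in people:
            issues.append(ROLES_NOT_DISTINCT)
        booked = cbs_entries.get(msg.reference)
        if booked is None:
            issues.append(NO_CBS_ENTRY)
        elif booked != msg.amount_cents:
            issues.append(AMOUNT_MISMATCH)
        if issues:
            findings[msg.reference] = issues
    return findings

if __name__ == "__main__":
    for ref, issues in audit(SWIFT_LOG, CBS_ENTRIES).items():
        print(ref, ", ".join(issues))
```

A message that reaches a correspondent bank with no matching core-banking entry is exactly the kind of item such a check would surface on the day it was sent.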

Even SWIFT insists on multiple checks by firms to ensure that employees don’t game the system. In case of a fraud due to a security breach (like in the case of PNB), the onus lies with the company using SWIFT’s services.

“…any given transfer needs to be checked for compliance purposes not once, but multiple times, by all the banks involved in processing the transfer, and not against one set of rules, but against multiple sets of rules. Serial checks need to be made throughout the process to ensure that each entity is compliant with the rules and regulations applicable to it,” SWIFT said in a paper (pdf).

In an emailed response to Quartz, SWIFT said:

“When a case of potential fraud is reported to SWIFT, we offer our assistance to the affected user to help secure its environment. We subsequently share relevant information on an anonymised basis with the community. This preserves confidentiality, whilst at the same time assisting other SWIFT users to take appropriate measures to protect themselves. We would like to reassure our customers that there is no indication that our network and core messaging services have been compromised.”

Warning bells

SWIFT-based frauds aren’t entirely unprecedented, though.

For instance, in February 2016, Bangladesh’s central bank lost $81 million after its systems were hacked and orders were sent out to make payments via SWIFT.

“While SWIFT’s network, software and services have not been compromised, each of these incidents took place after a customer suffered security breaches within its locally managed infrastructure,” the Belgian firm said on its website. “SWIFT customers are individually responsible for the security of their own environments, however, the security of the industry as a whole is a shared responsibility.”

Earlier, SS Mundra, a former deputy governor of the Reserve Bank of India, had raised an alarm over the lack of adequate security protocols for SWIFT transfers. “We have also come across instances of fraudulent messages confirming documentary credits being transmitted using SWIFT infrastructure,” Mundra said at an event in Mumbai in September 2016. Such transactions, he said, were being carried out because the checks and balances were not being followed.

Clearly, the warnings weren’t heeded.