HDFC Bank has sacked 12 senior and middle-level executives for negligence in duty. It is now going through the transaction records of millions of its customers with a toothcomb and shooting off letters to those involved in transactions of suspicious nature. The new-generation private sector bank wants to know its customers.
The trigger point is the scam in allotment of shares of initial public offers. The Reserve Bank of India first imposed a penalty on HDFC Bank and eight others for violating the know-your-customer norms and breaching prudent banking practices, besides failure to adhere to the established norms for granting loans against shares and IPOs.
At the second stage, the capital market regulator, Securities and Exchange Board of India, came down heavily on some of the banks and barred them from opening new dematerialised accounts till further notice.
The RBI penalised nine banks for their role in the scam. The interim order by Sebi listed six new banks (besides naming three which had already been implicated by the RBI) for not complying with customer identification and anti-money laundering norms, while functioning as a depository participant.
How does a bank know its customer? In August 2002, the RBI directed commercial banks to implement the KYC guidelines for all "new" accounts. Subsequently, in November 2004, the banking regulator issued another set of detailed guidelines. This time, the guidelines covered all existing accounts and the deadline for putting in place the mechanism to know one's customer was fixed at December 31, 2005.
Let's take a look at some of the norms.
First, all new customers of a bank must carry a reference from an existing account holder.
Second, the bank must insist on seeing the prospective customer's passport or driving licence. In absence of such documents, "verification by existing account holders or introduction by a person known to the bank may suffice".
The RBI directive also urges banks to ensure that "the procedure adopted does not lead to denial of access to the general public for banking services". Bank boards are also required to formulate policies to monitor transactions of "suspicious nature".
There is also a ceiling for cash transactions. Travellers' cheques and demand drafts cannot be issued against cash if the amount if Rs 50,000 or more. The permanent account number is mandatory for such transactions.
The November 2004 guidelines were based on the recommendations of the Financial Action Task Force and a paper issued on customer due diligence by the Basel Committee on Banking Supervision.
The four key elements of the guidelines are customer acceptance, customer identification, monitoring of transactions and risk management. The guidelines asked banks to define risks in terms of the nature of business activity, location of customer and his social and financial status, among other things.
For instance, "politically exposed" people belong to the very high-risk category. The RBI also made it clear that where "the bank is unable to apply appropriate KYC measures due to non-cooperation by the customer, it may consider closing the account after issuing due notice to the customer explaining the reasons for taking such a decision."
How has the banking system been abused in the IPO scam? A few operators cornered the bulk of the retail shares in IPOs by making multiple applications jointly with others. The account holders do exist and the documents provided by them to bank branches are also genuine.
However, they are not the real beneficiaries of any transaction. In other words, they have lent their names to the operators who have meticulously exploited the loopholes in the system over a period of time. Some of the accounts were opened in 1999.
The permanent addresses given by the account holders were different but the mailing addresses of thousands of them were the same. Essentially, the bank executives followed the KYC norms in letter but chose to ignore the spirit behind the guidelines.
They also abuse the discretion enjoyed by bankers while conducting business. For instance, there is no rule on how many accounts an individual can open in one branch.
Similarly, the RBI does not specify how many co-applicants the main account holder can have. A branch manager can allow one person to have a dozen accounts and a few hundred joint-account holders without violating any norm.
Even, the regulator's diktat banning cash transaction for buying Rs 50,000 worth of bank drafts cannot stop the flow of black money in the system as millions of drafts have been bought every week for Rs 49,000 in cash. Banks do not say no to such cash transactions as they earn commission selling bank drafts.
Knowing one's customer is the biggest challenge of the banking system at this juncture. In their obsession to acquire customers, some of the aggressive players in the system have been following the KYC norms only in letter, not spirit.
Others do not have the technology in place to create profiles of millions of their customers. The solution lies in establishing a clear verifiable identity of the users of the banking system - a social security number, for instance - since the number of PAN cards issued still cover only a fifth of those with bank accounts.
Of course, neither the PAN nor any other identification can be of much use as long as people are allowed to skirt the law, buying bank drafts by paying Rs 49,000 in cash on the counter.
