Wanted - tighter oversight on banks
Author: George Mangion - Senior Partner PKF Malta
Published on Business Today: 5th May 2023
Recent overseas bank failures have had international regulators step up on their toes amid fears of contagion with investors shedding risk assets across Europe. Asian stocks diverged on US pledges to backstop troubled lenders after the collapse of SVB was followed by the failure of Signature Bank.
Such news has not caused concern on local financial observers, it appears no deep furrows on the foreheads of official regulators who seem to label the news as a passing hindrance. Who would have expected UBS to take over its troubled Swiss rival Credit Suisse for $3.25 billion following crunch talks aimed at preventing a wider international banking crisis.
The deal, in which Switzerland's biggest bank will take over the second largest, was vital to prevent economic turmoil from spreading throughout the country and beyond. No ripples on the banking spheres in Malta, even though one reads about a number of scams and belt tightening measures that resulted from harsh ECB directives. All this occurred in the past five years. A glaring example of a serious breach in security was reported on Times of Malta concerning how an HSBC manager who has admitted to an audacious swindle involving unauthorised withdrawals from client accounts using forged signatures. Bank admitted that it was “indeed possible” that a rogue banker had forged client signatures.
Typically, the heist involved topping up funds withdrawn from one client’s account by replacing them with funds illicitly withdrawn from another client’s account. This case involved falsifying and forging bank and client records and misappropriating funds.
The bank is seeking to recover €1 million in misappropriated funds and damages from a former mortgage protection manager, who worked for the bank from 1989 until he was fired in August 2021. He was dismissed, after complaints began to trickle in from HSBC’s clients over unexplained withdrawals and transfers, triggering an internal bank investigation and a criminal complaint.
One must stop and reflect how in this modern age of strict governance based on digital protocols, internal staff at HSBC can perpetrate such a scam for over two years and this was halted mainly as a result of complaints by defrauded depositors. It is unbelievable, how such an international bank has admitted in civil court proceedings that to this very day, it has been unable to establish the full extent of the fraud, and there may be other clients who were impacted that they are not yet aware of. The standard crime of “teeming and lading” brings me memories of studies in auditing journals of twenty years ago when at that time transactions were physically monitored and ECB and Basel 111 rules did not attempt to regulate European banking practices. It does not rain, it pours.
This case involved a senior bank manager who over-rode the rules, as he started carrying out unauthorised withdrawals and stealing cash deposits in 2019.
It is unbelievable in these days of computer security mechanisms that the bank was only alerted to such actions two years later. One may attempt to blame internal auditors who overlooked such a weakness but then again, the external auditors did not spot this scam. It had to be the defrauded customers who sounded the alert. HSBC quickly eliminated the possibility that the funds had been transferred out of client accounts due to some sort of administrative error.
In its defense, HSBC said the bank's internal investigation has been concluded and all impacted customers identified and contacted. This is not an isolated fly in the ointment for banks in Malta.
The Reuters news media reports how Bank of Valletta failed for years to detect or address risks involving thousands of payments. It said BOV had not dealt with a litany of risk management failings despite repeated warnings from the Frankfurt-based ECB regulator stretching back to 2015. The report adopted by the ECB in the summer after a recent inspection called for remedial measures, including assessing if BOV’s top managers are fit for their jobs, and reducing exposure to risks posed by foreign clients.
In a particular but not isolated case, a customer has revealed how he lost thousands of euros in a number spoofing scams after believing he had received an SMS from his bank. It goes without saying, that the victim said he felt "embarrassed" to have been duped by the sophisticated cybercrime but decided to share his story to warn others. In this age of computer surveillance and digital oversights, one is surprised how such fake messages appear to be authentic.
In a particular case, it started with an SMS from what appeared to be a genuine BOV number, which he had previously received authentic messages. Such a notorious scam is known as number or ID spoofing. In the scam message, the customer was warned that their mobile device has had its access limited for security purposes and asked to either visit a branch or re-authenticate their device by visiting the BOV website.
A MFSA warning letter is quoted to read that despite various interactions, BOV is perceived as lacking in effectively addressing the spirit as well as the actual concerns raised, and does not show the required sense of urgency expected in these circumstances to address the issues at hand.
The MFSA told the bank’s management that BOV had issues when it came to taking on new clients, and “major deficiencies” when it came to the effectiveness of its internal governance. This letter included the effectiveness of the bank’s board in providing strategic and governance oversight.
Despite warnings, BOV kept scant details about the source of wealth of the shuttered Pilatus’ bank directors and no documentation was provided when its owner Ali Sadr opened an account in 2014. Again, BOV authorised a €36 million loan facility to Stewards Healthcare which were found in a Court judgement to have entered into a fraudulent commercial agreement with government to run three state hospitals. Most, probably such loans were secured by the State yet the top credit manager authorizing such a bad debt had quietly resigned his post.
In another case, BOV allowed CenturionBet, a gambling company which the ECB said had its license withdrawn in Britain in 2009, to continue transferring money even though its licence had also been revoked by Maltese authorities in 2017. In a reaction to the ECB report, BOV’s de-risking exercise has taken on a much wider dimension. The bank is today engaged in a priority process - agreed with, and monitored by its regulators - to deal with the legacy issues highlighted by the report.
As a government-controlled bank (the state holds the largest share) it has made strong progress in addressing the specific issues within the relevant timelines, and is confident that its processes will be substantially enhanced as a result.
Author: George Mangion - Senior Partner PKF Malta
Published on Business Today: 5th May 2023
Get in touch: info@pkfmalta.com