Almost 55 years ago, Rustom Nagarwala impersonated an authority from the prime minister’s office and persuaded a cashier at the Connaught Circus branch of the State Bank of India to part with ₹60 lakh in cash.
The ruse was quickly discovered, the money recovered, and the culprit arrested. Even then, the explanation rested on an extraordinary claim of coercion and authority.
Move the calendar to February 2026. IDFC First Bank reported on 21st February that it suspected the wrongful withdrawal of a big sum, possibly ₹490 crore to ₹580 crore from the account of the government of Haryana at the Chandigarh branch.
This article does not allege fraud by the Bank’s management. Nor does it prejudge culpability. Its purpose is narrower: to examine whether explanations offered so far sufficiently address basic questions of banking controls, governance and disclosure in a cheque-based fraud of this magnitude.
The Bank reported this incident to the stock exchange and followed it up with an analyst call on 23rd February.
The summary of what the Bank’s management has so far stated is -
- This case is one of collusion between the staff of the Bank and some outsiders.
- No senior-level person in the Bank may have been involved.
- The discrepancy was picked up when the records of the customer and the statement issued by the Bank did not match.
- The unauthorised withdrawal may have happened only over a short period of time (not categorical).
- The amount of loss (post any recovery/insurance claim) will be absorbed in the books and it will not affect the vital parameters of the Bank.
- More details on why and how this happened can be known only after KPMG, engaged to do a forensic study, submits a report.
Just to contrast with another major fraud in a private bank that is just about a year old, that of the IndusInd Bank. It was an inside job of fudging the accounts to show better results. Beyond whatever was shared initially and absorbing the loss in the books, the information of how this happened and escaped everyone’s attention for a long time, remains a suspense.
To revert to the IDFC Bank case, the management has confirmed that they have fully settled the government’s dues (first page ad in most national dailies).
Does this mean further public discussion on this is futile?
Not for those who hold money in banks (where else will one). They have reasons to be concerned with this case.
Though, a one-off or unusual, the fact that money can be moved out of a bank account without the knowledge of the account-holder is enough cause for discomfort. This is quite different from the online scams which also result in losing money from bank accounts.
In this case, the settlement happened rapidly, of restoring the money to the account-holder because of who it was. If it was a common man, no way would anything happen with this alacrity, as many legal formalities, undertakings, indemnities, possible police clearances would be sought before releasing any sum.
Since all the readers of this column may not have accessed the transcript of the analysts’ call, the rest of the article is built on what was stated in the call.
This is not a case of a highly sophisticated fraud to beat a well-developed system of controls and checks that scrutinise and counter-check important and large value transactions.
The management confirms that this is a case of a cheque being forged and the Bank staff in collusion with the outsiders, passing it and no higher-level person checked it or found it out.
There is a reference to a physical transaction of people coming to the bank to commit the fraud. That is surprising as there is no admitted fact of the amount being withdrawn by cash. Why would any person visit the bank if the cheque is encashed in the normal course by routing it through a collecting bank?
And you know, this is basically a case where debit instructions have come supposedly from the client, which our people, which clearly to us indicates a fraudulent activity, have passed the entries and have transferred the money to certain parties outside the bank from the client's account. Now they've also used cheques, when looked in hindsight looks forged, but someone has cleared it.
Irrespective of whether cheques were forged and they were paid out assuming that they were, when you look in hindsight and you check the signature and assuming they're not exactly tallying. And so even if that be so, there is a certain bank balance that is reflecting on the books of the account. That has been sent out to the parties. But like we said these are part of the evaluation of the processes that will come up.
But this is not a digital transaction. This is a physical transaction where people have come, you know, the cheques have been forged. This is, let me say, the oldest kind of fraud probably known to banking.
The next important aspect is that the collusion happened, despite maker/checker system in place. That again is admitting that the system is a weak one and anyone can beat it! Also, these has been no rotation policy which is a basic routine in every bank to break a single person’s control of any sensitive position.
Yes, clearly, clearly employee collusion risk, if a maker checker authoriser everybody in a branch compromise with a counterparty on the outside and clears a fraudulent cheque or clears a fraudulent transaction, maybe in this case even with multiple parties. So this is the kind of a stuff that can happen anywhere, that too in this a traditional the oldest kind of fraud of a cheque and that kind of stuff. But really when we will also introspect on this, we should also think about our staff transfer policy, how maybe their own behaviour, maybe we should be able to figure out more transaction pattern of how employees' accounts and conduct are, we need to think a little deeper about how we could have stopped dealt with the collusion.
The statement that the Bank’s system is running well when a collusion was not checked is a farcical one.
This is not a system failure, this is not electronic system failure, the systems are, you know, running holding us very well. It is a collusion of individuals. So we will reflect on this. We will definitely reflect on this and we will take some very decisive moves about how we will prevent this going forward. And we really would be never want to see another incident like this in our lifetime in this bank again. We will make some very, very decisive moves.
So obviously, let me just say that systems of the Bank are running really very, very well. This is a case of collusion. So this is a case of collusion of our employees with some counterparties outside. And this is a key risk to address is the collusion risk.
In fact, we are absolutely on par with any good bank. This is a collusion that has happened, like we discussed before. And it’s a collusion risk, it can happen anywhere. But of course, we will now reflect on it and see what more we can put in terms of the controls. But to answer your question, yes, of course, not only the processes are the same, we do validation, then there's eye-to-eye checking of the cheque versus the system, so the process are same basically you check the signature on the instrument versus the system of the system, you clear it and then there is a double triple check of a maker, authoriser, verifier etcetera. All that has been followed in this case.
The para below states that the Bank grew too fast and systems were not commensurate with the expansion:
We in the last five years, seven years we put up over 1,000 branches, cumulatively maybe over 1,050 or 1,060 and we have really not seen any incident of this nature that has happened here. So but this incident is a further opener for us. We will check one more time, implement necessary controls and keep going.
Now in terms of, what new controls, we will implement. This is a quick one based on the last three days’ work, but of course, we will do more as the days progress. We are planning to put an explicit system based on confirmation of high value transactions for branch-based transactions exceeding a predefined threshold, we will take an explicit confirmation from the customer and we'll make it mandatory.
The customer's confirmation will then be captured through a verified digital channel with a stipulated window, meaning that the customer, for example, if we want to clear a particular transaction, we don't have to really call you, we will trigger an alert for you to specifically go to your app and say that yes, please clear the transaction. So, this is a specific control we'll bring, extra control.
The above is just a flavour of the bank’s precarious situation in terms of its systems and controls and how the management understands what constitutes a foolproof system, etc, to run a bank.
The transcript is captured in 19 pages. The extracts given are just a few of the points. If there is a doubt of bias in the above compilation, then, it is better to see the full transcript.
The Bank should have in its possession at least the following information which it can share without any major forensic exercise. If this is available, then the need for the forensic may appear superfluous!
- The payees whose accounts were credited, the exact date and amount and the collecting bank;
- Whether the cheques used for forgery were counterfeits;
- Persons who cleared the payment/ higher level authorisation in IDFC Bank;
- Whereabouts of the paid cheque leaves;
- The duration over which the embezzlement took place (goes back to point 1)
The noise around this may die down very soon, even without having to be replaced by any other fresh scam.
Very unlikely, anybody of substance will be finally penalised for causing this loss to the Bank’s shareholders. If any regulator gets involved, it is the Bank that will be levied a penalty, adding insult to injury.
Accountability at a personal level is invariably at the lowest level in the hierarchy. The security staff of the Chandigarh branch may be the first to be replaced. The board, of course, will remain intact!
(Ranganathan V is a CA and CS. He has over 45 years of experience in the corporate sector and in consultancy. For 17 years, he worked as Director and Partner in Ernst & Young LLP and three years as a senior advisor post-retirement, handling the task of building the Chennai and Hyderabad practice of E&Y in tax and regulatory space. Currently, he serves as an independent director on the board of four companies.)
