Exclusive: RBI Reports Show HDFC Cleaner than Others, but Regular Lapses in KYC and AML Control
Abhinandan and Debashis Basu, 12 July 2019
In the fourth and last instalment in our series on inspection reports of the Reserve Bank of India (RBI), called risk assessment reports (RARs), we take a look at HDFC Bank. Our previous reports were focused on State Bank of India, Axis Bank and ICICI Bank. These reports were procured by Right to Information (RTI) activist Girish Mittal, who doggedly pursued RBI right up to the Supreme Court.
HDFC Bank is by far the most consistent when it comes to performance and has been the highest value creator, over the past two decades, not only among banks but also among all listed companies. The market expects its operations to be clean and efficient. 
RBI classified the Bank as medium risk and its reports certainly show HDFC Bank in much better light than its competitors. Here are some reasons: 
  • The FY12-13 RAR mentions that HDFC Bank has a very aggressive record in the write off of non-performing assets (NPAs).
  • There were virtually no deviations in the provisions required to be held and the provisions actually held by the bank (in FY13-14, the deviation is around Rs4.7 million which is negligible for its size). In FY14-15 there is no divergence. 
  • No divergence in assessed profits and reported profits.
  • In all the years, RBI has specifically mentioned that considering the capital adequacy to aggregate risk score, no capital add-on is prescribed.
  • In the FY13-14 RAR, RBI mentions that there is no major variance in the past three years' projected and actual figures for HDFC Bank. 
  • RBI notes that a large number of current account customers (90% in FY14-15) do not have a borrower relationship with the Bank. This is greatly beneficial to the Bank because it is no-risk, free money: banks pay no interest on current accounts and there is no borrowing.
Serious Lapses in Know-your-customer (KYC) and Anti-Money Laundering (AML) Process: Laxity in compliance with KYC and anti-money laundering provisions was reflected in all three years.
  • In fact, in FY13-14, RBI had imposed a fine of around Rs4.5 crore on the Bank and had also issued a caution notice. There was also a fine of Rs2.6 million by the financial intelligence unit (FIU) subsequent to the Cobrapost revelations, for which an appeal is pending. This is one of the key areas where the oversight of the board is found wanting, reflected in a higher risk score for governance and oversight in FY14-15.
  • In FY14-15, more than 11,000 accounts were opened under Jan Dhan Yojana in which substantial cash transactions were observed, but HDFC Bank did not exercise the requisite due diligence in monitoring such accounts.
  • There was a delay in updating risk categorisation in the AML tracking system compared to the core banking software system of the Bank.
  • The alert generation for suspicious transactions reporting (STR) needs improvement as in many cases the Bank did not file STR or filed it with considerable delay. RBI noticed that there were delays between 10 and 70 days in the filing of STR with FIU after it was approved as a suspicious transaction by a principal officer of the Bank.
  • In FY14-15, RBI specifically comments that the internal audit of the Bank detected a large number of violations in KYC and AML instructions by the branches. 
  • In FY14-15, 32,134 cases were detected for KYC and AML exceptions, reflecting noticeable non-adherence to laid down KYC and AML processes. In 2,124 instances, treasury deals were cancelled or modified due to errors which included those ratified by higher authorities, adding to process risk.
  • Out of 1.92 million accounts that are due for re-KYC, the exercise is not yet completed for nearly 64.5% of accounts.
  • A large number of newly opened current accounts in FY14-15 recorded huge high-value transfers that had no correlation to business profile and declared turnover. The audit did not flag such a sudden spurt in transactions.
Rampant Mis-selling 
Customer complaints revealed that they were charged with premium towards insurance policies of group entities HDFC Ergo and HDFC Life without consent. The charges were reversed only after receipt of the complaint from customers. 
High Attrition Rate 
One of the interesting reasons for a high percentage of operational (non-IT) risk is a surprisingly high staff attrition rate. Indeed, in FY14-15, HDFC Bank suffered an attrition rate of as high as 32.75%. The Bank also relies heavily on outsourced or contracted employees. As many as 48% of the employees outsourced or contracted are not on its rolls. The attrition rate of sales and front office employees of the Bank was significantly high at 53.66%. The levels of attrition at HDFC are 93%, at HBL Global Pvt Ltd 65% and at HDB Financial Services Ltd (HDBFS) 73%.
Relationship with HDFC 
HDFC Bank has the option to buy up to 70% of the loans sourced for its parent, i.e., HDFC Ltd. While recognising that adequate disclosures are made, RBI has specifically mentioned the need to have a board-approved 'Conflicts of Interest policy'. 
Tricks To Meet the Rulebook 
In March 2014, the Bank accepted a deposit of Rs100 crore from a rural bank and sanctioned a loan with zero mark-up over the fixed deposit (FD) rate. This resulted in an increase in deposits, advances and priority sector advances close to the balance sheet date. The utilisation of the loan reduced drastically by 17 April 2014.
  • More than 50% of complaints received at branches were not addressed in the stipulated time, while in 23% of the cases the Bank did not issue an acknowledgement to the customer.
  • The largest number of complaints were on account of the mis-selling of insurance products including debit of premium from account without the consent of customers. The complaints related to insurance were closed at the branch without escalation to the head office and also not forwarded to vigilance or fraud for investigation. The Bank needs to step up its efforts to identify and address the causes, which lead to complaints that are recurring in nature.
  • There were instances of mis-selling of third-party insurance products where the amount of premium was not in synchronisation with the income of the customer. The Bank was not adhering to the code of commitment, as it did not provide post-sale services to customers, and non-specified employees of the Bank were engaged in lead generation or solicitation of third-party insurance products in contravention of IRDAI (Insurance Regulatory and Development Authority of India) guidelines.
Audit Lapses 
In FY13-14, certain areas and activities were not covered under concurrent audit. Though the branches were required to respond promptly regarding the bona fides of transactions on the Rs1 crore portal, this was not being covered by concurrent auditors as they had not been provided access rights.
Operational Issues
While the RARs have flagged a number of operational issues, these have reduced over the years.
Issues in FY14-15
  • Considering the thrust in digital banking and risks due to system failures, RBI has remarked that there is no director with an IT background.
  • One of the key reasons for increase in score for senior management as reflected above is that the Bank had reported incorrect exposure data to the central repository of information on large credits (CRILC) and did not take steps to integrate the CRILC data in credit risk framework, i.e., it is not incorporated as a part of standard credit approval memorandum appraisal, review and renewal.
  • The internal audit staff seemed over stretched considering the number of staff and number of audit assignments undertaken.
Issues in FY13-14
Systems and IT
  • System integration tests and user acceptance tests are not conducted stringently. There are a high number of bugs detected.
  • High unscheduled downtime for core banking and internet banking.
  • Manual intervention existed while uploading files in 23 critical systems.
  • Out of 20 sample laptops, 17 had unauthorised software installed on them. This risk was highlighted in previous audits as well but seems not to have been addressed.
  • The Bank is yet to address issues pertaining to 72 gaps identified by an external consultant with regard to recommendations of working group on technology risk management and cyber frauds.
  • The capital adequacy computation was not entirely system driven. There were manual interventions required due to system deficiencies.
  • The Bank provided intra-day credit facilities to certain corporates and MF. However, these exposures were not reckoned for the purposes of calculating single borrower / group borrower limits.
Credit Risk Issues 
  • The rating of borrowers is supposed to be independent of credit function. However the rating approvers were also part of credit & market risk group and in some cases were credit approvers as well. Thus they are not truly independent of the credit function. 
  • The Bank has multiple systems for different exposures. Therefore, in some cases, even though the account is classified as a non-performing asset (NPA), it may continue to be standard in different sub-systems. There was no process note for the system-driven NPA identification procedure.
  • The retail asset product pricing framework gave a leeway to business to operate within a band of (+)/(-) 3% from the rack rates. This resulted in pricing offered below base rate, which is not permissible.
  • In certain cases, e.g., construction equipment / commercial vehicles, the Bank charged interest at a rate lower than the base rate, factoring in the incentive received from the manufacturer. However, this was not uniform. There was no computation of the interest rate applicable and discounts passed on, which lacks transparency and does not give a clear picture to the customer of the applicable interest rate.
Issues in FY12-13
  • The investment advisor who recommends third party products was the exclusive point of contact for customers for responding to transaction alerts generated by the AML system. 
  • The bank had sold an “interest rate cap spread” (a product which was not specifically permitted as per the guidelines) to a public sector entity. 
  • The head of internal audit is in charge of vigilance as well. Given the size of the bank it is desirable to have two different people with different reporting lines, said RBI. 
  • The head of operations risk management reported to head of operations, which was in direct conflict with the fact that the risk management function has to be independent of operations and business. 
  • The risk management function was not aggregated to a designated chief risk officer. 
  • The bank had compliance liaison officers who had dotted line reporting to the chief compliance officer while being primarily responsible for operations which was in direct conflict with the compliance role. 
  • The internal audit function was not commensurate with the high level of customer complaints and frauds that the bank was exposed to. In multiple cases, the audit was completed within a day or the next day and the same auditor was assigned to audit multiple branches simultaneously. In some cases the internal auditor rated the branch as satisfactory in spite of reporting serious operational errors.
  • The process of auditing insider trading was instituted 15 years back and not reviewed thereafter. The check is limited to stock depository accounts of employees with the bank only, and there is no internal auditing of the Chinese wall between investment banking and commercial banking functions.
  • In the wholesale portfolio, the weighted average interest rates of loans extended to relatively better credit rating grades were higher than the rates extended to lower credit rating grades.
  • In retail products, borrowers of products with lower expected loss were charged higher rate of interest vis-à-vis borrowers of products with higher expected loss. The bank had significant pricing power in the retail portfolio due to which it was in a position to price these loans at a rate much above the rate warranted, based on the expected loss history. This has allowed the bank to have an aggressive write off and provisioning policy.
  • In spite of a committee set up by the bank having capped the rate of interest to 24%, the bank continued to have products with interest up to 27.8%.
  • Inadequacies were observed in post disbursement monitoring in respect of gold loans portfolio. However corrective steps were taken in this regard.
  • Breaches in intra-day exposure and controls were found to be inadequate.
  • The system was not able to flag restructured accounts, which dilutes monitoring of the same.
  • The head of private banking had oversight of proprietary equity trading for the bank giving rise to conflict of interest.
Here are the inspection reports of the HDFC Bank as provided by RBI to Girish Mittal under the RTI Act.
Abhijit Kanjilal
4 years ago
I think RBI should publish these reports every year to bring in more transparency with investors. Good job Moneylife + Mr. Girish.