In the wake of the public outrage following the dissolution of five more banks within a year of the liquidation of two others, the discussion about blame and responsibility has degenerated into a dispute over facts and records.
Shareholders of some of the collapsed banks have questioned the entire foundation of evidence upon which the actions of the Ghanaian Central Bank have been based. Some have suggested therefore that there simply isn’t enough solid information in the public realm for any serious analysis of wrongdoing and remedies, and that all of us must wait until such, supposedly irrebuttable, evidence becomes available.
The truth though is that there are facts that are beyond dispute; and some matters are largely agreed upon by all parties. And some of these facts provide us with more than enough grounds to conclude that “organised mediocrity”, expressed through wanton disregard for tried and tested standards, was a major contributor to the bank failures, and a continued source of risk in the ongoing financial sector crisis.
This is irrespective of whether or not criminal or incompetent conduct can be established against the individuals who were at the helm of these banks at the time of their collapse.
One of these “facts” should suffice to make the point.
In paragraph 32 of the Statement of Claim accompanying the Writ of Summons filed by some of Unibank’s former shareholders in their suit against the Bank of Ghana, the plaintiffs (the former Unibank shareholders) acknowledge that Unibank had failed to disclose about $180 million of loans advanced before September 2017 due to “system challenges arising from a software migration”.
They make this acknowledgement in a bid to rebut the Regulator’s accusations that Unibank advanced these facilities between September 2017 and December 2017 in breach of the Central Bank’s clear directives not to.
Unibank did undertake a major software transition in early July 2016 when it migrated from the T24 R8 platform it was then using to T24 R15.
The attribution to software migration challenges of the failure to disclose these large amounts of money to the Regulator, if we decide to take the claim at face value as we intend to do going forward, would suggest that the record-lapses persisted for a period of more than 18 months.
In simple terms, until February 2018, when the Bank of Ghana wrote to ask Unibank why it had not disclosed these loans in its periodic returns and reports to the Central Bank, Unibank itself was not aware of these loans or, more plausibly, had lost track of them. It was not properly accounting for them between July 2016 and February 2018, following the onset of the unfortunate “system challenges” that arose from the cut-off from Temenos T24 R8 to R15.
The question that arises then is how many other transactions, credit origination & recovery processes, and balance reconciliations were mixed up, neglected, overlooked or mishandled in the 18-month period during which these problems prevented Unibank from correcting or amending its filings to the Regulator? Typically, because of the risk associated with noncompliance, regulatory filings are some of the most carefully managed processes within any financial or other highly regulated entity.
One must suppose therefore that Unibank must have suffered worse data problems in those aspects of its operations unrelated to regulatory reporting and disclosures.
That supposition is vindicated by another incredible fact: $500 million of customer deposits were not recorded in Unibank’s official books at all. That means the full extent of its liabilities was not visible to auditors, Regulators, and, if we are to assume lack of malice, then to management itself.
The implication of all of these uncontested matters is that for more than 18 months, the management and directors of Unibank were running the 5th largest bank in Ghana half-blind and fully handicapped in their decision-making.
It is a fact that Unibank’s record management systems had not been certified to International Standards Organisation (ISO) 13008, ISO 18128, ISO 15489, ISO 30300, and ISO 30301 standards. No one under current Ghanaian law, not even the Standards Authority, could have forced this on them. But the primary responsibility for driving the uptake of non-statutory standards always falls on the professional association, in this case, the Ghana Association of Bankers.
It is also a fact that in a standards-compliant core banking environment, the risks of any upgrade are very well understood and provisioned for. Therefore, such serious malfunctions and anomalies could only have persisted in the presence of extreme non-conformance with standard “go live” and “cut off” precautions. No bank operating according to relevant standards should have suffered such an extended blackout. A serious bank should not need pressure to do things necessary for the preservation of its own business.
To be fair, Unibank’s vendors for this upgrade project, MCB Consulting and Global Solutions, have a reasonable track record working on the Temenos T24 platform. It is certainly safe to say that Unibank must have delegated many important technical decisions to these specialists.
Inability to observe regulatory obligations.
Unibank’s inability to meet its regulatory obligations cannot, however, be passed on to vendors. Vendors or agents managing a core banking upgrade are not responsible, outside the agreed technical specifications, for the client’s compliance and conformance with data backup, recovery, business continuity, and data integrity standards; enforcing these remains the duty of the principal, paymaster or client. The ultimate responsibility, from a regulatory point of view most of all, rests entirely with the principal, in this case Unibank. This is what brings Unibank’s lack of ISO certification for its records management system into sharp focus. Vendors work with what they find.
It is for this reason that stringent Regulators, such as the European Central Bank, make certain information technology and records management standards mandatory for industry players during critical migrations to shared, harmonized and regional platforms.
The sorry episode described above, of a large bank operating for more than a year blind to the full ramifications of hundreds of millions of dollars of liabilities and obligations, is a wakeup call for all Regulators and corporations in Ghana that the days of “organised mediocrity” must come to an end.
The need for and enforcement of appropriate standards is clear and evident. In neighboring Côte d’Ivoire, recently enacted legislation makes it mandatory for organisations in several sectors to be ISO certified. In the banking industry, these include ISO 9001 (quality management systems) and ISO 27001 (information security management systems). ISO 27001 in particular ensures information and data security and allows organisations to conform to regulatory requirements.
If the recent cyber-fraud incidents and the “software glitch” episodes at Cal Bank and Unibank, respectively, have taught us anything, it is that “standards mediocrity” represents a serious risk in sensitive sectors of our national life such as the financial, medical, and educational services industries.
Industry must embrace voluntary standards from a simple risk management perspective, and where systemic risks are possible, frontline Regulators should not be shy about making once voluntary standards mandatory. Standards enforce trust and they ensure reliability, sustainability and profitability. Standards protect consumers, companies and governments.
Taking a cue from this emerging wisdom, the Ghana Standards Authority shall from this week onwards revamp the certification framework for critical services in Ghana, thus extending its longstanding focus on products to management systems and process conformity as well. Hopefully Ghanaians across all sections of our society shall lend their strong support to this endeavor.
By Alex Dodoo and Bright Simons