Share the article
twitter-iconcopy-link-iconprint-icon
share-icon
Asia-PacificDecember 1 2017

Nepal’s banks hope for stability as elections loom

Nepal’s banks have survived two years of upheaval, contending with violent earthquakes and India’s border blockade. Today, the sector hopes to address more systemic issues such as overbanking, political instability and cyber security threats. Stefania Palma reports.
Share the article
twitter-iconcopy-link-iconprint-icon
share-icon
Nepal Rastra Bank

The past two years have not been easy for Nepal’s banks. In 2015, a 7.9 magnitude earthquake killed about 9000 Nepalese citizens (and injured many thousands more). Five months later, India closed its border with the country and stopped all imports, including basic goods such as fuel, from entering Nepal for as many months. “We had a 7.9 [magnitude] earthquake and then a 9.9 earthquake,” says Joseph Silvanus, CEO of Standard Chartered Nepal, referring to the border blockade.

Two years later, the Nepal banking sector has bounced back. But today’s challenges are more systemic, including policy unpredictability, overbanking and vulnerability to cyber attacks, which resulted in an attempted $4.4m heist targeting NIC Asia Bank in October.

Nonetheless, December’s parliamentary and provincial elections, as well as the introduction of a federal government system, leave Nepalese bankers hopeful. The former will be the latest attempt to bring political stability to a country that has had 26 governments in its 25 years as a democracy. The latter could trigger new economic activity at a local level.

Too many banks?

Nepal’s banking sector is relatively strong: its biggest banks are profitable and non-performing loan ratios are low. But one of the biggest challenges for the country's banks is the sheer number of them. Nepal Rastra Bank (NRB), the central bank, regulates 196 banks and financial institutions. Of these, 28 are mostly local commercial banks – a significant number for a $21bn economy. Malaysia, an economy 14 times larger (at $297bn) than Nepal, only has eight local commercial banks.

These numbers do not even include Nepal’s financial co-operatives, the 8000 to 10,000 institutions that take deposits and offer loans but are not regulated by the NRB. “All the risky ventures are going there, such as real estate financing,” says Ashoke SJB Rana, CEO at Himalayan Bank.

Nepal’s bank chiefs largely believe overbanking creates systemic risks. “[It] reduces margins, service quality depletes, unfair competition prevails and customers take advantage,” says Janak Sharma Poudyal, acting CEO at Global IME Bank, while Nepal Investment Bank (NIBL) chairman Prithivi Bahadur Pande says: “We should have no more than eight or 10 banks... with strong capital [bases] of $100m.” 

Paying up

Today’s paid-up capital requirement for Nepal’s commercial banks sits at NRs8bn ($76m), after the NRB increased the threshold fourfold in 2015 in the hope that banks would merge to meet this tougher directive. But most merger and acquisition activity so far has involved small financial institutions, mainly because the NRB allowed banks to meet the requirement via rights issues, which some market participants say was a result of external pressure. In Nepal, many banks are still owned or controlled by the political and business elite.

Sashin Joshi, CEO at Nabil Bank, thinks that allowing banks to raise capital through rights issues might have been a mistake. “If it had not been allowed, forced mergers would have happened without the central bank having to say it,” he says, while Mr Rana says: “It made the whole system riskier because now returns will be lower.”

Indeed, in what is widely considered to be an overbanked market such as Nepal, competition is fierce and lenders are under pressure to generate returns for their shareholders. This leaves little room for investing in things such as cyber security or human resources development. Some market participants argue this is partly why a cyber attack hit NIC Asia in October 2017.

Under attack

In mid-October 2017, hackers installed malware in one of NIC Asia’s computers that allowed them to generate Swift messages using stolen Swift usernames and the passwords of some of the bank’s staff.

These messages called for transfers totalling $4.4m. Only $811,000-equivalent ended up leaving NIC Asia accounts for accounts at Lloyds Banking Group in the UK, Bank of America Merrill Lynch (BAML) and PNC Bank in the US, Kuveyt Turk KatilimBankasi and Vakıfbank in Turkey, Bank of East Asia (BEA) in China as well as a German and a Japanese bank, according to Laxman Risal, CEO of NIC Asia. The largest payment ($215,330) was wired to a BEA account, he says.

No depositor accounts held by NIC Asia were affected by the heist. The funds were extracted from NIC Asia accounts at five banks in multiple jurisdictions.

The cyber attack was well timed. According to Mr Risal, hackers attempted to send the first Swift message on October 19, a national holiday in Nepal celebrating Diwali, but a working day in all the jurisdictions hosting the compromised NIC Asia accounts. “[Starting on the 19th], we had a three-day holiday. Some people came [into the office] during the holiday and when they attempted to send payments they [realised] the Swift server was not working,” he says. NIC Asia staff restored the server on October 21, and then realised it had been tampered with.

“[Swift] has no indication that our network and core messaging services have been compromised,” says a Swift spokesperson, suggesting the Swift messages used in the heist were authentic, but generated with fraudulent intent. “Swift does not comment on individual entities. When a case of potential fraud is reported to us, we offer our assistance to the affected user to help secure its environment. We subsequently share relevant information on an anonymised basis with the community. This preserves confidentiality, while assisting other Swift users to take appropriate measures to protect themselves,” adds the spokesperson.

Retrieval attempts

As The Banker went to press, NIC Asia was still trying to recuperate $655,000-equivalent. Kuveyt Turk and Vakıfbank were the only banks that had returned the stolen funds. “We are having difficulty contacting [the other] banks. The response we get is ‘the money has already been credited to the beneficiary’s account, the beneficiary is not giving us authority [to withdraw money] and we are closing our file’, despite us telling [these banks] that these are not genuine [payments]. The Japanese and Chinese language are [also] an issue,” says Mr Risal.

Lloyds confirms it has identified the account involved in the heist, to which the perpetrators transferred £25,800 ($32,125) from an NIC Asia account at Standard Chartered. A part of these funds had already left the account in question when Lloyds was notified of the cyber attack by Standard Chartered, the agent that is communicating with Lloyds on behalf of NIC Asia. “Funds remaining in the account were secured as soon as we were notified by the agent on October 23. We have been seeking to recover funds that had been sent onwards by the fraudsters and are in the process of returning these,” says a Lloyds spokesperson.

A PNC Bank spokesperson says: “We are prohibited by law from publicly commenting on specific banking transactions. However, PNC always co-operates with any and all law enforcement inquiries.” Meanwhile, a BEA spokesperson says: “While we are unable to comment on [this] specific case... suspicious transactions are more closely reviewed and reported to the relevant authorities. If deemed appropriate, [BEA] will close the account or terminate the business relationship according to the risk assessment.” BAML declined to comment.

There is a risk NIC Asia will find it hard to recuperate the full sum of $811,000 as the perpetrators might have moved the money further after the first fraudulent transfers; and because the sums of each payment are small relative to illicit transfers that large banks typically deal with. By comparison, the 2016 cyber attack on Bangladesh’s central bank resulted in a theft of $101m. Nonetheless, Mr Risal is hopeful that NIC Asia will recuperate most of the stolen funds.

At the time of publication, the perpetrators of the NIC Asia heist were still unknown. Mr Risal says the malware that attacked his bank included Russian language. “But we don’t know from where. [We are] still not sure [who is behind all this],” he adds. The bank reported the theft to Nepal’s central bank, the Nepalese police and Interpol. NIC Asia also asked Nepalese embassies in the US, the UK, Germany, Japan and China to report the incident to local police. KPMG was carrying out an internal investigation at NIC Asia as The Banker went to press.

Enough security?

October’s cyber attack has shaken the Nepali banking market. Some participants say NIC Asia’s cyber security was not up to international standards. Himalayan Bank’s Mr Rana claims the lender’s Swift system was not in a secure area; that the hard drive hosting the system had a private e-mail running off it; that NIC Asia allowed regional centres to send e-mails directly to the Swift server; and that the bank had no time-lock restrictions on the server nor one-time passwords (OTPs), which are unique codes valid for just one log-in session or transaction. “Everything it shouldn't be doing, it was doing,” he says.

But NIC Asia’s Mr Risal refutes all these statements, save for one. At the time of the hack, NIC Asia had no OTP system in place. “It could have helped. But using OTPs at times takes too long. It is [received on a] mobile device [and is] generated overseas,” says Mr Risal. NIC Asia will be using OTPs in the future and cyber security will be discussed in each of the bank’s training sessions.

The NIC Asia heist is perceived as symptomatic of Nepal’s banks not prioritising cyber security. “People are reluctant to invest in cyber [security]. They think it is useless to use that money in that way. We have to change their mind,” says Chiranjibi Nepal, the NRB governor. The central bank is updating its technology directives and working on a new directive asking banks to invest a percentage of their profits – not more than 1% – on cyber security.  

Limited access to skilled labour is part of the problem, and exacerbated by an overbanked sector fighting for scarce human resources. “There is a dearth of skilled human capital at all levels, and instead of creating their own supply chain of training, [banks] focus on poaching,” says Sanjib Subba, CEO of Nepal’s National Banking Institute, a banking and finance academy.

The lack of trained manpower is “the biggest impediment to growth”, adds Mr Rana.

SME focus

In a competitive market such as Nepal’s, banks tend to focus on businesses yielding high returns, such as small and medium-sized enterprise (SME) lending and retail. Lending to SMEs can be challenging. Know your customer procedures are costly and small businesses typically have poor or non-existent financial records. But in Nepal, SMEs need to put up assets against their loans, diminishing risks for lenders.

Global IME’s Mr Poudyal deems SME lending more sustainable and profitable than corporate lending. “Big corporates are very tough in terms of pricing and security demands, unlike any other SME segment,” he says. Corporates used to account for 80% of Global IME’s lending portfolio but that proportion could drop to 50% by 2019, according to Mr Poudyal.

In NIC Asia’s case, corporates account for only 19% of the bank’s lending portfolio. “Corporate accounts are high in volume but very low in margin. SME and retail [customers] provide collateral [while] in corporate accounts it is based on cashflow,” says Mr Risal. NIC Asia’s net interest margin has increased from 2.6% to 3.65% in the past two years.

New federal system

Building up SME and retail portfolios is crucial in light of Nepal’s new federal system, which will be fully operational after December’s provincial elections (see article, page 63). To ensure equal financial coverage across Nepal’s seven new provinces and boost financial inclusion (only 40% of Nepalese adults have a bank account), the NRB has asked local lenders to set up branches in nine districts identified as remote. Lenders will now only be allowed to open a new urban branch after opening four branches in remote areas.

Bank CEOs have mixed feelings about this initiative. “About 60% to 70% of deposits are in [Kathmandu] valley, so nobody wants to go out,” says NIBL’s Mr Pande. And Nepal’s remote areas often lack electricity, basic infrastructure and adequate security measures. But Mr Nepal says he has told the government “that [banks] carry people’s money, so [they] are not going [to these areas] without any infrastructure and security”. To sweeten the pill, the central bank will give NRs10m to banks that open 2500 new accounts in remote areas.

While market participants worry that federalism might exacerbate inequality among provinces and enable fiscal mismanagement, this system might also boost government spending and local economic activity. “In the past 10 to 15 years, the government has been sitting on NRs2200bn of funds without a system for capital expenditure. [A decentralised] federal system might make government expenditure smoother,” says Sunil KC, CEO at NMB Bank.

Implementation struggles

Indeed, Nepal typically struggles to spend its government budget and does so in spurts, generating violent liquidity and interest rate cycles. “Nepal does not lack capital. There are several multi-national corporations and [governments] who are quite willing to cut the cheque and support the country’s journey to modernisation. But unfortunately the [issue] is [about] empowering ministries to devolve the responsibility given to them,” says Standard Chartered’s Mr Silvanus.

A further concern, especially for foreign banks such as Standard Chartered, is reaching financial closure in infrastructure projects when Nepal’s local currency remains unstable. “The [Nepali rupee] is weak. It is essentially pegged to the Indian rupee, which is also not strong. No developer will have the risk appetite to take on Nepali cashflow,” says Mr Silvanus.

A functional cross-currency long-term swap market, an interest rate swap market, a sovereign rating and a deepening of the secondary securities market could help solve this issue. But with a coalition government lacking a common vision, it has been hard to reach these objectives.

The Secured Transaction Act, which standardises the logging of collateral in the Nepali financial system, is an example of political instability getting in the way of policy implementation. The act was passed in 2006 but implementation only started nine years later. The online database where creditors register interest on borrowers’ assets launched only in 2017.

The issues of unstable politics, overbanking and cyber security threats are far from resolved in Nepal. But December’s parliamentary elections and a brand new federal system might finally bring about the political stability needed to fulfil the economy’s potential.

Was this article helpful?

Thank you for your feedback!

Read more about:  Asia-Pacific , Asia-Pacific , Nepal , Regulations