[Their Own League, Regional Banks]②Head Office Monitoring and Regulatory Supervision Failed... Regional Banks Became a 'Blind Spot'

Following the 300 billion KRW real estate project financing (PF) embezzlement incident at BNK Gyeongnam Bank, calls for strengthened financial supervision and internal controls over regional banks are growing louder. At Daegu Bank, which is preparing to transition into a commercial bank, some branch employees created false documents to meet key performance indicators (KPIs), opening 1,662 illegal securities accounts, shocking the local community.

Both incidents share the commonality of failures in both preemptive prevention through head office-level internal controls and post-incident detection through external supervision by regulatory authorities. The industry points to the lax internal control culture of regional banks and the physical distance from central offices leading to negligent management and supervision as primary causes.

A real estate project financing loan embezzlement incident involving approximately 56 billion KRW occurred at BNK Gyeongnam Bank. The photo shows a BNK Gyeongnam Bank branch in downtown Seoul on the 3rd. Photo by Jinhyung Kang aymsdream@

In the Gyeongnam Bank embezzlement case, the perpetrator, Mr. Lee (51), after joining the bank in 1990, was appointed head of the real estate finance team in December 2007. He then moved through positions as manager of the investment finance department in 2008, deputy general manager in 2010, deputy head in 2014, head of investment finance department 2 in 2021, and this year became head of investment finance planning department. From the time the full extent of the embezzlement was revealed in April this year until he was placed on standby, he had worked in the same department handling PF projects for approximately 15 years and 5 months.

Notably, during his long tenure in the department, he managed real estate PF loan contracts and also handled the withdrawal and repayment management of the loans. In other words, there was no job separation, as he was responsible even for post-management of the PF loans he handled. To make matters worse, no mandatory leave system was implemented for him. The mandatory leave system requires employees engaged in high-risk financial tasks to take forced leave so that their potential misconduct or incidents can be inspected during that period.

There were many gaps in credit management and post-inspection processes as well. There was no procedure to control loan disbursements to be made only through accounts specified in loan agreements, nor were there defined procedures for loan repayment processing. Even the process of notifying borrowers during loan execution and repayment was absent.

A bank official working in the region said, “For proper internal control, the person designing the system, the person executing it, and the person monitoring it must be distinct. If such job separation does not function well, risks can exist anywhere, whether in commercial banks, regional banks, or internet-only banks.”

Some attribute the issue to a shortage of specialized personnel in regional banks, including Gyeongnam Bank. The total workforce of regional banks varies but is roughly between 1,000 and 2,700 employees (excluding Jeju Bank), which is significantly smaller than commercial banks with 10,000 to 14,000 employees. Given that capital market expertise is concentrated in Seoul, it is not easy to recruit specialized personnel in local areas.

A regional bank official said, “Although there are differences in scale, regional banks perform the same tasks and processes as commercial banks. In such circumstances, due to personnel limitations, it is true that sometimes the person responsible for internal control training is also the trainee, resulting in the ironic situation of self-training.”

However, the financial sector points out that personnel shortages are not the fundamental problem. A regulatory official stated, “Nowadays, most banks establish a three-line defense system for high-risk PF projects, involving front office, middle office (risk management), and back office (compliance). If a bank cannot operate such a system due to lack of specialized personnel or organizational capability, it might be better not to engage in such business.”

Control by holding companies was also insufficient. The current Enforcement Decree of the Financial Holding Companies Act designates ‘internal control and risk management of subsidiaries’ as a duty of holding companies. In the case of Gyeongnam Bank, BNK Financial Group conducted written inspections related to internal controls, but since Gyeongnam Bank joined the holding company in 2014, it did not inspect PF loans classified as high-risk business or their handling and management. Except for on-site inspections, the holding company’s internal audits at Gyeongnam Bank showed no performance in accident prevention inspections at the head office.

In a different case, Daegu Bank introduced a service to open multiple securities accounts in 2021 but did not establish separate internal regulations or procedures for this. Moreover, although securities account opening performance was included in individual and branch KPIs, the possibility of improper handling was not reflected in branch audit criteria. Branch audits refer to self-inspections by branches to check whether their operations comply with regulations and guidelines.

A Daegu Bank branch in Beomeo-dong, Suseong-gu, Daegu. Photo by Kwon Hyunji

There are also criticisms that weaknesses in IT systems contributed to the repeated incidents. For example, Daegu Bank’s IT system allowed customers’ electronically signed documents to be printed even when there was no exceptional case such as a system error, and these printed copies could be used to open accounts at other securities firms. Additionally, only when opening securities accounts could staff change the customer’s mobile phone number.

Employees involved in the Daegu Bank incident exploited these weaknesses to secretly open additional securities accounts without customers’ knowledge. When a customer completed an electronic securities account opening application for Securities Firm A at the counter, the staff would print a copy and secretly create an application for Securities Firm B, processing it through the system.

Although the cases differ, it is also observed that the large-scale embezzlement at Gyeongnam Bank could have been detected relatively early if a more robust IT system had been in place. A regional bank official said, “After Gyeongnam Bank joined BNK Financial Group, conflicts over integration delayed IT system improvements. Relying more on people than systems allowed the perpetrator’s forged documents to be entered into the system without verification. Ultimately, whether accident prevention works well depends on how automated and finely controlled the IT system is designed.”

However, building such IT systems is a costly challenge for banks. Developing and managing comprehensive systems costs hundreds of billions of KRW, which is a significant burden for regional banks whose annual net profits do not even reach 1 trillion KRW. A commercial bank official said, “Even commercial banks headquartered in Seoul struggle to recruit IT development personnel due to competition with large IT companies. Therefore, regional banks usually outsource development, but cost-cutting makes it difficult to guarantee quality.”

Financial Supervisory Service, Yeouido, Seoul. Photo by Jinhyung Kang aymsdream@

Another commonality between the financial incidents at Gyeongnam Bank and Daegu Bank is the failure not only of preemptive monitoring but also of post-incident supervision by inspection authorities. In the Gyeongnam Bank embezzlement case, the Korea Deposit Insurance Corporation requested prosecution investigation, and after the prosecution conducted a search and seizure, the bank and authorities belatedly began to investigate the circumstances. The Daegu Bank incident also started from consumer reports.

According to the Financial Supervisory Service’s (FSS) regular inspection cycles by bank, financial holding group-affiliated commercial banks are inspected every 2.5 years, while internet-only banks and regional banks are inspected every 3.5 to 4.5 years. Commercial banks have shorter inspection cycles due to their greater impact on the overall financial system. Daegu Bank and Gyeongnam Bank, where illegal securities account opening and embezzlement incidents occurred, have not undergone regular inspections since 2014 and 2015, respectively.

Of course, the FSS faces practical limitations. The physical gap between central and regional areas cannot be ignored. Currently, under the Bank Supervision Division 2, which oversees banks other than commercial banks, four inspection teams operate excluding the permanent inspection team. Team 2 is responsible for BNK Financial Group, Busan Bank, and Gyeongnam Bank; Team 3 covers DGB Financial Group, JB Financial Group, Daegu Bank, Gwangju Bank, and Jeonbuk Bank. The remaining teams handle special banks and policy financial institutions.

Regular inspections usually involve 2 to 3 teams forming an inspection group, including the responsible team, so expanding inspection cycles is not easy. Some teams have been busy with year-round regional business trips due to the series of major incidents this year. Especially for serious incidents like large-scale embezzlement or illegal account openings, perpetrators set multiple layers of ‘safety devices’ to avoid detection, making it inevitable that detection takes considerable time.

An official from the authorities said, “Regional banks have all the complexities of organs and systems, so inspections are not necessarily easier than those of commercial banks. Also, since the inspection system was reformed years ago to guarantee financial companies’ defense rights, there are limits to what can be scrutinized. To expand inspection cycles, either more personnel or shorter inspection periods are needed, but both have pros and cons, so it is not an easy decision.”

There are 11 FSS regional offices nationwide, but their roles differ and mostly assist inspections. A regional office chief said, “The main function of each regional office is financial consumer protection, focusing on complaint handling. Except for inspections of unit cooperatives in mutual finance associations, most regional offices can only assist inspections.”

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.