Lapses in De-Mapping of GST Officers: A Gateway to Fraudulent Activities

OCTOBER 14, 2024

By Mr M G Kodandaram, IRS. Assistant Director (Retd) ADVOCATE and CONSULTANT

Timely De-Mapping - a Measure in Fraud Prevention

Fraudulent activities within administrative and financial systems often emerge from negligence, lack of vigilance, or weak internal controls by supervising authorities. A recent case involving a former officer fraudulently sanctioning a refund due to delayed de-mapping from the Goods and Services Tax (GST) portal illustrates the dangers of such oversight failures. Similar vulnerabilities could occur across other administrative platforms, such as the Indian Customs Electronic Gateway (ICEGATE) or the Income Tax Portal, which are all governed by the Department of Revenue.

In response to this incident, the Central Board of Indirect Taxes and Customs (CBIC) issued Instruction No. 04/2024-GST on October 4, 2024, mandating systemic improvements in the mapping and de-mapping processes for officers on the GSTN portal. This case emphasizes the critical need for implementing strict security protocols, ensuring accountability, and adopting proactive management strategies in granting system access to internal personnel. These measures are essential to mitigate future fraud risks and protect the integrity of the system.

The GST system and similar digital tax administration facilities act as a foundation of India's tax administration. The digital platform manages all front-end and back-end activities, including tax collection, compliance monitoring, scrutiny and audits, and refund processing, among others. While this digital infrastructure has brought significant improvements in efficiency, it is vulnerable to exploitation if access rights are not strongly controlled. In this case, the delay in de-mapping allowed the former officer to retain access even after his official duties had ended, and he used that access to authorize a fraudulent refund. Whether the delay resulted from oversight or deliberate negligence, it exposed serious risks tied to improper access management. Timely de-mapping is thus a fundamental control mechanism that mitigates the risk of unauthorized access, fraud, and system manipulation, ensuring the overall integrity of the GST framework.

Consequences: Financial Loss and Erosion of Trust

The fraudulent refund incident is a vivid example of the far-reaching consequences of negligence in the de-mapping process. The delay in removing the officer's access led to the unauthorized approval of a refund, causing financial loss for the government and undermining public trust in the GST system's security and reliability. Moreover, the potential for fraud extends beyond refunds. If access controls are weak, fraud can occur in other areas such as assessments, adjudications, enforcement actions, and recoveries. Similar incidents, whether unreported or unnoticed, may be happening, exacerbating the risks of weak internal controls and administrative negligence.

In this case, the failure to promptly de-map the former officer allowed him to exploit his knowledge of internal systems, jeopardizing the credibility of the GST system. The damage extends beyond financial loss; it erodes public confidence in the regulatory framework, making it harder for the government to maintain effective oversight of public resources and tax administration.

Strengthening Controls and Accountability

In response to the fraudulent refund incident, the CBIC Instruction mandates that officers be immediately de-mapped from the GST portal upon their retirement or transfer. This directive, based on recommendations from the Directorate General of Vigilance (DGoV), emphasizes the importance of strengthening controls to eliminate vulnerabilities caused by delayed de-mapping.

The CBIC instruction provides clear guidelines for supervisory officers, particularly those at the Joint Commissioner or Additional Commissioner level, to monitor the de-mapping process. These officers are tasked with ensuring timely removal of access rights, maintaining detailed records, and submitting compliance reports to jurisdictional commissioners within specified timeframes. These accountability measures aim to foster a culture of responsibility, transparency, and vigilance among supervisory authorities. However, a critical concern arises from the lack of consequences for supervisory officers who fail to enforce these procedures. Ensuring that supervisors are held accountable for negligence is crucial in creating a system of checks and balances, promoting transparency, reducing risks, and cultivating a diligent approach to access control.

The fraudulent refund incident reinforces the urgent need for vigilance and proactive measures in managing access to the GST portal and similar sensitive and critical digital facilities. In 2020, the Ministry of Finance declared the GST database and associated infrastructure as a "protected system" under Section 70(1) of the Information Technology Act, 2000. This designation aims to safeguard critical information infrastructure from threats that could impact national security, the economy, public health, or safety. Only authorized individuals - GSTN employees, government tax officers, and vetted third-party vendors - are allowed access to this system, with severe penalties for unauthorized access. Despite this legal protection, the incident shows that systemic weaknesses, such as delayed de-mapping, can still be exploited, leading to fraud and abuse. The CBIC's directive is a crucial step toward securing the system by tightening control over access rights, particularly for officers who are no longer in service.

Digital Governance and Fraud Prevention

In digital governance, vigilance is paramount. Access to sensitive data and financial systems can be manipulated if adequate safeguards are not in place. By emphasizing timely de-mapping and regular oversight, the CBIC aims to prevent future exploitation by removing individuals who no longer have legitimate roles within the system. This case highlights critical concerns for digital governance and fraud prevention, and the importance of integrating cybersecurity principles into public administration systems. As government systems increasingly transition to digital platforms, safeguarding access points becomes essential. The failure to properly manage access rights, as seen in this instance, not only exposes systems to financial losses but also erodes public trust.

Effective fraud prevention must incorporate core cybersecurity principles such as access control, least privilege, and regular audits, ensuring that only authorized personnel have the minimum necessary permissions to perform their duties. Robust internal controls, including encryption, multi-factor authentication, and intrusion detection systems, further strengthen security. Additionally, maintaining a culture of accountability and vigilance is essential, with clear procedures for de-mapping, regular system monitoring, and swift responses to potential breaches. By prioritizing proactive measures and embedding cybersecurity best practices, public systems like the GST portal can protect sensitive information, prevent fraud, and uphold system integrity in an increasingly digital landscape.
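The regular audit of de-mapping described above can be run as a reconciliation between the personnel roster and the portal's mapping and action records. The sketch below is an added illustration, not part of the CBIC Instruction or any GSTN tooling; all officer IDs, role names, field layouts and dates are constructed for the example.

```python
from datetime import date

# Constructed sample data; field names and IDs are hypothetical, not GSTN's schema.
REVIEW_DATE = date(2024, 10, 4)
ROSTER = {  # officer -> date relieved of charge (retirement/transfer); None if serving
    "OFF-101": date(2024, 3, 31),
    "OFF-102": None,
    "OFF-103": date(2024, 6, 30),
    "OFF-104": date(2024, 5, 15),
}
MAPPINGS = [  # (officer, role, mapped_on, demapped_on or None if still active)
    ("OFF-101", "refund_sanction", date(2022, 1, 10), None),
    ("OFF-102", "refund_sanction", date(2023, 4, 1), None),
    ("OFF-103", "adjudication", date(2021, 7, 1), date(2024, 6, 30)),
    ("OFF-104", "assessment", date(2023, 2, 1), date(2024, 6, 4)),
]
ACTIONS = [  # (officer, action, performed_on)
    ("OFF-101", "refund_sanctioned", date(2024, 4, 18)),
    ("OFF-102", "refund_sanctioned", date(2024, 4, 20)),
    ("OFF-104", "assessment_order", date(2024, 5, 10)),
    ("OFF-104", "assessment_order", date(2024, 5, 28)),
]

def stale_mappings(roster, mappings, as_of):
    """Mappings that outlived the officer's relief date.
    Returns (officer, role, days_of_exposure, still_active) tuples."""
    findings = []
    for officer, role, _mapped_on, demapped_on in mappings:
        relieved = roster.get(officer)
        if relieved is None or relieved > as_of:
            continue  # serving (or absent from the roster) as of the review date
        end = demapped_on or as_of  # open mapping: exposure runs to the review date
        if end > relieved:
            findings.append((officer, role, (end - relieved).days, demapped_on is None))
    return findings

def post_relief_actions(roster, actions):
    """Actions recorded after the acting officer was relieved of charge."""
    return [(o, a, d) for o, a, d in actions
            if roster.get(o) is not None and d > roster[o]]

if __name__ == "__main__":
    for finding in stale_mappings(ROSTER, MAPPINGS, REVIEW_DATE):
        print("stale mapping:", finding)
    for action in post_relief_actions(ROSTER, ACTIONS):
        print("post-relief action:", action)
```

The first check measures how long access outlived the posting, including delays that were later corrected; the second surfaces what was actually done with that access, which is the evidence a supervisory compliance report needs.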

[The views expressed are strictly personal.]

(DISCLAIMER : The views expressed are strictly of the author and Taxindiaonline.com doesn't necessarily subscribe to the same. Taxindiaonline.com Pvt. Ltd. is not responsible or liable for any loss or damage caused to anyone due to any interpretation, error, omission in the articles being hosted on the site)
