Officials of Bank of Baroda (BoB), India’s second-largest public-sector bank (PSB), reportedly used fake mobile numbers to meet targets for new registrations to the bank’s new app, Bob World, when it was launched last year. According to an investigative report by Al Jazeera, one officer in each branch had been given the target of taking on board at least 150 existing bank customers. When the registrations were lower, the officials came up with the idea of linking the mobile numbers of random unknown people to boost the registrations. It appears that BoB officials followed this modus operandi across the country. They first fetched the list of bank accounts not linked to mobile numbers. They then linked these accounts to any mobile numbers they could gather to generate the one-time password (OTP) needed to join the app from the back-end. The employees claim that they deregistered these customers from the app and reused the same mobile number in the same manner with other bank accounts to meet targets, the report says. In many cases a single mobile number was linked to more than 100 bank accounts. BoB’s own policy states that one mobile number cannot be linked to more than eight accounts, and only if all these accounts are of the same family/address. (The bank has denied the report.)
While this may shock most people, claiming fake hits on websites, boasting high but bogus app downloads and fake registrations are common underhand tactics among digital companies. In 2021, Japanese investment giant SoftBank invested over $170 million in a little-known social media app called IRL, valuing it at $1.17 billion. It turns out that 95 per cent of its claimed 20 million user base was fake. But when employees of India’s second-largest PSB with a market valuation of over Rs 1 trillion reportedly participate in fake app registrations to meet steep targets, it is not only reprehensible but has much bigger implications for customers of banks and financial services. This episode raises three issues in the Indian context.
Safety of customers: If a fake contact number can be inserted from the back-end to generate bogus registrations for a genuine bank customer, it is obvious that the customer’s safety is compromised. According to Al Jazeera, internal emails from BoB acknowledged that the safety of tens of thousands of bank accounts was at risk since they were linked with mobile numbers of strangers. One internal email shows that in the Bhopal zone, close to 1,300 mobile numbers were tied to anywhere from 30 to 100 bank accounts, putting nearly 62,000 bank accounts at risk. That is, on average, 47 bank accounts linked to a single mobile number. This is a serious breach of fiduciary responsibility, which assumes significance in the light of widespread digital frauds happening on bank customers.
Integrity of bankers and breach of trust: The genesis of this problem is steep compulsory targets, which automatically lead to bad behaviour. The same target-oriented approach and high incentives for selling life insurance as a protection-cum-savings product have led to massive mis-selling and fraud. Apart from dubious incentives, we have also come across cases of bank fraud where the role of insiders is highly suspect. Ajay Sood, a non-resident Indian (NRI) settled in the US, found Rs 1.33 crore withdrawn from his account in Bank of India, that too when the original cheques ostensibly used for withdrawal remained with him. His registered mobile number was changed and an Aadhaar number which does not belong to him was added to the account. This simply could not have happened without the involvement of bank insiders. There was a fraudulent communication with the bank in “my” name via a non-registered email before a bank official approved the transfer of funds, he told us. He had kept this large sum in the bank for his mother, who lived in India.
Now consider how BoB has made tens of thousands of people extremely vulnerable. A BoB official told Al Jazeera that many staffers had inserted their own mobile numbers with customer accounts. He also said the bank staff often entered their own mobile numbers to bank accounts if customers had not registered their numbers, in order to fulfil mandates. What are the implications? Digital transactions are driven by one-time passwords (OTP) that would go to that fake mobile number. Indeed, an internal email admits the risk of fraud: “It is a fraud-prone area, and if any fraud happens, the officials from the branch, as well as regions, will be held responsible.”
Redress for customers: In the financial services business (also health care services), the service provider is the king and the consumer is at his/her mercy. In the case of bank fraud, the default response of banks is to blame the customer and deny wrongdoing. In Dr Sood’s case, he ran from pillar to post, calling and speaking to several officials at Bank of India and even the Reserve Bank of India (RBI). His calls and email complaints to the bank chairman and managing director, nodal officer, and assistant general manager at Chandigarh did not elicit any response. The RBI’s Consumer Education and Protection Department never bothered to answer his calls and emails. Dr Sood finally got his money back after our intervention. But the fight for justice is a tortuous process of escalation to the internal and external banking ombudsman (BO), which requires enormous effort, time, and patience and is largely ineffective.
The bank is apparently working on a clean-up, but that is not enough. The regulator is also investigating the case, but what will come of it? The culpability of banks (especially in mis-selling) is hard to pin down. When proven, monetary penalty is never high enough and never personal, and penalty alone can act as deterrence. Fraud and malpractices will escalate and many customers may find their accounts cleaned out.
The RBI is fully aware of mis-selling by banks and digital fraud by staff but is moving with glacial speed. We as customers have to be conscious and careful to sidestep numerous types of frauds made possible under a mindless shift to a digital ecosystem without customer-redress procedures.
The writer is editor of www.moneylife.in and a trustee of the Moneylife Foundation; Twitter: @Moneylifers