Bank of Baroda has found instances of fraud, in which associates of the bank withdrew money from customer bank accounts by linking their own mobile numbers to customer accounts, Al Jazeera reported in association with The Reporters’ Collective.
The audit was ordered three months ago by the Reserve Bank of India after the two media organizations reported that bank employees were taking advantage of lax safeguards in the bank’s IT infrastructure to connect customer accounts to their own phone numbers. The report had warned that the practice, which was widespread in the bank, would allow employees and bank associates to withdraw money from customer accounts by using mobile banking.
In an update, Al Jazeera said the bank has completed the internal audit, and that the exercise has found hundreds of instances of bank agents stealing from the customers through wrongly linked phone numbers. A whopping 4.2 lakh accounts, belonging to 7,000 branches, were suspected to have been wrongfully registered on the bank’s mobile banking application, the report said.
“India’s Bank of Baroda made it simple and easy for its agents to steal money from the accounts of its customers. And some of them did steal 2.2 million rupees ($27,000) from 362 customers, internal audit reports and records of the bank have revealed,” the report said.
Six customers have lost upwards of 110,000 rupees each, whereas one lost almost 177,000 rupees. One agent has stolen more than 390,000 rupees. The nationwide audit reports of the Bank also show that around 422,000 accounts registered in the mobile app were registered by the bank staff using wrong information.
The latest report by Al Jazeera comes two days after the Reserve Bank of India ordered the Bank of Baroda to stop onboarding new customers onto its mobile banking application, bob World.
“This action is based on certain material supervisory concerns observed in the manner of onboarding of their customers onto this mobile application,” the RBI said in a notice put up on Tuesday.
“Any further onboarding of customers of the bank on the ‘bob World’ application will be subject to rectification of the deficiencies observed and strengthening of the related processes by the bank to the satisfaction of RBI,” it added.
The latest Al Jazeera report also raised questions about the way in which the internal audit was carried out.
“Many bank employees told The Reporters’ Collective (TRC) that this audit was not so much about detecting wrongdoing as about covering it up. They said that under instructions from their regional office, they arranged and forged documents for the audit,” the report claimed.
RBI first intervened in the matter after The Reporters’ Collective and Al Jazeera reported widespread irregularities in the way customers were being registered by bank staff on the bob World application.
In an article in July this year, they exposed how bank staff were blatantly flouting norms by linking mobile numbers belonging to themselves and their family members to customers’ bank accounts and using these numbers to activate bob World applications on the customers’ behalf.
While the practice originated as a response to unrealistic targets imposed on bank employees to find new customers for the app, it also opened up a security loophole, as the apps could be used to withdraw customer funds.
The July report explained the modus operandi: “...fetch the list of bank accounts not linked to mobile numbers, link these accounts to any mobile numbers they could gather – of bank staffers, sanitation and security workers and their relatives – to generate the one-time password (OTP) needed to join the app and sign up these accounts from the back end. The employees would then deregister these customers from the app and reuse the same mobile number in the same manner with other bank accounts.”