Recently, Kotak Mahindra Bank hired a new CEO, Ashok Vaswani, who was the first to acquaint Europe with digital banking with the introduction of ‘Pingit’ a decade ago, the first mobile payments service in the continent. His appointment reflects the digital ambitions of Kotak Mahindra Bank which are, of course, shared by its peers, the private as well as public sector banks. Indian banks have pulled out all stops in their digitisation race. In July, state-owned Punjab National Bank announced the launch of a virtual branch, PNB Metaverse. It will offer an immersive 3D experience to customers who will perform traditional banking activities through their digital avatars.
Amid the rush to digitise banking, the news that employees of Bank of Baroda (BoB), India’s leading bank, tampered with bank accounts to inflate the number of digital users flags serious gaps in banking digitisation and lack of oversight as well as foolproof standard operating procedures. A blind race for racking up big digital numbers will only undermine India’s exceptionally successful digital payments journey.
What exactly went wrong at BoB
BoB, with an ambitious plan to digitise its banking, announced the launch of a digital banking app ‘bob World’ in September 2021, aimed at providing all banking services through the app under four key pillars — Save, Invest, Borrow and Shop. BoB planned to position ‘bob World’ as the main banking platform, added to which all the other banking channels will function. It was following another state-owned bank, SBI, which was integrating all its services on its YONO digital platform.
‘bob World’ was an ambitious and a much-required move. But then something went utterly wrong with the drive to add customers to ‘bob World’. In a race to meet unrealistically high targets to move existing BoB customers to ‘bob World’, the bank staff started fudging the onboarding process. A report by a news channel, based on accounts of whistle-blowers, highlighted in July this year how the bank staff found an easy workaround for a tedious process to persuade the clients, most of them in rural and semi-rural areas and not digitally savvy, to join ‘bob World’. They would list accounts not linked to mobile numbers, link these accounts to any mobile numbers they could gather — of bank staffers, sanitation and security workers and their relatives — to generate the one-time password needed to join the app, and sign up these accounts from the back end, the report had claimed. The employees would then deregister these customers from the app and reuse the same mobile numbers in the same manner with other bank accounts.
Even though customers were deregistered after they signed up on the app, it led to an artificial increase in the number of downloads and sign-ups, thus inflating artificially the digital success of ‘bob World’.
While the bank staff linking strangers’ mobile numbers to accounts amounted to tampering, it had far more serious implications. The owner of the linked mobile number could get access to the account and change password and withdraw all the money from the account.
At that time, BoB refuted allegations of misusing customer data to promote its mobile banking app and emphasized that a fully system-authenticated and customer consent-based process had always been followed for mobile banking app registrations. About two weeks ago, the news channel claimed that internal documents of the bank’s head office acknowledged this malpractice and showed that the bank’s agents, called business correspondents, have withdrawn tens of thousands of rupees from customers’ accounts by using mobile banking. The bank’s head office asked the managers concerned to “initiate necessary action for recovery and restoration of money in customer accounts”, the report claimed.
Around the same time, the Reserve Bank of India (RBI) had banned BoB from onboarding any new customers onto ‘bob World’ app with immediate effect. The action was based on certain material supervisory concerns observed in the manner of taking on customers by the bank so far, the RBI said. In a press release, it said that any further onboarding of customers on the ‘bob World’ application will be subject to rectification of the deficiencies and strengthening of the related processes by the bank to the satisfaction of the regulator. However, existing customers on ‘bob World’ would continue to enjoy uninterrupted services. In a stock market notice, the bank said it will work closely with the RBI to address their concerns at the earliest.
A week later, BoB reportedly suspended more than 50 employees across states, including several at the level of assistant general manager, as part of its action against irregularities in onboarding customers onto ‘bob World’.
The rot within digital banking?
To be sure, BoB is among the banks leading the digitisation race. The bank had 53 million app downloads and 30 million activated users as of March 2023. Nearly 98 per cent /91 per cent of SA/CA acquisitions are currently done through digital channels, according to a report by Motilal Oswal Financial Services. Moreover, 58 per cent of FDs and 42 per cent of RDs are also booked via digital channels by BoB, the report said.
On the lending front, 61 per cent of credit cards and 89 per cent of personal loans are sourced digitally. Even in other retail products, 67-68 per cent of home and auto loans are sourced digitally and the bank has been guiding to increase the mix of the RAM (risk assessment model) segments in total loans, the report said.
In June this year, BoB announced the launch of Interoperable Cardless Cash Withdrawal (ICCW) facility wherein a customer can withdraw cash using UPI from the bank’s ATMs without using the debit card. It became the first public sector bank to launch this innovative digital service.
The lapses in onboarding customers to ‘bob World’ in no way diminish BoB’s or the banking sector’s digitisation achievements. Yet, they have set alarm bells ringing and flagged the risks of a blind race to digitise banking. Banks are experiencing stiff competition and are engaged in a rat race, setting ambitious targets, Devidas Tuljapurkar, general secretary, Maharashtra State Bank Employees Federation, told TOI recently. To achieve these goals, they are, at times, mistreating field staff without providing adequate resources and infrastructure.
BoB’s is not the first case where digitisation lapses were found by the RBI. While BoB case amounts to tampering and possibly fraud by employees or business correspondents of the bank, in a different case, HDFC Bank’s digital processes were found to be wanting. The RBI had barred HDFC Bank from launching new digital banking initiatives and issuing new credit cards in 2020. The restrictions were imposed due to multiple glitches in the bank’s internet and mobile banking systems over the past two years. At the time of imposing the restrictions, RBI said it would relax on norms only when the bank managed to address the issue of glitches in its online banking systems. It lifted the ban in March 2022.
Scanning the apps
The BoB case highlights the need to scan the app operations of other banks. Many think it could be just the tip of the iceberg and there could be largescale fudging of digital subscriptions in other banks too, The mega drives to onboard customers to digital platforms, which have led to abuse of processes, also point at the regulatory failure. Now there is a demand for security audit in all banks that have mobile banking apps.
That the greed for higher and higher numbers can lead to fudging has now emerged as a real danger and many banks must be scanning their numbers to spot malpractices — well before the RBI does. While the central bank has not yet sent any specific queries or sought new disclosures from other banks, bankers expect that the RBI will henceforth scrutinise digital data more closely and not take anything at face value.
“This has created a strong sense of urgency in every bank to plug loopholes and relook at their systems,” a senior executive at a public sector bank in charge of its digital channels has told ET. “We voluntarily conducted a review, and I am sure others have, too. In the BoB case, it looks like a few rogue employees have misused the systems to fulfil their targets. Though the violations have not really had a loss-making impact, its implications could be widespread.”.
It’s not just frauds, as in the case of ‘bob World’ app, but also security loopholes that can make digital banking vulnerable. In a letter to the RBI, Bank Bachao Desh Bachao Manch has flagged the need for closer scrutiny of banking apps. The civil society platform has asked the RBI to implement an information security (IS) audit mechanism for mobile banking apps.
The RBI’s stern action banning BoB from onboarding any new customers onto ‘bob World’ app has struck a loud warning note in the banking sector. Such RBI bans can seriously jeopardise a bank’s business. Earlier, the RBI had banned HDFC Bank from issuing credit cards in 2020, lifting the ban only in 2022. While there may not be any near-term asset quality implications of the RBI ban for BoB, given the rising mix of digital sourcing and the higher cross-sell rate that BoB has been focusing on via ‘bob World’, the ban can affect the growth trajectory in the retail product segments over the near term, as per the report by Motilal Oswal Financial Services.
It is expected that the BoB case might slow down the banking digitisation race in near term and lead to stricter processes and harder user verification. It can also dent user confidence in banking apps to some extent, but only to make the users more cautious while transacting digitally. The most expected result of the BoB case, however, would be a stricter scrutiny regime by the RBI for baking apps.