India’s Bank of Baroda tampered with accounts to flog app

The second-largest government-owned bank linked mobile numbers of strangers to boost app registrations, compromising security.

At the Bank of Baroda, the safety of tens of thousands of bank accounts was at risk since they were linked with strangers’ mobile numbers [File: Anushree Fadnavis/Reuters]

Dehradun, India – A Bank of Baroda officer from Bhopal zone recalls the day he and his colleagues got the order from their regional office to report to work at 7am on March 24 last year.

They were given a task: sign up customers for the bank’s new app, “bob World”, which had been launched six months earlier. The officer’s branch was given a target of onboarding at least 150 existing bank customers.

As the day progressed, the officer and his colleagues struggled to get people to sign up while their regional office kept tabs on them and reprimanded them for poor performance.

The officer, who requested that his identity not be revealed for fear of reprisal from the bank and who will be referred to as Whistleblower 1, got desperate.

He and his colleagues learned of a workaround from peers in other branches: fetch the list of bank accounts not linked to mobile numbers, link these accounts to any mobile numbers they could gather – of bank staffers, sanitation and security workers and their relatives – to generate the one-time password (OTP) needed to join the app, and sign up these accounts from the back end. The employees would then deregister these customers from the app and reuse the same mobile number in the same manner with other bank accounts.

When the nodal officer from the regional office – one officer was deputed at each branch to ensure the success of the task – was told about the tactic, he offered his as well as his wife’s mobile numbers to link with customers’ bank accounts.

Even though such meddling with customers’ accounts is illegal and unethical, the team implemented this strategy and kept at it till late at night.

Bank of Baroda employees from other states – Uttar Pradesh, Rajasthan, Gujarat and Jharkhand – also confirmed this widely prevalent modus operandi to Al Jazeera. A retired executive from Gujarat has sent five emails to the bank’s top management highlighting these irregularities. He shared these emails with Al Jazeera on the condition of anonymity.

The email he sent in February last year, after his retirement, reads: “Activation of bob World is given so much pressure that almost a fraud-like situation is arising and in the accounts of customers, mobile number of branch head is updated for activation … A very big fraud is in the offing.”

The bank’s customer care department replied to this email, insisting that one mobile number can be linked with only one bob World account.

In one of his subsequent emails – sent between March and June of last year to the managing director and chief executive officer as well as executive directors – the retired executive wrote that he had visited a few branches in his city and suggested he had learned that the staff at these branches were not only adding their own mobile numbers to customers’ accounts but also buying new SIM cards to inflate the number of registrations of bob World. One of his emails says that internal inspection reports of some branches have even made a note of these shenanigans.

Ashish Mishra, general secretary of We Bankers Association, a trade union of bank employees, told The Reporters’ Collective their union had received many complaints about the March 24 “Maha Login Day” – including of employees who were reprimanded for speaking up about methods that were being pushed to boost app registration. We Bankers had shared screenshots of a few of these complaints on Twitter.

Even though many customers were deregistered right after they were signed up – meaning using these practices to sign them up did not automatically lead to an increase in the number of active users of the app – it did boost the number of downloads and the number of sign-ups. These metrics are also cited to gauge an app’s success.

Tell-all emails

Internal emails of Bank of Baroda, India’s second-largest government-owned bank, acknowledge that the safety of tens of thousands of bank accounts was at risk since they were linked with strangers’ mobile numbers. Whistleblower 1 provided Al Jazeera screenshots of the emails sent by the operations department of his regional office in the Bhopal zone to the branches under it.

The emails, which were first sent in January 2022, show that branches were asked to conduct a discreet inquiry about mobile numbers linked to multiple accounts and, in light of those inquiries, to recommend whether the mobile numbers should be withdrawn. The cleanup was to take place in stages. First, the phone numbers that were illegally linked to a maximum number of accounts – 100 or more – had to be de-linked. This was followed by mobile numbers linked with 50-plus accounts and later those with 30 or more accounts.

In emails sent in April (left) and May (right) last year, a regional office in Bank of Baroda’s Bhopal zone asked branches to examine the authenticity of mobile numbers that stood linked with more than 30 and more than 50 accounts [Screen grabs]

The emails show that in the Bhopal zone, close to 1,300 mobile numbers were tied to anywhere from 30 to 100 bank accounts, putting nearly 62,000 bank accounts at risk. That’s on average 47 bank accounts linked to a single mobile number. The bank’s policy states that one mobile number cannot be linked with more than eight accounts, and only if all these accounts are of the same family.

The actual number of bank accounts mapped with strangers’ mobile numbers would be much higher if the details were available for phone numbers linked with 100 or more accounts, too.

As much was indicated in an email shared by Whistleblower 1 from his regional office to all the branch offices under it: “In the last letter, mobile numbers seeded in more than 100 Customer IDs were communicated with advice to do [a] discreet inquiry on mobile numbers and send clear recommendation whether it should be continued or [if the] mobile number should be withdrawn from such accounts immediately.”

Another email from the same office admits the risk of fraud: “It is a fraud-prone area, and if any fraud happens, the officials from the branch, as well as regions, will be held responsible.”

Al Jazeera acquired screenshots of the spreadsheet attached to this email containing the details of mobile numbers linked with 30-50 bank accounts.

Whistleblower 2, whose name has also been withheld to protect him from retaliation from the bank, works in a regional office of the Bank of Baroda in another state. He executed such a cleanup drive last year and told Al Jazeera that most of the duplicate numbers turned out to belong to bank staff. Al Jazeera has a copy of the letter wherein Whistleblower 2’s office recommended to its zonal office that these numbers be unlinked.

Even as higher offices were removing bogus mobile numbers, branches were allegedly adding bogus numbers in bulk to meet their bob World targets.

Whistleblower 1 said the bob World fraud is the major reason why an inordinate number of bank accounts get linked with the staff’s mobile numbers.

Whistleblower 2 gave one more reason: When a person who does not own a mobile phone opens a bank account, the bank employee enters their own or the branch’s official mobile number as the customer’s number as some of the officers insisted on having one on the record.

Whistleblower 2 said this practice is an open secret and came in handy during the bob World enrolment campaign last year. He was one of the people deputed to a branch as a nodal officer for the campaign, and his zonal office asked nodal officers to sign up all such accounts on the app using the mobile phone numbers of the staff.

It is not clear what triggered the cleanup exercise.

Accounts compromised

Linking unauthorised mobile numbers exposes customers to the risk of fraud as the person with the registered mobile number gains access to the account and can change online banking passwords, get hold of new ATM cards, wipe clean bank accounts and much more. In short, they can become account holders in the digital world. A Bank of Baroda customer from Uttar Pradesh lost 1.5 million rupees ($18,150) in 2021 as his registered mobile number lapsed and got reassigned to someone else, who exploited the mobile banking access to the hilt.

Forensic accountant and Certified Fraud Examiner Nikhil Parulkar, co-founder of forensic advisory services firm Ocurisc Consulting, said there are only two possible explanations for why 1,300 mobile numbers were linked with 62,000 bank accounts: data-entry errors or internal fraud.

Parulkar, who has been in the banking and consulting sector for two decades, added: “There cannot be a scenario where you have one mobile number linked with 30-odd accounts or so many accounts. Rarely can it be justified as an oversight.”

He said that if the allegation of app registrations from the back end is true, this is a case of gross misconduct on the part of the bank. He pointed out that adding bogus mobile numbers to bank accounts has security implications, including information security compromise, privacy concerns and fraud.

“It will compromise the account holder’s money at some point of time. Money can vanish,” he said.

Al Jazeera found tweets from Bank of Baroda customers alleging that money sent to them via their mobile number-linked bank account ended up in someone else’s bank account since their phone number was apparently registered with multiple accounts. While one wrote he lost 25,000 rupees ($302) in this manner, another wrote she has lost 2,500 rupees ($30), 1,500 rupees ($18) and more over a year.

Aggressive enrolment goals

As the Indian government intensely promotes digital banking and pushes for the transition towards a less-cash economy, the scandal casts a shadow on the safety of customers’ money and spotlights the ham-handed way in which banks handle sensitive financial information. Parulkar concurred that the push to increase numbers – in this case, app registrations – by any means possible would imply the lack of internal controls, regular monitoring and reporting mechanisms to detect and prevent unfair business practices.

Whistleblower 1’s branch itself has undergone the mandatory, periodic auditing of a range of bank activities, such as record-keeping, adherence to rules and regulations, and safe banking practices. But the internal auditors apparently failed to flag the unethical process despite it being their responsibility to crosscheck customers’ consent forms.

Instances of banks using unlawful methods to pad numbers have been on the rise, breaking fiduciary trust. Previously, an investigation by The Reporters’ Collective revealed how banks across India had been charging customers for the federal government’s multiple insurance and pension schemes they didn’t need or hadn’t requested. They enrolled customers in the insurance and pension schemes directly from the back end or by obtaining consent signatures through mis-selling, schemes for which these account holders are still paying.

When it comes to bob World registrations, Bhopal and Baroda zones (where large-scale malpractices have been alleged by Whistleblower 1 and the retired executive, respectively) were cited as the benchmark by other zonal offices to their regional managers.

‘Bhopal and Baroda have set high benchmarks of excellence with activation of more than 45,000+ and 38,000+ bob World in a single day,’ reads this letter, dated March 16, 2022, from a zonal head of Bank of Baroda to relevant regional heads [Screen grab]

The Bank of Baroda launched bob World in September 2021 as a part of its ambitious push to go digital. The bank claims the app now has five million users. In 2021, the Bank of Baroda was recognised as the Best Technology Bank at the Indian Banks’ Association Banking Technology Awards. Also, in the last two editions of Business Today-KPMG Best Banks Awards, it was named the Best Bank in Fintech Initiative.

But aggressive enrolment goals spurred bad behaviour. Internal chatter about what allegedly transpired during the March 24 sign-up campaign spilled out on social media the next day, and bank employees openly called out the bank’s management. The outrage died in Twitter’s echo chamber of a few bank employees and was not reported in the media. Whistleblower 1 said his regional office stopped harassing branches for bob World enrolment thereafter, but he heard from a colleague in the bank’s branch in rural Uttar Pradesh later last year that they still faced pressure for bob World sign-ups and were resorting to deceptive solutions.

Imposing app on the poor

Several Bank of Baroda employees from different branches told Al Jazeera about another workaround they found to boost app registrations: targeting the working-class customers who were still using feature phones and wouldn’t be able to download the bank app. Bank employees took the SIM card of such users and inserted it in the branch’s official tablet or an employee’s smartphone, with their permission, to sign them up. The officers said they would call such customers to the branch and sign them up individually like this.

Whistleblower 2, who oversaw the enrolment campaign at a branch last year, said ideas for such shortcuts came from the zonal office and the head office. He said the higher offices would learn about such tactics from the branches that were turning in good numbers, and advise nodal officers to emulate these. He said regional offices would even send branches lists of customers of the same family and with the same registered mobile number, so that by convincing one such customer, a mobile number could be registered and deregistered on the app multiple times.

Requesting anonymity due to fears of reprisal, an employee of a rural branch in Bhopal zone told Al Jazeera that he got such a list from his regional office for last year’s March 24 enrolment campaign. Al Jazeera has a copy of the email and the list. The employee would call up the villagers, request that they come to the branch and then register all the account holders in their family on bob World. Upon his insistence, a few villagers came in as late as 9pm, though begrudgingly.

An internal email from the bank’s Bhopal zone notes that branches were kept open till 10pm to facilitate bob World registrations [Screen grab]

An officer from Rajasthan, requesting anonymity, described another gimmick to Al Jazeera. He said his branch launched a campaign to open zero-balance accounts to attract unskilled labourers and daily wagers, signing up all of them on bob World without consent. He said the staff did inform the labourers that the app is linked to their money and readily uninstalled it for those who were wary.

The officer noted the irony of enabling digital banking for those who barely make ends meet.

“At the end of the day, to meet the number [target] and save your bread and butter, you have to do such things.”

Failing to get the job done in such campaigns puts employees at the risk of disciplinary action and abusive tirades from seniors.

The bank has issued show-cause notices to its employees for a low number of registrations in bob World, and hence many vie to turn in high numbers by hook or by crook [Screen grab]

‘Controls in place’

Since Bank of Baroda’s internal emails ask branches to recommend bank accounts from which bogus mobile numbers must be unlinked, Al Jazeera, under India’s Right to Information law, asked the bank how many branches sent recommendations for the same and how many accounts were recommended in 2022.

Al Jazeera also sought a copy of every email, letter, and circular sent to branches and/or zonal offices regarding the deletion of duplicate mobile numbers. The bank replied that it does not maintain such data even though a whistleblower’s regional office’s emails to branches state that “the process of removal/correction of mobile number is to be carried out centrally from the back”.

Additionally, Al Jazeera asked the Bank of Baroda for a month-wise list of the number of users joining bob World and quitting the app. The bank declined, saying that it is a trade secret and is exempted from disclosure.

In response to Al Jazeera’s questions, a spokesperson for the bank said in an email: “The bank has a robust system with the necessary controls in place. The bob World mobile banking app cannot be linked to the same mobile number more than once. Further, to register or update a mobile number in a bank account, customers need to visit the bank branch in person and follow a two-factor authentication process, post which the mobile number is activated after 24 hours.

“With regard to your question on the linking of bank accounts to one mobile number, the bank has restricted the seeding of one mobile number to eight customer IDs, provided that the registered [postal] address is the same. This facility offers convenience to customers belonging to the same family.”

The bank did not deny the authenticity of the emails Whistleblower 1 has shared, and did not answer how so many accounts got linked with the same mobile numbers despite a restriction on how many accounts a phone number can be linked to.

Whistleblower 1 expressed deep disappointment at being drawn into this. “I was so crestfallen for this,” he said. “I’m sitting till 10pm in the office, and a person is coming from the regional office to make us do this … Is this a bank or something else?”

Hemant Gairola is an associate member of The Reporters’ Collective.

Source: Al Jazeera