Bank of Maharashtra accounts lost Rs25 crore due to UPI bug, says NPCI

Corrective steps have been initiated and the process of recovering money from the 19 banks it has been transferred to is on, says NPCI MD and CEO A.P. Hota


The police is investigating the matter after Bank of Maharashtra registered a complaint last Friday. Photo: Bloomberg
The police is investigating the matter after Bank of Maharashtra registered a complaint last Friday. Photo: Bloomberg

Bank of Maharashtra lost Rs25 crore in one of the biggest Unified Payments Interface (UPI) frauds till date when a few people moved money illegally, taking advantage of a minor bug.

Corrective steps have been initiated and the process of recovering the money from the 19 banks where it has been transferred to is on, said A.P. Hota, managing director and chief executive officer of the National Payments Corporation, or NPCI.

The bug in the UPI system allowed people to send money without having the necessary funds in their accounts.

Even when the core banking solution of the bank declined a transaction, the UPI solution used to send the success message to NPCI. “Thus, we would end up clearing the transaction based on the green signal we received from the solution provider,” said Hota.

About 50-60 people in Aurangabad discovered this loophole, possibly through a trial-and-error method. The fraud was reported first on 22 February, said Hota.

He added that Bank of Maharashtra reported the fraud amount as around Rs25 crore, and that some amount has been recovered.

The police is investigating the matter after Bank of Maharashtra registered a police complaint last Friday.

There were three other banks, including Bank of India, which had bought a similar solution from the same vendor but they have not reported any mishap, Hota said, adding that thorough checks have been carried out.

On 20 March, NPCI issued a statement saying that “... there is no vulnerability or loophole reported in Bharat Interface for Money (BHIM) application or UPI system. NPCI has done intensive testing, robust design of security controls and continuous monitoring of its UPI infrastructure.”

In 2016, the Indian banking system suffered its largest data breach involving 3.2 million debit cards. The breach in the systems of service provider Hitachi Payment Systems was detected when some banks raised an alarm over customers’ card being fraudulently used in China and the US, while these customers were in India.

Hota said NPCI has learnt a lot from this episode.

“The learning from this is that we were not allowing any bank to join UPI unless they’ve a thorough reconciliation process and audited their package by the best of auditors.”

“As many as 44 banks are on UPI and getting the 45th bank will be a tougher job because we will be very circumspect,” he said.

PTI contributed to this story.

More From Livemint