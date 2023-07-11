Bank of Baroda, India’s second largest state-owned lender after SBI, Tuesday denied that its officials used phone numbers of strangers to inflate registrations for its mobile banking app BoB World.

Earlier in a report, Al Jazeera said Bank of Baroda official linked bank accounts to unrelated mobile numbers in order to achieve stiff onboarding targets.

A spokesperson for the bank told Mint in an emailed response that it has a current mobile banking activated user base of 30 million customers, all of whom are linked to a unique mobile number seeded with their bank account.

The Al Jazeera, in its report has alleged that in March 2022 the Bank of Baroda officer from Bhopal zone were given a target of onboarding at least 150 existing bank customers for the bank’s new app, “bob World", which was launched six months before. The officials were struggling to get people to sign up while their regional office kept tabs on them and reprimanded them for poor performance.

The report said an official, on request of anonymity, told that he and his colleagues fetch the list of bank accounts not linked to mobile numbers, link these accounts to any mobile numbers they could gather – of bank staffers, sanitation and security workers and their relatives – to generate the one-time password (OTP) needed to join the app, and sign up these accounts from the back end. The employees would then deregister these customers from the app and reuse the same mobile number in the same manner with other bank accounts.

Al Jazeera claimed that the Bank of Baroda employees from Uttar Pradesh, Rajasthan, Gujarat and Jharkhand also adopted this widely prevalent modus operandi to achieve the target. A retired executive from Gujarat sent five emails to the bank’s top management highlighting these irregularities. He shared these emails with Al Jazeera on the condition of anonymity.

The email he sent in February last year, after his retirement, reads: “Activation of bob World is given so much pressure that almost a fraud-like situation is arising and in the accounts of customers, mobile number of branch head is updated for activation … A very big fraud is in the offing."

Emails

Internal emails of Bank of Baroda acknowledge that the safety of tens of thousands of bank accounts was at risk since they were linked with strangers’ mobile numbers.

The emails, which were first sent in January 2022, show that branches were asked to conduct a discreet inquiry about mobile numbers linked to multiple accounts and, in light of those inquiries, to recommend whether the mobile numbers should be withdrawn.

The cleanup was to take place in stages. First, the phone numbers that were illegally linked to a maximum number of accounts – 100 or more – had to be de-linked. This was followed by mobile numbers linked with 50-plus accounts and later those with 30 or more accounts.

Accounts compromised

Linking unauthorised mobile numbers exposes customers to the risk of fraud as the person with the registered mobile number gains access to the account and can change online banking passwords, get hold of new ATM cards, wipe clean bank accounts and much more.

A Bank of Baroda customer from Uttar Pradesh lost ₹1.5 million ($18,150) in 2021 as his registered mobile number lapsed and got reassigned to someone else, who exploited the mobile banking access to the hilt.

Al Jazeera found tweets from Bank of Baroda customers alleging that money sent to them via their mobile number-linked bank account ended up in someone else’s bank account since their phone number was apparently registered with multiple accounts. While one wrote he lost ₹25,000 ($302) in this manner, another wrote she has lost ₹2,500 ($30), ₹1,500 ($18) and more over a year.

Aggressive enrolment goals

As the Indian government intensely promotes digital banking and pushes for the transition towards a less-cash economy, the scandal casts a shadow on the safety of customers’ money and spotlights the ham-handed way in which banks handle sensitive financial information. But this aggressive enrolment goals spurred bad behaviour.

Imposing app on the poor

Several Bank of Baroda employees from different branches told Al Jazeera about another workaround they found to boost app registrations: targeting the working-class customers who were still using feature phones and wouldn’t be able to download the bank app. Bank employees took the SIM card of such users and inserted it in the branch’s official tablet or an employee’s smartphone, with their permission, to sign them up. The officers said they would call such customers to the branch and sign them up individually like this.

“At the end of the day, to meet the number [target] and save your bread and butter, you have to do such things."

Failing to get the job done in such campaigns puts employees at the risk of disciplinary action and abusive tirades from seniors.

‘Controls in place’

Since Bank of Baroda’s internal emails ask branches to recommend bank accounts from which bogus mobile numbers must be unlinked, Al Jazeera, under India’s Right to Information law, asked the bank how many branches sent recommendations for the same and how many accounts were recommended in 2022.

Al Jazeera also sought a copy of every email, letter, and circular sent to branches and/or zonal offices regarding the deletion of duplicate mobile numbers. The bank replied that it does not maintain such data even though a whistleblower’s regional office’s emails to branches state that “the process of removal/correction of mobile number is to be carried out centrally from the back".

Al Jazeera asked the bank for a month-wise list of the number of users joining bob World and quitting the app. The bank declined, saying that it is a trade secret and is exempted from disclosure.

In response to Al Jazeera’s questions, a spokesperson for the bank said in an email: “The bank has a robust system with the necessary controls in place. The bob World mobile banking app cannot be linked to the same mobile number more than once. Further, to register or update a mobile number in a bank account, customers need to visit the bank branch in person and follow a two-factor authentication process, post which the mobile number is activated after 24 hours.

“With regard to your question on the linking of bank accounts to one mobile number, the bank has restricted the seeding of one mobile number to eight customer IDs, provided that the registered [postal] address is the same. This facility offers convenience to customers belonging to the same family."