If a Bank of Baroda branch activates 30 connections on the BoB World app in a day, they get to host a celebration with the branch staff and customers, with a daily budget of ₹ 500 for a cake. If a region completes 1,500 daily activations, the reward goes up to ₹ 1,000.
What started as an innocuous celebration of daily activation targets soon turned into a heaping mess of operational issues, fraudulent manipulation of technical loopholes to win further incentives and a war of words between the senior management at the bank.
On Saturday, BoB’s Managing Director and Chief Executive Officer Debadatta Chand surprised reporters on a conference call by openly calling out the lender’s former Chief Digital Officer Akhil Handa.
When reporters quizzed Chand on Handa’s sudden exit on Nov. 1 even as the bank was dealing with the aftermath of regulatory censure, he said that the exit was a termination of services. Chand also said this was part of a series of administrative actions taken by the bank in the BoB World app case as it found irregularities.
This was the exact opposite of Handa’s claim that he resigned on his own as part of a long-planned exit.
Once the story came out, Handa quickly reached out to BQ Prime to confirm that he had indeed resigned, sharing a screenshot of his one-line resignation letter as proof. BQ Prime is not revealing the screenshot as the reason for his resignation is not clarified in the letter. Handa also shared the same message with reporters from other news organisations the same evening.
“My exit was a personal decision that I conveyed to the top management in August and since then I had been serving my notice period. The narrative of termination seems a deflection of operational lapses at the branch level issues (sic),” Handa said in a separate statement on Saturday.
So, who is in the right here?
A leaky app with poor security, employees and third-party workers gaming the system to earn incentives, both played crucial parts in this case, according to four people with direct knowledge of the matter who spoke on the condition of anonymity.
It’s not possible to do something like this unless there is a loophole in the app, according to a senior cybersecurity expert who works with banks regularly and who didn’t want to identified out of business concerns.
The App At Fault
On July 11, Al Jazeera reported an expose alleging that BoB employees were inflating registration numbers on the BoB World app by fraudulently linking phone numbers to some bank accounts. The following day, the lender denied that its officials were engaged in any such activities.
“The bank has a current mobile banking activated user base of 30 million customers, all of whom are linked to a unique mobile number seeded with their bank account,” the bank had said.
According to data shared by the bank in its investor presentation for the quarter ended March 2023, the BoB World app was downloaded 53 million times and there were 30 million active users. There were over 4 million daily active users performing over 8 million transactions every day.
But within two weeks, on July 26, the lender issued an internal circular highlighting fraudulent financial transactions taking place on the app as users were sharing their credentials with others. The dynamic one-time passwords shared on email were being leaked, leading to fraudulent transactions.
The circular, issued by the digital group at the bank’s headquarters in Bandra Kurla Complex, stated that the bank was removing email-based OTPs and focusing on SMS only. The circular shows that the lender was internally aware of fraudulent financial transactions. BQ Prime has reviewed a copy of the circular.
According to two BoB officials, who who spoke on condition of anonymity, employees and business correspondents colluded to exploit loopholes in the mobile app’s build. The primary flaw was that the app could let someone register the same mobile number with various bank accounts, according to both these officials.
While business correspondents could use their SIM to connect up to eight accounts in the normal course of business, there were 100-200 activations happening on one phone number, these people said. Ideally, a mobile app should throw up red flags when abnormally high activations happen, the cybersecurity expert quoted above said.
Dhiraj Gupta, co-founder and chief technology officer of mFilterItIt, said that it is important to practice default security guidelines. This means if a user who is already registered from one device shifts to another, then the first device should ideally get de-registered.
“The moment you register from another device, the app would increase the security, ask you more questions to ensure that you are a genuine user, and remove the older devices,” he said. “So, from a safety point of view, the tech team must have missed it.”
Incentives Drove The Fiasco
According to the second person quoted above, certain regional offices announced specific targets for employees and business correspondents for BoB World app activations. On achieving targets at a branch level and regional level, cakes would be cut for daily celebrations. The cost of these cakes would be added to the sundry accounts of the respective branch or regional offices.
But soon, the cake cutting was not enough.
On Feb. 28, the digital group at the bank announced an “ambitious” target of 3 crore BoB World app activations. For this, it approved the “invite and earn instant” feature for customers and business correspondents from March 1 to March 31, 2023. BQ Prime reviewed a copy of this circular as well.
While the staff was not eligible, business correspondents and customers who participated in the scheme could earn up to ₹ 10 per activation.
The rules of the game suggest that business correspondents can’t open an account or onboard a customer on their own, the fourth person quoted above, who runs a business correspondent agency, said.
Business correspondents are only authorised to do documentation, e-KYC and other formalities. They can’t independently register mobile numbers on the app. For that, authorisation needs to come from the branch employee dealing with them, the person said.
The Aftermath
While the RBI’s order to block further onboarding of customers on the BoB World app is still at play, the bank has also been taking internal action.
Handa’s exit, according to the bank’s management, is part of this. Additionally, BQ Prime previously reported that at least nine employees were suspended and others were being investigated.
According to a circular issued on Aug. 25-shared with zonal heads of Ahmedabad, Bareilly, Baroda, Bengaluru, Bhopal, Jaipur, Kolkata, Lucknow, Patna and Rajkot-the bank had identified 362 bank accounts across 68 branches where irregularities were reported. An amount exceeding ₹ 22 lakh was reported to have been debited from these accounts.
Chand, in his address to reporters, had noted that there would be no material impact on the bank’s financials owing to the BoB World app fiasco. That may as well be true. However, the reputational hit would be difficult to quantify.