India’s Bank of Baroda tampered with accounts to flog app

Dehradun, India – A Bank of Baroda officer from Bhopal zone recalls the day he and his colleagues got the order from their regional office to report to work at 7am on March 24 last year.

They were given a task: sign up customers for the bank’s new app, “bob World”, which was launched six months before. The officer’s branch was given a target of onboarding at least 150 existing bank customers.

As the day progressed, the officer and his colleagues struggled to get people to sign up while their regional office kept tabs on them and reprimanded them for poor performance.

The officer, who requested that his identity not be revealed for fear of reprisal from the bank and who will be referred to as Whistleblower 1, got desperate.

He and his colleagues learned of a workaround from peers in other branches: fetch the list of bank accounts not linked to mobile numbers, link these accounts to any mobile numbers they could gather – of bank staffers, sanitation and security workers and their relatives – to generate the one-time password (OTP) needed to join the app, and sign up these accounts from the back end. The employees would then deregister these customers from the app and reuse the same mobile number in the same manner with other bank accounts.

When the nodal officer from the regional office – one officer was deputed at each branch to ensure the success of the task – was told about the tactic, he offered his as well as his wife’s mobile numbers to link with customers’ bank accounts.

Even though such meddling with customers’ accounts is illegal and unethical, the team implemented this strategy and kept at it till late at night.

Bank of Baroda employees from other states – Uttar Pradesh, Rajasthan, Gujarat and Jharkhand – also confirmed this widely prevalent modus operandi to Al Jazeera. A retired executive from Gujarat has sent five emails to the bank’s top management highlighting these irregularities. He shared these emails with Al Jazeera on the condition of anonymity.

The email he sent in February last year, after his retirement, reads: “Activation of bob World is given so much pressure that almost a fraud-like situation is arising and in the accounts of customers, mobile number of branch head is updated for activation … A very big fraud is in the offing.”

The bank’s customer care department replied to this email, insisting that one mobile number can be linked with only one bob World account.

In one of his subsequent emails – sent between March and June of last year to the managing director and chief executive officer as well as executive directors – the retired executive wrote that he visited a few branches in his city and suggested that he learned that the staff at these branches were not only adding their own mobile numbers to customers’ accounts but also buying new SIM cards to inflate the number of registrations of bob World. One of his emails says that internal inspection reports of some branches have even made a note of these shenanigans.

Ashish Mishra, general secretary of We Bankers Association, a trade union of bank employees, told The Reporters’ Collective their union had received many complaints about the March 24 “Maha Login Day” – including of employees who were reprimanded for speaking up about methods that were being pushed to boost app registration. We Bankers had shared screenshots of a few of these complaints on Twitter.

Even though many customers were deregistered right after they were signed up – meaning using these practices to sign them up did not automatically lead to an increase in the number of active users of the app – it did boost the number of downloads and the number of sign-ups. These metrics are also cited to gauge an app’s success.

Tell-all emails

Internal emails of Bank of Baroda, India’s second-largest government-owned bank, acknowledge that the safety of tens of thousands of bank accounts was at risk since they were linked with strangers’ mobile numbers. Whistleblower 1 provided Al Jazeera screenshots of the emails sent by the operations department of his regional office in the Bhopal zone to the branches under it.

The emails, which were first sent in January 2022, show that branches were asked to conduct a discreet inquiry about mobile numbers linked to multiple accounts and, in light of those inquiries, to recommend whether the mobile numbers should be withdrawn. The cleanup was to take place in stages. First, the phone numbers that were illegally linked to a maximum number of accounts – 100 or more – had to be de-linked. This was followed by mobile numbers linked with 50-plus accounts and later those with 30 or more accounts.

The bank has issued show-cause notices to its employees for a low number of registrations in bob World, and hence many vie to turn in high numbers by hook or by crook [Screen grab]

‘Controls in place’

Since Bank of Baroda’s internal emails ask branches to recommend bank accounts from which bogus mobile numbers must be unlinked, Al Jazeera, under India’s Right to Information law, asked the bank how many branches sent recommendations for the same and how many accounts were recommended in 2022.

Al Jazeera also sought a copy of every email, letter, and circular sent to branches and/or zonal offices regarding the deletion of duplicate mobile numbers. The bank replied that it does not maintain such data even though a whistleblower’s regional office’s emails to branches state that “the process of removal/correction of mobile number is to be carried out centrally from the back”.

Additionally, Al Jazeera asked the Bank of Baroda for a month-wise list of the number of users joining bob World and quitting the app. The bank declined, saying that it is a trade secret and is exempted from disclosure.

In response to Al Jazeera’s questions, a spokesperson for the bank said in an email: “The bank has a robust system with the necessary controls in place. The bob World mobile banking app cannot be linked to the same mobile number more than once. Further, to register or update a mobile number in a bank account, customers need to visit the bank branch in person and follow a two-factor authentication process, post which the mobile number is activated after 24 hours.

“With regard to your question on the linking of bank accounts to one mobile number, the bank has restricted the seeding of one mobile number to eight customer IDs, provided that the registered [postal] address is the same. This facility offers convenience to customers belonging to the same family.”

The bank did not deny the authenticity of the emails Whistleblower 1 has shared, and did not answer how so many accounts got linked with the same mobile numbers despite a restriction on how many accounts a phone number can be linked to.

Whistleblower 1 expressed deep disappointment at being drawn into this. “I was so crestfallen for this,” he said. “I’m sitting till 10pm in the office, and a person is coming from the regional office to make us do this … Is this a bank or something else?”

Hemant Gairola is an associate member of The Reporters’ Collective.

Related posts

Leave a Comment