The ugly underbelly of BoB’s app usage fiasco

The man speaking is apparently a senior information technology (IT) official at Bank of Baroda (BoB). During this conversation with a colleague, in March this year, he explains how to exploit a loophole in the system to open new accounts and inflate onboarding on the bank’s mobile app, called ‘bob World’.

At the time, BoB branch officials could tap a link to open accounts using their personal mobile phones. To thwart any unwarranted use of the link, the bank has a ‘maker and checker’ function, where one person initiates the opening and another verifies it. The account opening had to therefore be authorized at the back-end before transactions could happen. However, in the interim, the bob World app could be downloaded by the registered mobile number, and though it could not be used, the registration would add to the app’s user numbers.

In the recording, the IT official tells his colleague to reach out to his friends and acquaintances and use their voter identity cards to open accounts. It did not matter if these accounts never see the light of day at the verification level since they had already served the account opening purpose and added to bob World activations, ramping up the count.

Under intense pressure from their seniors, some BoB employees used this and other questionable and unethical methods to ramp up registrations. Seniors at India’s second-largest state-owned lender pushed relentlessly to inflate user numbers without assessing if customers actually required the service on offer. More importantly, the seniors did not seem to be aware of what was transpiring on the ground because of their ‘pressure’, with customer consent norms being bypassed in order to comply with their app activation goals.

To be sure, the rise in BoB’s app registrations has been phenomenal. Between the end of 2021-22 and the end of 2022-23, bob World’s activated user base shot up 53%, data from the bank’s presentation to analysts showed. It is not clear how much of this growth has been driven by the questionable onboarding methods. In comparison, India’s largest lender, State Bank of India, saw a 26% growth in registered users on its app, Yono, albeit on a larger base.

Al Jazeera, on 11 July, was the first to report on the onboarding malpractices for bob World. The lender had then put on a brave face and said it had a “current mobile banking activated user base of 30 million customers, all of whom are linked to a unique mobile number seeded with their bank account”.

Not only were users registered on the app without their knowledge, some had money stolen from their accounts. Citing internal audit reports, Al Jazeera reported on 12 October that some BoB business correspondents stole 22 lakh from 362 customers. The Reserve Bank of India (RBI) finally took cognizance of news reports and cut off further onboarding. BoB is now scrambling to set its house in order.

Mint has tried to piece together the events that led to this mindless target-chasing and how different layers of the bank’s administration were aware of the workarounds for some time before it made news. We spoke to two bankers at the state-owned lender and another two at branches of rival banks aware of the goings-on at BoB. None of them wanted to be identified.

View Full Image

(Graphic: Mint)

The ‘pressure’

It all started sometime in 2021, when officials at BoB branches had to come in even on weekends as onboarding targets for bob World had not been met. They were told to go to the field and convince people to download the app and register on it. But some people, particularly in rural areas, neither had smartphones nor saw any reason to give up on branch visits.

“We were told to get 100-200 activations per day. The regional and zonal officers would call us and tell us to go to people’s homes and get bob World activated,” said a branch manager, adding there was immense pressure, regardless of the branch’s potential.

The bank wanted branches to prop up the numbers and it wanted it done quickly. The two bankers from BoB said banks usually have ‘login days’ across the board, a term used to denote days when employees focus on specific products.

“On login days for bob World, employees had to come in at 7am and work till 9-10pm. This especially happened during the yearly closing of accounts. Every hour, there used to be calls from seniors in the regional and zonal offices asking for activation data, putting even more pressure,” said one of the bankers.

The other BoB employee said regional managers started raising targets to unrealistic levels. BoB, like many of its peers, works on a four-tier structure, where branches form the bottom of the pyramid, followed by regional offices, zonal offices, and finally the head office and the corporate office. As per the employee, the regional office he reported to had sent all branches a list of accounts that did not have bob World activated.

BoB used a carrot-and-stick policy in its app push. It even incentivized bankers with rewards such as team lunches or other activities for overshooting targets. As per an internal email from March seen by Mint, a branch with up to four employees would get up to 5,000; those with five-nine employees would receive up to 10,000, and branches with 10 or more staff would get up to 15,000 as an incentive for meeting targets.

“We were called incompetent at meetings if targets for bob World were not met,” said the second BoB source. The first employee said they were threatened with transfers, although nobody from his branch was transferred for not meeting targets.

Insiders said that onboarding pressure continued through 2021, 2022 and the first half of this year. This despite the bank, as per the 11 July Al Jazeera report, conducting a “discreet inquiry” in 2022.

A workaround

The list that regional offices sent to branches was of bank accounts that did not have any registered mobile numbers attached to them, making it easier to add a phone number to these accounts and get them registered on bob World.

Succumbing to pressure, some bankers used their own, and other related mobile numbers, to activate the app without the knowledge of the account holder. They even linked several account numbers to a single mobile number. The problem intensified when business correspondents, some of whose numbers were seeded to unrelated bank accounts, decided to make withdrawals without the consent of the account holder. Business correspondents represent banks and facilitate banking services at locations other than a bank branch and ATM.

When the bank realized what was going on, it tried to cover up the wrongdoing.

“Senior officers started visiting branches, asking us to check how many accounts are seeded to a single mobile number so that it could be removed from the back-end,” one of the BoB employees said and added that while branches can link a number, it is nearly impossible to delete it and this needs authorization from higher-ups.

RBI steps in

On 10 October, RBI said it had come across “material supervisory concerns” in the manner in which customers were brought onto the bob World app and barred the bank from acquiring new customers on the app.

Instead of just imposing a monetary fine on banks and non-banks for wrongdoing, the regulator has been using this approach, which takes away potential revenue and income from digital channels. This was seen in the case of HDFC Bank in 2020, when RBI told the lender to halt credit card issuances and not launch any new digital initiatives. Those bans were reversed in 2021 and 2022, respectively.

According to BoB employees, after the Al Jazeera story broke, RBI asked BoB to submit a report on the incident. The employees Mint spoke to said that RBI’s deadline was so tight that the bank asked senior branch officials to investigate other branches near them to identify instances of malpractices. The seniors submitted their reports on a portal and these were checked by officials at regional offices.

“This seemed like a rare exercise but was perhaps necessitated by the short RBI deadline. We checked limited accounts at some branches while other bankers checked our records,” said a banker who had gone through accounts at a nearby branch.

Experts said that while this is correct in principle, as verification was being carried out by someone who did not initiate the transactions, it was not ideal. “They could have done it through multiple chartered accountants—time may not be a real justification,” said a former RBI official.

The bank’s audit and inspection cell is also looking into the issue, checking suspect bank accounts, especially those where bob World was registered and deregistered quickly.

A BoB spokesperson, in an emailed response to queries from Mint, stated that there were some gaps in terms of the adequacy of documents and data errors, and that the bank has engaged an external agency to audit and further strengthen the onboarding process.

“We would like to reiterate that the bank’s mobile banking platform is fully secure with robust security controls and features in place,” the spokesperson said, and added that the bank is working to address the regulatory concerns at the earliest.

“Since the regulatory process is ongoing, we are not in a position to share any further details at this stage,” the statement added.

The axe

A month after the fiasco came to light, the bank’s chief digital officer, Akhil Handa, resigned. The bank said in a regulatory filing that Handa was being replaced owing to the cessation of his employment. In a post on LinkedIn, Handa bade farewell to former colleagues and said he was embarking on a new journey. However, it didn’t end there.

After the bank’s chief executive Debadatta Chand told reporters on 4 November that Handa’s contract had been terminated, the latter sent out a statement with a screenshot of his resignation email, dated 9 August. His statement said, “The narrative of termination seems a deflection of operational lapses at the branch level….” Handa did not elaborate when he was asked about this and whether he had faced pressure internally. An email sent to him remained unanswered.

Following RBI’s public statement, BoB decided to suspend a clutch of employees, something that the bank has still not officially communicated. As per bank union representatives, about nine people were suspended.

In a comical turn, the bank tried to claw back the incentives it had doled out to employees who had met app activation targets, irrespective of whether they were complicit in the malpractice or not. This was met with resistance and the employees asked their labour unions to take the matter up.

“Bankers were receiving informal instructions to return these benefits (the money received) and that has now stopped after the unions stepped in. It is surprising that the bank wanted to take away something as small as money received for team lunches,” said one of the bankers.

BoB has also now barred access to the account opening link mentioned on personal devices. It can only be accessed on tablets provided by the bank.

‘No material impact’

The bank has posted strong profit and digital growth over the last few quarters and even sees itself competing against private sector lenders. Despite RBI’s directive to stop onboarding new customers on the app, BoB said it does not expect any material impact on its overall business and growth plans.

“The size of this is not quite big in banking terms and therefore the loss is not like some of the earlier instances in India. If you look at some of the earlier scams like Nirav Modi, this pales in comparison,” said a private sector banker on condition of anonymity, adding that what happened was nonetheless unethical and wrong.

Rating agencies are also not too perturbed as far as the financial impact is concerned. “Given the volume of transactions required to make a sizable dent into the profits of the bank, the amount involved in the fraud is unlikely to be much in relation to the profit and capital position of the bank,” said a ratings analyst.

The analyst said that, being a public sector bank, BoB is unlikely to suffer any liquidity issues due to the incident as depositors are likely to take comfort in sovereign ownership. “However, this raises concerns about the effectiveness of the internal audits and control function of the bank,” he added.

Experts say that it is critical to focus on the right metrics while pushing digitization goals. “Getting an app downloaded does not necessarily mean the right users and active use. Staff targets and incentives should also be aligned to the right metrics for a more sustainable rollout,” said Parijat Garg, a digital lending expert and former senior vice president at credit information company Crif High Mark.

Meanwhile, rival lenders, especially those from the public sector, are keenly watching the developments at BoB, given their own commitments to digitization.

Denial of responsibility! is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – at The content will be deleted within 24 hours.

Read original article here

Leave a Comment