Dehradun, India – India’s Bank of Baroda made it simple and easy for its agents to steal money from the accounts of its customers. And some of them did steal 2.2 million rupees ($27,000) from 362 customers, internal audit reports and records of the bank have revealed.
The audits come after an expose by The Reporters’ Collective (TRC) and Al Jazeera, which showed the bank’s employees had linked unauthorised mobile numbers to customer accounts that were missing a registered mobile number to onboard them on the bank’s new mobile banking app, bob World. These unauthorised mobile numbers were of bank staff, managers, guards, their relatives and bank agents in remote areas.
The story warned that the bank’s underhand tactics, devised under pressure to boost registrations on its app, could lead to identity theft and pose a grave risk to the money of customers. The bank admitted as much in internal emails last year. “It is a fraud-prone area,” multiple emails about the bogus mobile numbers noted.
Now, internal documents of the bank’s head office acknowledge this malpractice and show that the bank’s agents, called business correspondents, have withdrawn tens of thousands of rupees from customers’ accounts by using mobile banking. Six customers have lost upwards of 110,000 rupees ($1,330) each, whereas one lost almost 177,000 rupees ($2,140). One agent stole more than 390,000 rupees ($4,750).
The bank’s head office has asked the managers concerned to “initiate necessary action for recovery and restoration of money in customer accounts”.
The admission of fraud came after the Reserve Bank of India (RBI), the country’s central bank, ordered an audit following The Reporters’ Collective-Al Jazeera investigation.
On Tuesday, the RBI said that it has directed the Bank of Baroda to stop registering new customers on bob World because of “certain material supervisory concerns observed in the manner of onboarding of their customers onto this mobile application”.
In its nationwide audit, the Bank of Baroda verified documents of about 422,000 accounts that were suspected to be wrongfully registered on the app by the bank staff. The bank’s branch staff audited these accounts spread over nearly 7,000 branches across the country on July 29 and 30, with each employee auditing documents of another branch.
While final audit reports have duly pointed out discrepancies, indicating proper scrutiny at a higher level, these reports also establish the shoddy nature of the internal audit.
Many bank employees told The Reporters’ Collective (TRC) that this audit was not so much about detecting wrongdoing as about covering it up. They said that under instructions from their regional office, they arranged and forged documents for the audit.
One such employee, who himself procured documents from customers, said: “The bank knows it’s in the wrong [with regard to bob World enrolment]. Now, it is in damage-control mode.”
Experts from the field of bank auditing and forensic accounting say the Bank of Baroda should not have deputed its branch staff for the audit in the first place. They say this task should have been outsourced for a fair investigation.
The bank asked its internal auditors to mainly look for bob World request letters that show customers requested the online app service on their phones, and forms that customers signed to change mobile numbers linked with their accounts. The presence of these forms is proof that bank staff did not perform the fraudulent workaround to flog the app.
In most of the cases, the documents were not found, audit reports accessed by TRC show.
Serious gaps
Audit reports of eight regions found bob World request letters for barely one-third of the bank accounts under investigation.
These reports note that in many accounts that were signed up on bob World, the registered mobile number belonged to the respective branch, to the branch manager or to “business correspondents” – freelancers who operate as the bank’s agents and provide banking services in rural and remote areas through customer service points.
The audit found that many accounts were linked with the mobile numbers of strangers. The bank has since instructed branches to immediately block mobile banking on such accounts.
The reports also found that in many accounts registered on bob World, unauthorised mobile numbers were linked and later removed from the back end. There are even instances wherein a customer provided one mobile number in the account-opening form but some other number was linked to his account and registered on bob World.
Further, while the bank’s policy states that one mobile number can be linked with eight bank accounts at most – only if all accounts are of the same family – the audit reports flag many instances of violation of this policy.
They list many mobile numbers, mostly those of business correspondents, linked with 10–60 accounts. One region’s report recommends that mobile numbers be unlinked from about one-fourth of the audited accounts.
The pan-India findings, too, seem to share these concerns. In a letter sent to all zonal and regional heads on August 10, Bank of Baroda’s Chief General Manager B Elango wrote: “The results of the audit have revealed that there are gaps with respect to the availability of basic essential documents and we cannot allow to continue with the gaps that were noticed.”
He adds: “Looking at [the] seriousness of these findings, we have initiated the process to get the irregularities rectified as soon as possible.”
The letter said that branches must approach customers to obtain the missing documents, which have to be preserved after verification by higher offices.
Damage control
While the bank has acknowledged the case of unauthorised debits and missing documents, evidence and anecdotes shared by employees suggest that some regional offices prodded their junior staff to forge these documents in an effort to salvage the situation.
One of the cover-up tactics was to hurriedly add in the signatures and thumbprints of the bank customers on the mobile banking consent forms, many of which were arranged with a backdate – to enable the auditors to certify that all the documents were in place.
Employees from three states told TRC that at the branches they inspected or work at, these documents did not exist for many accounts and were fudged – in some cases, the signatures were forged and in others, the paperwork was done after the account had been registered on the app with branch staff going to account holders’ residences with the papers to obtain signatures ahead of the auditing.
TRC has seen copies of such documents created for a few account holders from the states of Uttar Pradesh and Gujarat.
For instance, several documents from one branch in Uttar Pradesh had only the signatures of the account holder and no other details. The internal auditor who shared these forms with TRC said it was the branch staff that filled up the details, including the crucial ones such as the mobile number and the date of the application.
This auditor said his regional manager, in a video conference, had asked all the auditors to “cooperate” with the branch staff and strive to certify that all accounts are OK. Because of such instructions, the auditor said he approved even the forms he knew were freshly obtained.
From another bank branch in Uttar Pradesh and one in Gujarat, TRC saw copies of audited forms with customers’ thumbprints on them instead of signatures.
Bank employees who shared these forms said they do not know how these farmers, who cannot even sign their names, could use a mobile banking app. The employees said thumbprints were obtained on these forms just ahead of the auditing, and the branch staff filled in these forms.
The audit reports viewed by TRC also highlight that many illiterate customers were registered on bob World. Many of them were registered through a business correspondent’s mobile number linked to their account.
One audit report flagged that illiterate customers are not eligible for the app. Similarly, children under the age of 15 are also not eligible, but many minors’ accounts have been registered.
Many of the accounts under scrutiny for app enrolment were opened under Pradhan Mantri Jan Dhan Yojana. This scheme launched by Prime Minister Narendra Modi aims to link the poor to the banking system by waiving minimum balance requirements and paying subsidies into their accounts.
One bank employee said he and his colleagues used pressure tactics to get these customers to sign the forms. He said the staff told customers they needed to sign the documents urgently to update account details, or else the accounts could get closed or the subsidy could stop. They were kept in the dark about bob World auditing.
This employee highlighted another anomaly. Auditors had been asked to verify account-opening forms, too, as these would have the customer’s mobile number, but many accounts did not have those forms. So, along with the other documents, some branch staff obtained customers’ signatures/thumbprints on these forms, too.
Since employees of this branch did not want to risk inviting scrutiny by higher-ups on why they had been backdating these forms – even though those were their oral instructions – they either left the date blank or entered the date of the auditing on some of the freshly obtained forms.
Thus, these account-opening forms show the date of opening the account as July 29 or 30 (the dates of the auditing), even though these accounts have existed for at least a couple of years.
The audit reports seen by TRC show that this workaround was followed fairly commonly.
These reports not only highlight discrepancies, but also establish the shoddy nature of the internal audit. These reports are littered with remarks about customers’ documents that are unfilled, partially filled, unsigned, undated, unverified or invalid for other reasons.
In a fair audit at the branch level, such documents would have been rejected, say experts.
Red flags
Regarded as a pioneer of forensic accounting in India, Certified Bank Forensic Accountant Mayur Joshi told TRC that in auditing, investigators ought to watch out for inconsistencies, such as a new, crisp form bearing an old date; or a new format of form bearing an old date.
He said there are auditing firms that specialise in the kind of document verification for which Bank of Baroda engaged its branch staff. He said the bank should have hired an external auditor for this case.
Certified Fraud Examiner Nikhil Parulkar, who has two decades of experience in the banking and consulting industries, said the gravity of the allegations warranted an independent and impartial audit.
“How can you ask a branch manager to conduct an audit when that’s outside his scope of work? Is he a competent authority to conduct audits?” he asked.
If customers’ documents have indeed been procured and manipulated as described, it is an unhealthy and predatory practice, he added.
Joshi said freshly obtained forms and backdated forms are perceived as red flags in the world of auditing. He said the very need to obtain basic documents anew is a serious issue since it indicates the bank did not have these documents, which violates the RBI’s directions and can incur a penalty.
The number game
On July 25, two weeks after TRC and Al Jazeera published the expose, a regional office in the Bhopal zone sent to its branches an email bearing the subject line: “URGENT REMINDER: Staff Mobile Number entered in Customers Accounts”.
The opening line of the email reads: “We refer to the captioned subject and share the list of customer ids having mobile numbers of staff and Bank’s CUG [Closed User Group] number seeded in customer’s accounts and subsequently, bob World is activated using such mobile numbers.”
The email asks these branches to investigate these cases and rectify the situation. The trail mail shows that this email originated at the bank’s head office.
On August 1, Bank of Baroda’s head office sent an email to the zonal head of Bhopal. The mail’s opening line reads: “As instructed to us, we are sharing herewith the list of mobile numbers of Staff and Business Correspondents (BCs) which have been found to be linked with 316 & 1283 Customer IDs respectively in your Zone…”
The mail further says that the head office had earlier sent such a list of 313 and 4,118 Customer IDs.
Bank employees say that when customers approach business correspondents to open a bank account and do not have a mobile phone, business correspondents tend to enter their own mobile number as the customer’s phone number.
Now, branches have asked their agents to provide a list of bank accounts in which their mobile numbers ought to be retained, such as the accounts of their family members, and a list of accounts from which their numbers must be unlinked.
These emails and documents contradict the bank’s response to the Al Jazeera story about bob World enrolment. At the time, the bank claimed: “The point raised on using unauthenticated, stranger’s or non-customer mobile numbers boosting app registrations is not factually correct.”
Further, Al Jazeera’s previous story showed that last year, hundreds of mobile numbers were linked with dozens of accounts each in the bank’s Bhopal zone itself. The bank’s policy allows one number to be linked with no more than eight accounts, but a new set of internal emails further proves that this policy is not enforced.
On July 19, the bank’s head office sent an email to all zonal and regional offices with a pan-India list of mobile numbers linked with more than eight customer IDs.
According to this list, many mobile numbers stood linked with more than two dozen, three dozen and even four dozen accounts as of July. The number of such accounts stood at 225,001.
The head office had sent a similar email a day earlier as well, asking zonal and regional offices to “provide us the confirmation along with the proper justification for retention of same mobile number in more than 8 customer IDs. Subsequently, if same mobile number in more than 8 customer IDs is not required, kindly provide your recommendation for removal of the same from back end”.
Regional offices sent out this email to branches with lists of accounts from which unauthorised mobile numbers needed to be unlinked. TRC has reviewed copies of the emails.
Employees frustrated
The scandal at the Bank of Baroda has taken a toll on its employees. A number of them told TRC that they faced double jeopardy: First, the bank sets targets to register customers on bob World by any means possible, and now it puts pressure on them to produce documents showing customers asked for the service.
The bank employees involved in the cover-up during auditing said that while they might land in trouble in the future if the RBI picks up their forms for further scrutiny, they would certainly have landed in trouble had they disobeyed their regional manager and prepared a genuine audit report.
Several employees gave first-hand accounts of how the pressure has affected them and the ethical shortcuts they and their colleagues were forced to adopt.
The head of a rural branch in Uttar Pradesh asked how consent forms would be available when mobile banking was activated under duress by adding someone else’s mobile number to customers’ accounts.
Another officer from the same state called this reporter agitated on the day of the auditing. He revealed that in his branch, the hapless staff were not only filling up customers’ forms but also forging customers’ signatures on them.
Bank of Baroda Employees’ Union (Karnataka) has raised these concerns in its letter sent to the bank’s managing director and CEO on July 30.
It states: “We are aghast with this internal audit since all these deviations have been carried out by the clerical staff on the oral instructions of the Branch Managers and with the knowledge of the Regional Authorities and now, the very same people are conducting the audit. It is possible that many records may be created or destroyed during this audit in order to shift the blame entirely on lower-level functionaries and particularly the clerical staff.”
The letter adds that the union has long tried to draw the management’s attention to issues about mobile banking and other irregularities, but to no avail.
“The ones responsible for this mess, they should be held accountable,” said a bank employee. “Dictatorship has been going on for a long time here.”
TRC asked the RBI in an email about its course of action, but did not receive a reply. TRC called Jesudas Pradeep G from RBI’s Department of Supervision but he declined to comment, saying he is not authorised to speak with the media. Bank of Baroda, too, did not reply to TRC’s questions about the internal audit and its findings.
Hemant Gairola is an associate member of The Reporters’ Collective.