In what is possibly the biggest financial frauds in recent years, NPCI on Thursday said Rs 25 crore has been moved out of Bank of Maharashtra (BoM) accounts due to a bug in UPI. All the corrective steps have been initiated and the process of recovering the money from 19 banks where it was transferred to, is on, it said.
“Total amount of loss, as reported by BoM, is about Rs 25 crore. They’ve recovered some amount and some amount is still pending. They’ve filed a police complaint also and the investigation is on,” National Payment Corporation managing director and chief executive AP Hota told reporters.
Explaining the fraud, Hota said BoM had procured a Unified Payment Interface (UPI) solution from a vendor (reported to be city-based InfrasoftTech) which had a bug that resulted in the fund moving out of the accounts without the senders account having the necessary funds.
“Even if the core banking has declined a transaction, the UPI at the bank-level used to send a success message to NPCI. At NPCI, even if the CBS said no, based on UPI of the bank, we used to do the clearing and settlement,” Hota said, adding the fraud was first reported to it on February 22.
He said about 50-60 people in Aurangabad discovered this loophole possibly through trial and error method. “They have collected a good deal of money. They’ve accounts in 19 other banks. Theyre trying to recover money now,” he said.
There were three other banks, including Bank of India, which had bought a similar solution from the same vendor but they’ve not reported any mishap, Hota said, adding thorough checks have been carried out. The fraud was first reported in the media last week after a few arrests in Maharashtra, but the total amount transferred was under Rs 2 crore.
It can be noted that breach of card details due to a compromise at Hitachi’s end last year, which led to a replacement of 3.2 million debit cards, had a financial loss of under Rs 2 crore. Maintaining that it is up to BoM to take action on its vendor, Hota said NPCI has learnt a lot from this episode.
“The learning from this is that were not allowing any bank to join UPI unless they’ve a thorough reconciliation process and audited their package by the best of auditors. As many as 44 banks are on UPI and getting the 45th bank will be a tougher job because we will be very circumspect,” he said.
Till now, individual banks used to give a declaration that its application meets all the necessary security norms but now they will be audited by professionals enlisted by the CERT-IN (Computer Emergency Response Team), Hota said.
A working group has been set up to create a CERT exclusively for the financial sector. NPCI is a part of the deliberations, he added.