Between November 10 and 13 last year, over 8,53,049 IMPS (Immediate Payment System) transactions took place in which Rs 820 crore was wrongfully transferred to the accounts of over 41,000 UCO Bank account holders. The transfers emanated from 14,600 accounts in seven private sector banks curiously without their accounts being debited.
On November 15, UCO Bank filed an FIR with the Central Bureau of Investigation (CBI) against two of its support engineers and other unidentified individuals. UCO Bank has recovered Rs 705.31 crore out of the Rs 820 crore that was mistakenly credited to numerous accounts in November, said Union Minister of State for Finance, Bhagwat Karad, on December 25, 2023.
The transfer of funds to 41,000 UCO Bank accounts was a consequence of a technical glitch in the bank's IMPS payment channel operated by the National Payments Corporation of India (NPCI), an RBI promoted company, also credited with putting India’s own desi RuPay card on the map as well as with ushering in the revolutionary UPI cashless payments. If it was a glitch, the system should have thrown up frantic and screaming alerts and NPCI should have acted proactively. Instead, it took UCO bank to take the lead. That the wrong credit of Rs 820 crore took place through a staggering 8,53,049 transactions involving 14,600 accounts shows on an average each account holder perpetrated the same mistake or fraud 58 times or 59 times. Spread over four days, the average number of transactions done per day by these account holders works out to 14.75. Was it a typical insider job? That the UCO Bank suspects the involvement of its own support engineers fortifies this prima facie impression. Was the system designed to shrill only when the Rubicon of 15 transactions per day was crossed? Only a thorough systems cum forensic audit would throw full light on whether it was a technical glitch or insiders working around the system. What is more baffling is the IMPS software did not throw up immediate alerts when more than eight and half lakh credit entries into a particular bank didn’t have matching debit entries traceable to the 14,600 account holders of seven private banks given the fact that every credit has a matching debit and vice versa is the mool mantra of the time-tested double entry accounting. Be that as it may.
If as much as Rs 705 crore has already been recovered what explains the massive raids carried out by the CBI on the March 6, 2024 at various places in Rajasthan and Maharashtra. Certainly, the raids do not simply prima facie square up with the finding of technical glitch already pronounced by the Minister Bhagwat Karad. For all one knows, the technical glitch might have been contrived.
It is well known that in the past bank staff have been involved in pinching small-small amounts left in dormant accounts. While that might still be continuing, in this day and age, it is the backroom boys operating the system who get ideas about cracking the system for nefarious purposes. It is not as if IMPS involves only the originating and destination banks. They involve the RBI, the bankers’ bank, too. When an IMP’S transaction is consummated, the cell phones of both the receiver and payer ping almost simultaneously on real-time. All the more reason to question how the RBI’s IMPS server didn’t shrill and alert the authorities that something massive is afoot. Had such an alert been made by the system after the very first transactions, the more than 8.5 lakh transactions that followed could have been foiled.
Looks like the geeks who perpetrated this fraud were innocent of the foolproof nature of double entry accounting that would have called their bluff sooner or later.
The author is a freelance columnist and writes on economics, business, legal and taxation issues
