Referring to the recent mobile payment service (IMPS—immediate payment service) glitch resulting in an erroneous transfer of Rs820 crore to various account-holders of UCO Bank, Bank Bachao Desh Bachao Manch (BBDBM or Manch), a civil society organisation, has suggested four measures to protect banks, India's financial system and banking customers. UCO Bank has said that it blocked recipients' accounts and has been able to retain and recover Rs649 crore out of Rs820 crore, which is about 79% of the amount.
The Manch, in a letter to Shaktikanta Das, governor of the Reserve Bank of India (RBI), says, "As stakeholders of the banking industry, we express our serious concerns about the glitch in the systems leading to erroneous transfers of this scale and also the fact that the glitch could go undetected for several days. Incidentally, it is pertinent to mention that all banks shut down their IMPS facility for a few hours on 14 November 2023 following the detection of this technical glitch in UCO Bank system."
"We also express our consternations about the security of the systems of all banks as this glitch could have been caused by a cyber-attack by external forces targeting the core of the financial system of our country. If IMPS glitch in one bank could cause erroneous transfers of Rs820 crore in just four days, it is a matter of conjecture what could be the scale if the same happened for national electronic fund transfer (NEFT) and real-time gross settlement (RTGS), where there is no limit to transfer of funds unlike in IMPS where the maximum amount of transfer has been capped at Rs2 lakh. This could be a wake-up call for all banks and financial institutions to insulate their information technology (IT) vertical," the Manch says.
Here are a few measures suggested by BBDBM to protect the interest of bank stakeholders and the financial system of the country...
i) Strengthen security measures such as firewalls, encryption and multifactor authentication.
ii) Conduct security audits by independent information security (IS) auditors at regular intervals and penetration testing to identify vulnerabilities and to address the weaknesses detected in a timebound manner.
iii) Banks can set up endpoint verification for corporate devices and bank applications to increase operational resilience.
iv) To comply with RBI guidelines to enhance the cyber security posture, banks should continue to invest in cyber security to stay ahead of the curve.
Over the past few years, India has witnessed several high-profile cyberattacks and data breaches. In August 2018, a cyberattack on Cosmos Bank, one of the oldest cooperative banks, led to a loss of Rs94 crore. In January 2021, a data breach occurred in which the personal data of millions of customers of State Bank of India (SBI) was supposedly exposed following a security weakness in the bank's mobile banking app.
BBDBM says that even the Supreme Court has raised concerns about cyber security in the Indian banking system. In the cases of RBI vs Jayantilal N Mistry, K Sputnik vs Union of India and KS Puttaswamy vs Union of India, the apex court has held that banks must safeguard the security of their customers' information and ensure that mobile banking apps are secure and customers are protected against cyber fraud and theft, that the right to privacy is a fundamental right, and that individuals have the right to protect their personal data from cyber threats, the Manch says.
Earlier this month, UCO Bank revealed that due to technical issues in IMPS, certain transactions initiated by other bank account-holders resulted in credit to its account-holders without actual receipt of money from these banks.
In a regulatory filing, UCO Bank says it has initiated requisite actions to recover the balance of Rs171 crore and the matter has also been reported to law enforcement agencies for necessary action.
According to the lender, between 10 November and 13 November 2023, it observed money being credited to its account-holders through certain transactions initiated by other bank account-holders using IMPS. "The Bank, as a precautionary measure, has made the IMPS channel offline and is working closely with the stakeholders to resolve the issue and restore the IMPS services at the earliest."