Bank of Maharashtra accounts lost Rs 25 cr due to fraud through UPI: NPCI

Process of recovering the money from 19 banks is on

Don't want to miss the best from Business Standard?

In what is possibly the biggest financial frauds in recent years, National Payment Corporation of India (NPCI) on Thursday said Rs 25 crore has been moved out of Bank of Maharashtra (BoM) accounts due to a bug in its Unified Payment Interface (UPI) application.

All the corrective steps have been initiated and the process of recovering the money from 19 banks where it was transferred to, is on, it said.

"Total amount of loss, as reported by BoM, is about Rs 25 crore. They've recovered some amount and some amount is still pending. They've filed a police complaint also and the investigation is on," NPCI Managing Director and Chief Executive Officer A P Hota told reporters in Mumbai.

Explaining the fraud, Hota said BoM had procured a UPI solution from a vendor (reported to be city-based InfrasoftTech) which had a bug that resulted in the fund moving out of the accounts without the sender's account having the necessary funds.

"Even if the core banking has declined a transaction, the UPI at the bank-level used to send a success message to NPCI. At NPCI, even if the CBS said no, based on UPI of the bank, we used to do the clearing and settlement," Hota said, adding the fraud was first reported to it on February 22.

He said about 50-60 people in Aurangabad discovered this loophole possibly through trial and error method. "They have collected a good deal of money. They've accounts in 19 other banks. They're trying to recover money now," he said.

There were three other banks, including Bank of India, which had bought a similar solution from the same vendor but they've not reported any mishap, Hota said, adding thorough checks have been carried out.

The fraud was first reported in the media last week after a few arrests in Maharashtra, but the total amount transferred was under Rs 2 crore.

It can be noted that breach of card details due to a compromise at Hitachi's end last year, which led to a replacement of 3.2 million debit cards, had a financial loss of under Rs 2 crore.

Maintaining that it is up to BoM to take action on its vendor, Hota said NPCI has learnt a lot from this episode.

"The learning from this is that we're not allowing any bank to join UPI unless they've a thorough reconciliation process and audited their package by the best of auditors."

"As many as 44 banks are on UPI and getting the 45th bank will be a tougher job because we will be very circumspect," he said.

Till now, individual banks used to give a declaration that it's application meets all the necessary security norms but now they will be audited by professionals enlisted by the CERT-IN (Computer Emergency Response Team), Hota said.

A working group has been set up to create a CERT exclusively for the financial sector. NPCI is a part of the deliberations, he added.