You are using an older browser version. Please use a supported version for the best MSN experience.

Bank of Maharashtra accounts lost Rs25 crore due to UPI bug, says NPCI

LiveMint logoLiveMint 30-03-2017 PTI

Mumbai: In what is possibly the biggest financial frauds in recent years, National Payments Corporation of India (NPCI) on Thursday said Rs25 crore has been moved out of Bank of Maharashtra (BoM) accounts due to a bug in its unified payments interface (UPI) application.

All the corrective steps have been initiated and the process of recovering the money from 19 banks where it was transferred to, is on, it said.

“Total amount of loss, as reported by BoM, is about Rs25 crore. They’ve recovered some amount and some amount is still pending. They’ve filed a police complaint also and the investigation is on,” National Payment Corporation managing director and chief executive AP Hota told reporters in Mumbai.

Explaining the fraud, Hota said BoM had procured a Unified Payment Interface (UPI) solution from a vendor, which had a bug that resulted in the fund moving out of the accounts without the sender’s account having the necessary funds.

“Even if the core banking has declined a transaction, the UPI at the bank-level used to send a success message to NPCI. At NPCI, even if the CBS said no, based on UPI of the bank, we used to do the clearing and settlement,” Hota said, adding the fraud was first reported to it on 22 February.

ALSO READ: RBI may keep rates unchanged in April; cut 25 bps in August: BofAML

He said about 50-60 people in Aurangabad discovered this loophole possibly through trial and error method. “They have collected a good deal of money. They’ve accounts in 19 other banks. They’re trying to recover money now,” he said.

There were three other banks, including Bank of India, which had bought a similar solution from the same vendor but they’ve not reported any mishap, Hota said, adding thorough checks have been carried out. The fraud was first reported in the media last week after a few arrests in Maharashtra, but the total amount transferred was under Rs2 crore.

It can be noted that breach of card details due to a compromise at Hitachi’s end last year, which led to a replacement of 3.2 million debit cards, had a financial loss of under Rs2 crore.

Maintaining that it is up to BoM to take action on its vendor, Hota said NPCI has learnt a lot from this episode. “The learning from this is that we’re not allowing any bank to join UPI unless they’ve a thorough reconciliation process and audited their package by the best of auditors. As many as 44 banks are on UPI and getting the 45th bank will be a tougher job because we will be very circumspect,” he said.

Till now, individual banks used to give a declaration that it’s application meets all the necessary security norms but now they will be audited by professionals enlisted by the CERT-IN (Computer Emergency Response Team), Hota said.

A working group has been set up to create a CERT exclusively for the financial sector. NPCI is a part of the deliberations, he added.

More From LiveMint

image beaconimage beaconimage beacon