NPCI (National Payment Corporation) said Rs25 crore has been moved out of Bank of Maharashtra (BoM) accounts due to a bug in its UPI application. All the corrective steps have been initiated and the process of recovering the money from 19 banks where it was transferred to, is on, it said.
"Total amount of loss, as reported by BoM (Bank of Maharashtra), is about Rs25 crore. They have recovered some amount and some amount is still pending. They have filed a police complaint also and the investigation is on," National Payment Corporation managing director and chief executive AP Hota told reporters.
Explaining the fraud, Hota said BoM had procured a Unified Payment Interface (UPI) solution from a vendor (reported to be city-based InfrasoftTech) which had a bug that resulted in the fund moving out of the accounts without the sender's account having the necessary funds.
"Even if the core banking has declined a transaction, the UPI at the bank-level used to send a success message to NPCI. At NPCI, even if the CBS said no, based on UPI of the bank, we used to do the clearing and settlement," Hota said, adding the fraud was first reported to it on February 22.
He said about 50-60 people in Aurangabad discovered this loophole possibly through trial and error method. "They have collected a good deal of money. They have accounts in 19 other banks. They are trying to recover money now," he said.
There were three other banks, including Bank of India, which had bought a similar solution from the same vendor but they've not reported any mishap, Hota said, adding thorough checks have been carried out.
The fraud was first reported in the media last week after a few arrests in Maharashtra, but the total amount transferred was under Rs2 crore.
It can be noted that breach of card details due to a compromise at Hitachi's end last year, which led to a replacement of 3.2 million debit cards, had a financial loss of under Rs2 crore.
Maintaining that it is up to BoM to take action on its vendor, Hota said NPCI has learnt a lot from this episode.
"The learning from this is that we are not allowing any bank to join UPI unless they have a thorough reconciliation process and audited their package by the best of auditors."