In the recent days some of the new generation banks have been opening Bank accounts for customers online with an Aadhaar based eKYC.
Naavi has highlighted several times that eKYC is only as secure as the security of a mobile and if the mobile of a person gets compromised, eKYC is compromised. If Banks open accounts on the basis of eKYC, then the integrity of the Bank account will also be diluted to the level of the mobile security. The OTP which is used for verifying the mobile is itself a degraded security system in US and it is unfortunate that we in India are according it a status which has made OTP a replacement for digital signature.
Recently, Naavi has come across a complaint that RBL, has been opening Fake Bank accounts in the name of fraudsters who are using the accounts to transfer fraudulent crime funds from other Banks. In other words, these Bank accounts are being used for “Money Laundering”. This will render RBL liable both in civil and criminal terms.
RBL may not be alone in this game and there could be other Banks. But in order to verify the same, I checked out the process of opening of a Bank account in Kotak Bank, Axis Bank and in RBL.
Out of these and several other Banks procedures screened, only Kotak was accepting Virtual Aadhaar ID and set up a call from the Bank.. Axis and RBL are taking the real Aadhaar ID. Some Banks like Central Bank of India require visit to the Branch.
In the case of RBL, the account is opened with an eKYC based on the Aadhaar and opened with minimal restrictions as shown below.
The Complete terms are available as a hyper link here This indicates that the account is a limited KYC account with relevant restrictions.
As a matter of convenience, this online opening of account may be fine. But it appears that this facility is being misused by fraudsters and dragging these Banks into picking up liabilities on behalf of the fraudsters.
It is necessary for these Banks to ensure that there are robust security processes to ensure that the process is not misused.
I draw the attention of the Reserve Bank of India also to instruct the Banks to follow proper security measures to ensure that the online e-KYC process is not misused. For this purpose the following procedures need to be introduced.
- Banks should stop obtaining the real Aadhaar numbers and work only with Virtual Aadhaar number.
- UIDAI should cancel the authorization provided to Banks for e-KYC unless they are registered for full KYC process using biometrics which require the physical presence of the Aadhaar owner at the branch where the account is being opened
- The OTP system should be ideally discontinued completely or at least restricted for use in non critical services and not for opening of Bank accounts.
- Banks should be reminded that as per the comprehensive reading of the RBI guidelines, Banks are liable in case of such misuse of the Aadhaar ID and they need to bear the loss and cover it with Cyber Insurance.
I personally warn the Bank officials that they will be liable for criminal prosecution in cases of fake accounts being opened by fraudsters which may send them to jail for a term of 3 years and above.
In such cases, even UIDAI and the e_KYC agent will also be liable for being complicit in money laundering through forged documents.