Ashfaq, a small-time businessman from Melattoor of Kerala’s Malappuram district, had received an amount of Rs 2,000 from a friend, Varghese of Nilambur, in November 2002 via Google Pay. After some days, he found out that his current account with the Federal Bank, Melattur branch, had been frozen. Reason? His friend Varghese had received an amount from another UPI account, which was linked with an online fraud registered somewhere outside Kerala.
Ashfaq received a letter from the Federal Bank on November 30, 2022, seeking the source of two debits, stating that there is a pending enquiry with respect to those transactions. He provided all the necessary information, including the source of the transaction, but the bank has taken no further action. In fact, the account was deactivated even before the said communication.
Akhil Mansoor, a network engineer from Manjeri, Malappuram, who works in Bengaluru, has an even more embarrassing story.
He received an e-mail communication from Federal Bank, Manjeri Branch, stating that a complaint was registered in National Cyber Crime Reporting Portal (NCCRP) and a police enquiry is underway. The bank had his account frozen beforehand. Interestingly, the bank has provided communication details of the person who allegedly lodged the complaint with NCCRP and advised the second complainant herein to settle the matter by communicating with him.
“I contacted the complainant who is in Odisha, but he has not filed any complaint against me. His complaint was against a man named Sajid Malik, whom I have no information about. The bank had deactivated both my Jupiter and Fi accounts (Indian Neo Bank projects that came alive in 2021) along with my main salary account. It was done in January 2023 and for the next two months, I could not draw my salary. I had to open a new account to draw my last month’s salary,” Akhil says.
“Even after the man from Odisha withdrew his complaint, my account has not yet been activated,” he adds.
Akhil’s and Ashfaq’s are among the hundreds of accounts that banks had frozen after they were flagged by the NCCRP, under the Union ministry of home affairs. There are many people, ranging from cryptocurrency dealers to elderly homemaker women, who have been affected by this strange turn of events. This has been happening for some years now but came to light only when some traders from Ernakulam chose to approach the media.
According to a bank official who does not want to be named, in the last couple of years, hundreds of bank accounts in Kerala have been ‘frozen’ on directions from police from other states investigating online frauds registered on the NCCRP. Most of these complaints of online fraud are from states like Gujarat, Punjab, Delhi, Karnataka and Odisha.
Initially, such cases were limited to UPI transactions, but now cases related to NEFT and RTGS transactions also have started popping up.
Some of the victims have approached the Reserve Bank of India (RBI), with a petition seeking remedial action.
According to the petition: “Police authorities can only issue notices as per Section 102(3) of CrPC. It is evident that all these aforesaid notices have been issued without even registering an FIR. It is very evident that the police authorities are issuing directions to banks to freeze debit activities without conducting an investigation. Upon enquiry, it is learned that many complaints were registered on fake addresses by obtaining transaction ID details of the customers. In certain other cases, FIR has been registered but no further details are available. After freezing the accounts, no further investigation has been conducted by the police or bank authorities. This creates a bad impression on all digital money transactions, which may adversely affect the national economic interest.” (sic)
Traditional banking vs UPI
Anivar Aravind, a technologist, says, “A bank account was traditionally a private space in which you had complete control over who could make deposits into your account. After UPI’s implementation, an account’s discoverability was made public. Anybody with access to your phone number, UPI handle or a QR code can deposit money into your account, for which you are completely responsible. Anybody who has your phone number can derive your UPI handle as well.”
According to legacy banks’ SOPs, bank branches were where a customer could obtain information and conduct transactions. Customers trusted the branch staff members who handled their accounts. With the growing popularity of API (Application Programming Interface) banks and neo banks which offer digital-only accounts, this is fast becoming a thing of the past, adds Anivar.
Jiyas Jamal, a lawyer who specialises in cyber-crime laws, says deactivation of accounts is done to stop any further diversion of stolen funds into other accounts. When a complaint of online financial fraud is registered on the NCCRP, the cyber police of the state concerned directs the bank to freeze the accounts of all those who have received a portion of the defrauded money and the banks are doing exactly what they are asked to do, he says.
The Federal Bank, which had many of its clients’ accounts deactivated, had released a statement on April 10 stating that it was its duty to follow what the police ordered as a law-abiding organisation. “When a cyber fraud occurs, the state police concerned give banks instructions to freeze all accounts, not just the one to which the money was originally defrauded. This applies to NEFT, RTGS, and check payments in addition to UPI transactions,” the statement said.
Worried bank customers
“This has created total chaos among the bank account holders who use UPI for transactions, which is a very serious situation,” says Ameen Hassan, a lawyer representing 20-odd victims. This could easily be used to target vulnerable sections. At this point in time, there is hardly any proof of an organised attack, but nothing could be ruled out, adds the lawyer.
“Some of my clients even had offers of out-of-the-court settlements from people who claimed to be from the police department. This is clearly illegal as the police is not registering any case but imposing debit-freeze on accounts using the banks,” says Ameen Hassan.
“The cases that have come to light thus far point to a modus operandi that is being used by someone, including various police departments, for extortion-style tactics. The lack of proper standard operating procedures for the NCCRP, the banks’ knee-jerk reaction, coupled with the overreaching power of the police department are to blame for this.”
“There’s a danger of such incidents increasing exponentially as they have exposed a cyber security vulnerability and a modus operandi utilizing the failures in the system. It is primarily the responsibility of National Payments Corporation of India (NPCI), RBI, and Reserve Bank Information Technology Pvt Ltd (ReBIT), along with the ministry of home affairs, to stop this,” feels Anivar Aravind.
K N Balagopal, Kerala’s Finance Minister, says the government will take up the issue with the Centre.
“It’s a very serious issue as people with no connection to any online fraud are getting affected. The government will take it up with the RBI and the Centre,” said Balagopal.