While the Reserve Bank of India (RBI) and State Bank of India (SBI) are asking customers to refrain from sharing know-your-customer (KYC) related information over phone, via email or SMS, the Bank, however, is confusing customers, that too after banking hours and over a weekend. A very senior citizen was made to spend two days on a weekend with anxiety, tension and mental agony just because an official from SBI called from a mobile number and asked him to share KYC over an email.
Here is what happened over the weekend…
The day and date: Saturday, 4th June; time: 12noon; customer: 79-year-old; the event: an urgent phone call from an unknown mobile number of someone who identifies herself as XXX from SBI requesting the customer to urgently send scanned images of his Aadhaar and PAN card to confirm the date of birth as some audit work was going on at the Bank.
The officer from SBI mentions that it was very urgent and the documents were needed ASAP.
The customer, being a very senior citizen and not tech-savvy enough to scan the documents on his own, goes to the neighbour and gets it done and sends them to the email ID given by the SBI officer. When he tries to call back the number to confirm receipt of the scanned copies, there is no response.
If someone narrated this to you, wouldn’t your immediate response be – this is spam/phishing fraud! This was my response too—typical modus operandi of a fraudulent call.
The customer, who is my sister’s husband, happened to mention this to me in the evening at about 7pm when we met for some other work. I got alarmed and told him that the events have all the underpinnings of a KYC fraud.
Immediately, we rushed around to find out the steps that need to be taken. As always, the toll-free numbers given on SBI’s as well as RBI’s website did not work. Either they do not connect or if they do, the intelligent (!) voice response system (IVRS) gives you a recorded message that you are on hold – indefinitely!
After an anxious two hours of trying unsuccessfully to register a complaint and to block the account and the debit-cum-ATM card, he gave up. By this time, it was past 11pm. They spent a sleepless night.
In the meantime, I approached Yogesh Sapkale, our deputy editor. As always, he came to our rescue. One of the numbers he gave us, finally responded and my brother-in-law was able to block the ATM card next morning only at about 6am.
But he could not block his account or my sister’s account in which he is also a joint-holder and we were afraid that a fraudster or hacker could misuse the documents to hack into that account also.
The thought of having to file a police complaint, along with all the hassles involved, was enough to drive any senior citizen’sblood pressure up!
On Monday morning, they were at SBI branch at 9.30 and the manager met them at 9.45. Everyone at the branch was very polite and helpful. They attended to the complaint immediately; checked and found that the funds in both the accounts were safe. So they heaved a sigh of relief.
But imagine how baffled they were when they were told that it was, indeed, a call from SBI and the email ID, on which they sent the KYC documents, was genuine.
When they called me to inform that all was OK, we said a prayer—that the money was safe.
But the next minute, we were all so angry for having undergone those hours of anxiety and tension. I wonder if anyone will be held to account for this?
Why was SBI calling a customer directly on a Saturday and asking for this information on phone?
Isn’t this in direct contravention of the repeated messages they send to customers—that they never ask for KYC details on the phone? And why then does the Reserve Bank advertise so heavily in the media to warn customers about phishing calls?
RBI advises regulated entities (REs) to adopt a risk-based approach for periodic updation of KYC. However, periodic updation is to be carried out at least once in every two years for high-risk customers, once in every eight years for medium risk customers and once in every ten years for low-risk customers from the date of opening of the account or last KYC updation. If there is no change in KYC information, the bank can ask the customer to submit a self-declaration through her email ID or mobile number registered with the RE. The customer can also use digital channels such as online or internet banking, and mobile application of the RE to submit the self-declaration. (Ref: RBI Master Directions on KYC updated on 10 May 2021
The memorandum highlighted lack of clarity on frequency and basis of KYC updation by banks. "There is no clarity to the account holder about her risk-categorisation and how often KYC needs to be updated, especially for bank accounts that are regularly in operation and clearly used only for routine personal or business transactions," the memorandum had stated.
This is a true story and I am sharing with our readers as it provides evidence for the lax implementation of RBI’s supervision by public sector banks.
Every such case of breach of mandated procedures encourages unscrupulous pranksters and gives them opportunity to play on this doubt in the customer’s mind – what if it is a genuine call and my account gets blocked. And people fall prey to phishing scams!