Fraud Alert: Email Abuse by Banks, FIs
One afternoon, Sudha, a senior citizen and wife of writer and activist Veeresh Malik, was startled to receive two emails from Axis Bank about an account having been opened. She is neither a customer of Axis Bank nor had she opened an account with the Bank. One of the two emails said, "Your KYC record 5xxxxxxxxxxxx8 registered with Central KYC Registry has been updated by Axis Bank Ltd." This email from Axis Bank also carried an account statement that required the account holder's date of birth (DoB) to open the attachment. As expected, it did not match Ms Malik's DoB.
 
While the Maliks were still trying to understand the spate of emails, she received one more email about a demat account having been opened at Axis Bank's Pune branch! 
 
You may think this is a rare case of a mistaken email ID. But it is not. An ex-banker, who is a friend of Mr Malik, shared a similar experience that happened with HDFC Bank. He told Mr Malik, "The problem emanated from how Gmail interprets email IDs. Mails to another person with my name kept coming to me. HDFC Bank has no mechanism for a non-customer to report this."
 
As is known to those who are victims or in the tech business, Gmail does have a 'dot' problem. This means that if John Smith sets up an email account as [email protected], he also owns all emails that use a dot in between the words that comprise his email ID. So emails to [email protected], [email protected] and [email protected] will all go to his account, since Gmail reads them all as [email protected].
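To show how a bank's own onboarding check could catch the Gmail 'dot' collision described above, here is an added Python example (not code from the article or from any bank's system); the customer IDs and email addresses in it are constructed for illustration.

```python
"""Detect customer records whose email IDs resolve to the same Gmail mailbox."""
from collections import defaultdict

# Domains where Gmail ignores dots and any '+tag' suffix in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail, dots in the local part are ignored and a '+tag' suffix is
    dropped, so 'john.smith+bank@gmail.com' delivers to 'johnsmith@gmail.com'.
    Other domains are only lower-cased, since they do not share this rule.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_mailbox_collisions(records):
    """Group customer IDs by the mailbox their registered email delivers to.

    records: iterable of (customer_id, email). Returns {mailbox: [customer_ids]}
    for every mailbox shared by more than one distinct customer, i.e. every
    case where a statement or OTP meant for one customer lands with another.
    """
    owners = defaultdict(set)
    for customer_id, email in records:
        owners[canonical_email(email)].add(customer_id)
    return {mbox: sorted(ids) for mbox, ids in owners.items() if len(ids) > 1}


# Constructed sample: three customers registered what look like three different
# Gmail IDs, but all three deliver to the same inbox; the other two are distinct.
SAMPLE_RECORDS = [
    ("CUST-001", "john.smith@gmail.com"),
    ("CUST-002", "johnsmith@gmail.com"),
    ("CUST-003", "Jo.hn.Smith+loans@googlemail.com"),
    ("CUST-004", "j.smith@gmail.com"),          # different mailbox: jsmith
    ("CUST-005", "john.smith@example.org"),     # non-Gmail: dots are significant
]

if __name__ == "__main__":
    for mailbox, customers in find_mailbox_collisions(SAMPLE_RECORDS).items():
        print(f"{mailbox} is shared by {', '.join(customers)}")
```

Running such a check before a new email ID is linked to a record would have flagged the collision at the point of data entry rather than after statements had already gone to a stranger.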
 
Since Mr Malik, as the former head of an IT company, was aware of the issue, he brought this problem to the attention of Axis Bank at several levels of the organisational hierarchy.
 
The Bank reacted with a standard response, blaming Gmail for the mistake. He wrote back to the Bank saying, "Not my place to offer you solutions, but decades ago, all good financial institutions, including Indian entities, had their own internal checks and balances to eliminate the confusion created by similar email addresses. Consider, for a moment, that if the fault lies with Gmail, then how come we don't get emails from other entities for a similar email address?"
 
"...your response smacks of a supercilious, condescending and arrogant approach towards us as ex-customers. Maybe your bank customer profile settings feel that female senior citizens are easy prey or silent targets for such issues?" says Mr Malik, who started life as a seafarer and has been in technology for decades. 
 
Many readers would have heard of this problem for the first time. Unfortunately, this is only one part of the problem. 
 
The main issue here is the blatant misuse (read: abuse) of email IDs by all financial institutions, including banks and government authorities. While all organisations insist on mobile verification through a one-time passcode (OTP), there is hardly any verification or validation done for email IDs.
 
Here is one more example. My friend Vikram felt lucky many years ago to have his surname registered as his email ID. Nowadays, his 'lucky' email ID is flooded with emails from Home Credit Finance, Punjab National Bank, Yes Bank, CIBIL TransUnion, PaisaBazaar, HDFC Mutual Fund, Tata AIG, BillDesk, Hyundai Motors, M&M and Kia India, to name a few. 
 
The reason? These and many more businesses blindly use his email ID for anyone with the same surname! What is really scary is that he has never been a customer of any of these companies or businesses. 
 
 
He has tried everything from writing to these institutions to even taking up the matter with the banking ombudsman. Almost invariably, he was told that he had received the email because some customer had submitted this particular email ID as their own while registering or availing of their service. However, this is a half-truth. 
 
Data entry operators often use surnames as the default email ID when a customer does not have an email ID or refuses to share it. Anyone working with customer service outlets used by banks to open basic accounts will confirm this.  
 
His case and the communication with Home Credit Finance were the most bizarre, Vikram told me. "The company asked me to provide customer ID (when I am not even a customer!) and my KYC documents to verify my claim! Even when I took them to the banking ombudsman, they got away by stating it was not their fault since the 'wrong' email ID was provided by their customer." 
 
Till date, only Union Bank of India has deleted Vikram's email ID from the records of another customer, while HDFC MF and Home Credit Finance (after the matter reached the banking ombudsman) have de-linked it. Others continue to send him emails meant for someone who shares his surname.
 
You may wonder what is the harm even if Vikram receives emails meant for other people on his email ID. There are two aspects to this issue. Vikram can simply mark these wrongly directed emails as spam and delete or unsubscribe from them. But what happens if he is also a customer of these entities? It could lead to a mix-up that may even affect his credit score.
 
A more critical aspect is that you are required to use your email ID or mobile number as the default login ID for many online engagements. These email IDs are sent one-time passcodes (OTPs) to enable a login. Someone who receives wrongly directed emails may also receive such OTPs and misuse them; in the hands of a cybercriminal instead of an honest person like Vikram, they would be a serious threat. Such a person would be in a position to log into someone else's account, change passwords and cause a substantial loss of money and reputation.
 
Most importantly, an email address is often a key identifier for password recovery processes in banking systems. If the bank mistakenly links the wrong email, the person receiving the emails could potentially exploit the password reset process to access someone else's account.
 
Even if the person doesn't intend to commit fraud, he may be able to reset passwords, access banking systems, or authorise transactions inadvertently or intentionally, leading to financial fraud.
 
In such cases, where significant financial issues occur like fraud or account takeovers, the email owner (for example, Vikram) would be contacted by law enforcement agencies (LEAs), financial regulators, or the actual customer, accusing him of fraud or demanding explanations.
 
Let us examine the other side of such emails and the implications for the intended recipient (real customer).
 
When a bank or financial institution (FI) uses the wrong email ID, the actual customer may not receive important notifications, such as alerts about suspicious transactions, loan or credit card statements, or changes in terms and conditions. It can result in missed payments, late fees, or even unawareness of fraudulent activity on the account. 
 
If someone else's email is linked to a customer's account, important security alerts, like suspicious activity notifications, might be missed, leading to the account being frozen or suspended due to security concerns. In this case, the rightful account holder may face inconvenience, delayed access to funds, or other disruptions in banking services.
 
If a customer disputes a transaction or claims he or she never received the critical information, it can be challenging to resolve, especially if the communication is sent to the wrong email address.
 
In such a situation, the bank or FI may face complications proving that they properly notified the customer, leading to potential legal and financial implications.
 
Moneylife has raised this issue at the highest levels with the Reserve Bank of India (RBI), and it is hoped that the regulator understands the gravity of the problem and addresses it quickly. 
 
Incorrectly using someone else's email ID may violate know-your-customer (KYC) and anti-money laundering (AML) regulations, as it shows a lack of due diligence in verifying the customer's identity. This can lead to regulatory fines, penalties and reputational damage for the bank, FI, or service-providers.
 
To avoid these dangers, banks and FIs need to enforce strict procedures for email verification and ensure that any communication is sent to the correct, verified email ID of the actual customer. Further, FIs and service-providers need to have a system in place to allow non-customers to file complaints, such as receiving unsolicited or unintended emails and other communication. 
 
The only issue is that in India, there is no mandate to validate an email ID as is done for mobile numbers. So unless the regulators act on this critical issue, the abuse of email IDs and, thus, the dangers to customers will prevail.
Comments
veereshmalik
7 months ago
Thanks. The biggest fraud possible is mule accounts as well as access to genuine accounts. Especially when OTPs are auto validated. In Sudha's case, the email OTP was sent and validated within the same minute by someone or maybe by a machine/device/computer.

This happens across banks. Also insurance companies. Pretty much anywhere where there is a commission / incentive involved for account opening.

One solution - we have to return to hard copy verification within XX days, till then, control/limit/watch on transactions.

Thanks again
veereshmalik
7 months ago
Another major weakness is the practice of banks taking mandate from customers through unencrypted emails. This is very risky considering that such unencrypted emails can be hacked. Some banks take indemnity letters from customers so as to indemnify themselves in case of any fraud through use of email instructions.