On November 15, 2023, UCO Bank reported that during November 10-13, certain transactions initiated in the Immediate Payment Service (IMPS) by account holders of other banks had resulted in credits to account holders in UCO Bank without actual receipt of money from those banks. On November 16, 2023, the Bank added that Rs 649 crore of the Rs 820 crore involved had been recovered.
Subsequently, on December 5, the Central Bureau of Investigation (CBI) released a press note giving further details: some 14,000 account holders across seven private banks had originated 8,53,049 IMPS inward transactions to 41,000 account holders within UCO Bank. Several of those account holders exploited the situation, wrongfully withdrawing the funds from UCO Bank through various banking channels.
As you can imagine, this case generated a lot of excitement in banking circles. This article tries to dig into some of the root causes and lessons from the incident.
Neglect Of PSB Governance
When looking at an event of such gigantic size, one has to start from the top. There is an old saying: soldiers do not lose wars; wars are lost by generals. When an event turns catastrophic, the lack of foresight and preparedness of past and current leaders is usually responsible.
Let's look at the issue of governance in public sector banks (PSBs). The definitive study report on this was written in 2014 by the PJ Nayak Committee. Its main recommendations were the elimination of dual control over PSBs, upgradation of the quality of Board deliberation, the setting up of a Bank Investment Company (BIC) and reduction of the Government's stake in PSBs to less than 51 percent, a uniform licence regime across all broad-based banks, and selection of the top management of banks by the Banks Board Bureau, subsequently by the BIC and thereafter by the banks' own Boards.
A decade down the line, many of the recommendations have not been acted upon. The quality of boards in many (but not all) PSBs in particular remains a weak area.
RBI has long recognised the need for specialised technology experience and oversight in the Board of Directors. The report of the G Gopalakrishna Working Group (I was a member) on Cyber Security, published in January 2011, had a chapter on IT Governance, which called for competent board members heading the IT Strategy Committee.
While the WG recommendations were not binding, RBI subsequently reiterated these expectations about expert oversight, culminating in the Master Directions issued on November 7, 2023, which lay down timelines for all Regulated Entities (REs) to comply with the provisions on the IT Strategy Committee of the Board (Clause 6) and the related processes they should follow.
On this note, a perusal of the UCO Bank website failed to reveal any board member who seemed to have significant technology experience.
As news of the massive amount involved spread, experienced bankers immediately noted that the "glitch" continued for three days, indicating weak reconciliation processes. With raw data being shared every four hours, the red flag should have gone up within hours, not days. Perhaps the timing of the glitch (November 11 being a second Saturday and November 12 being Sunday/Kali Puja) acted as a delaying factor. It remains to be seen whether this peculiar timing was happenstance or a deliberate choice by someone.
Failures Galore
Given the unusual transaction pattern, an effective fraud monitoring system would have caught the trend very quickly: thousands of accounts at a handful of banks pushing more than eight lakh inward credits to tens of thousands of accounts at a single bank is not a normal IMPS profile. It is well known within the industry that PSBs lack dedicated, skilled, centralised fraud management teams; software purchased at great expense lies underutilised for want of this skillset.
The third aspect of concern is change management of software configurations and new application versions. The CBI investigation should reveal whether the configuration (or other) changes that led to the glitch were authorised and conscious, or inadvertent.
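The reconciliation and monitoring that the two preceding paragraphs say were missing, as an added example; this is not UCO Bank's, NPCI's or any vendor's code. It assumes a deliberately simplified model: the beneficiary bank holds the list of IMPS credits its payment module posted to customer accounts, and a periodic settlement feed from the switch names the credits that the remitting banks actually funded. The field names, the shape of the feed, the thresholds and the sample rows are all constructed for the illustration.

```python
"""Reconcile inbound IMPS credits against the settlement feed and flag
beneficiary accounts with abnormal inbound velocity.

Added illustration, not code from UCO Bank, NPCI or any vendor. The
record layout (txn_id, ts, remitter_bank, beneficiary_acct, amount) and
the settlement feed as a set of funded txn_ids are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Credit:
    txn_id: str
    ts: int                 # minutes since start of day (constructed)
    remitter_bank: str
    beneficiary_acct: str
    amount: int             # paise


# Constructed sample: credits the IMPS module posted to customer accounts.
POSTED = [
    Credit("T1", 600, "BANK_A", "ACC1", 500000),
    Credit("T2", 603, "BANK_A", "ACC1", 500000),
    Credit("T3", 610, "BANK_B", "ACC2", 250000),
    Credit("T4", 612, "BANK_A", "ACC1", 500000),
    Credit("T5", 640, "BANK_C", "ACC3", 100000),
    Credit("T6", 900, "BANK_B", "ACC2", 250000),
]

# Constructed sample: settlement feed from the switch listing the credits
# the remitting banks actually funded. T1, T2 and T4 are missing.
SETTLED = {"T3", "T5", "T6"}


def unfunded_credits(posted, settled):
    """Credits posted to customer accounts with no matching settlement record."""
    return [c for c in posted if c.txn_id not in settled]


def exposure_by_remitter(credits):
    """Amount at risk (paise) per remitting bank, for the escalation call."""
    totals = defaultdict(int)
    for c in credits:
        totals[c.remitter_bank] += c.amount
    return dict(totals)


def velocity_alerts(posted, max_credits, window_minutes):
    """Beneficiary accounts that received more than max_credits inbound
    credits within any window_minutes span (sliding window per account)."""
    by_acct = defaultdict(list)
    for c in sorted(posted, key=lambda c: c.ts):
        by_acct[c.beneficiary_acct].append(c.ts)
    flagged = set()
    for acct, times in by_acct.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_minutes:
                start += 1
            if end - start + 1 > max_credits:
                flagged.add(acct)
                break
    return flagged


def reconcile(posted, settled, max_credits=2, window_minutes=30):
    """One reconciliation cycle: the findings a four-hourly run would escalate."""
    unfunded = unfunded_credits(posted, settled)
    return {
        "unfunded_txn_ids": [c.txn_id for c in unfunded],
        "unfunded_total": sum(c.amount for c in unfunded),
        "exposure_by_remitter": exposure_by_remitter(unfunded),
        "velocity_alerts": velocity_alerts(posted, max_credits, window_minutes),
    }


if __name__ == "__main__":
    print(reconcile(POSTED, SETTLED))
```

Two separate controls are shown because they fail independently: the unfunded-credit check needs the settlement feed and so can only run at the feed's cadence, whereas the velocity check runs on the bank's own posting data and would fire within minutes of the pattern starting. The thresholds (two credits in thirty minutes) are placeholders; a real system tunes them per account profile.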
A good practice guide on change management recommends a “configuration control review board (CCRB) that is responsible for supporting the assessment, prioritisation, authorization, and scheduling of changes to Configuration Items and the implementation of policies governing those changes. ITIL refers to this construct as a Change Advisory Board.”
It is also not known whether the configuration error originated in defective code (which would reflect on the effectiveness of User Acceptance Testing) or in parameter changes (which would indicate faulty design). Coverage by Privileged Access Management tools may also be relevant to examine.
A more subtle point: I have heard knowledgeable banking practitioners talk about the absence of adequately knowledgeable maker-checkers, who should be bank employees and not vendor staff, in a 24x7 payment environment. Ideally, with burgeoning data centre operations and round-the-clock availability of payment infrastructure (including NEFT/RTGS), this should have been in place already. Perhaps the time has come for banks to over-invest in these areas.
Now, we will zoom out a little. An influential IMF paper of April 2017 rightly identified that “the true aggregation of risks related to cyberspace goes well beyond the internal monitoring and risk management capacities of an individual institution.” No single organisation, however well-resourced, can hope to be successful on its own, and has not only to work with its peers to be on top of threat intelligence and share best practices on cyber resilience, but also will need to rely on the regulator, law enforcement and national security institutions to protect its assets and customers.
So, what is India’s record in strengthening the financial ecosystem?
In 2017, a Computer Emergency Response Team for the financial sector (CERT-Fin) was recommended to be set up as a not-for-profit company, with sub-sectoral CERTs (separately dealing with banking, markets, insurance and pension) housed in each of the financial sector regulators. Among the important functions recommended for CERT-Fin were the development of cyber skills and the promotion of information sharing among industry participants.
Lack Of Institutional Memory
CERT-Fin never took off, probably due to confused thinking in the Ministry of Finance. This important piece of the puzzle, a mechanism for documenting major cyber incidents, distilling their lessons and propagating them through the financial community in a structured manner so that the same mistake is not repeated for want of institutional memory, has remained missing.
Has an incident like UCO Bank's happened before? It has. In March 2017, Bank of Maharashtra lost Rs 25 crore in one of the biggest Unified Payments Interface (UPI) frauds till then, when a few people moved money illegally by taking advantage of a minor bug. The bug in the bank's UPI system allowed people to send money without having the necessary funds in their accounts: even when the bank's core banking solution declined a transaction, the UPI solution sent a success message to NPCI. Sounds familiar?
Similar issues of inadequate software testing and change management and lack of timely reconciliation were flagged in that case as well.
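The defect class described in the Bank of Maharashtra case, a payment adapter that reports success to the switch although the core banking system (CBS) declined the debit, as an added illustration beside its hardened form. This is not Bank of Maharashtra's, NPCI's or any vendor's code, and the exact shape of the original bug is not public; the fail-open pattern shown here (recognising one decline code and treating every other outcome as success) is one plausible way such a bug arises. The CBS stand-in, its status codes and the response format are constructed.

```python
"""Fail-open vs fail-closed status mapping in a payment adapter.

Added illustration, not code from any bank, NPCI or vendor. The CBS
stand-in, the status codes ("OK", "INSUFFICIENT_FUNDS", "DECLINED") and
the response dictionaries are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CbsResponse:
    status: str                      # "OK" or a decline/error code
    debit_ref: Optional[str] = None  # set only when a debit was actually posted


class ConstructedCbs:
    """Stand-in for a core banking system: posts a debit or declines."""

    def __init__(self, balances, blocked=()):
        self.balances = dict(balances)
        self.blocked = set(blocked)
        self._seq = 0

    def debit(self, acct, amount):
        if acct in self.blocked:
            # A decline code the adapter's author never saw in testing.
            return CbsResponse("DECLINED")
        if self.balances.get(acct, 0) < amount:
            return CbsResponse("INSUFFICIENT_FUNDS")
        self.balances[acct] -= amount
        self._seq += 1
        return CbsResponse("OK", debit_ref=f"DR{self._seq}")


def adapter_buggy(cbs, acct, amount):
    """Fail-open (vulnerable): only one decline code is handled; any other
    outcome, including unexpected codes, is reported to the switch as
    SUCCESS, so the beneficiary gets credited without a debit."""
    resp = cbs.debit(acct, amount)
    if resp.status == "INSUFFICIENT_FUNDS":
        return {"result": "FAILURE", "reason": resp.status}
    return {"result": "SUCCESS", "debit_ref": resp.debit_ref}


def adapter_fixed(cbs, acct, amount):
    """Fail-closed (hardened): SUCCESS only on an explicit OK that carries a
    debit reference; an unreachable CBS is reported as UNKNOWN so the switch
    can hold and verify instead of crediting; everything else is FAILURE."""
    try:
        resp = cbs.debit(acct, amount)
    except Exception as exc:  # CBS down or timed out: outcome genuinely unknown
        return {"result": "UNKNOWN", "reason": type(exc).__name__}
    if resp.status == "OK" and resp.debit_ref:
        return {"result": "SUCCESS", "debit_ref": resp.debit_ref}
    return {"result": "FAILURE", "reason": resp.status}


if __name__ == "__main__":
    cbs = ConstructedCbs({"A": 100000, "B": 100000}, blocked={"B"})
    print("buggy, blocked account:", adapter_buggy(cbs, "B", 5000))
    print("fixed, blocked account:", adapter_fixed(cbs, "B", 5000))
    print("fixed, funded account: ", adapter_fixed(cbs, "A", 5000))
```

The difference is the allowlist: the hardened adapter names the single condition under which money left the account and treats every other response as not-success. A User Acceptance Test that only exercised the happy path and the insufficient-funds path would pass both versions, which is the testing gap the article points to.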
It is clear that many of the financial and other institutions have to up their game to ensure that such large incidents (whether out of negligence or malice) are prevented. It is everyone’s responsibility to protect the trust in electronic banking and Digital India.
In general, individual learning is experiential, but organisations do not have the same luxury. Even in a fiercely competitive environment, with adaptive adversaries whose numbers and reach can scale up scarily, collaborating with peers and learning from others’ failures becomes imperative.
Risk managers and business leaders owe it to their profession, customers and shareholders to be up to the job, and not let public funds be taken away with impunity. The ecosystem operated by the government and the regulators should enable and empower them with the right policies and shareable knowledge.
Nandkumar Saravade is a former IPS officer and co-founder, DeepStrat. Views are personal, and do not reflect the stand of this publication.