The anomaly of bancassurance and investment product pitches, -- where banks take over the role of insurance companies and investment banks by pushing insurance and mutual funds (or a combination of both) to swell their fee-based incomes, beyond only managing the funds of their customers --, doesn't spring a surprise anymore. But the emerging scenario implicit in RBI's latest guidelines on third party product selling by banks holds the promise of playing out well if the oversight part is strong and robust across banking domains.
The apex bank earlier this week made it clear that rampant insurance policy, housing loan or mutual fund sales spiels to a customer who goes into the bank premises to check her account balance or interest on a public provident fund account, or even open a new savings account, must be done with care and sensibility. And, no coercive bundling of an insurance policy on top of a housing loan or a mutual fund, just because the bank thinks the customer owes it to them to take one because they are graciously helping them out in troubled times.
The Reserve Bank of India's (RBI) widening of the scope of Banking Ombudsman Scheme 2006 to include deficiencies arising out of sale of insurance, mutual funds and other third party investment products by banks, on the face of it, lends more teeth to customer rights. By default, the widened scope of the Ombudsman Scheme would now extend into ATM malfunctions like wrong debiting of bank accounts, unsolicited calls, mobile banking and electronic banking spaces as well.
For the first time, banks that have been registered as corporate agents in the insurance space for selling policies may be in for a higher rate of penalty over any complaints of mis-selling third party products like insurance policies and mutual fund schemes. That looks fair enough at the outset, but consider the fact that reporting breaches of third party selling and bundling by banks is still a bureaucratic maze nee migraine-inducing challenge for the customer.
No premium on principles
Most banks do not provide a form on their websites or even within branches to facilitate easy registration of mis-selling complaints. Drop-down menus on online banking websites do not consider mis-selling as a problem to be reported at all. This looks likely to continue in the event of RBI's lackadaisical approach to carrying out real-time inspections of banking operations at the counter level, instead, restoring to one futile field study after the other.
Following the amendment, the pecuniary jurisdiction of the ombudsman to pass an award has been doubled from Rs 10 lakh to Rs 20 lakh. The ombudsman has been empowered to award compensation not exceeding Rs 1 lakh for loss of time, expenses incurred and also harassment and mental anguish suffered by the complainant. There is also an option for customers to go in for appeal on closed complaints which wasn't available earlier.
In registering banks as corporate agents in the sale of insurance policies, the apex bank is moving to ensure that customers can lodge complaints against the bank for non-adherence to its instructions and bringing unaddressed areas like bank servers and network data management into its ambit.
Tighter oversight of mis-selling in the mobile banking and electronic spaces as well would open up new battlegrounds for RBI. But this should happen in a phased manner without banks waiting for major incidents which will hamper customer faith in the system. The need for tighter oversight will be paramount.
Banking applications routinely attempt to entice online customers into buying services they don't need at the moment. Online banking help assistants indulge in the same sales spiel as their offline peers behind the bank counters. This is real-time activity oversight which the RBI or its ombudsmen are far from adept at.
Across the panoply of online mis-selling, the banks have diligently tried to address security concerns and transaction speeds, but only when they teeter out of control. The scope for enhancing security in online transactions, -- especially, credit card transactions, and 'salami slicing' or repeated gradual debiting of a bank account by online hackers --, continues to witness rather casual reactions by banks.
Delays or failure to effect online payment of fund transfers and permitting unauthorised electronic payments to hackers are felonies which are slowly penetrating the RBI's ambit for action since the fiascos of 2016. The service provider's liability in cases of wrongful payments caused by security breaches has to be as strong as that of the banking intermediary. The lack of clarity from RBI on this issue would put banking ombudsmen all at sea when confronted with complaints of a Yahoo-style cyber attack (where payment data stored in customer email accounts can be at risk) or the sort of hacking which Union Bank of India witnessed in April this year.
Last year, thousands of telecom users with accounts in major public sector banks noticed amounts between Re 1 and Re 3 being siphoned off their accounts in a hacking which repatriated crores of rupees to unknown hacker accounts overseas. In the past, many banks have neglected to report such an "incident" to RBI as India, -- unlike the US and the European Union where hiding information on cyber incidents can lead to companies being sued as well as penalised --, lacked a law which made reporting of data breaches mandatory.
The RBI made strong noises on this front in February this year by issuing security guidelines and strictly mandating banks to report data breaches within 2-6 hours of their occurrence. However, clear disclosure data of any security breaches since then, root cause analysis and forensic audit reports are as yet unavailable in the public domain.
Dodging the causes
Indian banks still look at security as a bits-and-pieces affair and not a holistic strategy. International norms, including those from the International Organisation of Securities Commissions, the Financial Crimes Enforcement Network and the Financial Action Task Force are rarely adhered to.
In September last year, hundreds of thousands of people got SMSes telling them that they needed to reset the ATM pin for their debit cards. They were also told that the limit on international transactions on their cards was reduced to Rs 7,000. No other information was provided, even though customers of several banks, including the big ones like State Bank of India (SBI), HDFC and ICICI, got these messages. SBI confirmed at least 6 lakh leaks, while the other banks maintained a studious silence.
Debit card transactions on the Internet have lagged since February this year following a blip in January in the aftermath of demonetisation, but could pick up into the next quarter starting July 1 following GST implementation and the requirements under reforms like the RERA.
Security will soon be an obligation, not a banking add-on. Consequently, it appears that the RBI is still not pushing for banking accountability the way it should be -- by quantifying the outcome of customer exposure to the millions of newly issued chip-enabled debit cards; or, checking how ATMs are being made leakproof from hackers so that customer debit card data is protected.
Worries of third party product mis-selling -- offline, online and via unsolicited spam calls --, fears of data theft and account hacking continue to deter customers from making the switch to online transactions.
As much as the danger of being mis-sold products which customers do not need, and the intermittently crashing websites of public sector banks adding to their bandwidth costs, the huge expenses incurred at an annual level in responding to unsolicited calls and coercive SMS messages pushing loan and insurance products need to be tackled at the appropriate RBI financial sub-committee level. More than guidelines thrown at a problem, our dreams of a Digital India need to be addressed through stronger and workable laws. When it comes to mis-selling by banks, let us be guided by binaries.