Know Your Customer (KYC) is one of the most important tools of the financial services providers (FSPs), especially banks, to verify the identity of the customer and manage and mitigate the risks, including criminal elements or money laundering activities prudently and maintain strong customer trust in the financial institutions.  

Failure to observe KYC is a serious infringement on customer’s rights.

The recent Gelephu case where a woman lost all her savings seems to be a good example of failure to exercise due diligence. KYC was set aside which allowed the criminal to run away with the client’s savings. 

When the Bank of Bhutan launched BoB Connect Agents in 2017, the BoB touted that such facilities are “secure, convenient and hassle-free transactions” which is provided through one-time password (OTP). Probably, the bank did not realize the enormous threats of using such technology if left for OTP as the sole means to allow the transaction. 

A paper published by the International Journal of Engineering Research & Technology revealed that “there are several ways such as Wireless interception, mobile phone Trojans, SIM Swap Attack” through where one can obtain OTP. With the reform in the education system, special focus on computer literacy and the introduction of coding, we may even have many homes grown hackers who may obtain OTP illegally and steal our money.  

Thus, our banks must put in vigorous KYC mechanisms to protect the customers through multilayered security and identification—only a bonafide customer should be able to avail banking services like BoB Connect.

The recent case was not because of the mere loss of mobile phones because of the extent to which the BoB agents failed to follow. It is reported that a person can withdraw a maximum of Nu 10,000 at a time and a total of Nu 595,000 was withdrawn. This means the person was able to complete more than 59 transactions. The fact that despite him being a foreign citizen who came with numerous OTPs belonging to a Bhutanese woman and agents permitted multiple transactions itself shows the magnitude of lack of due diligence and KYC measures. This is a clear failure on the part of FSPs and the bank should reimburse her money back.

Section 144 of the Financial Service Act 2011 mandates the financial service providers to “establish KYC system to identify and verify customers to combat money laundering and the financing of terrorism, a reporting entity.” Failure to do is liable to “any action in damages” arising out of such lapses besides other administrative and criminal sanctions.  

Rule 2.1 of Agent Banking Rules and Regulations 2016, imposes an equal duty on the banks for the failure of their agents when it relates its business.  Further, Rule 3.2.6 of Consumer Protection for Financial Services Rules and Regulations 2019 requires the FSPS to “establish grievance redressal mechanism with appropriate and adequate measures to address consumer grievances” and require FSPs to “publicly display the compensation policy through respective websites.”

At the time of writing this article, none of the FSPs had anything on their websites on such policy.

Financial matters are not only personal affairs but also serve as the lifeline for customers. Considering our small population holding bank accounts, any such news will create distrust in the society on banking services. The Agents Rules imposes equal liability on both the bank and agents in such failure. 

Sonam Tshering

Lawyer, Thimphu

Disclaimer: The views expressed in this article are author’s own.