Is this process an inadequacy or a fraud?
Gopal Singh
Experienced InfoSec Governance, Risk, and Compliance Professional | Engineering Graduate | MSc in Cyber Law & InfoSec | ISO 27001 Lead Auditor | CEH Certified | Professional Certificate in Treasury and Risk Management
I came across a recent personal data protection incident involving someone I know. Below is the sequence of events:
1. My acquaintance, hereinafter referred to as Mr. X, joins an organization around November-December 2024.
2. During the organization's induction, Mr. X learns about a well-known, lucrative credit card offer and the opportunity to apply. The credit card service provider seems to be partnered with the organization Mr. X joined.
3. Mr. X decides to proceed with the application because of the trusted brand name association and the expected good service. The card was offered as a lifetime free card. Mr. X follows the instructions received via mobile and email; these are the contact details Mr. X had given during the initial application for the credit card.
4. Mr. X visits the site and fills out the application by clicking "Apply Now."
5. Mr. X is asked to provide a contact number, followed by an OTP, to authenticate the applicant's number.
6. Mr. X receives a registration link on his smartphone, where the following details are updated:
A. PAN
B. First name and last name
C. Date of birth
D. Gender
E. Pin code
F. Occupation details
G. Company name
H. Personal email
I. Based on eligibility criteria, the application confirms that Mr. X is eligible for a credit limit of ₹3,20,000.
J. Delivery address or permanent residential address
K. Application verification using Aadhaar authentication
L. Mr. X is asked to accept an Aadhaar consent form online, which he accepts to proceed
M. eKYC OTP using Aadhaar authentication by providing the Aadhaar number
N. OTP received on the Aadhaar-registered number and validated in the online application by Mr. X
7. Mr. X's CIBIL score was accessed by the bank.
8. After two to three days, Mr. X continues to receive reminders via SMS, WhatsApp, and email to complete the pending application.
9. Mr. X receives a video KYC link to complete the video KYC or eKYC process.
10. Mr. X clicks on the link to initiate a video call and connects with the service provider's executive.
11. To ensure a smooth process, Mr. X is provided with instructions, such as enabling browser permissions for location, camera, microphone, etc., which were enabled before the video call.
12. Mr. X initiates an internet-based call using the customized link provided by the service provider, connects with the executive, and follows the instructions.
13. During this call, Mr. X shares information, including the PAN card (front and back) on camera, which was recorded and screen-captured by the service provider's executive. A signature on a blank piece of paper is also recorded and screen-captured by the executive. Real-time images are captured and recorded.
14. Mr. X cooperates with the executive, and it is confirmed that the process is complete.
15. Despite completing the process, Mr. X continues to receive SMS notifications stating that his KYC is pending. He asks for clarification on the procedural steps and requests any process documentation for reference, if available.
16. After some time, Mr. X receives an email from the service provider stating that his application was rejected due to "considerations in line with the bank's internal credit policy (based on a combination of financial and related criteria and/or statistically determined scores to assess credit eligibility) and operating/credit processes (which include verifications, credit bureau reports, and document verifications)."
17. Mr. X is okay with the email confirmation and notes the poor process he experienced.
18. In a surprising turn, Mr. X receives two rejection emails from two domains of the bank: one from bankname.com (TLS-secured) and another from bankname.net. Upon checking, Mr. X finds that bankname.com is registered under the bank's name, while bankname.net is not. It was also observed that when accessing bankname.net, it redirects to bankname.com. This confirms that a redirection is set up, but the ownership remains unclear.
19. In another surprising event, despite the rejection, Mr. X receives a call from a number ending in +91*****77767 asking for KYC and wanting to meet in person to complete the KYC process. Mr. X, assuming this number belongs to a third-party agent, informs the caller that a grievance filing is in progress and asks to close the KYC request.
20. Now, Mr. X only wants his data to be deleted from the bank and its associates' custody to prevent further misuse and circulation.
21. Mr. X plans to reach the bank's privacy office, followed by the regulator, if the bank does not address the issue.
22. To address Mr. X's concern and contact the bank's privacy office, Mr. X needs to fill out a form requesting details such as full name, registered mobile number, identity proof, name on PAN, PAN number, date of birth, other document details, date, and signature.
23. Mr. X has a few unanswered questions:
Question 1 - Was Mr. X eligible to know the full process during the application?
Question 2 - Since Mr. X was a prospective customer and not an existing customer of the bank, will his privacy concern be addressed by the bank?
Question 3 - What was the motivation of the bank to collect Mr. X's personal data?
Question 4 - Why is a third party still calling Mr. X for in-person KYC when it was originally stated to be an eKYC process?
Question 5 - Will Mr. X ever receive spam or phishing emails, or unsolicited or targeted calls and SMS?
Question 6 - Is this process inadequate or fraudulent?
Hope to see justice. Your sincere Netizen, Mr. X.
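A recipient-side check for the two-domain situation in step 18, added here as an illustration and not part of the original post: it reads each mail's Authentication-Results header, checks the SPF/DKIM/DMARC verdicts and DKIM alignment with the From domain, and then separately asks whether that From domain is one the recipient has confirmed belongs to the bank. The sample messages, the domains and the confirmed-domain set are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (placeholder domains, not real messages), modelled
# on the two rejection e-mails in the post: one from the bank's registered
# domain and one from a .net domain whose ownership could not be confirmed.
MAIL_COM = """From: Cards Team <noreply@bankname.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bankname.com;
 dkim=pass header.d=bankname.com; dmarc=pass header.from=bankname.com

Your application has been rejected.
"""
MAIL_NET = MAIL_COM.replace("bankname.com", "bankname.net")

# Domains the recipient has confirmed belong to the bank through a channel other
# than the e-mail itself (card agreement, WHOIS, the bank's own site). Assumed set.
KNOWN_BANK_DOMAINS = {"bankname.com"}

def parse_auth_results(msg):
    """Pull spf/dkim/dmarc verdicts and the DKIM signing domain (header.d)."""
    hdr = msg.get("Authentication-Results", "")
    out = {m: r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}
    m = re.search(r"header\.d=([\w.-]+)", hdr)
    if m:
        out["dkim_d"] = m.group(1).lower()
    return out

def assess(raw, known=KNOWN_BANK_DOMAINS):
    """Return (verdict, reasons): 'verified', 'unverified-sender' or 'failed-auth'."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(msg)
    reasons = []
    if ar.get("dmarc") != "pass":
        reasons.append("DMARC did not pass for %s" % from_dom)
    if ar.get("dkim_d") and ar["dkim_d"] != from_dom:
        reasons.append("DKIM domain %s is not aligned with From" % ar["dkim_d"])
    if reasons:
        return "failed-auth", reasons
    if from_dom not in known:
        # Passing SPF/DKIM/DMARC only proves control of from_dom; it says nothing
        # about whether the bank owns that domain, which is the post's open question.
        return "unverified-sender", ["%s is not a confirmed bank domain" % from_dom]
    return "verified", []

if __name__ == "__main__":
    for name, raw in (("bankname.com", MAIL_COM), ("bankname.net", MAIL_NET)):
        print(name, *assess(raw))
```

The point the .net case makes is that a clean DMARC pass is not evidence of who the sender is; only an independently confirmed domain list settles that.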