http://www.moneycontrol.com/news/india/comment-how-aadhaar-and-npci-together-open-the-door-to-major-frauds-and-impersonations-2506669.html

Aadhaar and NPCI have left the door open for major scams to take place

Why was the UIDAI created when the same purposes (even biometric details) could have been achieved using the NPR?

As one begins a scrutiny of the steps that were taken to make Aadhaar possible, one is confronted with secrecy, bypassing of well-established procedures, and adoption of processes that could only cause harm to consumers and the country. In fact, many of the processes appear to make money laundering and even impersonation and financial fraud easier.

But to understand how such serious consequences could take place, one must first look into the manner in which two major players associated with Aadhaar, UIDAI and NPCI, came into existence.

Let’s begin with UIDAI (Unique Identification Authority of India).  Since it was concerned with “identification”, aimed at providing each Indian an identity akin to a citizenship paper, one would have assumed that it was always in sync with the National Population Register (NPR) guidelines (http://censusindia.gov.in/2011-Common/IntroductionToNpr.html).

The NPR itself is “a Register of usual residents of the country”. It has a well-established procedure at identifying who is the person who should be considered a citizen of India and then entering his/her name on the citizenship rolls.

It talks about “being prepared at the local (Village/sub-Town), sub-District, District, State and National level under provisions of the Citizenship Act 1955 and the Citizenship (Registration of Citizens and issue of National Identity Cards) Rules, 2003.” It is mandatory for every usual resident of India to get registered in the NPR. A usual resident is defined for the purposes of NPR as a person who has resided in a local area for the past 6 months or more or a person who intends to reside in that area for the next 6 months or more. Its objective is “to create a comprehensive identity database of every usual resident in the country. The database would contain demographic as well as biometric particulars.”

This raises one question– why was the UIDAI created when the same purposes (even biometric details) could have been achieved using the NPR?  And why were the time-tested processes of the NPR cast aside? Nobody has the answer.  It could be unwillingness, complicity, or sheer ineptness.

The UIDAI was born on 28 January, 2009 (during the Manmohan Singh regime) through a gazette notification. It was not formed through any Act of Parliament.  It was formed as an attached office of the then Planning Commission (now NITI Aayog. Then on 12 July 2016 (under the Modi government), it gained more legitimacy and became a statutory authority established under the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act 2016”) under the Ministry of Electronics and Information Technology (MeitY) whose minister is Ravi Shankar Prasad.

True, UIDAI was created with the objective to issue Unique Identification numbers (UID), named as “Aadhaar”, to all residents of India., As the UIDAI website explains, the system had to be (a) robust enough to eliminate duplicate and fake identities, and (b) one that can be verified and authenticated in an easy, cost-effective way. The website goes on to add that the first UID number was issued on 29 September 2010 to a resident of Nandurbar, Maharashtra. The Authority has so far, according to the website which was viewed on 10 February 2018, issued more than 111 crore (1.11 billion) Aadhaar numbers to the residents of India. – (website viewed on 10 February 2018).

But the question remains – Why create the UIDAI when NPR had already been given the mandate for this activity?  Clearly, both the Modi and Manmohan Singh government saw some reason to promote UIDAI.  Those reasons have not been spelt out.

Moreover, there are fears that half a billion (out of 1.1 billion) Aadhaar cards issued till February this year could be suspect (Read the Moneycontrol article here). The numbers arise from the statement by Union minister Ravi Shankar Prasad on 10 April 2017, and widely reported in the media, that as many as 34,000 Aadhaar registration agencies have been blacklisted.  Experts believe that assuming 50 people at each of these centres for 365 days a year, the numbers registered could easily exceed half a billion. Further, just a few days ago, UIDAI announced its plans of severing its relations with CSC e-Governance Services India Limited. Around 180 million Aadhaar registrations had been done by CSC (some put this number at 260 million).

NPCI enters the picture

The waters get even more muddied when we look at NPCI (National Payments Corporation of India).

First, contrary to what NPCI states on its website (that it is an initiative of Reserve Bank of India (RBI) and Indian Banks’ Association (IBA)) this organisation too was neither created through an Act of Parliament, nor the RBI.  All of a sudden, ten core banks decided to come together and form a Section 25 (non-profit) company.  As NPCI’s website explains, the ten core promoter banks are State Bank of India, Punjab National Bank, Canara Bank, Bank of Baroda, Union Bank of India, Bank of India, ICICI Bank, HDFC Bank, Citibank N. A. and HSBC. In 2016 the shareholding was broad-based to 56 member banks to include more banks representing all sectors. (website viewed on 10 February 2018).

The shareholding pattern itself raises a conflict of interest issue.  Can a body which has been formed by bank shareholders have the interests of consumers or of the banks at heart?

Curiously, little on NPCI’s website gives details about the manner in which it was formed. Nor are there any press releases prior to 2016 on its website.  But in a press release of January 9, 2016  (No.111/09-01-2016) NPCI states that it  “was set up in 2009 as the central infrastructure for various retail payment systems in India and was envisaged by the Reserve Bank of India’s Department of Payment and Settlement Systems (DPSS)  as the payment utility for all banks in the country.”

Where controversies begin

One of the first MoUs that both UIDAI and NPCI signed was with each other. It was signed on 6 January, 2011. The MoU makes no reference to the RBI. It must be remembered that the earliest reference to NPCI (by V Leeladhar, Deputy Governor, RBI on August 1, 2008 in Mumbai) stated that, “The Indian Banks Association set up a Working Group which examined this issue and suggested the modalities for setting up this organisation. This organisation to be known as the National Payments Corporation of India (NPCI) will be an entity registered under the Companies Act and will be owned by banks and financial institutions.  NPCI will be a Section 25 company, which will not distribute its profits as dividend, but will plough it back for the improvement and expanding the reach of the retail payment systems. The ownership of the company will be suitably diverse with no bank or group of banks having shareholding exceeding 10 % of the total shareholding. The Payment and Settlement Systems Act 2007 has laid down that such not less than 51% of the equity of this company will be held by public sector banks. The work relating to the setting up of NPCI is in progress.”

Obviously, till the MoU was entered into, NPCI was not meant to be an Aadhaar based system.  Somewhere, somehow, NPCI became an organisation committed to promoting the interests of Aadhaar, throwing to the winds conventional norms of banking transactions. NPCI’s management refused to be interviewed and did not reply to questions sent to it by email.

At the heart of this entire relationship is the Aadhaar number – which as this author has pointed out merely authenticates but does not identify.  And the processes followed lead one to believe that there are flaws in at least one-third of the Aadhaar numbers registered.

The other core issue is the underlying payment mechanism that all NPCI producers use. It is called the Aadhaar Payment Bridge (APB) and a good description of this is given in the FAQ document given to banks.

The most significant points are (quoted verbatim from the NPCI document:

1. It is a unique payment system implemented by National Payments Corporation of India (NPCI), which “uses Aadhaar number as a central key for electronically channelizing the Government subsidies and benefits in the Aadhaar Enabled Bank Accounts (AEBA) of the intended beneficiaries”.
2. It is a payment system based on Aadhaar numbers issued by UIDAI & IIN (Institution Identification Number) issued by NPCI. APB System is used by the Government Departments and Agencies for the transfer of benefits and subsidies under Direct Benefit Transfer (DBT) scheme launched by Government of India.
3. In case of change in bank account, a customer is not required to convey the bank account details or change in bank details to the Government Department or Agency. Customer just needs to open one account and seed his/her Aadhaar number in the bank account to start receiving benefits and subsidies directly into his/her Aadhaar Enabled Bank Account.
4. NPCI mapper acts as a repository of the Aadhaar numbers along with the IIN to which the Aadhaar number is mapped. The APB System routes the transaction to the bank against whose IIN the Aadhaar number is mapped. is not necessary for the sponsor bank to send the IIN for each Aadhaar number in the input file.  Aadhaar numbers along with the IIN of the bank are required to be stored in NPCI mapper to identify the destination bank for routing the benefits and subsidies to the intended beneficiaries. NPCI does not maintain bank account details of the customers like account number, IFS code and branch address etc. of the customer in NPCI mapper. In case, a customer seeds his/her Aadhaar number in multiple bank accounts, the previous mapping if any in the NPCI mapper, gets overwritten by the fresh seeding of the Aadhaar number. The customer Aadhaar number will get mapped in NPCI mapper to the bank in which he/she has given the Aadhaar number at the last. NPCI mapper uses the latest IIN of the bank in which the customer has seeded his/her Aadhaar number to transfer benefits and subsidies in his/her bank account.
5. NPCI does not provide direct facility to the bank customers or LPG consumers to check the Aadhaar number mapping status in NPCI mapper. However, LPG consumers can check their Aadhaar number mapping status in NPCI mapper by visiting the transparency portal of the respective OMCs (Oil Marketing Companies) website. NPCI is providing Aadhaar Lookup facility to the banks and Government Departments to know the status of Aadhaar numbers mapped in NPCI mapper in the form of Active, Inactive, Invalid or Not resent in NPCI mapper. For more information on Aadhaar Lookup facility, banks may  efer circular No. 6 on NPCI website under this link.

Crucial flaws

There are some crucially important things to be noted in the above notes.

First, NPCI offers transactions between the government and an Aadhaar number. All its payments are made to an Aadhaar number, not to an account. Unlike normal banking transactions where the amount goes to an account number, the government seeks to send the money to an Aadhaar number, which has only been authenticated, not identified.

Second, transactions can be made between one Aadhaar number and another.  But NPCI does not maintain details of account numbers or balances.

Third, a new account opened by a person “overwrites” the older account number.  This means that all details of transactions done between parties using an earlier account number are lost because the account number has been overwritten.

Unlike the current protocol adopted by NEFT by banks where the money is transferred from an account to another account, the new system dispenses with an existing, safer and trackable NEFT and chooses an APB which does not keep track of past account numbers, and does not maintain a list of transacrtions or balances.

Thus any financial dispute would mean that the customer does not have a transaction ID with which he can approach the bank.  The bank will merely shrug off the complainant directing him to NPCI. But NPCI does not keep details of accounts, especially if they are over several transactions involving different accounts but belonging to the same Aadhaar number.

Thus you have a flawed Aadhaar number based on authentication, not identification.  You have a financial transaction protocol that dispenses with records of bank numbers, and you have a system where the new number overwrites the older number.

Combine both the problems and you have a perfect system for fraud, for money laundering and for financial transactions that cannot be tracked or traced.

In conclusion

The need for a national identity card is critically important.  You need a social security number.  But when you dispense with processes relating to identification and traceability of financial transactions, the system is prone to gross abuse.

There is no sense in locking the stable doors after the horse has bolted.

=====================================

NPCI spawns a brood

Under the Milestones tab, you learn that in January 2010 it set up the NFS, the National Financial Switch Over for ATM systems.

In November 2010, it launched the IMPS (Immediate Payment Service) which is  “for transferring funds real time and 24 x 7 x 365 interbank [that] was a major challenge faced in banking industry.

January 2011 saw it launch AePS “bank led model which allows online interoperable financial inclusion transaction at PoS (MicroATM) through the Business correspondent of any bank using the Aadhaar authentication(https://www.npci.org.in/product-overview/aeps-product-overview).

In April 2011, CTS (the Cheque Truncated System) was launched. In March came the RuPay “a new card payment scheme . . . . . to fulfill RBI’s vision to offer a domestic, open-loop, multilateral system which will allow all Indian banks and financial institutions in India to participate in electronic payments”.

December 2012 brought in NACH a web based solution to facilitate interbank, high volume, electronic transactions which are repetitive and periodic in nature.  August 2014 saw NPCI launch its *99# service “a common number across all Telecom Service Providers (TSPs)” on their mobile phone and transact through an interactive menu displayed on the mobile screen.

In 2016, four more products were launched and April saw the introduction of the Unified Payments Interface (UPI) with member banks . August saw the release of Bharat BillPay, an  “RBI conceptualised system, a one-stop payment platform for all bills providing an interoperable and accessible Anytime-Anywhere bill payment service to all customers across India”. And December saw the launch of  NETC for which details are not known. In the same month came BHIM – “Bharat Interface for Money, a mobile app that lets you make simple, easy and quick payment transactions using Unified Payments Interface (UPI)”

In March 2017, NPCI  launched Bharat QR which it developed jointly with ICS (International Card Schemes), a common standard QR code specification). Merchants can display these QR codes at their premises and customers can pay through their card linked account / VPA / IFSC + Account / Aadhaar by scanning these QR codes.