The fault lines of Aadhaar Mapper in digital payments

This article discuss the fault lines of the current Aadhaar Mapper that is maintained by the National Payments Corporation of India (NPCI), and used in various Aadhaar-based payment systems.

For an overview of the role of Aadhaar in digital payments, read this:

Airtel Payments Bank was in the news recently for having received government subsidy deposits on behalf of users who did not even know they had bank accounts with Airtel.

The consent violations that happened here:

  1. Opening of payments bank account without explicit consent, using eKYC.
  2. Updating Aadhaar Mapper to route subsidy deposits to this account. On its part, NPCI specifically demands maintenance of documentary proof of having obtained consent, but technically, there is no audit in place and the process of updating the Mapper is automatic.

Opening accounts with eKYC

Earlier this year, the Department of Telecom mandated that all existing mobile connections must be re-verified with Aadhaar.

This created an opportunity for mobile operators who also hold a payments bank license to increase their customer base.

It is very easy for agents to perform multiple authentications, informing consumers that the first transaction failed, while actually making two successful transactions: one for mobile verification, another for opening a payments bank account.

This enabled them to open a payments bank account through Aadhaar’s eKYC API (“Electronic Know Your Customer”) without explicit informed consent, a design problem of eKYC described in detail by Prof. Verma in his blog.

UIDAI does not provide an Aadhaar dashboard for individuals, and most have been enrolled without any contact information (email or phone), so the average individual has no way to know when this sort of fraud happens. According to UIDAI’s own data, a disproportionately large number of eKYC transactions are by mobile operators who hold payments bank licenses (Airtel and Jio).

This makes one wonder if many more shadow accounts exist against a person’s UID without their knowledge and consent.

Direct Benefit Transfer (DBT) through Aadhaar Payments Bridge

NPCI runs the Aadhaar Payments Bridge System (APBS, sometimes referred to as just APB), which enables transfers between a sponsor bank — a banker to a government ministry that is offering subsidies — and the destination bank — a banker to the subsidy recipient. The destination bank must in turn credit the subsidy to the individual, looking up the account in their internal Core Banking System.

Indian Bank’s UPI App: the “Aadhaar Card” option uses NPCI’s Mapper, while “IIN Aadhaar” routes similar to NEFT’s IFSC + Acc, without using NPCI’s Mapper

Any bank transfer needs two details: an identifier for the bank, and an identifier for the individual account.

In the case of NEFT (National Electronics Funds Transfer), these are the IFSC (Indian Financial System Code) and account number.

In the case of AePS (Aadhaar-enabled Payment System), the bank maintains the mapping between an account number and an Aadhaar number, and NPCI maintains the mapping between an Aadhaar number and the bank where payments need to be made.

However, it is not essential to use this NPCI Mapper if one knows the IIN (Institution Identification Number) of the bank. The option of using IIN while using AePS exists in several apps and Micro ATMs, giving users a choice of which bank they want to send the transfer to (assuming they have an Aadhaar-linked account at that bank).

For Direct Benefit Transfer (subsidy transfers), NPCI prohibits sponsor banks from providing an IIN, and instead forces them to lookup the Mapper database to identify the destination bank. From the APB standard operating procedure:

APB guidelines by NPCI specifically ask sponsor banks to not provide an IIN, meaning beneficiaries can’t choose to direct subsidies to a specific bank account

By making the Mapper compulsory for routing subsidy payments, NPCI gains control over the process:

  1. It gives NPCI a single point for audit and data collection on all government (central and state) subsidy payments.
  2. It gives NPCI the technical ability to block transfers to an account. NPCI has a similar feature in UPI (Unified Payments Interface) and porting it to APBS is trivial.

Together, these are powerful instruments in the hands of a Friend of the State actor who need not be accountable to the public.

Updated Link to UPI Circular 6 — Originally breaking news via this tweet

Also largely unknown to the public, NPCI runs the Aadhaar Overdraft Verification Service (AOVS), enabling the mandate under PMJDY (Prime Minister’s Jan Dhan Yojna) to provide overdraft up to ₹5000 for accounts which have an annual transaction volume below ₹1 lakh (₹100k).

This is part of the government’s financial inclusion mandate enabling micro-credit to PMJDY account holders. The banks receive an implicit guarantee on the overdraft through government subsidy transfers (DBT), so the risk of default is minimal. AOVS provides supporting infrastructure.

AOVS computes average subsidy credit and informs banks. When the beneficiary takes an overdraft, updates to the Aadhaar Mapper are frozen, thereby guaranteeing that the overdraft will be compensated from future subsidy transfers.

Sameer Kochhar also cites that updating of payment bank account on the aadhaar mapper, defeats the purpose of PMJDY as micro-credit / OD facility to the poor through their Jan Dhan accounts is available to only those having only one bank account.

Lack of authenticated dashboard and ability to self-update Mapper

Ideally, individuals holding an Aadhaar number should also own their record in the Aadhaar Mapper, and should be able to choose which of their bank accounts subsidies are transferred to.

In the absence of such a system, banks have the power to update the Mapper without user consent, and can receive the user’s subsidy transfers even if the user would prefer to send them elsewhere.

The very promise of removing intermediaries and making payments directly to citizen is defeated with digital intermediaries now controlling the process.

Traceability and privacy through Aadhaar

Anupam Saraph previously listed multiple hazards of linking banking with Aadhaar. I had for a long time promised him a response. Anupam was primarily concerned with Aadhaar to Aadhaar transactions becoming untraceable. The APB standard operating procedure makes it clear that transactions using the Aadhaar Mapper are indeed traceable for banks.

APB Standard Operating Procedure — NPCI

While transactions are technically traceable, there is a compelling need for an independent regulator (Payments Regulatory Board) and an independent digital auditor (preferably a constitutional authority) overseeing and auditing all critical payment and banking infrastructure operated by government, banks and non-banking financial corporations (NBFCs). In the absence of these institutions and processes being put in place, we are at the mercy of rogue actors in unaccountable private institutions who have the means to perform fraud / benami transactions without being detected.

To summarize, the various shortcomings that led to this situation:

  1. Lack of infrastructure provided by UIDAI to inform an Aadhaar holder about eKYC transactions on their Aadhaar.
  2. Lack of infrastructure provided by NPCI to inform an Aadhaar holder about Mapper updates via notifications (instead of just queries). Similarly, no available infrastructure for an Aadhaar holder to choose where their subsidies are deposited.
  3. NPCI’s role in controlling the flow of government subsidies. NPCI’s stakeholders are banks, not the government or citizens. It has a stakeholder obligation in ensuring overdrafts are guaranteed with subsidy transfers (thereby allowing the Aadhaar Mapper to be frozen), but no corresponding obligation to individual subsidy recipients, who’d like to be in control of where the subsidies are delivered.

NPCI is a private non-profit entity run by a consortium of public and private banks, outside the ambit of the Right to Information (RTI) Act.

NPCI’s use of Aadhaar, and influence over the interests of state, banks and citizens, needs better scrutiny to ensure effective delivery of welfare benefits. Either NPCI must be made transparent under the ambit of RTI, or it can continue to perform its non-profit commercial functions while another government entity takes over projects such as DBT, which need increased transparency and accountability to the public.