Purpose limitation and Bank-UID Linking

Why Bank-Aadhaar linking is risky for residents

Srikanth @logic
Jan 22, 2018

Aadhaar Payment Bridge (APB)

The APB is used by the government to transfer subsidies to your account, and is run by the National Payments Corporation of India (NPCI). The Aadhaar Mapper is a key part of this bridge. The Mapper holds the first-level mapping between an Aadhaar number and the bank to which this subsidy will be routed. If you ever dialed *99*99#, this is what you were looking up.

Aadhaar Based Remittance Service (ABRS)

Aadhaar can be used as a financial address to receive funds. Any bank account linked to Aadhaar becomes an Aadhaar-enabled Bank Account, and payments to an Aadhaar number are deemed to be accepted by banks.

Aadhaar Payment Example

Aadhaar-enabled Payment System (AePS)

It is also possible to use an Aadhaar number the way one uses a debit card at an ATM, to perform various transactions like:

  • Cash Deposit
  • Statement Retrieval
  • Fund Transfer

Know Your Customer (KYC) and Money Laundering rules

It is possible to open a bank account entirely through Aadhaar eKYC, and the latest Prevention of Money Laundering Act (PMLA) rules require linking of Aadhaar with bank accounts.

Architecture of Bank-Aadhaar Linking Scams

Bank-Aadhaar linking is a single act that magically enables all the above features: (RX = Receive from, TX = Transmit to)

  • Enabling the linked account to function as a recipient for receiving payments from third parties (RX Others).
  • Enabling the linked account to function for withdrawal and merchant payments (TX All).

  1. Airtel Subsidy routing happened because of RX Govt.
  2. Pension swindling happened because of RX Govt.
  3. Hanuman and ISI Spy happened because of RX Govt.
  4. Frauds happened in two public sector banks because of TX All.

Inorganic seeding

Now that we understand how voluntarily linking Aadhaar to bank accounts enables certain ‘mandatory’ features such as AePS, APB and ABRS, which were central to the scams reported so far, the real icing on the cake is “inorganic seeding”.

Cabinet Secretary note on consent.
Relevant paragraphs pointing out that seeding does not require consent.

Connecting the dots

We have covered a lot of ground so far, but let us reiterate for simplicity.

  1. There is established causation between all the Aadhaar-related scams and these “mandatory features”. Most account holders are unaware of these features.
  2. Through a series of executive orders, the union government practically ordered the banks to perform “inorganic seeding” of bank accounts with Aadhaar numbers, without the consent of account holders, in the process violating the Aadhaar Act 2016, section 8(2).
  3. The Reserve Bank of India, which functions as a banking regulator and also as an ombudsman for managing consumer grievances against erring banks, issued a press release (on a holiday!) stating that banks have to proceed with Aadhaar linking.

Conclusion

It is strange indeed that it always falls upon those who criticise a flawed system to offer suggestions for improvements, but the same standard does not apply to those who create these flaws in the first place. We nevertheless offer the following interim suggestions, pending the resolution of the ongoing challenges to Aadhaar in the Supreme Court of India.

  1. Banks must take separate user consent for enabling each of these features, with appropriate counselling on the risks and benefits involved.
  2. Banks must provide an opt-out mechanism electronically (through their Net Banking or Mobile Banking portals) for these “mandatory features”.
  3. The government and RBI must put out a circular or notification which overrules the “inorganic seeding” policy that is already in force.
  4. Residents who wish to link their bank accounts with their Aadhaar numbers must — at the minimum — be offered a template form like the one shown below. This form lists various purposes, and specifically asks for consent and purpose limitation.
Bank of Baroda Aadhaar linking consent form (archive)
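
Suggestions 1, 2 and 4 above, modelled in Python as an added example (it is not code from any bank or NPCI system): each link records the purposes the account holder consented to, every feature is denied by default, and seeding without consent is refused. The `LinkRegistry` class, its methods, the account labels and the pairing of RX Govt, RX Others and TX All with APB, ABRS and AePS are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):  # assumed pairing of the article's RX/TX labels with features
    RX_GOVT = "receive government transfers (APB)"
    RX_OTHERS = "receive payments from third parties (ABRS)"
    TX_ALL = "withdrawals and merchant payments (AePS)"


@dataclass
class LinkRegistry:
    """Hypothetical bank-side store; not a real NPCI or bank API."""
    consents: dict = field(default_factory=dict)  # (uid, account) -> set of Purpose
    mapper: dict = field(default_factory=dict)    # uid -> account used for RX_GOVT
    audit: list = field(default_factory=list)

    def link(self, uid, account, purposes, holder_consented):
        # Seeding without the holder's consent, or with no stated purpose,
        # is refused instead of silently enabling every feature.
        if not holder_consented or not purposes:
            self.audit.append(("refused", uid, account))
            return False
        self.consents.setdefault((uid, account), set()).update(purposes)
        # The subsidy route changes only on explicit RX_GOVT consent.
        if Purpose.RX_GOVT in purposes:
            self.mapper[uid] = account
        self.audit.append(("linked", uid, account, sorted(p.name for p in purposes)))
        return True

    def opt_out(self, uid, account, purpose):
        self.consents.get((uid, account), set()).discard(purpose)
        if purpose is Purpose.RX_GOVT and self.mapper.get(uid) == account:
            del self.mapper[uid]
        self.audit.append(("opt_out", uid, account, purpose.name))

    def allowed(self, uid, account, purpose):
        # Default deny: a feature works only if consented for this account.
        return purpose in self.consents.get((uid, account), set())


def demo():
    reg = LinkRegistry()
    uid = "XXXX-XXXX-0001"  # constructed placeholder, not a real number
    reg.link(uid, "BANK-A/001", {Purpose.RX_GOVT}, holder_consented=True)
    reg.link(uid, "WALLET-B/777", {Purpose.TX_ALL}, holder_consented=True)
    seeded = reg.link(uid, "BANK-C/042", set(Purpose), holder_consented=False)
    reg.opt_out(uid, "WALLET-B/777", Purpose.TX_ALL)
    return reg, uid, seeded
```

In `demo()`, linking the second account for payments leaves the subsidy route on the first account, and the consent-less third link enables nothing and leaves an audit entry.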

Kaarana

Kaarana (ಕಾರಣ; कारण; reason) is a collection of independent critiques of Aadhaar and digital India

Thanks to Kiran Jonnalagadda and Anand Venkatanarayanan.
