Purpose limitation and Bank-UID Linking

Why Bank-Aadhaar linking is risky for residents

Co-authored by Anand Venkatanarayanan

First, the official statement that “Bank-Aadhaar linking will prevent frauds and will enable fraudsters to be traced”, by Ajay Bhushan Pandey:

And then a few stories on how the very linking of Aadhaar to bank accounts enabled a few innovative scams, some of which were not traceable.

What is the truth behind the claims and the counter claims? This article attempts to explain why linking your bank account with Aadhaar is risky as of today. Before we delve deeper, here are a few necessary concepts:

Aadhaar Payment Bridge (APB)

The APB is used by the government to transfer subsidies to your account, and is run by the National Payments Corporation of India (NPCI). The Aadhaar Mapper is a key part of this bridge. The Mapper holds the first-level mapping between an Aadhaar number and the bank to which this subsidy will be routed. If you ever dialed *99*99#, this is what you were looking up.

Aadhaar Based Remittance Service (ABRS)

Aadhaar can be used as a financial address to receive funds. Any bank account linked to Aadhaar becomes an Aadhaar-enabled Bank Account, and payments to an Aadhaar number are deemed to be accepted by banks.

This is slightly different from APB because it allows third parties, and not just the government, to use the Aadhaar number as a financial identifier. An example of this is the “Pay to Aadhaar” feature in the BHIM UPI app.

Aadhaar Payment Example

Aadhaar-enabled Payment System (AePS)

It is also possible to use an Aadhaar number as one uses a Debit card in an ATM, to perform various transactions like:

  • Cash Withdrawal
  • Cash Deposit
  • Statement Retrieval
  • Fund Transfer

In this case, rather than a physical debit card, this is done with a Point of Sale machine (PoS) with an inbuilt or attached fingerprint scanner, a so-called “Micro ATM” operated by a Banking Correspondent (BC).

Merchant transactions through Aadhaar Pay or BHIM Aadhaar Pay are also possible with AePS.

Know Your Customer (KYC) and Money Laundering rules

It is possible to open a bank account entirely through Aadhaar eKYC, and the latest Prevention of Money Laundering Act (PMLA) rules require linking of Aadhaar with bank accounts.

With these out of the way, we can finally delve into the real reasons why Bank-Aadhaar linking is currently a risk to the resident.

Architecture of Bank-Aadhaar Linking Scams

Bank-Aadhaar linking is a single act that magically enables all the above features: (RX = Receive from, TX = Transmit to)

  • Enabling the linked account to function as a recipient for receiving subsidies and other government transfers (RX Govt).
  • Enabling the linked account to function as a recipient for receiving payments from third parties (RX Others).
  • Enabling the linked account to function for withdrawal and merchant payments (TX all).

This breaks consent and the purpose-limitation principle because most people who linked their bank accounts to Aadhaar were unaware of all this being enabled.

Now let us re-examine the various banking frauds that were reported so far and examine which one of the above features contributed to the frauds.

  1. Aadhaar seeding scam (link) happened because of TX All.
  2. Airtel Subsidy routing (link) happened because of RX Govt.
  3. Pension swindling (link) happened because of RX Govt.
  4. Hanuman and ISI Spy (link) happened because of RX Govt.
  5. Frauds happened in two public sector banks (link) because of TX All.

Quote:

It is not clear how the money was fraudulently withdrawn from the customers’ accounts using the customers’ Aadhaar number. “It is possible that the funds were withdrawn using the Aadhaar Enabled Payment System (AEPS) from these bank accounts without the knowledge of the account holder,” said a banker at another bank, asking not to be named.

And we have not even covered the standard phishing attacks which manage to extract an OTP through social engineering, which even Members of Parliament fall for.

Inorganic seeding

Now that we understand how voluntarily linking Aadhaar to bank accounts can enable certain ‘mandatory’ features such as AePS, APB and ABRS, which were central to the reported scams so far, the real icing on the cake is “inorganic seeding”.

In March 2016, The Economic Times published an article reporting that all government welfare schemes are on track to be linked with Direct Benefit Transfer (DBT). The last paragraph is clear that explicit consent is not required for bank account seeding.

A panel of secretaries headed by cabinet secretary has suggested that instead of waiting for beneficiaries to visit a bank branch to give consent for seeding their accounts with Aadhaar, and if the consent of the beneficiaries for use of Aadhaar has already been obtained, any further consent may not be insisted upon and data provided by government agencies to the bank be used to seed PMJDY accounts.

There also exists a Cabinet Secretary note from November 2015, which further makes this explicit.

Cabinet Secretary note on consent.

The above note is just a restatement and emphasis of the “no explicit consent” policy from 2012, which predated the Aadhaar Act 2016 (Department Order 6/23/2012-FI, available on archive.org).

Relevant paragraphs pointing out Seeding does not require consent.

Connecting the dots

We have covered a lot of ground so far, but let us reiterate for simplicity.

  1. Linking Aadhaar with bank accounts enables a whole set of “mandatory features”, which most holders are not even aware of.
  2. There is established causation between all the Aadhaar related scams and these “mandatory features”. Most account holders are unaware of these features.
  3. Through a series of executive orders, the union government practically ordered the banks to perform “inorganic seeding” of bank accounts with Aadhaar numbers, without the consent of account holders, in the process violating the Aadhaar Act 2016, section 8(2).
  4. The Reserve Bank of India, which functions as a banking regulator and also as an ombudsman for managing consumer grievances against erring banks, issues a press release (on a holiday!) that banks have to proceed with Aadhaar linking.
  5. The UIDAI puts out a FAQ as shown below.

We will now leave it to readers to make up their minds on the risks of linking their bank accounts with Aadhaar, when our readers very well know the capability of our institutions to handle complaints on fraudulent transactions.

Conclusion

It is strange indeed that it always falls upon those who criticise a flawed system to offer suggestions for improvements, but the same standard does not apply for those who create these flaws in the first place. We nevertheless offer the following interim suggestions, pending the resolution of the ongoing challenges to Aadhaar in the Supreme Court of India.

  1. Banks should not automatically enable all these additional “mandatory features” when an Aadhaar number is linked.
  2. They must take separate user consent for enabling each of these features, with appropriate counselling on the risks and benefits involved.
  3. They must provide an opt-out mechanism electronically (through their Net Banking or Mobile Banking portals) for these “mandatory features”.
  4. The government and RBI must put out a circular or notification which overrules the “inorganic seeding” policy that is already in force.
  5. Residents who wish to link their bank accounts with their Aadhaar numbers must — at the minimum — be offered a template form like the one shown below. This form lists various purposes, and specifically asks for consent and purpose limitation.
Bank of Baroda Aadhaar linking consent form (archive)

Meanwhile we advise residents to call up their bank manager and request opt out of these “mandatory features”, even if they have linked their bank accounts with their Aadhaar number (either voluntarily or via inorganic seeding).
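To make suggestions 1 to 3 concrete, here is a small model of the difference between the all-or-nothing linking described in the architecture section and per-purpose consent with opt-out. It is an added illustration, not code from any bank, NPCI or UIDAI system; the operation names, the `source` labels and the class layout are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    RX_GOVT = "APB: subsidies and other government transfers"
    RX_OTHERS = "ABRS: payments from third parties"
    TX_ALL = "AePS: withdrawals and merchant payments"


# Hypothetical operation names, each mapped to the one purpose it needs.
REQUIRED = {
    "apb_credit": Purpose.RX_GOVT,
    "abrs_credit": Purpose.RX_OTHERS,
    "aeps_withdrawal": Purpose.TX_ALL,
    "aeps_merchant_pay": Purpose.TX_ALL,
}


@dataclass
class Account:
    linked: bool = False
    consents: set = field(default_factory=set)  # purposes explicitly granted
    audit: list = field(default_factory=list)   # (event, purpose, source)

    def link(self, source):
        # Linking records the Aadhaar number only; it grants no purpose.
        self.linked = True
        self.audit.append(("link", None, source))

    def grant(self, purpose, source):
        # Consent is accepted from the holder only, never from bulk seeding.
        if source != "holder":
            raise PermissionError("consent must come from the account holder")
        self.consents.add(purpose)
        self.audit.append(("grant", purpose, source))

    def opt_out(self, purpose):
        self.consents.discard(purpose)
        self.audit.append(("opt_out", purpose, "holder"))


def allowed_on_link(acct, op):
    """Behaviour the article describes: linking alone enables every feature."""
    return acct.linked and op in REQUIRED

def allowed_by_purpose(acct, op):
    """Default deny: each operation needs its own recorded consent."""
    return acct.linked and REQUIRED.get(op) in acct.consents
```

Under `allowed_by_purpose`, an inorganically seeded account can receive or send nothing through Aadhaar until the holder grants a specific purpose, and a holder who consented only to subsidy credits (RX Govt) is not exposed to AePS withdrawals (TX all).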