English हिंदी मराठी ‫اردو‬ ABOUT US SUPPORT US LOGIN

POLITICS ECONOMY WORLD SECURITY LAW SCIENCE SOCIETY CULTURE

BANKING

Aadhaar Mess: How Airtel Pulled Off Its Rs 190 Crore Magic Trick
LPG subsidy payments worth Rs 190 crore was allegedly routed to over 30 lakh Airtel payment bank accounts, with some of the accounts even having
been opened without informed user consent. How did this happen?

BANKING TECH 21/DEC/2017

Anand Venkatanarayanan and

Srikanth Lakshmanan

While Airtel has been censured, the Centre, UIDAI and NPCI all need to shoulder some of the blame. Credit: PTI,
The Wire.

On December 16, 2017, the Unique Identification Authority of India (UIDAI) temporarily
suspended the eKYC (electronic know your customer) licence of Airtel Payments Bank for
allegedly opening bank accounts and force-seeding them with Aadhaar numbers without
obtaining the informed consent of the customers in question.

An eKYC licence is what allows third-parties like a bank or a telecom company to verify the
personal details of an Aadhaar holder as a means of complying with ‘know-your-customer ‘
regulations.

A couple of days after that, PTI reported that UIDAI imposed a fine of Rs 2.5 crore on Airtel
for allegedly opening payment bank accounts for its mobile subscribers without consent. The
report also notes that Airtel routed the LPG subsidies of 31 lakh users (payments worth Rs 190
crore) to their Airtel payment bank accounts instead of the beneficiaries’ original bank
accounts.

Simply put, although Airtel is yet to publicly confirm or acknowledge this, it appears that a
certain amount of Airtel mobile subscribers who were receiving LPG subsidy payments
stopped getting them in their existing bank accounts and instead started receiving them in their
Airtel payment bank accounts – which they had no knowledge of creating.

Complaints that had piled up over the last few months, both to the UIDAI and oil ministry,
prompted the former to even issue issue a gazette notification outlining the process needs to be
followed by banks for receiving subsidy payments in their bank account.

How did we get here? Although Airtel has been censured, there are at least four actors who
should assume some amount of responsibility for what has happened.

One, the Centre, which pushed ahead with its direct benefit transfer scheme and mandated the
Aadhaar-based re-verification of mobile phone subscribers. Two, the National Payment
Corporation of India (NPCI), which is responsible for handling payment and settlement
systems.

Three, the UIDAI which created the eKYC framework. And finally, Airtel, which exploited
holes in the above systems to route LPG subsidies to bank accounts that were allegedly
created without user consent.

DBT regime

Streamlining welfare delivery through a direct benefit transfer (DBT) programmes, where
cash is directly transferred to a beneficiary’s bank account, has been a crucial component of
Indian government welfare policy since 2013.

For instance, consider how subsidies for LPG were handled before the introduction of DBT.
Residents paid the subsidised price to oil marketing companies (OMCs), while the government
paid the subsidy to the OMCs.

In the DBT regime, residents paid full market price for cylinders to the OMCs, while the
government paid the subsidy directly to the bank accounts of the residents.

Watch: T.M. Krishna On Aadhaar And The Story Behind ‘Privacy Matters’

Before the DBT model could work though, it had significant hurdles to cross. First off, not
every resident who receives a subsidy may have a bank account. Banks were also not very
enthusiastic about opening accounts that would be mostly zero balance, which would be a
drain on their resources. The solution for this was the Pradhan Mantri Jan Dhan Yojana
scheme, which allowed creation of zero balance bank accounts to which the subsidy would be
deposited.

A further refinement of the DBT regime happened when Aadhaar became ubiquitous and
started acting as a financial identifier. This not only improved how the Centre could keep track
of the actual person receiving the subsidy, but also eliminated the need for a specific
government department to keep track of the bank account details of the beneficiary.

But how would the money reach the beneficiary’s bank account, if subsidy payments were
only made to an Aadhaar number?

NPCI and Aadhaar Payment Bridge (APB)

Enter the Aadhaar Payment Bridge (APB). Operated by the NPCI, the purpose of the APB was
to facilitate transfer of the bulk government subsidies to a bank account via a beneficiary’s
Aadhaar number.

How does the the bridge acquire the bank account details of the Aadhaar holders? This is
accomplished through “seeding” of an Aadhaar number to an account. Once seeded, the bank
then creates an entry in the APB, which contains the account number and branch code against
the Aadhaar number.

A specific example can help illuminate this process.

1. Suppose Ashok Kumar’s Aadhaar number is 1234-5678-1234*

2. His LPG ID is 3-000-1234-1234, which is then linked to his Aadhaar number.
3. Ashok Kumar then gives his Aadhaar number to his bank, the State Bank of India,
which attaches it to his bank account number as an identifier.
4. The State Bank of India then goes to the payment bridge and records that Ashok
Kumar’s account is linked to his specific Aadhaar number.
5. When the LPG subsidy is paid, it’s paid to Ashok Kumar’s Aadhaar number 1234-
5678-1234.
6. The payment bridge then routes this payment to SBI bank, against that specific
Aadhaar number.
7. State Bank of India then credits Ashok Kumar’s account by checking its customer
database to find the account linked with his specific Aadhaar number (1234-5678-
1234).

The Rs 190-crore question when it comes to the Airtel fiasco is: What happens when Ashok
Kumar has more than one bank account? Suppose he has one with State Bank of India and
another with ICICI?

Documentation put out by the NPCI, the nodal government agency responsible for
maintaining the Aadhaar payment bridge, clearly states that all payment subsidies will be
routed to the last bank account that was seeded with Aadhaar. From Page 6:

If two different banks seed the same Aadhaar number to the account of the customer in
their respective banks and NPCI, the bank seeding with the latest mandate date will be
mapped in the NPCI mapper and all the subsidies will be routed to that bank only.

This means that if Ashok Kumar first seeded his State Bank of India account with his Aadhaar
number, but then later willingly did it with his ICICI account, the subsidy payment would be
routed to ICICI.

Now, does this mean every single time an Aadhaar number is seeded into a bank account, it
will automatically override the entry in the payment bridge? Not at all.

Multiple circulars from NPCI, the nodal agency responsible for maintaining the payment
bridge, specify that explicit user consent must be taken for overriding the entry (circular
numbers 158, 251, 259) and this has also been emphasised further in the documentation (Page
3):

Under no circumstances the Aadhaar number submitted as a part of KYC be seeded in

NPCI mapper. The seeding should only be subject to explicit request from customer for
receiving the Aadhaar based payments and also subject to submission of written consent
(mandate) by the customer.

If the NPCI had been quite clear about it’s instructions, how did the Airtel payment bank
incident happen at all? Simply put, NPCI isn’t a regulator and its directions don’t come with
the statutory force of law like the Reserve Bank of India (RBI). In other words, it can easily be
ignored by the Indian banking system in general and the Airtel Payment Bank in particular.

Men make phone calls as they sit on a railing with Bharti Airtel billboards installed on it, along a sidewalk in
Kolkata February 1, 2013. Credit: Reuters/Rupak De Chowdhuri/Files

Aadhaar eKYC

The next part of the puzzle is understanding why Airtel needs an eKYC licence in the first
pace. Simply put, it has now become mandatory for customers looking to apply for a new SIM
card.

When customers want a new number, government regulations require that the telephone
company ascertain that the person is really who they say they are. This is where Aadhaar
eKYC enters the picture.

Using Aadhaar eKYC to authenticate a transaction is inherently problematic. For instance,

using fingerprints in offline, physical transactions, say when one puts their thumbprint on a
physical sale deed, the fingerprint is bound to the document. In the Aadhaar eKYC model,
when getting a SIM card, a customer’s thumb is put on a fingerprint device and not on the
document that specifies the transaction details.

This, in theory, could allow the party that records the thumbprint on the device to later claim
that the authentication was carried out for an altogether different purpose. A useful analogy is
to think of Aadhaar eKYC as being similar to signing a blank sheet of paper on which the
other party could theoretically write whatever it wants.

Airtel and its payment bank

The final piece of the puzzle is Airtel itself. At last count, it had a subscriber base of around
28.20 crore. However, the number of eKYC transactions done by Bharti Airtel as a telecom
provider is nearly three times that amount, clocking in a total of 83.8 crore transactions.

What explains this? Two possible conclusions, with the former far more likely to be true than
the latter.

1. The rate of failure when it comes to eKYC transactions is 67% (two in three
attempts fail).
2. Airtel has more than 28.20 crore subscribers.

Now, if Airtel wanted to open a payment bank account for a customer without his or her
consent how would that happen? The failure rate offers a theoretical opportunity for an Airtel
representative, looking to open ‘X’ number of payment bank accounts, to game the Aadhaar
eKYC system. When Ashok Kumar authenticates successfully the first time, the representative
could falsely claim that the authentication failed and make him authenticate again, but this
time not for issuing the SIM card, but for opening a payment bank account. There is
absolutely nothing that stops the representative from doing this.

This is made possible because Airtel has two distinct licenses for carrying out Aadhaar eKYC
transactions. One is for the telephone company (to register customers for a new SIM card) and
the other for its payment bank (to open new accounts) which has so far performed 7.64 crore
eKYC transactions. Assuming a failure rate of 67%, it is quite likely that there are at least 2.54
crore bank accounts opened, of which a certain number appear to have been opened without
user consent.

Also Read: Aadhaar Conundrum – Three Tests For A Fool-Proof Identity

A zero balance payment bank account is however a cost for Airtel that needs to be offset. The
deliberate over-writing of the entry in the Aadhaar payment bridge ensured it was able to
collect Rs 190 crore worth of deposits – money that media reports say Airtel will “return to the
accounts of 31 lakh subscribers over the next 24 hours”

As per an RTI response from RBI to Bloomberg, Airtel payment bank had deposits worth Rs
224.03 crore as of September 2017, which implies that nearly 85% of the deposits were
obtained through the routing of LPG subsidies.

Why would Airtel not only open bank accounts, but also allegedly seed them with Aadhaar
numbers without obtaining user’s informed consent ? One reason could be because forced
seeding of Aadhaar numbers in bank accounts has long been Indian government policy.

Consent is broken by intent

On March, 2016, Economic Times published an article that all government welfare schemes
are on track to be linked with DBT. The last paragraph is clear that explicit consent is not
required for bank account seeding.

A panel of secretaries headed by cabinet secretary has suggested that instead of waiting
for beneficiaries to visit a bank branch to give consent for seeding their accounts with
Aadhaar, and if the consent of the beneficiaries for use of Aadhaar has already been
obtained, any further consent may not be insisted upon and data provided by government
agencies to the bank be used to seed PMJDY accounts.

There also exists a cabinet secretary note, from November 2015, which further makes this
explicit.

A clipping of the Cabinet secretary note. Credit: The Wire

The above note is just a restatement and emphasis of the “no explicit consent” policy from
2012, which predated the Aadhaar Act, 2016.

It is now possible to reconstruct the sequence of events with the available evidence.

Solving the puzzle

Firstly, Aadhaar-seeded bank accounts were required for DBT of subsidies. The NPCI was in
charge of the operational infrastructure for this, but didn’t have the statutory power nor
accountability to enforce the recommended informed consent clause for Aadhaar seeding.

The Indian government, in its determination to increase the number of Aadhaar-seeded bank
accounts, issued multiple executive orders to force seed bank accounts without the need to
obtain user consent, in direct violation of the Aadhaar Act.

UIDAI created a flawed eKYC framework, which allowed an Aadhaar authentication to

theoretically be functionally equal to signing a blank sheet of paper. Airtel, in at least some
cases, appears to have allegedly used the holes in the eKYC process to open bank accounts
without user consent.

After this, UIDAI has now temporarily suspended the Airtel payment bank eKYC licence for
violating the Aadhaar Act and also issuing multiple guidelines to banks on user data retention.

Anand Venkatanarayanan is a senior engineer at Netapp. Views expressed here are personal
and do not reflect the views of his employer.

Srikanth Lakshmanan is a software professional with interests in digital payments, FOSS and
open data.

1 Support The Wire ₹2400 once

The founding premise of The Wire is this: if good journalism is to survive and thrive, it can only do so
by being both editorially and financially independent.This means relying principally on
contributions from readers and concerned citizens who have no interest other than to sustain a
space for quality journalism. For any query or help write to us at support@thewire.in

I would like to contribute

Once Monthly Yearly

Select amount

₹200 ₹1000 ₹2400 Type an amount

Continue

2 Add contact details

3 Review & Pay

ALSO READ

20 FEB BANKING 13 FEB BANKING 02 FEB BANKING 25 JAN BANKING

Bank of Baroda Willing to Consider to Mauritius Securities Market Regular Says RBI Asks Indian Banks for Details of Is the Yes Bank CEO the Only One to Blame
Lending Adani Group More Money, Says CEO 'No Breach of Law' by Companies Linked to Exposure to Adani Group Companies: Reports for the AT1 Bond Fiasco?
Adani Group

MORE

ABOUT US TERMS & CONDITIONS PRIVACY POLICY REFUND POLICY