On December 16, 2017, the Unique Identification Authority of India (UIDAI) temporarily suspended the eKYC (electronic know your customer) licence of Airtel Payments Bank for allegedly opening bank accounts and force-seeding them with Aadhaar numbers without obtaining the informed consent of the customers in question.

An eKYC licence is what allows third parties like a bank or a telecom company to verify the personal details of an Aadhaar holder as a means of complying with ‘know-your-customer’ regulations.

A couple of days after that, PTI reported that UIDAI imposed a fine of Rs 2.5 crore on Airtel for allegedly opening payment bank accounts for its mobile subscribers without consent. The report also notes that Airtel routed the LPG subsidies of 31 lakh users (payments worth Rs 190 crore) to their Airtel payment bank accounts instead of the beneficiaries’ original bank accounts.

Simply put, although Airtel is yet to publicly confirm or acknowledge this, it appears that a certain number of Airtel mobile subscribers who were receiving LPG subsidy payments stopped getting them in their existing bank accounts and instead started receiving them in their Airtel payment bank accounts – which they had no knowledge of creating.

Complaints that had piled up over the last few months, both to the UIDAI and oil ministry, prompted the former to even issue a gazette notification outlining the process that needs to be followed by banks for receiving subsidy payments in their bank account.

How did we get here? Although Airtel has been censured, there are at least four actors who should assume some amount of responsibility for what has happened.

One, the Centre, which pushed ahead with its direct benefit transfer scheme and mandated the Aadhaar-based re-verification of mobile phone subscribers. Two, the National Payment Corporation of India (NPCI), which is responsible for handling payment and settlement systems.

Three, the UIDAI which created the eKYC framework. And finally, Airtel, which exploited holes in the above systems to route LPG subsidies to bank accounts that were allegedly created without user consent.

DBT regime

Streamlining welfare delivery through direct benefit transfer (DBT) programmes, where cash is directly transferred to a beneficiary’s bank account, has been a crucial component of Indian government welfare policy since 2013.

For instance, consider how subsidies for LPG were handled before the introduction of DBT. Residents paid the subsidised price to oil marketing companies (OMCs), while the government paid the subsidy to the OMCs.

In the DBT regime, residents paid full market price for cylinders to the OMCs, while the government paid the subsidy directly to the bank accounts of the residents.

Before the DBT model could work though, it had significant hurdles to cross. First off, not every resident who receives a subsidy may have a bank account. Banks were also not very enthusiastic about opening accounts that would be mostly zero balance, which would be a drain on their resources. The solution for this was the Pradhan Mantri Jan Dhan Yojana scheme, which allowed creation of zero balance bank accounts to which the subsidy would be deposited.

A further refinement of the DBT regime happened when Aadhaar became ubiquitous and started acting as a financial identifier. This not only improved how the Centre could keep track of the actual person receiving the subsidy, but also eliminated the need for a specific government department to keep track of the bank account details of the beneficiary.

But how would the money reach the beneficiary’s bank account, if subsidy payments were only made to an Aadhaar number?

NPCI and Aadhaar Payment Bridge (APB)

Enter the Aadhaar Payment Bridge (APB). Operated by the NPCI, the purpose of the APB was to facilitate transfer of the bulk government subsidies to a bank account via a beneficiary’s Aadhaar number.

How does the bridge acquire the bank account details of the Aadhaar holders? This is accomplished through “seeding” of an Aadhaar number to an account. Once seeded, the bank then creates an entry in the APB, which contains the account number and branch code against the Aadhaar number.

A specific example can help illuminate this process.

Suppose Ashok Kumar’s Aadhaar number is 1234-5678-1234. His LPG ID is 3-000-1234-1234, which is then linked to his Aadhaar number. Ashok Kumar then gives his Aadhaar number to his bank, the State Bank of India, which attaches it to his bank account number as an identifier. The State Bank of India then goes to the payment bridge and records that Ashok Kumar’s account is linked to his specific Aadhaar number. When the LPG subsidy is paid, it’s paid to Ashok Kumar’s Aadhaar number 1234-5678-1234. The payment bridge then routes this payment to SBI bank, against that specific Aadhaar number. State Bank of India then credits Ashok Kumar’s account by checking its customer database to find the account linked with his specific Aadhaar number (1234-5678-1234).

The Rs 190-crore question when it comes to the Airtel fiasco is: What happens when Ashok Kumar has more than one bank account? Suppose he has one with State Bank of India and another with ICICI?

Documentation put out by the NPCI, the nodal government agency responsible for maintaining the Aadhaar payment bridge, clearly states that all payment subsidies will be routed to the last bank account that was seeded with Aadhaar. From Page 6:

If two different banks seed the same Aadhaar number to the account of the customer in their respective banks and NPCI, the bank seeding with the latest mandate date will be mapped in the NPCI mapper and all the subsidies will be routed to that bank only.

This means that if Ashok Kumar first seeded his State Bank of India account with his Aadhaar number, but then later willingly did it with his ICICI account, the subsidy payment would be routed to ICICI.

Now, does this mean every single time an Aadhaar number is seeded into a bank account, it will automatically override the entry in the payment bridge? Not at all.

Multiple circulars from NPCI, the nodal agency responsible for maintaining the payment bridge, specify that explicit user consent must be taken for overriding the entry (circular numbers 158, 251, 259) and this has also been emphasised further in the documentation (Page 3):

Under no circumstances the Aadhaar number submitted as a part of KYC be seeded in NPCI mapper. The seeding should only be subject to explicit request from customer for receiving the Aadhaar based payments and also subject to submission of written consent (mandate) by the customer.

If the NPCI had been quite clear about its instructions, how did the Airtel payment bank incident happen at all? Simply put, NPCI isn’t a regulator and its directions don’t come with the statutory force of law like those of the Reserve Bank of India (RBI). In other words, they can easily be ignored by the Indian banking system in general and the Airtel Payment Bank in particular.
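The two NPCI rules quoted above (latest mandate date wins; no seeding without a written mandate) can be put side by side in a small model. This is an added example, not NPCI's code: the `Mapper` class, its field names and the `PAYMENTS_BANK` label are hypothetical, and the dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Seed:
    aadhaar: str
    bank: str
    mandate_date: date
    written_consent: bool   # customer's explicit mandate on file (hypothetical field)

class Mapper:
    """Toy Aadhaar -> bank mapper; latest mandate date wins, as the quoted rule says."""
    def __init__(self, require_consent):
        self.require_consent = require_consent
        self.entries = {}      # aadhaar -> Seed currently receiving subsidies
        self.overrides = []    # audit trail of (aadhaar, old_bank, new_bank)

    def seed(self, s):
        if self.require_consent and not s.written_consent:
            return False       # a KYC-only Aadhaar number must never reach the mapper
        cur = self.entries.get(s.aadhaar)
        if cur is not None and s.mandate_date < cur.mandate_date:
            return False       # an older mandate cannot displace a newer one
        if cur is not None and cur.bank != s.bank:
            self.overrides.append((s.aadhaar, cur.bank, s.bank))
        self.entries[s.aadhaar] = s
        return True

    def route(self, aadhaar):
        entry = self.entries.get(aadhaar)
        return entry.bank if entry else None

def replay(require_consent):
    # Constructed sample data, reusing the article's illustrative Aadhaar number.
    m = Mapper(require_consent)
    m.seed(Seed("1234-5678-1234", "SBI", date(2016, 5, 1), True))
    # Account opened during SIM re-verification; no mandate was ever given.
    m.seed(Seed("1234-5678-1234", "PAYMENTS_BANK", date(2017, 8, 1), False))
    return m.route("1234-5678-1234"), m.overrides

if __name__ == "__main__":
    print(replay(require_consent=False))   # consent rule ignored by the seeding bank
    print(replay(require_consent=True))    # consent rule enforced at the mapper
```

When the consent rule is only advisory, the later seed silently redirects the subsidy; the `overrides` list is the kind of record an auditor would want for every change of receiving bank.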

Aadhaar eKYC

The next part of the puzzle is understanding why Airtel needs an eKYC licence in the first place. Simply put, it has now become mandatory for customers looking to apply for a new SIM card.

When customers want a new number, government regulations require that the telephone company ascertain that the person is really who they say they are. This is where Aadhaar eKYC enters the picture.

Using Aadhaar eKYC to authenticate a transaction is inherently problematic. For instance, when fingerprints are used in offline, physical transactions, say when one puts a thumbprint on a physical sale deed, the fingerprint is bound to the document. In the Aadhaar eKYC model, when getting a SIM card, a customer’s thumb is put on a fingerprint device and not on the document that specifies the transaction details.

This, in theory, could allow the party that records the thumbprint on the device to later claim that the authentication was carried out for an altogether different purpose. A useful analogy is to think of Aadhaar eKYC as being similar to signing a blank sheet of paper on which the other party could theoretically write whatever it wants.
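The "blank sheet of paper" problem can be shown by comparing an authentication result that carries no purpose with one whose integrity tag covers the purpose. This is an added example and not a description of UIDAI's API: the purpose strings, `DEVICE_KEY` and every function name are hypothetical, and the HMAC stands in for whatever signature a real scheme would use.

```python
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-demo-key"   # hypothetical per-device secret, sample value

def canonical(record):
    # Stable byte encoding so both sides MAC exactly the same purpose record.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def authenticate_blank(aadhaar):
    """Unbound model: the result says who authenticated, not for what."""
    return {"aadhaar": aadhaar, "ok": True}

def authenticate_bound(aadhaar, purpose, txn_id):
    """Bound model: the tag covers the purpose shown to the customer."""
    record = {"aadhaar": aadhaar, "purpose": purpose, "txn_id": txn_id}
    tag = hmac.new(DEVICE_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def accept_blank(auth, claimed_purpose):
    # Nothing in the result can contradict the purpose the operator claims.
    return auth["ok"]

def accept_bound(auth, claimed_purpose):
    expected = hmac.new(DEVICE_KEY, canonical(auth["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth["tag"]):
        return False                       # record was altered after authentication
    return auth["record"]["purpose"] == claimed_purpose

def demo():
    aadhaar = "1234-5678-1234"             # the article's illustrative number
    blank = authenticate_blank(aadhaar)
    bound = authenticate_bound(aadhaar, "SIM_ISSUE", "txn-001")
    relabelled = {"record": dict(bound["record"], purpose="OPEN_BANK_ACCOUNT"),
                  "tag": bound["tag"]}
    return {
        "blank_reused": accept_blank(blank, "OPEN_BANK_ACCOUNT"),
        "bound_same": accept_bound(bound, "SIM_ISSUE"),
        "bound_reused": accept_bound(bound, "OPEN_BANK_ACCOUNT"),
        "bound_relabelled": accept_bound(relabelled, "OPEN_BANK_ACCOUNT"),
    }

if __name__ == "__main__":
    print(demo())
```

Binding only helps if the purpose being tagged is the one actually shown to the customer; a second, separately requested authentication for a different purpose would still verify.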

Airtel and its payment bank

The final piece of the puzzle is Airtel itself. At last count, it had a subscriber base of around 28.20 crore. However, the number of eKYC transactions done by Bharti Airtel as a telecom provider is nearly three times that amount, clocking in a total of 83.8 crore transactions.

What explains this? Two possible conclusions, with the former far more likely to be true than the latter.

One, the rate of failure when it comes to eKYC transactions is 67% (two in three attempts fail). Two, Airtel has more than 28.20 crore subscribers.

Now, if Airtel wanted to open a payment bank account for a customer without his or her consent how would that happen? The failure rate offers a theoretical opportunity for an Airtel representative, looking to open ‘X’ number of payment bank accounts, to game the Aadhaar eKYC system. When Ashok Kumar authenticates successfully the first time, the representative could falsely claim that the authentication failed and make him authenticate again, but this time not for issuing the SIM card, but for opening a payment bank account. There is absolutely nothing that stops the representative from doing this.

This is made possible because Airtel has two distinct licences for carrying out Aadhaar eKYC transactions. One is for the telephone company (to register customers for a new SIM card) and the other for its payment bank (to open new accounts), which has so far performed 7.64 crore eKYC transactions. Assuming a failure rate of 67%, it is quite likely that there are at least 2.54 crore bank accounts opened, of which a certain number appear to have been opened without user consent.

A zero balance payment bank account is, however, a cost for Airtel that needs to be offset. The deliberate over-writing of the entry in the Aadhaar payment bridge ensured it was able to collect Rs 190 crore worth of deposits – money that media reports say Airtel will “return to the accounts of 31 lakh subscribers over the next 24 hours”.

As per an RTI response from RBI to Bloomberg, Airtel payment bank had deposits worth Rs 224.03 crore as of September 2017, which implies that nearly 85% of the deposits were obtained through the routing of LPG subsidies.

Why would Airtel not only open bank accounts, but also allegedly seed them with Aadhaar numbers without obtaining users’ informed consent? One reason could be that forced seeding of Aadhaar numbers in bank accounts has long been Indian government policy.

Consent is broken by intent

In March 2016, the Economic Times published an article stating that all government welfare schemes are on track to be linked with DBT. The last paragraph is clear that explicit consent is not required for bank account seeding.

A panel of secretaries headed by cabinet secretary has suggested that instead of waiting for beneficiaries to visit a bank branch to give consent for seeding their accounts with Aadhaar, and if the consent of the beneficiaries for use of Aadhaar has already been obtained, any further consent may not be insisted upon and data provided by government agencies to the bank be used to seed PMJDY accounts.

There also exists a cabinet secretary note, from November 2015, which further makes this explicit.

The above note is just a restatement and emphasis of the “no explicit consent” policy from 2012, which predated the Aadhaar Act, 2016.

It is now possible to reconstruct the sequence of events with the available evidence.

Solving the puzzle

Firstly, Aadhaar-seeded bank accounts were required for DBT of subsidies. The NPCI was in charge of the operational infrastructure for this, but had neither the statutory power nor the accountability to enforce the recommended informed consent clause for Aadhaar seeding.

The Indian government, in its determination to increase the number of Aadhaar-seeded bank accounts, issued multiple executive orders to force seed bank accounts without the need to obtain user consent, in direct violation of the Aadhaar Act.

UIDAI created a flawed eKYC framework, which allowed an Aadhaar authentication to theoretically be functionally equal to signing a blank sheet of paper. Airtel, in at least some cases, appears to have allegedly used the holes in the eKYC process to open bank accounts without user consent.

After this, UIDAI has now temporarily suspended the Airtel payment bank eKYC licence for violating the Aadhaar Act and has also issued multiple guidelines to banks on user data retention.

Anand Venkatanarayanan is a senior engineer at Netapp. Views expressed here are personal and do not reflect the views of his employer.

Srikanth Lakshmanan is a software professional with interests in digital payments, FOSS and open data.