“O unhappy citizens, what madness?

Do you think the enemy’s sailed away? Or do you think

any Greek gift’s free of treachery? Is that Ulysses’s reputation?

Either there are Greeks in hiding, concealed by the wood,

or it’s been built as a machine to use against our walls,

or spy on our homes, or fall on the city from above,

or it hides some other trick: Trojans, don’t trust this horse.

Whatever it is, I’m afraid of Greeks even those bearing gifts.

A Trojan horse uses a disguise to hide its true purpose.”

Virgil’s Aeneid, Book II

The Greek king Odysseus thought of building a great wooden horse (the horse being the emblem of Troy) to hide an army inside it and fooling the Trojans into wheeling the horse into the city as a trophy. For this guile he is often known as Odysseus the Cunning.

Any trick that causes a target to invite an enemy into a protected place has come to be described as a Trojan Horse. In a digital era, data, programs and devices that masquerade without displaying their true purposes have become Trojan horses that caused much damage and even destroyed the targets.

If we learnt from history, it wouldn’t repeat. But we have big egos. We live in a world where we give up our natural intelligence to the artificial, we treat that as a gift from the gods of technology. We cannot possibly be as foolish as the Trojans.

Whether in some ways Aadhaar is a Trojan horse, one that was welcomed as a gift in to the secure world of finance by the Reserve Bank of India, in to the democratic world of elections by the Election Commission of India, into the secure world of citizenship by the Registrar General of India, and into the dependable world of subsidies by the Government of India, you decide.

I’m not going to talk about Aadhaar’s link to the Citizenship Amendment Act and the National Population Register. Nor will I talk about the linkage of the voter id to Aadhaar card. That I will leave for another day, or for you to discover

I’m going to trace the short history of Aadhaar as a gift of the technology world to serve as a financial address and an identifier. How it pushed out the use of bank account number and branches of the banks where the transactions happened, when in fact it can neither hold money nor identify the transacting parties. I’m going to trace the chronology of how the bastion of the Reserve Bank of India was breached.

It all started in January 2009 when the Government notified the formation of the Unique Identification Authority of India (UIDAI) with Nandan Nilekani, cofounder of Infosys, as the Chairperson. In April 2010, ground was being prepared for using the Aadhaar as a financial address. The UIDAI published a white-paper on financial inclusion. The Nilekani led TAGUP Committee formed in 2010, which included the then CEO of the National Payments Corporation of India (NPCI), argued for the creation of an Aadhaar payments bridge for delivery of government payments to beneficiaries.

In less than three months from the date that the UIDAI issued the first Aadhaar in September 2010, a non-governmental company, the National Payments Corporation of India ( NPCI) set up in December 2008 with its first Chairperson being the Founding Chairman of Infosys NRN Narayana Murthy. Its backers were ready with a demonstration and pilot license of the Aadhaar enabled payment system.

It was only on 6th of January 2011 that the UIDAI and NPCI signed an MoU. The MoU claimed that several banks were opening new bank accounts or linking existing bank accounts with Aadhaar numbers. At the time neither was true. The RBI had refused to allow the use of Aadhaar even as a KYC. The RBI file noting indicates that its KYC process did not permit the use of Aadhaar for opening bank accounts and it was opposed to the use of Aadhaar. The RBI pointed out that at best the Aadhaar was a third-party identification, and such third-party identification is not permitted in banking anywhere in the world. The RBI maintained that the use of the Aadhaar number was in conflict with the Prevention of Money Laundering Act (PMLA), the Basel Standards for maintaining customer information and its own extant guidelines. It underlined that the use of Aadhaar would dilute its practices of keeping customer records.

The MoU also states that these accounts would be Aadhaar Enabled Bank Accounts (AEBA). It proposed that NPCI would offer “switching, clearing and settlement services for Aadhaar based financial transactions from Aadhaar Enabled Bank Accounts”. Significantly, while on 11th January 2011 the NPCI had already obtained a certificate to set up and operate Aadhaar Enabled Payment Systems from the RBI under the Payment and Settlement Act, 2007 it chose not to say so in the MoU.

Pressured by the UIDAI, the RBI issued a notification dated 27th January 2011 reluctantly allowing the use of Aadhaar as KYC. It however underlined that such bank accounts would be subject to the restrictions of small bank accounts under the PMLA. The record indicates that the UIDAI increased the pressure on RBI. Finally on 28th September, 2011, after being “advised” by the Department of Revenue, Ministry of Finance, the RBI backtracked in the matter of PMLA restrictions on bank accounts opened solely with Aadhaar. It also enabled the presence-less and paperless opening of bank accounts using eKYC or remote Aadhaar authentication throwing the caution of identifying account holders and transacting parties out into the wind.

The AEPS went live in January 2011. The AEPS transfers money to Aadhaar numbers instead of bank accounts. Since money must ultimately go to bank accounts, Aadhaar money transfers require a separate mapping of Aadhaar number to a bank account. This mapping is updated by the NPCI based on Aadhaar numbers seeded to bank accounts by various member banks. Neither the recipient of the money transfers nor their bank is in control of receiving the money anymore due to this volatile mapping. This makes uncertain and untraceable the bank accounts that will receive funds.

Once linked with Aadhaar bank accounts opened with the traditional KYC practices of the RBI become indistinguishable from those opened solely with Aadhaar. They also become operable through the Aadhaar Enabled Payment Systems.

Despite this, in June 2011 it was the Taskforce on Direct Transfer of Subsidies that recommended the government use Aadhaar payments for Kerosene, LPG and Fertilizers to transfer the subsidies to the intended beneficiary. The taskforce was silent as to why the RBI’s NEFT could not transfer government benefits and subsidies could not serve the purpose and needed to be replaced.

In this scheme of DBT through AEPS, the Aadhaar numbers not only need to be seeded to bank accounts but also to the beneficiary lists. Unlike a list of fixed beneficiaries bank accounts, the list of beneficiaries now becomes a volatile list that is available for manipulation by seeding or deseeding Aadhaar numbers to Beneficiary Lists or bank accounts, every time, before making money transfers. This updation of Aadhaar numbers associated with either list can be done by cyberlaunderers to siphon subsidy, benefits, other Aadhaar based payments, or even to make the source or destination of funds untraceable.

Neither the UIDAI, the Ministry of Finance, the Reserve Bank of India, or NPCI certify the Aadhaar numbers of beneficiaries or the identities of the account holders where the money was transferred. The CAG has never audited the need, or sanity, to use Aadhaar. They have ignored that the Aadhaar is an uncertified, unverified, and unaudited number, to decide inclusion or exclusion from beneficiary lists. Nor have they verified those who received the money targeted through Aadhaar numbers were those who qualified as beneficiaries. The use of Aadhaar for money transfers enabled an ecosystem of private players to take control of targeting money transfers.

In February 2012 the Task Force on an Aadhaar-Enabled Unified Payment Infrastructure pushed for Aadhaar enabled payments across all ministries. The Planning Commission in choosing AEPS over NEFT for DBT in January 2013 ignored that unlike NEFT, where the beneficiary account receiving money is always traceable, AEPS has a volatile mapping of an Aadhaar number to a bank account.

In the Finance Act of 2017 section 139AA was introduced to make every PAN holder link Aadhaar to their PAN to keep it from becoming “invalid”. More than 17 crores of PAN, or 40 percent of all PAN ever issued) were allotted solely based on Aadhaar after 139AA was notified. Citing GSR 538(E), the amendment to the Prevention of Money-laundering (Maintenance of Records) Rules, 2005 under the Prevention of Money-laundering Act, 2002 (15 of 2003) (PMLA), on 1st June, 2017, the Department of Revenue, Ministry of Finance notified a law in the form of PMLA Rules. They promised to freeze assets not linked with Aadhaar. They did not ask who certifies the biometric or demographic data linked with an Aadhaar number. They did not ask who identifies anyone when an Aadhaar number is used. They did not ask who takes responsibility for the business process thatMinistry of Finance who pushed for the use of Aadhaar to open bank accounts with Aadhaar against RBI’s reservations. They created a TAGUP committee to push Aadhaar for collecting taxes through a non-government company, the GSTN. They then proceeded to push AEPS to transfer government subsidies and benefits instead of the established practice of using RBI’s NEFT. They created a Watal committee to push Aadhaar banking post demonetization. Furthermore they even passed a law to invalidate the valid instrument of tracking financial transactions: the PAN card. Then they notified new rules in the PMLA to freeze assets not linked to Aadhaar.

According to Nilekani, who has been advising the NPCI, in violation of section 16 of the Aadhaar Act, over 95,000 crores were transferred to beneficiaries in 2017-18 using AEPS. No one has established that the recipients of the 95,000 crores are all real persons and genuine beneficiaries. No one has certified the delivery of benefits and subsidies from the Consolidated Fund of India to those it was meant to be targeted to.

In December 2016, it was reported that 76% of the Jan Dhan accounts were zero balance till one rupee was added to many accounts to bring down zero balance accounts to 23% so that the concentration of money deposits would not be noticed. It was also found that there was a rise Rs 32,0 billion in Jan Dhan deposits in just two weeks after demonetisation.

In September 2017, the Maharashtra Government’s Chhatrapati Shivaji Maharaj Shetkari Sanman Yojana (CSMSSY), or the Maharashtra Farm Loan Waiver Scheme website received 10,512,040 registrations from farmers in Maharashtra from which 5,659,187 applied for farm loan waiver under the scheme. Under this scheme, farmers who had defaulted on crop loan or term loan between April 2009 and June 2016, if found eligible, would be given a loan waiver of Rs 1.50 lakh. It was discovered that millions of farmers had identical Aadhaar numbers.

In October 2018, 3.7 million bank accounts were opened by Airtel Payments Bank solely based on Aadhaar, without any form being filled up by any on-boarded “customers”. Rs 1.67 billion LPG subsidy was transferred to these benami bank accounts.

In January 2020, farmers in Karnataka who were promised compensation, through Aadhaar payments, of Rs 16,500, Rs 23,000, and Rs 25,000 per hectare in in dry lands, irrigated lands and horticultural crops respectively alleged many had not received the compensation or got amounts that were different from what they were entitled to.

So, when, in February 2020, the Niti Aayog finally discovers that one in three Aadhaar-based payments for the Centre’s maternity benefit scheme, or Pradhan Mantri Matru Vandana Yojana (PMMVY), was credited to a wrong bank account, what should the government do?

The use of Aadhaar as a identifier and financial address enabled siphoning subsidies to benami accounts untraceably through AEPS. It has opened the gates of the financial system of India. If the situation is Contrary to the MoU to improve international tax compliance and to implement Foreign Account Tax Compliance Act (FATCA) signed in 2015, the RBI Governor needs to take immediate action to prevent dilution of international tax compliance If a Trojan Horse has entered the gates of the financial system, it should be rolled back under the leadership of Prime Minister Narendra Modi

—

Dr. Anupam Saraph is a Future Designer, Professor of Sustainability and Governance of Complex Systems and an internationally renowned expert in governance of complex systems. He can be reached @anupamsaraph.