UPA government is pushing hard Aadhaar biometric ID scheme while bankers are complaining about the high cost of technology and how it is negating its benefits. Meanwhile, customers who ultimately pay the bill for these technology costs are not even being consulted and complaints about higher services charges have been ignored so far. Where are we headed?
Despite opposition from several quarters, including experts, academicians and bankers, the United Progressive Alliance (UPA) is enforcing its biometric-based unique identification (UID) for banking transactions. The government want banks to install/upgrade automated teller machines (ATMs) to facilitate the UID or Aadhaar's biometric identification. But this comes with a big price tag. What is worse, the authentication systems of biometric ATMs were once tried a decade ago and have failed, especially for the target group that massively high cost Aadhaar project claims to address -- namely those unbanked and underprivileged people who do not have identification documents.
According to a report in the Economic Times on Monday, the Unique Identification Authority of India (UIDAI) is pushing for biometric authentication for credit card and ATM transactions, but bankers are reluctant to make changes since technology costs are high. Bankers argue that upgrading every ATM and point of sale (PoS) terminal at thousands of merchant outlets will not come cheap, besides travails and risks of a new technology, says the report. But aren’t we forgetting something here? ATM with biometrics is not a new idea. It has been tried and discarded as a failure when the ATMs did not authenticate the biometrics of many underprivileged persons (during the pilot launch) and left them without access to their own funds, especially when banks were closed.
While use of biometric ATMs looks good on paper, its implementation so far has proved costly for the banks as well as for the end-users. On 1 December 2006, Citibank had issued a global release about the launch of its biometric ATM with multi-language voice instruction capability. It had tied up with a NGO called Swadhar FinAccess and a microfinance firm for Citibank Pragati for (no frills) accounts. The experiment ended in a whimper. (See more here : ) In fact, the drumbeat for biometric ATMs began in 2005 as suggested by this report in The Financial Express. In 2007, Andhra Bank had launched biometric ATMs and wanted to make the mobile, to cater to the burgeoning microfinance business.
Canara Bank set up its first biometric-based ATM at Dharavi, in Mumbai in 2008 with much fanfare. It was a dual purpose ATM, which accepted cards as well as thumbprints for banking transaction (mostly cash withdrawals). The biometric-based ATM was expected to cater to the needs of working class, especially housemaids and other people in Dharavi. In fact, even after the global financial crisis, the biometric ATMs and tie-ups continued because micro-finance firms were still seen as saviours and had not revealed their exploitative and rapacious side.
The ground reality turned out to be completely different. According to information provided by several non-government organisations (NGOs) spreading financial literacy in that area, the biometric ATMs in Dharavi failed from day one. The reason? Working class there, especially housemaids and other labours do not have fingerprints without which they could not operate the ATM!
Not having fingerprints is just one of the issues with the biometric-based ATMs. The more serious issue is the danger it may pose to the user as thieves may stalk and assault the person to gain access. If the item is secured with a biometric device, the damage to the owner could be irreversible, and potentially cost more than the secured property. For example, in 2005, Malaysian car thieves cut off the finger of a Mercedes-Benz S-Class owner when attempting to steal his car.
In addition, the biometric-based passwords are irreversible. That means it cannot be re-issued in case of loss or theft. If a token or a password is lost or stolen, it can be cancelled and replaced by a newer version. This is not naturally available in biometrics. If someone's face or fingerprint is compromised from a database, it cannot be cancelled or reissued.
Another problem associated with the biometric-based ATM is its cost, both installation and operations. The biometric-based ATMs, as proposed by the Reserve Bank of India (RBI) that would facilitate use to Aadhaar data, are more costly than the regular card-based ATMs. While consumers are increasingly complaining about reasonableness of bank charges, the banks themselves are lobbying hard with the RBI, claiming that high cost of technology is making each transaction very expensive. For instance, having encouraged and pushed to obtain corporate accounts of companies, banks are now cribbing about high transaction costs on small withdrawals from ATMs.
For instance, a senior central banker says that each balance inquiry at an ATM costs the bank Rs11 while each transaction costs around Rs18. However, this calls for a serious discussion on the cost-benefit of technology to consumers, since the solution cannot be to load higher costs on to consumers.
And while the UIDAI and RBI are still thinking about using Aadhaar number or fingerprints collected under the UID scheme, for authentication of transactions, the world has moved ahead. World over, fingerprint based ATMs are being replaced by biometric ATMs, which use ‘finger vein scanning’ technology to authenticate the customer's ID. Unlike current fingerprint scanners, the finger vein scanner, developed by Japanese company Hitachi, uses infrared light to analyse the micro veins beneath the surface of the finger. According to Hitachi, it is impossible to fool its machine, as it is not possible to replicate an individual's finger veins. In addition, it does not work with fingers that have been chopped off, the company had said.
In addition, several experts have pointed out that using Aadhaar for identification is completely different than using it for authentication. Especially, when it comes to using biometric data of Aadhaar for payment transactions, the facts are not too encouraging. Several poor people like housemaids and construction labourers are finding it difficult to even enrol for Aadhaar due to lack of a clean fingerprint sample. Some could not even submit sample of their iris due to cataract. In such cases, how will the Aadhaar help in authenticating the card present transaction? Also, why burden the entire banking system with high costs, which will have to be paid by hundreds of million account holders who have no need for biometric identification and have no reason to support biometric authentication systems?
Coming back to the issue of using Aadhaar or UID for authentication card present transactions, it looks good only on paper. As per the latest census, 58.7% households were availing banking services in 2011 as compared with 35.5% in 2001. Notwithstanding these efforts by the RBI and the financial sector, the challenges are enormous. Providing banking coverage to a population of 120 crore and ensuring transactions in these accounts is a daunting task.
According to National Payments Corporation of India (NPCI), at the end of October 2012, there were over 1.04 lakh ATMs in the country. State Bank of India (SBI) and its five units had installed 61,500 ATMs, while private sector and foreign banks put together have about 41,800 ATMs. Co-operative banks and regional rural banks have 1,150 machines. All the banks put together have plans to install about one lakh ATMs over a period of next two years, the NPCI said, noting that this will take up the average to 170 ATMs per million of population from the current 85. Nearly, 200 million transactions were processed every month in its national financial switch (NFS), of which 75% were cash withdrawal transactions with an average ticket size of Rs3,300, NPCI added.
While, the government and the RBI have asked banks to accept the Aadhaar number as one of the identification proofs for opening an account, the lenders are not sure about the authentication and verification of these numbers for payment system. The RBI itself was not confident about Aadhaar as it felt that the UID project is not ready for handling secure payment transactions.
According to the Economic Times report, there was a distinct possibility that RBI would ask banks to gradually roll out Aadhaar-based biometric authentication as an additional authentication for card transactions. RBI may not mandate banks immediately, but may nonetheless ask them to upgrade the technology. This is happening at such a time when banks are issuing credit and debit cards based on Europay, MasterCard and Visa (EMV) chip technology, the report said quoting a banker.
According to a report by a "Working Group on Securing Card Present Transactions" of the Reserve Bank of India (RBI), there is a need to put in place a series of measures to strengthen the payments’ infrastructure and ecosystem in the country. Inferences drawn from case studies clearly indicate the need to have a much stronger authentication mechanism and reiterate the need for a second factor (2FA) for card present transactions.
The report discusses new systems like EMV chip cards with PIN that has been adopted by many countries and enhancing the current MSD card system with help from biometric identification.
"Aadhaar (issued by UIDAI) authentication using biometrics, provides a strong 'Who you are' factor of authentication. This can be combined with a second 'What you have' or 'What you know' factor to achieve strong customer identification at the point of sale," the report said.
While the option to use biometrics from the UIDAI database looks good, it may, in practice, due to insufficient feasibility tests, may not be a viable option. "The working committee considered biometric, or UID, as the second factor in one of the solution sets; however, the decision to adopt this would depend on various factors like the number of UIDs issued to the population which transacts through cards, the error rates, authentication network capability to handle transaction volumes, network capability to handle enhanced transaction size and acquiring infrastructure," the report said.
According to the Economic Times report, another working group set up to study the recommendation of the previous group has recently submitted its report to the RBI. “(the) panel has pegged the cost of banks' readiness for Aadhaar at Rs4,259 crore compared with Rs3,556 crore the banking industry has to spend to upgrade machines to match a different technology they think lowers the risk of card frauds,” the report says.
Another more serious question about UIDAI is the ownership of data collected by the agency. According to Dr Usha Ramanathan, an independent law researcher, who has been critically following the policy and practices of the UIDAI since 2009, those enrolling on the UID database have not been informed that their Aadhaar data is to yield profit for the UIDAI, Rs288.15 crore a year and its only investor, the government, does not even own the data.
“As set out in the Nilekani-chaired Technology Advisory Group on Unique Projects (TAG-UP) report, the data we think we are giving to the government is to end up on the database of what will be in the nature of a private company once it reaches steady state. When it is still a start-up, and till it reaches steady state at least, it will be funded by the government. After that, the government, like other commercial service providers, will become the customer of the UIDAI,” she said.
Unfortunately, instead of addressing all the problems related with the Aadhaar, the UPA government is forcing its usage and acceptance, that too without any Parliamentary approval for the UIDAI scheme. The hard push for biometric ATMs is just one of the examples about how technology is being used to exclude the needy, without even thinking about the cost.