The legislative overreach of UIDAI in Banking
The Airtel Payments Scam confirms that Aadhaar and demographic data is sufficient to open bank accounts. Neither your biometrics nor your presence is required to open bank accounts. The Unique Identification Authority of India (UIDAI) and the various government arms have yet to take cognisance of how banking with Aadhaar is destroying the rule of law in banking and facilitating money laundering. Benami accounts get created when banks fail to identify the real customers who own the accounts. The Panama Papers exposed data of thousands of benami accounts created through a Panamanian law firm, Mossack Fonseca. The Panama Papers exposed the modus operandi of hiding the real owners of the assets in tax havens.
Prudent bankers recognise the importance of knowing who they bank with. It is no wonder that the Reserve Bank of India (RBI) had warned, right from before the Trojan horse was installed  into the RBI in 2011, that the Aadhaar enrolment process does not have due diligence. It had pointed out that for Aadhaar enrolment verification is not compulsory, as confirmed by the UIDAI in the demographic data standards and verification procedure, and does not require document based verification. The RBI also highlighted that such use of Aadhaar as third party identification is against the Prevention of Money Laundering Act, the Financial Action Task Force (FATF) and the paper issued on customer due diligence (CDD) for banks by the Basel Committee on Banking Supervision and circulated to scheduled commercial banks by the RBI on November 29, 2004.
The RBI also observed that a fixed time document like the Aadhaar cannot be a proof of address. It further cautioned against the deployment of business correspondents (BC) to open bank accounts or to undertake banking transactions, as the vulnerability of the system has not been tested and co-mingling funds of different banks in the hands of BCs was a major operational risk to the banks. While resisting the use of Aadhaar, the RBI also highlighted the ggovernment’s concern about the perceived misuse of such accounts for terrorist financing.
Under pressure from the UIDAI and the department of revenue, ministry of finance, the RBI, through its circular dated January 27, 2011, allowed bank accounts to be opened exclusively on the basis of Aadhaar number. However the RBI required such accounts to be put to restrictions and be subjected to conditions and limitations prescribed for small accounts.
Not happy with the restrictions, the UIDAI pressed the RBI to lift the restrictions placed on accounts opened with Aadhaar numbers under the PMLA. On September 28, 2011, again through the Department of Revenue, the UIDAI succeeded in getting the RBI to backtrack and suspend the restrictions of the Prevention of Money Laundering Act (PMLA) on bank accounts opened solely through Aadhaar. The UIDAI also succeeded in persuading the RBI to accept electronic know-your-customer (eKYC) or remotely using information associated with an Aadhaar number, as KYC. According to the UIDAI, eKYC brings scale to the ease of onboarding customers. 
Strangely, the UIDAI does not certify the identity, age, address, resident status or even existence of records associated with each Aadhaar number. Perhaps because no one in the Aadhaar enrolment process was required to identify anyone. At best they had to merely verify documents that were submitted for enrolment. Needless to say anyone in possession of your documents could enroll with minor changes in any demographic information or with different biometrics. Field stories of enrolments are full with descriptions of biometric jugaad including using combination of persons, use of biometric masks, biometric modifications, and other ingenious methods to maximise registrations.
According to the IT minister Ravi Shankar Prasad, 34,000 operators who tried to make fake Aadhaar Cards have been blacklisted. Even if each operator worked for a year before being blacklisted, at about 50-100 cards a day, this amounts to more than 45% of the database. The Aadhaar enrolment has been unlike that of any other identity document, easily scaling the creation of duplicate and ghost identities.
So why the push to use Aadhaar in banking? Like Panama, it offers the ultimate modus operandi for hiding real persons who can do transactions using the ghosts of Aadhaar. Once traditional KYC is destroyed and every bank account is linked with Aadhaar, there will be no way to distinguish the real from the ghost.
Excerpt of IT Minister Ravi Shanker Prasad’s reply in Rajya Sabha on April 10, 2017
Massive growth in accounts and deposits from 2009-2014 when Aadhaar was used in banking. Source: RBI
Interestingly RBI’s data on bank accounts reveals that after Aadhaar was enabled by the UIDAI in banking, the bank accounts in India almost doubled in just five years, from about 65 crore to 120 crore, as did the deposits, from about 38 lakh crore to about 80 lakh crore. This suggests a huge surge in benami bank accounts with black money, not financial inclusion.
Overreach into money transfers
Even when it had no mandate to develop banking platforms, in 2009, the UIDAI signed a memorandum of understanding (MoU) with the National Payments Corporation of India (NPCI), a non-government company, to develop an Aadhaar Enabled Payment System (AEPS). In this MoU the UIDAI has no responsibility for your banking transactions and the NPCI has no obligation to the RBI. The payment system uses the Aadhaar linked to a bank account as a “financial address” to do electronic money transfers from one Aadhaar number to another.
An Aadhaar number becomes a financial address when an Aadhaar is “seeded” into a table called the “NPCI mapper” by anyone linking the Aadhaar to a bank account. This mapper is a directory of Aadhaar numbers and Institution Identification Number (IIN) numbers used for the purpose of routing transactions to the destination banks. The IIN is a unique 6-digit number issued by NPCI to any participating bank. 
If you or anyone else link your Aadhaar with another bank account, the NPCI mapper is overwritten with the new banks’ IIN. Money transferred to an Aadhaar number using theAEPS gets transferred to the bank account linked to the Aadhaar number at the branch recognised by the IIN.
This idea of a mapper, as used by NPCI’s AEPS, does not allow for instructions from sender about the account to deposit money, but relies on periodic update of IIN in the NPCI’s table mapping Aadhaar numbers from banks. This mapping is volatile because multiple banks periodically update the Aadhaar numbers linked with accounts held by them. Neither the banks, the NPCI nor you have control on where you would like your payments to go. 
Money launderers exploit this volatility to make money transfers untraceable. A money launderer can transfer money to an account linked to an alternate IIN and then re-seed the NPCI’s mapper with the original IIN for the Aadhaar number, completely wiping out any trace of money to the alternate IIN. Like transactions of bearer shares in Panama, such money transfers becomes no different from a hawala transaction between real parties who remain anonymous or benami.
Your Aadhaar number can be used to facilitate such benami money transfers without your knowledge. If these money transfers linked to your Aadhaar number are detected by investigation officers or tax authorities, you, not the real operator will be held on suspicion of economic offences.
Perhaps the worst aspect of the mapper is that it slices the business process and outsources parts. This destroys the responsibility of the payment system from any single party as was in the case of RBI’s electronic payment systems the NEFT or RTGS. Neither the NPCI, the UIDAI or the banks are responsible in such money transfers. They merely provide “look-up” services. In this system, a single compromised or rogue bank branch, or the perpetuator’s ability to exploit a good one, is enough to siphon off subsidy, park black money or take bribes. 
The use of Aadhaar as a financial address is inherently flawed as all money is ultimately stored in bank accounts and not in the name of a person. Nowhere in the world does one transfer money to a person; you transfer it to a person’s account. Money transfers to and from a bank account makes every money transfer traceable from source to destination making money laundering difficult, if not impossible.
Hawala schemes make money transfers untraceable by eliminating the bank accounts. Money transfers that, like the hawala, are based on the premise that you do not share an account number, with someone transferring money to you, are inherently flawed in auditability as they wipe out the money trail.
Since the NPCI’s idea of Aadhaar to Aadhaar banking itself is flawed, it is surprising that the RBI licensed this payment system under the Payment and Settlements Act.
The consequences of UIDAI’s overreach
On January 4, 2018 The Tribune broke a story of access to details for any of the more than 1 billion Aadhaar numbers. The UIDAI in a press release indicated that “UIDAI reassures that there has not been any data breach of biometric database which remains fully safe and secure with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics.”
On December 18, 2017 several newspapers broke the story of Rs167.77 crore of LPG subsidy having been transferred to 37.18 lakh accounts in Airtel Payment Bank. Rs88.18 crore of this subsidy was actually marked for 17.32 lakh consumers enrolled with Indian Oil Corp (IOC), Rs40.08 crore subsidy to 10.06 lakh consumers enrolled with Hindustan Petroleum Corp Ltd (HPCL) and Rs 39.46 crore to 9.8 lakh consumers of Bharat Petroleum Corp Ltd (BPCL). These reports allege that all of the 37.18 lakh payment bank accounts were created without the willful and informed consent of the consumers.
Despite the customers not being present, and despite the biometrics of the customers not being available, these accounts were opened and money from the Consolidated Fund of India was transferred to them. The mere availability of Aadhaar numbers and demographic information allowed the creation of 37.18 lakh bank accounts. It allowed the targeting of Rs167.77 crore to these accounts. This exemplifies the scale of the harm that the use of Aadhaar linking is doing, UIDAI’s denial notwithstanding.
This becomes even more dangerous as even access of the sort indicated by The Tribune is unnecessary if one has access to Aadhaar numbers and demographic information from another organisation (perhaps as happened in the Airtel Payments Bank case), from data accessed from any organisation storing Aadhaar numbers, from data archived due to Aadhaar leaks on various websites, or even from data and eKYC records leaked from companies.
This example is not isolated. It confirms that not only are Aadhaar numbers with demographic data sufficient to open benami bank accounts, but also, that eKYC is not suited for banking, and also that the use of Aadhaar as a financial address for money transfers enables, rather than prevents, money laundering. It also demonstrates how the UIDAI has messed up responsibilities of various government bodies, like for example the RBI, under various Acts by destroying business processes and responsibilities implied in those Acts. Not only was a banking entity, Airtel Payments Bank, able to open lakhs of bank accounts when no one had approached them to open bank accounts, but actually received money into these accounts. 
It is evident that eKYC is flawed by design. Any eKYC can be reused by anyone. UIDAI has admitted previously that biometrics can be stored by those using them for authentication and reused later. Unlike RBI’s traditional KYC practices, eKYC and e-authentication does not provide any evidence of a person having been present or authorised and consented to the opening of any bank account, or for that matter any transaction.
It is also evident that Aadhaar money transfers siphon off money. There is no way to rollback the money transfers from Airtel Payments Bank as the original accounts they were meant for have been obliterated from the trace. Using this system for managing the Consolidated Fund of India is destroying the responsibility of the RBI to ensure auditable banking, the responsibility of the banks to identify customers and causing a legislative overreach of the UIDAI with no accountability.
The UIDAI, on its part, has done a cover up by temporarily suspending the “e-KYC licence key of Bharti Airtel Ltd and Airtel Payment Bank Ltd with immediate effect”. The news report claims that Airtel Payments Bank will not be able to open a new account with Aadhaar e-KYC. However, accounts can be opened through alternate methods, if available. The peculiarity of this action is that, according to these news reports and the action taken by UIDAI, Airtel Payments Bank never did any eKYC to open the bank accounts. This order of UIDAI, therefore, completely ignores the ability for anyone to use Aadhaar and demographic information to open bank accounts, among other things. The UIDAI has not questioned the storage of Aadhaar numbers by the NPCI, that has allowed such large scale siphoning of funds into unintended bank accounts. They have not even questioned the use of Aadhaar in banking, a use that is not permitted in the Aadhaar Act.
The RBI has yet to react and cancel the licence of NPCI’s Aadhaar Based Payment System that facilitated this money transfer. The Enforcement Directorate is yet to react and investigate money transfers that have been happening with the Aadhaar Payment System. The CBI is yet to react and investigate how the Consolidated Fund of India was proposed to be managed using such a leaky and untraceable system in place of the RBI’s NEFT or RTGS. The CVC is yet to react and take cognisance of the overzealousness of the ministry of finance in coercing the use of Aadhaar in banking and now the linkage of every bank account with Aadhaar to expose it to such siphoning of money from the bank accounts. The NSA is yet to suspend the UIDAI for causing a national emergency by delusional coercion of Aadhaar everywhere. The PMO is yet to place under suspension key bureaucrats that have misadvised and misguided the Prime Minister resulting in such a massive failure of governance. 
Aadhaar has turned out to be a weapon of mass corruption. It corrupts the financial system, it corrupts the governance system. It removes the aadhaar  of banking. It destroys the databases that ensure that India is a sovereign, democratic republic. 
(Dr Anupam Saraph is a renowned expert in governance of complex systems and advises governments and businesses across the world. He can be reached @anupamsaraph)
Sam Sam
4 years ago
I am working very closely in the field of financial inclusion since 2011 with

SBI and recently with Airtel Bank as well, I just want to say Dr Anupam
has done very extensive research
work to put up this story, we are just getting mad at ground level and I am completely agreed that Adhaar has already corrupted the financial
system ,there is just an open loot by CSC & by several payment banks thru AEPS,the situation is worst in rural areas where customers are just clueless about this open loot.Digital India must do everything there is digital loot with digiJan....

thru AEPS,
Sridhar Rao
4 years ago
Truly alarming!
jaideep shirali
4 years ago
Aadhar seems to be another example of a mad rush to "get things done", supposedly because somebody else did nothing for the last 60 or 70 years. Systems may be designed with good intentions, as Aadhar started off with, but the leakages and abuse of Aadhar are horrifying, to say the least. This is not a "we'll learn as we go along" case, as government representatives say so casually. We need to stop further linking of Aadhar to every blessed thing in the country, before this becomes a laughing stock and the ultimate government approved weapon for money laundering. What amazes is me that every government entity and bank insists on Aadhar, even for NRIs and PIOs, though it is illegal for these people to even apply for Aadhar. We need to plug these gaping holes before the financial system becomes a minefield and identity theft becomes the norm.
Ramesh I
4 years ago
That the BJP-led NDA Govt has been promoting Aadhar enrolments and usage more than the erstwhile Congress-led UPA Govt proves the sinister objectives Aadhar database serves the Govt, at the expense of its allotees. What's more intriguing to me is why the Supreme Court of India has been going soft on Govt coersion on this, when it clearly violates the SC's own order of 2015 restricting it to a select few govt schemes. The SC has been deferring hearing a bunch of PILs challenging the very Constitutional validity of Aadhar as it clearly infringes on the fundamental right to privacy of Indian citizens. While I don't expect the political parties to oppose it (as it seems to serve some extraneous purposes) I hoped that atleast the Supreme Court would ensure that its order is obeyed, and citizens are not forced into submission like in a banana republic.
Free Helpline
Legal Credit