Banks to Discontinue Aadhaar-based Payments Through UPI, IMPS
NPCI Says Aadhaar Framework Is Still Evolving
The National Payments Corporation of India, the umbrella organization for all retail payments systems, has asked banks to discontinue Aadhaar-based payments through Unified Payments Interface and Immediate Payment System channels.
In a circular addressed to banks, NPCI describes the reason behind its move: "The Aadhaar number is sensitive information, and the revised framework about its usage in the payment landscape is still evolving."
Gurgaon-based Aditya Khullar, technical leader-cybersecurity at Paytm, an e-commerce payment organization, notes: "To a large extent, there will be no implications with the removal of 'Pay to Aadhaar' because Aadhaar-based transactions are less than 0.1 percent of the total overall payments."
Aadhaar security has been in question in recent times because of data breaches and unauthorized access to UIDAI data. Critics charge that Aadhaar uses obsolete technology and allege that the UIDAI team has implemented security controls poorly (see Aadhaar Security: How Can It Be Fixed?).
In 2017, Aadhaar-related breach incidents at government portals affected over 13 crore people and the bank account details of about 10 crore.
The Aadhaar Act is silent on the UIDAI's powers to take action against companies that wrongly insist on obtaining Aadhaar numbers, those using Aadhaar numbers for unauthorized purposes and those leaking Aadhaar numbers.
Lack of Interest
The Aadhaar-enabled payment model has not taken off because of the widespread use of one-time passwords for two-factor authentication.
NPCI launched the UPI service in 2016 to enable account holders of any bank to send and receive money from their smartphones with a single identifier. The three options were: the Aadhaar number, a 12-digit individual identification number issued by the Unique Identification Authority of India on behalf of the government of India; a mobile number; or a virtual payments address (see: Securing NPCI's Unified Payment Service Against Online Fraud).
Dr. N. Rajendran, chief technology officer of NPCI, notes: "'Pay to Aadhaar' is an additional functionality in UPI and IMPS wherein the payer can transfer funds to the beneficiary using the Aadhaar number of the latter. However, since UPI is a secure channel with two-factor authentication, including customer ID, IFSC code and password which is mapped with UPI system, there is no Aadhaar number additionally required as identification proof to transfer funds."
NPCI says all member banks should remove the Aadhaar functionality both as remitter and beneficiary. Also, all interfaces currently offering this functionality, including UPI apps and third-party apps, should remove the Aadhaar option as well.
Over 55 banks have been leveraging NPCI's UPI and IMPS channels in general for fund transfers to align with RBI's vision of migrating toward a more digital economy.
"Aadhaar-enabled payments have not really taken off as customers are using their bank accounts/debit cards to do online transfers and make payments," says Sriram Natarajan, president and former chief risk officer at Quattro, a knowledge process organization consulting in the financial sector.
NPCI's decision comes in the wake of controversy surrounding Aadhaar security, he notes. "Given the low consumer usage, I guess the government and NPCI is playing it safe and doesn't see the need to expose the Aadhaar database to the vagaries of a payment transaction and accentuating the risk further," he says.
Khullar adds: "I understand the decision has largely been taken due to the ongoing implementation of the Virtual ID, introduced by UIDAI to give Aadhaar users/holders the option of not sharing his/her 12-digit number. By doing this, the security quotient will be strengthened."