Aadhaar Officials meet Axis Bank, Suvidhaa reps about misuse; services still suspended

Ramarko Sengupta February 27, 2017

Axis Bank and its banking correspondent Suvidhaa Infoserve on Monday met with UIDAI (Unique Identification Authority of India) officials in Delhi to explain the Aadhaar violation they had reportedly committed. UIDAI had lodged a complaint with the Delhi police earlier this month against Axis Bank, Suvidhaa Infoserve and eMudhra (a digital signature certificate issuing firm) for violating norms, after it found the same biometric match in concurrent transactions over a period of time.

“All their questions have been replied and a detailed written submission has been made. We have explained (to) them about the incident which took place in a testing environment and there are no financial implications or actual transactions which took place during this incident. We will be awaiting further instructions from the authorities,” a Suvidhaa spokesperson said after the meeting.

The concurrent transactions, which took place between July 14, 2016 and February 19, 2017, could only have happened if the biometric data was stored, an industry expert who works closely with UIDAI said. “It’s like your credit card being used in Nagpur and Mumbai at the same time,” he explained.

The Aadhaar Act bars storing biometric data in systems. Violation can attract jail time of up to three years along with a fine. However, the industry expert, who did not wish to be named, pointed out that “for testing purposes people do use saved biometrics, that’s not unusual. What happens is, testing does not happen on a production system, it happens on a sandbox (testing environment) that is available.” A source at Axis Bank said that the Suvidhaa engineer testing the system went live with it by mistake, raising a red flag in the Aadhaar system. eMudhra, on the other hand, denies storing biometric data.

Aadhaar is an ‘ignorant system’, which means it does not know whether a bank or a telco is asking for an authentication. It simply has a ‘yes’/‘no’ model of working. For example, if a bank is trying to verify an identity, the request goes through an AUA (Authentication User Agency), which in turn sends it to an ASA (Authentication Service Agency), which strips the information about where the query has come from and sends it to the Aadhaar system. The tiered approach is to ensure privacy and security. Currently there are around 235 AUAs and 26 ASAs.

Axis Bank did not immediately have a comment on Monday’s meeting, and UIDAI officials did not respond to calls and emails regarding the next course of action.

The Aadhaar authentication operations of Axis Bank, Suvidhaa Infoserve and eMudhra remain suspended in the meantime.