A series of recent scams have exposed the vulnerabilities of the Aadhaar-enabled Payment System (AePS). The AePS enables a person to withdraw money from her bank account anywhere in the country using a local “business correspondent” (BC). A BC is an informal bank agent equipped with a biometric Point-of-Sale (PoS) machine — a kind of micro-ATM. If you want to withdraw, say, Rs 500 from your bank account using a BC, you just have to give him the name of your bank and submit yourself to Aadhaar-based biometric authentication (ABBA). The BC will give you Rs 500 in cash, and his own account will be credited with the same amount. For this to be possible, your bank account must be linked with Aadhaar.
So far so good. But what if the BC enters “one thousand rupees” in the PoS machine even as he gives you five hundred? In that case, one thousand will be debited from your account, and credited to the BC’s account, but you will only get five hundred — fraud! This is unlikely to happen if you are educated and alert. You will ask for a receipt, and the BC will promptly give you the receipt generated by the PoS machine. BCs, however, routinely deny receipts to poor people, if they demand one at all. As a safeguard, some PoS machines have a voice-over, but the voice-over is easy to disable. There lies one major vulnerability of AePS.
A corrupt BC can even get away with asking a gullible customer to put her finger in the PoS machine under some pretext, without giving her any money. This is what happened to Nagina Bibi, an elderly woman who lives in Vishunbandh village of Latehar district in Jharkhand. A roaming BC came to her house one day, from a neighbouring district. Claiming that he was helping her to get a gas subsidy, he persuaded her to put her finger eight times in the PoS machine and withdrew Rs 24,000 from her bank account without her knowledge. Most of this money consisted of her meagre pension and hard-earned wages, saved for her daughter’s marriage.
Later on, Nagina discovered that Rs 24,000 had been withdrawn from her account. She complained to the bank manager, but he pleaded helplessness. He had no record of the fraudulent BC (only “AePS” showed in his transaction records). From his point of view, this was a matter between Nagina and the “acquirer bank”, that is, the bank that had deployed the concerned BC. He added that he could request more detailed transaction records online if Nagina filed an FIR. The police, however, refused to register an FIR.
Many similar cases of AePS-enabled fraud have emerged in Latehar. Most of them are unresolved. Even if the BC can be traced, it is easy for him to claim that he did disburse cash as per records — it is his word against the victim’s. In short, corrupt BCs operate with virtual impunity.
All this, however, is just a trailer. A friendly BC told us that similar ploys were being used across Jharkhand for mass embezzlement of scholarships intended for minority children. After preliminary enquiries, confirming his allegations, we alerted the media and a detailed investigation by The Indian Express exposed the scam.
Briefly, the scam worked as follows. Corrupt middlemen bribed school principals to obtain names of minority children and other information such as the school’s Unified District Information System for Education (UDISE) code and login. They submitted scholarship applications on behalf of the children after opening Aadhaar-linked bank accounts for them using a local BC. Children were given nominal sums of money and the rest was siphoned off without their knowledge. This was made possible by AePS. Had children been required to collect their scholarships from bank premises, they would have learnt the correct scholarship amounts from their passbooks, if not from a bank employee. The scholarship scam in Jharkhand shows that AePS-enabled fraud is not a sporadic problem but a systemic vulnerability.
The AePS is a valuable facility for those who are able to use it safely. Like other micro-ATM systems, it has helped to decongest banks. It can be particularly useful to migrant workers who have no ATM facility. But AePS comes with serious risks of being cheated for those who are not clear about how it works. These risks are magnified when banks refuse to disburse small amounts to their customers and send them to BCs instead, a routine practice in rural Jharkhand.
There are ways of reducing the vulnerabilities of AePS. For instance, BCs could be required to make manual if not digital entries into printed customer passbooks. That would act as a permanent, verifiable receipt that cannot be denied to the customer so easily (a blank entry would be incriminating). Ensuring that BCs are clearly identified in transaction records would also help. So would SMS alerts, when the customer has a mobile number. Roaming BCs should perhaps be banned, at least in states with low literacy levels. And most importantly, better grievance redressal facilities must be made available to the victims of AePS fraud.
And now, the happy end. Nagina belongs to a workers’ organisation, so she decided to fight back. She and her comrades ultimately managed to prevail on the bank manager and the police to trace the culprit, who was arrested and charged. It emerged, however, that he had swindled many other people in the same fashion, and that other corrupt BCs were also prowling in the area. According to the cybercrime cell in Latehar, some recent acts of AePS-related fraud involve lakhs of rupees.
Nagina’s victory is the exception, not the rule. The vulnerabilities of AePS are putting countless people in danger of being robbed of their hard-earned savings.
This column first appeared in the print edition on October 5, 2021 under the title ‘The Aadhaar loophole’. Drèze is Visiting Professor at the Department of Economics, Ranchi University; Paikra is an independent researcher