The Aadhaar-enabled Payment System (AePS) in India has recently been exploited by cybercriminals, leading to a number of depositors losing their hard-earned savings to fraud. This was observed by the civil society platform Bank Bachao Desh Bachao Manch in a letter sent to the Reserve Bank of India governor on September 20, 2023.
According to the letter to the RBI Governor, “Despite clear cut guidelines from UIDAI all the banks are coercing account holders to link Aadhaar with their account number thereby exposing them to AEPS without their mandate.”
According to Bank Bachao Desh Bachao Manch’s account on the social media platform X, it is a civil society platform to mobilise public opinion against bank privatisation and also to take up social causes.
According to the forum, banks are directly responsible for this fiasco, which has led to thousands of innocent depositors losing their hard-earned savings through frauds using the AEPS.
Cash withdrawal using AEPS
It has been flagged by the forum that the AEPS cash withdrawal mechanism should not be available by default, and banks should put in place an appropriate system to ensure that, unless a customer specifically chooses AEPS, the flag should generally be off for the rest of the customers.
What is Aadhaar Enabled Payment System?
Aadhaar Enabled Payment System (AEPS) is a payment service that allows a bank customer to use Aadhaar as his/her identity to access his/her Aadhaar enabled bank account and perform basic banking transactions like balance enquiry, cash withdrawal, remittances through a Business Correspondent.
The only inputs required for a customer to do a transaction under this scenario are:
- Bank Name
- Aadhaar Number
- Biometrics captured during enrolment
To prevent misuse of Aadhaar data, the biometrics should be locked using the mAadhaar app or the Unique Identification Authority of India (UIDAI) website.
How to lock Aadhaar biometrics online
To lock the UID, residents must have a 16-digit VID number; it is a prerequisite for locking. Residents who do not have a VID can generate one via the SMS service or the website.
Step 1: Visit the UIDAI website or go directly to https://resident.uidai.gov.in/bio-lock
Step 2: Click on ‘My Aadhaar’ tab and under the ‘Aadhaar services’, click on ‘Aadhaar lock/unlock’.
Step 3: Enter Aadhaar number or VID
Step 4: Enter Captcha and click on Send OTP
Step 5: Enter OTP received on your registered mobile number
Step 6: Click the ‘Enable’ button after entering the four-digit security code displayed on the screen.
Your biometric information will now be locked, and you will need to unlock it in order to use it again.
Aadhaar holders won’t be able to use their UID, UID Token, or ANCS Token for biometric, demographic, or OTP-based authentication after locking. Once their UID has been locked (Demo, Bio, & OTP), residents can use their 16-digit VID Number to authenticate for all methods of authentication.
The following steps can be taken right away if someone has fallen victim to AePS fraud but has not locked their biometric information.
Bank’s customer care: One of the first things that an individual should do is to contact the bank’s hotline number to report fraudulent transactions.
Account Block: People can request their bank to temporarily block their account to prevent unauthorised transactions if they are suspicious of any ongoing misuse or fraud.
Notify the authorities: “The victim(s) of AePS unauthorised transactions should immediately report the fraud incident to his bank and file a police complaint and also report the incident to National Cyber Crime Reporting Portal (https://cybercrime.gov.in/). Further, the victim also has 90 days to raise chargeback (reversal) on the transaction. They have to approach their bank for this or call the customer service helpline of the bank. Also based on the customer’s request, the bank will be taking steps to prevent further transactions in the account,” says Biju K, Senior Vice President & Chief Vigilance Officer, at Federal Bank.
Further, the Unique Identification Authority of India (UIDAI) must also be apprised of the AePS fraud incident. The contact details of UIDAI can be found here: https://uidai.gov.in/en/contact-support.html.
The maximum transaction amount for a single AEPS financial transaction has been fixed by NPCI at Rs. 10,000.
The Bank Bachao Desh Bachao forum stated the following, which, if adopted peremptorily, could arrest the frauds to a large extent.
- Instruction to be issued to all the banks not to coerce the customers to submit Aadhaar Card while opening the bank accounts as this is not mandatory as per extant instructions.
- Banks should not discourage customers/account holders from delinking their Aadhaar number from their accounts. On the contrary, banks should facilitate such requests promptly.
- The system of opening of accounts on the e-KYC platform should be stopped forthwith as it is directly linked with submission of Aadhaar details by way of usage of biometric gateway. The banks should revert to normal account opening system by way of using other KYC address proof documents like Voter Card, Electric Bill, landline Bill, etc.
- AEPS system of cash withdrawal should be made not available by default and proper system should be put in place by the Banks so that unless a customer specifically opts for AEPS, in general the flag should be off for the rest of the customers.
- Separate flags for AEPS to be enabled for accounts opened at CSPs for customers, who require AEPS for cash withdrawal for availing DBT etc.
- Checkpoints to be incorporated at various points which are soft targets for the fraudsters to get access to the fingerprints like offices of Registrars, Mobile SIM vending outlets, ration shops etc.