## Sunday, September 14, 2014

### A dramatic cost reduction for KYC using the e-KYC API of UIDAI

by Suyash Rai, Smriti Sharma, Sanhita Sapatnekar.

### The problem

On 2001-09-11, Mohammad Atta hijacked American Airlines Flight 11 and flew it into the North Tower of the World Trade Centre. Tracing flows of money led to the observation that a high-ranking official within Pakistan's Inter-Services Intelligence (ISI) had allegedly ensured more than USD 100,000 was wired to Mohammad Atta, before the attack took place. Law enforcement authorities became quite keen to observe and block the 'financing of terror'.

The Financial Action Task Force (FATF) develops and promotes policies that hinder money laundering, financing terrorism and financing weapons of mass destruction. One element of this requires financial institutions of member countries to implement 'Customer Due Diligence' (CDD) for a variety of financial activities and circumstances. India is a member of FATF and Indian regulators are obliged to apply CDD. Regulators in India have applied CDD through excessive forms of 'Know Your Customer' (KYC) requirements, which go well beyond the principles-based risk-sensitive requirements of CDD. As a result, financial firms in India face increased costs.

When an Indian financial service provider deals with a low value customer, the cost of performing the required KYC is often substantial when compared with the lifetime NPV of the customer. This has hampered financial inclusion by reducing the profitability of small value customers in the eyes of financial firms.

In 1999, Project OASIS (Old Age Social & Income Security) was established by the Ministry of Social Justice and Empowerment to make recommendations on how to develop old age income security. One of the key insights of Project OASIS was the importance of modern computer technology for the objective of serving small value customers. Paper- and human-intensive processes can even be viable for the rich, but when dealing with poor people, the only way to make ends meet is to push to the frontiers of technology.

### A new attack upon the KYC problem

The Unique Identification Authority of India (UIDAI) has developed a novel technology that cuts the cost of opening an account by approximately 80%. The steps of this process are as follows:

1. First, the customer has to have already enrolled in Aadhaar once. This involves supplying the name, identification, address details, and biometric data including the photograph. As there are many Aadhaar applications springing up in India, many individuals have ample incentive to undertake this cost of enrollment, once. Recent data shows that 670 million people in India have enrolled.
2. Now let's focus on the account-opening process at a financial firm. The customer shows up with his Aadhaar number.
3. The staff-person at the financial firm engages with the customer and takes the Aadhaar account number and captures fingerprints using a device.
4. Aadhaar has provided an application programming interface (API) through which the software at the financial firm now reaches into the Aadhaar database, presents (encrypted) credentials of an Aadhaar number and matching fingerprints, and requests a packet of information.
5. This information is used to populate the form for the account-opening process. E.g. the photograph is brought from the Aadhaar database and placed into the account opening form. The entire process -- from fingerprint to completed form -- takes roughly 15 seconds.

e-KYC eliminates human effort in account opening, and allows residents to present their KYC information electronically and instantaneously, without needing any physical form of identity or address proof. e-KYC eliminates the movement and storage of verification papers, and therefore costs of document management. Error-free data is obtained from the Aadhaar database, at a much lower cost when compared with the costs of typing in and removing the errors in human-created data. e-KYC is a game changer when it comes to opening accounts for poor people.

### An example

Invest India Micro Pension Services (IIMPS) enables low income informal sector workers to accumulate micro-savings for their old age. It has faced KYC challenges in the past, and is an early adopter of e-KYC. IIMPS's target population, i.e. the informal sector poor, cannot gain access to formal financial products as they have insufficient identity documentation (due to factors such as migration), or a complete lack thereof. As a result of this, and due to differences in KYC compliance across regulators, a host of interested low income workers are unable to join the integrated micro-pension program. This is only the first half of the problem. Lengthy KYC application and verification procedures cause significant cost and time overhead expenses for IIMPS while processing each micro-pension application. e-KYC has resolved both of these issues.

### Making it a reality

In the past, there have been doubts regarding the future of UIDAI's Aadhaar project. However, the BJP government has recently reaffirmed its interest in continuing with it. e-KYC is a valid document for all financial services, under the Prevention of Money Laundering Act Rules. e-KYC has also been accepted as valid proof of identification and address by five regulators in the financial sector, namely the Reserve Bank of India (RBI); the Securities and Exchange Board of India (SEBI); the Pension Fund Regulatory and Development Authority (PFRDA); the Insurance Regulatory and Development Authority (IRDA); and the Forward Markets Commission. It is also compliant with the Information Technology Act, 2000. This means the encryption and digital signatures ensure both end-points of the data transfer are secure, making e-KYC legally equivalent to KYC paper documents.

e-KYC is up and running. However, most financial firms do not (at present) utilise it. They need to modify their software systems in order to utilise the API. As only 670 million people are enrolled in Aadhaar, financial firms have to have the ability to do the old-style KYC also. In the future, there could be situations where the entire process capability for conventional KYC is removed, which would further reduce costs.

1. Until and unless Aadhar weeds out illegal immigrants urgently, it is nonsense and should not be encouraged. Proof is in the pudding. Show me that the Aadhar process can weed out illegal immigrants. If it can't do that, it can't be trusted for anything.

1. Aadhar is an identity proof. Not a nationality proof. There is no method to establish citizenship in India.

2. Not really. It is a national identity proof. And, establishing citizenship should be a pre-requisite to giving out national identities. And, if it is not a national identity proof then it's of no use and is a serious security threat (no matter what definition you use). Nothing should be tied to Aadhar unless we can remove illegal immigrants from the database. That much is commonsense. UIDAI cannot shift the responsibility away from itself. Shame on them.

3. Oh there are very easy commonsense ways to establish citizenship. How are passports given out? What is KYC all about if one cannot even find out if someone is a legal citizen or not? Instead of solving the problem, it is unbelievably shameless of a technology initiative to throw its hands up in the air and say we aren't going to do it. No need for Aadhar too then, and no need for pretence of using technology where it's not needed but not using it where it is needed.

2. Ajay Shah should declare if there is potentially any conflict of interest with his advocacy of aadhar (UID) and his role as an academic and think tanker. For all the rosy picture peddled on this blog, UID is problematic at so many levels. UID is not primarily meant for due diligence. It is one of its "supposed applications" as those who habitually market technology, with little appreciation or patience for complexities of governance in a democratic polity, would suggest.

Such "applications" are fraught with implications for privacy of citizens which are easier to gloss over during powerpoint presentations in AC rooms full of self-important people, than in courtrooms and media. Such advocacy posts do no justice to Mr. Shah's erudition and indeed raise questions about his moral center, in the context of news that the much touted technology of UID is so unreliable as to allow Hanuman, a God (and technically an alien) to enter himself into the UID database. One may argue duping the deduplication process is child's play for someone who can enter Ravan's lanka with ease, and we should in fact also extend OASIS benefits to him in deference to his age, but that is really beside the point.

Many years have passed since UID was launched. The actors have faded, but some in the bureaucracy and people who have pulled their weight behind that project continue to bat for it, despite no proof that any of its many pilot projects have addressed the many concerns about the project. The few studies which showed UID in good light were authored by Ajay Shah & some US scholars. They fail to address concerns of many in the academia, bureaucracy as well as the people who experience administrative burden on a daily basis due to hasty rollout. This project has already hastened the fading of a political dynastic party. The only question left is if it will do the same for a rightwing party sharing the same inability to protect public interest from dysfunctional bureaucratic rationality.

1. I don't see how a "Hanuman" photo on an Aadhaar card implies the de-duplication has been duped. In fact, the biometric information and corresponding Aadhaar number linked to that (and only that) photo belong to a very real person somewhere in India, who now faces a big issue due to the de-duplication process.

This unique individual cannot re-enrol as his/her fingerprints and iris scan are already in the database. As far as I can tell, to be able to utilise Aadhaar-enabled services they have precisely two choices. First, to carry on with paper based KYC to prove their identity (i.e. this person is essentially excluded from using the e-KYC system). Second, to update their photo to the real one and use e-KYC services. The fact remains that this unique Aadhaar number, and the corresponding biometrics, belong to a very real person who now cannot acquire a new Aadhaar identity. The photo might be inaccurate but the identity will never be duplicated.

Only one person will ever have this Aadhaar number, and this Aadhaar number is the ONLY one that will be assigned to these biometrics. The only thing this individual can do now is update the current photo assigned to the Aadhaar number in order to amend the mistake (intentional on their part, or otherwise) made during enrolment.

If anything, this incident proves how well the de-duplication can work. I could try and dupe other identity providers, and get a fake drivers license, PAN card, Voters ID card, etc. They all require the exact same level of KYC for granting entrance into the system. The difference here is that succeeding in acquiring a "Hanuman" drivers license (and who knows, there may be hundreds out there) will not stop me from then also getting a real and accurate drivers license. In the case of Aadhaar however, this is not possible BECAUSE of the de-duplication process.

2. ^^ One Hanuman, must have given his biometrics as part of the fake name application and he is no alien. It is only a matter of time this person will be known to law enforcement. If anything it only goes to tell how hard it is to beat the technology and not otherwise. And this is precisely what the left academicians are worried - that the use of technology, time stamps, and data integration will give little recourse for those that would like to deploy privacy mantra and the right against self-incrimination. This, they do with such filthy luxury and insensitivity even as the lack of- and misuse of- identity is bleeding the country's public finances and robbing the poor's share of endowments at such alarming levels.

3. This blog post is by Suyash Rai, Smriti Sharma and Sanhita Sapatnekar. It is not by me.

(I agree with them, but that's a different matter).

4. We should remove all arrest warrants immediately. No one should be arrested from this moment on:
http://www.thehindu.com/2004/02/24/stories/2004022402011200.htm

3. "Error-free data is obtained from the Aadhaar database"

Good joke there.

People have demonstrated that they can get duplicate IDs, IDs for fictitious people. Furthermore:

"The International Biometric Group (IBG) testing also shows that performance can vary drastically within technologies-some fingerprint solutions, for example, had next to no errors during testing, while others rejected nearly 1/3rd of enrolled users. "Most interestingly, the testing shows that over time, many biometric systems are prone to incorrectly rejecting a substantial percentage of users. Verifying a user immediately after enrolment is not highly challenging to biometric systems. However, after six weeks, testing shows that some systems' error rates increase ten-fold," said the research, consulting and integration firm, which works closely with the biometric industry. The report is titled "Real-World Performance Testing"."

Error-free my foot.

1. When I read the full sentence in question, I understood it to be something different. There may be errors in data collection at front end, yes, but the collected data is then repeated into different systems in an error free way, i.e. "Error-free data is obtained from the Aadhaar database, at a much lower cost when compared with the costs of typing in and removing the errors in human-created data." I understood this to mean that instead of a human being typing in data manually and making human errors, the data is transferred electronically (as I observed in the video) making it error free from the source.

2. Then it should say "Error-free retrieval of data", not, "error-free data". Secondly, if the argument is that error-free retrieval is possible due to the use of biometrics as the query, then it's not accurate as biometrics are not error-free (as commented previously). Third, we aren't even talking about hacking of the database, etc. as yet. Fourth, cost was irrelevant to the point so the full sentence is irrelevant. In any case the cost is to be looked at in entirety. All trivial cost savings will go out of the window when one large scam or one large terrorist breach occurs.

By the way, I hope the ID cards shown in the video are not genuine cards. I don't think one should be giving out ID details like that.

4. The beauty of a continued use of a unique identification number is that it will create its own intelligence and character over time, making the need for biometrics redundant. The current state of technology related to datawarehousing and analytics makes it possible to do away with biometrics with tolerable losses in efficiency and accuracy. In fact this is how the credit bureaus in the US can catch identity fraud without utilizing any biometrics. The Aadhaar's parallel in the US, the SSN, collects no biometrics but is universally used for most public and private sector transactions.

1. The argument is that biometrics solves the de-dup problem which plagues other UIDs like PAN. Instead of finding out how SSN processes solve the de-dup problem, we have gone with something that doesn't work and increases costs and increases security and privacy risks. Yet another regulation that is only meant to make you feel warm, but not actually achieve anything. It's like urinating in your pants, it may make you feel warm but it does nothing for you. That's biometrics and Aadhar for you. Actually, that is the entire regulation framework in India for you.

5. Hi, with eKYC how is the signature capturing process handled in paperless account opening, since signature capture is also important for cheque issuance and clearance?

6. How will a complete digital account opening handle signature capturing which is also important for cheque issuance and clearance?
