The National Payments Corporation of India (NPCI) has swung into action to prevent scammers from misusing customers’ credentials to empty their bank accounts. It has asked acquirer banks’ to allow interoperable AePS (Aadhaar-enabled Payment System) cash withdrawal transactions only after Aadhaar-based biometric authentication of business correspondents (BCs) and agents.

Further, acquirer banks, which provide the necessary infrastructure to the merchant to accept payments and facilitate acceptance of payments through cards, have to ensure that there is no misuse of the BHIM Aadhaar Pay transactions for carrying out cash withdrawals and to have daily monitoring to identify and stop any misuse.

This advisory comes as cases of fraud have been reported across the country, whereby money has been withdrawn by scamsters via AePS by surreptitiously using customers’ Aadhaar credentials.

Cybercriminals have now taken to using silicone thumbs to operate biometric POS devices and biometric ATMs to drain users’ bank accounts, per a May 2023 report in The Hindu.

AePS is a payment service that allows a bank customer to use Aadhaar as his/her identity to access his/ her respective Aadhaar-enabled bank account and perform basic banking transactions such as balance inquiries, cash deposits, cash withdrawals, and remittances through a BC/Agent.

BHIM Aadhaar Pay enables merchants to receive digital payments from customers over the counter through Aadhaar authentication. It allows any merchant associated with any acquiring bank, live on BHIM Aadhaar Pay, to accept payment from customers of any bank by authenticating the customer’s biometrics.

NPCI said the process of two-factor authentication for BC/Agent login at least once a day, with one of the factors being Aadhaar biometric authentication, continues.

Acquirer banks are now required to have in place a mechanism whereby if three consecutive BC/Agent authentication requests are declined due to a biometric mismatch, they are blocked for 24 hours. Investigations have to be carried out before allowing the BC/Agent to resume the AePS service again.

Biometric authentication is expected to help identify the BC/Agent assisting a customer with cash withdrawal transactions. It will also allow banks’ to take appropriate action, where required, against BC/Agent’s reported to be involved in inappropriate activities.

NPCI asked banks to implement the measures relating to authentication of BCs/Agents from January 1, 2024, for an initial period of three months, after which the impact will be reviewed to decide the further course of action.

In case of any dispute is reported under BHIM Aadhaar Pay, the onus is on banks to convincingly prove that there was a purchase/ payment transaction involved and not a cash withdrawal.

As per RBI data, in November 2023, AePS logged 1,079.59 lakh transactions (944.92 lakh in November 2022), aggregating ₹28,972 crore (Rs 25,541 crore). BHIM Aadhaar Pay clocked 18.82 lakh transactions (14.52 lakh), aggregating ₹590 crore (₹275 crore).

The civil society forum “Bank Bachao Desh Bachao Manch, had drawn the attention of the RBI in September 2023 about a spate of frauds surfacing across the country, whereby fingerprints of customers of banks are being used by unscrupulous fraudsters to withdraw money from Customer Service Points using AEPS.

The forum’s joint convenors, Soumya Datta and Biswajit Ray, in a letter to RBI Governor Shaktikanta Das, said instructions should be issued to all banks not to coerce customers to submit Aadhaar Card while opening bank accounts, as this is not mandatory as per extant instructions.

“Banks should not discourage customers/account holders to delink their Aadhaar number from their accounts. On the contrary, banks should facilitate such requests promptly,” they said.

The Joint Convenors suggested that the AEPS system of cash withdrawal should be made not available by default, and a proper system should be put in place by the banks so that unless a customer specifically opts for AEPS, in general the flag should be off for the rest of the customers.