What is the India Stack and why is it no longer the dream it used to be?

Last week was all about Indian fintech for me – Burnmark’s Indian FinTech Opportunities Review was released last week in partnership with Yes Bank and PWC. I also chaired the “India Stack” session at Money20/20 Asia and a panel with leaders from several Indian banks at SunTec Confluence.

The India Stack (or Aadhaar Stack) is one of the hottest topics today in fintech, and a must-talk-about term in any conversation around identity, data, biometrics or government services. When I polled my mostly European audience at Money20/20 Asia last week, 88% of them said they had heard of Aadhaar, but only half of them knew what it was. And it was a full room too, showing how much interest there is in the Aadhaar stack from people with limited business interests in India. There are three reasons why Aadhaar elicits such great interest:

1. It is the largest biometric identity project in the world that has been successfully completed.
2. India is one of the hottest markets for fintech, with 200+ start-ups just in the payments space.
3. India has made open APIs available for payments through the UPI framework and could be a good case study when PSD2 happens.

The good

Aadhaar is a fantastic initiative, and one of the first such to be deployed in the world. Identity is a huge problem in every part of the world – from Europe to Africa to Asia. People are migrating more than ever, and they lose their identity and credit worthiness whenever they move to a new country. Refugees coming from Africa or Asia to Europe all receive the same level of reproach from banks and lending agencies, regardless of their financial behaviour in their previous lives, which prevent the entrepreneurs and successful professionals amongst them struggling to find a new life and career.

In India, the biggest challenge in terms of Identity was not about migration or refugees, but about inclusion. There had to be a better and more efficient mechanism to provide basic education, health and food services to 1.3 billion people, out of which 67.5% of the population live in rural areas – and the Aadhaar identity scheme was conceived as a means to do this.

What is truly brilliant about the idea is that Aadhaar is not just about Identity, but is about the “stack”. The biometric identity, Aadhaar, is only the bottom most layer in a value-adding stack of offerings from the government and other parties. The paperless layer, that uses Aadhaar identity data to provide e-KYC (know your customer) and e-documentation services is today one of the most cost-efficient, all pervasive KYC tools in the world, with over 16.96 billion e-KYCs already done by consumers, helping the Government save more than $7 billion so far. The cashless layer has taken a huge leap forward with the deployment of Unified Payments Interface (UPI), launched in 2016, an instant payments system that enables peer-to-peer (P2P) transfer of money between bank accounts with the help of open APIs and enablers using them.

Thus Aadhaar is only one of the enablers within the stack which fintechs, developers, banks, healthcare providers, non-profit organisations and others can use to build offerings and value-added services that benefit the end consumers.

An example is Samaadhaar, a social market place app that connects non-internet users from across India. Another app developed by a student, called True Scholar, helps identify students during an examination process. Today, taxes, bank accounts, pension funds, academic scholarships, farming insurance, cooking gas and food subsidies, driving licenses, financial support schemes and mobile phone connections are linked to Aadhaar, helping governments have a single, transparent view of the consumers’ needs and also helping to handle issues around money laundering, corruption and terrorism.

The bad

It all sounds great, but what can possibly go wrong will always go wrong. The process of getting and updating an Aadhaar card has been a nightmare (or so I’ve been told). Since the Aadhaar identity is stored in a physical card, if the customer loses it, or needs to update any details for some reason, the process can be very slow, confusing and tedious without much help from any of the organisations involved. Technical glitches and discrepancies have been reported in the updation process as well, with systems being down for weeks, and people having to stand in lines for hours to speak to someone at the post offices.

The courts system of India is facing thousands of petitions against the implementation of Aadhaar, mainly due to concerns of privacy. The court also seems to be taking the side of pro-privacy rather than pro-Government in these cases, which is the way it should be, but leading to significant challenges and delays with the implementation process as planned by the Government.

For example, the Government had set a deadline of 31 March 2018 to link Aadhaar accounts to bank accounts and mobile phone accounts, and said in no uncertain terms that the accounts will be disabled if not done by deadline. I even flew from London to India to transfer/close my accounts since I do not own an Aadhaar card. However, just two weeks before deadline, the Supreme Court announced that there is now an unlimited extension on the deadline, and firms are now back doing paper-based KYC instead of using Aadhaar if the consumers so desire.

The ugly

These all seem like minor hiccups, compared to the real issue around Aadhaar. There is a real, tangible and fearsome concern around data privacy and security. There have been at least two signifcant reports of Aadhaar consumer data being leaked – the first major report of a data breach came in January, when anonymous people were selling Aadhaar data over Whatsapp for the equivalent of £5. Reporters were able to access login information of consumers through the data sellers, and also, for another £3, get access to a platform with easy access to all customer data. A more concerning development occurred last week, when there were reports of a government utility firm (that has access to Aadhaar data for purposes of subsidies etc) used such a vulnerable platform for storing data that anyone could have obtained unique Aadhaar data by hacking into it – this platform went offline when the report came out.

Though these are the two widely reported instances of a data breach around Aadhaar, there have been several cases of successful or close-to-successful hacks that the data has seen, including when a French security researcher was able to get Aadhaar account details of 5.6 million customers with a basic SQL injection. There are several blogs online today (found with a simple google search) who have shared Aadhaar account details online of thousands of consumers, obtained through god-knows-what channels. There have also been instances of fake accounts being created for dogs, cats, Lord Hanuman and so on!

Aadhaar is not like the US Social Security number or the UK National Insurance number, as those are mostly used for purposes of social benefits and not for everything from flights to buying property to cooking gas subsidies. More importantly, Aadhaar is the largest sensitive data store in the world, with over 1.1 billion unique data points stored in it – connected to hundreds of government agencies and data shared with thousands of private companies – which, on its own, deserves the best security system is possible. I am not convinced, today, the security and data privacy elements are fully taken care of, which is why I will not be taking my Aadhaar card in a hurry. I am fortunate I have a choice, but I worry about the billions who live in India, who have shared all of their data, who never had that choice. Very worrisome indeed.

Click here to view my presentation on the India Stack at Money20/20 Asia.

By Devie Mohan, fintech advisor and analyst