wordpress blog stats
Connect with us

Hi, what are you looking for?

Banks object to UIDAI’s decision of appointing Deloitte as sole agency for information security audits

Several banks have raised objection to UIDAI’s decision of appointing Deloitte as the only agency to conduct the mandatory Information Security (IS) audits in banks, financial companies, telecoms and other institutions that use Aadhaar-based authentication systems, a report from the Hindu said. According to bankers, not only has the move created a monopoly situation for Deloitte, but the charges specified to avail their services are too high, the Hindu reports.

The issue first began in November last year when the UIDAI issued a circular mandating Deloitte as the sole agency for conducting the IS audits, the Hindu said. However, a month later, following multiple requests from banks, UIDAI issued a one-line circular, putting the decision on hold, the report added.

Fast forward to April 4, UIDAI again issued a circular asking banks to ‘enter a contract’ with Deloitte since the firm has been ‘empaneled’ by it for a tenure of three years. According to bank officials, the April circular was the same as the November notice baring two differences. “One, words ‘per site’ [for charges] were removed, and it simply said ‘per audit’; two, the specified rates for ‘out of pocket’ expense were removed,” said a private bank official to the Hindu.

According to UIDAI’s latest circular, Deloitte would perform the mandatory IS audit once a year and charge a fixed fee of ₹1,94,700 per unit. Further, these ‘ecosystem partners’ will also need to pay for the travel, boarding and lodging of Deloitte officials, the communique said.

Objection raised on several counts

The move is expected to hit ‘smaller’ banks the hardest given their inability to shell out such kind of charges for IS audits.  Some of the smaller lenders like cooperative banks have described the mandate as unjust and unwanted, the Hindu report stated. They questioned the rational for uniform charges for all entities irrespective of the size, business, income and profitability.

Most bankers were of the opinion that by having more alternatives as empaneled auditors, individual user agencies of the Aadhaar ecosystem could negotiate better rates and services. “Deloitte is a well-respected organisation; no one will have a doubt on their competence to conduct these audits. The problem is that they charge handsomely for their services and by removing our ability to go elsewhere, we (banks) are stuck,” an official from a private bank told Medianama on the condition of anonymity. The official suspected that the response from UIDAI would be that because the requirements laid down to be awarded the contract were so stringent, that only Deloitte qualified successfully.

Questioning UIDAI’s decision

Some officials aware of the tendering process followed by the UIDAI said that the Aadhaar issuing body had no intent of mis-doings. Given the sensitivity and media coverage around data security, particularly concerning Aadhaar, UIDAI felt that only agencies with a proven track record and repute should be given the contract. Other bankers, however, questioned the process and intent of awarding Deloitte the IS audit contract. Given the lack of transparency and details regarding other failed participants, these bankers stopped short of accusing UIDAI of creating a syndicate with private firms.

“We would have had no major issues if UIDAI issued these contracts in a transparent manner. But there was little or no information on why and how other participants were completely disregarded. You said they might have taken the decision because they are particular about having the best practices to protect data. But I can point out a whole lot of small time but equally good, if not better, auditors that will do the same service for a fraction of what these guys (Deloitte) are charging. These small firms are all fully licensed and capable forces. Completely disregarding them makes me question this whole thing,” another official from a different private bank said to Medianama.

Moreover, some online news portals claim that Deloitte was given the contract to conduct IS audits despite not qualifying for the said tender. According to Moneylife.in, UIDAI required applicant companies — to be registered in India for five years; have a minimum specified annual turnover in the past three financial years; employ a specified number of technically qualified personnel; and have completed a minimum number of audit assignments — and that Deloitte didn’t fulfill many of these requirements. However, Medianama could not verify or confirm the claims made on these reports.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like


As many as 40,955 fraudulent Aadhaar numbers have been discovered and cancelled as of August 31, 2020, the IT ministry told the Rajya Sabha...


The Ministry of Finance has allowed 23 private insurance companies and state-owned Life Insurance Company to carry out Aadhaar-based authentication under Section 11A of...


Imagine if government databases could track when you moved cities, changed jobs, bought property, got married, or basically had any kind of social life....


On February 27, HR tech firm SpringRole India Pvt Ltd launched a WhatsApp-based tool that can authenticate any person’s government IDs — Aadhaar card,...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to Daily Newsletter

    © 2008-2018 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ