Several banks have raised objections to UIDAI’s decision to appoint Deloitte as the only agency to conduct the mandatory Information Security (IS) audits in banks, financial companies, telecoms and other institutions that use Aadhaar-based authentication systems, a report from the Hindu said. According to bankers, not only has the move created a monopoly situation for Deloitte, but the charges specified for its services are too high, the Hindu reports.

The issue first began in November last year when the UIDAI issued a circular mandating Deloitte as the sole agency for conducting the IS audits, the Hindu said. However, a month later, following multiple requests from banks, UIDAI issued a one-line circular, putting the decision on hold, the report added.

Fast forward to April 4, UIDAI again issued a circular asking banks to ‘enter a contract’ with Deloitte since the firm has been ‘empaneled’ by it for a tenure of three years. According to bank officials, the April circular was the same as the November notice barring two differences. “One, words ‘per site’ [for charges] were removed, and it simply said ‘per audit’; two, the specified rates for ‘out of pocket’ expense were removed,” said a private bank official to the Hindu.

According to UIDAI’s latest circular, Deloitte would perform the mandatory IS audit once a year and charge a fixed fee of ₹1,94,700 per unit. Further, these ‘ecosystem partners’ will also need to pay for the travel, boarding and lodging of Deloitte officials, the communique said.

Objection raised on several counts

The move is expected to hit ‘smaller’ banks the hardest given their inability to shell out such charges for IS audits. Some of the smaller lenders like cooperative banks have described the mandate as unjust and unwanted, the Hindu report stated. They questioned the rationale for uniform charges for all entities irrespective of size, business, income and profitability.

Most bankers were of the opinion that by having more alternatives as empaneled auditors, individual user agencies of the Aadhaar ecosystem could negotiate better rates and services. “Deloitte is a well-respected organisation; no one will have a doubt on their competence to conduct these audits. The problem is that they charge handsomely for their services and by removing our ability to go elsewhere, we (banks) are stuck,” an official from a private bank told Medianama on the condition of anonymity. The official suspected that the response from UIDAI would be that the requirements laid down to be awarded the contract were so stringent that only Deloitte qualified successfully.

Questioning UIDAI’s decision

Some officials aware of the tendering process followed by the UIDAI said that the Aadhaar issuing body had no intent of wrongdoing. Given the sensitivity and media coverage around data security, particularly concerning Aadhaar, UIDAI felt that only agencies with a proven track record and repute should be given the contract. Other bankers, however, questioned the process and intent of awarding Deloitte the IS audit contract. Given the lack of transparency and details regarding other failed participants, these bankers stopped short of accusing UIDAI of creating a syndicate with private firms.

“We would have had no major issues if UIDAI issued these contracts in a transparent manner. But there was little or no information on why and how other participants were completely disregarded. You said they might have taken the decision because they are particular about having the best practices to protect data. But I can point out a whole lot of small time but equally good, if not better, auditors that will do the same service for a fraction of what these guys (Deloitte) are charging. These small firms are all fully licensed and capable forces. Completely disregarding them makes me question this whole thing,” another official from a different private bank said to Medianama.

Moreover, some online news portals claim that Deloitte was given the contract to conduct IS audits despite not qualifying for the said tender. According to Moneylife.in, UIDAI required applicant companies to be registered in India for five years; have a minimum specified annual turnover in the past three financial years; employ a specified number of technically qualified personnel; and have completed a minimum number of audit assignments. Moneylife.in reports that Deloitte didn’t fulfill many of these requirements. However, Medianama could not verify or confirm the claims made in these reports.