Banks question UIDAI decision to appoint Deloitte as only agency for information security audits

An official aware of the tendering process followed by UIDAI for empanelment of agencies to conduct IS audits, said it had laid down stiff conditions that were only met by Deloitte.

Updated - July 12, 2018 04:09 pm IST

Published - July 11, 2018 10:51 pm IST - Mumbai

The decision of the Unique Identification Authority of India (UIDAI) to appoint Deloitte as the only agency to do mandatory audits of Information Security (IS) in banks, financial institutions and telcos using the Aadhaar-based authentication regime, has attracted flak from bankers.

In a missive to banks and other Aadhaar agencies on April 4 last, the UIDAI asked them to ‘enter a contract’ with Deloitte since the firm has been ‘empanelled’ by it.

As per the UIDAI, Deloitte would perform the assessment once a year and a fixed fee of ₹1,94,700 a unit is to be paid by ecosystem partners to Deloitte for conducting the mandatory IS audit. Banks will also need to pay for the travel, boarding and lodging of Deloitte officials, the communique said.

'A monopoly situation'

According to bankers, not only are the specified costs too high, the UIDAI’s move has also created a monopoly situation for the firm. The inclusion of more alternatives as empanelled auditors could allow individual user agencies of the Aadhaar ecosystem to negotiate better rates and services. Banks have conveyed these views to the UIDAI.

The controversy has been brewing since November last, when the UIDAI first issued a circular mandating Deloitte as the sole agency for the audit.

However, following requests from banks, on December 11, a one-line circular was issued by the authority, putting its November circular on hold.

“Then on April 4, they again issued the circular making it mandatory for banks to appoint Deloitte and prescribed the charges that were the same as the November circular. However, there were two differences. One, words 'per site' [for charges] were removed, and it simply said 'per audit'; two, the specified rates for 'out of pocket' expense were removed,” said a top private sector bank official, who wished not to be named.

Smaller lenders unhappy

In addition, the word ‘sole’ was removed with reference to Deloitte’s empanellment. Some of the smaller lenders like cooperative banks have described the mandate as unjust and unwanted. They questioned the rational for uniform charges for all entities irrespective of the size, business, income and profitability.

The UIDAI did not respond to queries from The Hindu on the issue. When contacted, a spokesperson for Deloitte said, “We are bound by confidentiality obligations and are unable to comment on client-specific matters.”

An official aware of the tendering process followed by the UIDAI for empanelment of agencies to conduct the IS audits, said it had laid down stiff conditions that were only met by Deloitte. Given the sensitivity around data security, it was felt that only agencies with a track record should be given the contract, the official said.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.