The decision of the Unique Identification Authority of India (UIDAI) to appoint Deloitte as the only agency to do mandatory audits of Information Security (IS) in banks, financial institutions and telcos using the Aadhaar-based authentication regime, has attracted flak from bankers.
In a missive to banks and other Aadhaar agencies on April 4 last, the UIDAI asked them to ‘enter a contract’ with Deloitte since the firm has been ‘empanelled’ by it.
As per the UIDAI, Deloitte would perform the assessment once a year and a fixed fee of ₹1,94,700 a unit is to be paid by ecosystem partners to Deloitte for conducting the mandatory IS audit. Banks will also need to pay for the travel, boarding and lodging of Deloitte officials, the communique said.
'A monopoly situation'
According to bankers, not only are the specified costs too high, the UIDAI’s move has also created a monopoly situation for the firm. The inclusion of more alternatives as empanelled auditors could allow individual user agencies of the Aadhaar ecosystem to negotiate better rates and services. Banks have conveyed these views to the UIDAI.
The controversy has been brewing since November last, when the UIDAI first issued a circular mandating Deloitte as the sole agency for the audit.
However, following requests from banks, on December 11, a one-line circular was issued by the authority, putting its November circular on hold.
“Then on April 4, they again issued the circular making it mandatory for banks to appoint Deloitte and prescribed the charges that were the same as the November circular. However, there were two differences. One, words 'per site' [for charges] were removed, and it simply said 'per audit'; two, the specified rates for 'out of pocket' expense were removed,” said a top private sector bank official, who wished not to be named.
Smaller lenders unhappy
In addition, the word ‘sole’ was removed with reference to Deloitte’s empanellment. Some of the smaller lenders like cooperative banks have described the mandate as unjust and unwanted. They questioned the rational for uniform charges for all entities irrespective of the size, business, income and profitability.
The UIDAI did not respond to queries from The Hindu on the issue. When contacted, a spokesperson for Deloitte said, “We are bound by confidentiality obligations and are unable to comment on client-specific matters.”
An official aware of the tendering process followed by the UIDAI for empanelment of agencies to conduct the IS audits, said it had laid down stiff conditions that were only met by Deloitte. Given the sensitivity around data security, it was felt that only agencies with a track record should be given the contract, the official said.