Aadhaar round-up: KYC norms become more liberal and clearer

This post provides an overview of major Aadhaar KYC related developments in the last year. It covers expansion of Aadhaar e-KYC access to non-banks and the framework for offline Aadhaar verification.

Know-thy-customer is the first commandment of the financial services industry. And Aadhaar-based KYC is one of the most convenient and cost effective ways to execute this commandment. So, in 2021, the Reserve Bank of India (RBI) and Unique Identification Authority of India (UIDAI) opened up access to Aadhaar e-KYC for non-banks and provided clarity about offline Aadhaar verification.

Granting non-banks access to Aadhaar e-KYC

Aadhaar e-KYC verifies the identity of customers through mobile OTP or biometrics and involves integration with UIDAI infrastructure. Till September 2021, RBI only permitted banks to conduct Aadhaar e-KYC. But in September 2021, RBI opened this much coveted door for NBFCs and other non-bank payment system providers (PSOs) too. Now, NBFCs and PSOs can perform Aadhaar e-KYC after they obtain the RBI’s and UIDAI’s authorisation.

UIDAI and RBI have been wary of letting non-banks access the Aadhaar database (following complaints of misuse). But the regulators realized that this may do more harm than good. Especially after the pandemic which led to meteoric growth in demand for digital financial products. Currently, NBFCs and PSOs use other methods to perform KYC — like Aadhaar XML, verification of documents through DigiLocker etc. But these KYC processes are friction-ridden, costly, and at times, erroneous. So, access to Aadhaar e-KYC is necessary to create a level playing field for non-bank entities.

Aadhaar e-KYC will palliate many KYC concerns of non-bank entities. First is the reduced KYC cost. Aadhaar e-KYC is cheaper than other forms of KYC. UIDAI has also proposed a steep reduction in Aadhaar e-KYC charges (from Rs. 20 to Rs. 3). The financial services industry works on wafer thin margins, so KYC costs are an important differentiator. The reduced cost will enable non-banks to lower customer acquisition cost and offer cheaper financial products. Second is the speed and customer convenience. Aadhaar e-KYC is faster. Customers just need to provide their Aadhaar number and biometric details or OTP. And voila! KYC is done. The third is reliability. Aadhaar e-KYC lowers fraud and is more robust compared to other KYC modes.

Clarity about offline Aadhaar verification

UIDAI notified the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (New Aadhaar Rules) on 8 November 2021. The New Aadhar Rules replace the Aadhaar (Authentication) Regulations, 2016. One of the key additions in the New Aadhar Rules is the process for offline verification of Aadhaar numbers (oKYC). Unlike e-KYC (Aadhaar OTP and biometric based authentication), oKYC enables Aadhar number verification without interacting with the UIDAI infrastructure. But how does the oKYC story evolve with the New Aadhaar Rules? Let’s explore.

Recap: UIDAI amended the Aadhaar laws in July 2019 to allow oKYC. And mentioned that the oKYC processes will be notified separately. UIDAI also clarified that an Aadhaar number holder can use any of these documents to prove the possession of Aadhaar number:

• Aadhaar letter: A UIDAI issued letter (in physical form) which has details of the Aadhaar number holder.
• e-Aadhaar: An electronic copy of the Aadhaar letter, which is digitally signed by the UIDAI.
• Aadhaar Secure QR Code: A quick response code which is digitally signed by the UIDAI and contains details of the Aadhaar number holder.
• Aadhaar Paperless Offline e-KYC: An XML document containing details of the Aadhaar number holder, which is digitally signed by the UIDAI.

In addition, UIDAI also prescribed processes to conduct oKYC using QR Code and XML files (on its website). But one piece of the puzzle was missing. UIDAI had not prescribed these oKYC processes in any of its regulations. And the New Aadhaar Rules address this gap.

What changes:The New Aadhar Rules enable offline verification seeking entities (OVSEs) to conduct oKYC through the four documents mentioned above. The rules also impose some additional obligations on OVSEs. Like OVSEs must use a person’s Aadhaar data only for the purposes that the person has consented to. And delete the data if the person revokes her consent. OVSEs must also communicate the success or failure of the oKYC to the Aadhaar number holder. The rules also empower UIDAI to audit OVSEs and take penal action against OVSEs for violations.

Unresolved issues: The New Aadhar Rules are a positive step to clear the muddled waters of oKYC. But there are some issues which still remain unaddressed. Like it is not clear how an Aadhaar number holder will share his e-Aadhaar or Aadhaar secure QR code with OVSEs. The QR code has low resolution photographs. And OVSEs may have to introduce some additional checks to be sure of their customer’s identity and avoid frauds. The process for offline paper-based verification (using the Aadhar letter) is also not clear. Recent reports of fraudulent loans being availed using morphed Aadhaar documents underscores the need for safeguards in the oKYC process. Until these issues are addressed, the conundrum around oKYC is far from being resolved.

This post has been authored by the fintech team at Ikigai Law.