Aadhaar Act amendments take steps in right direction

By Shilpa Mankar Ahluwalia and Himanshu Malhotra, Shardul Amarchand Mangaldas & Co

Fintech players in India had effectively leveraged the Aadhaar-based know-your-customer authentication services (Aadhaar KYC) made available by the Unique Identification Authority of India (UIDAI) to onboard customers quickly and at a fraction of the cost involved in any paper-based onboarding method.

However, in September 2018, the Supreme Court, in Justice KS Puttaswamy and Anr v Union of India (Aadhaar judgment), read down section 57 of the Aadhaar Act (act), prohibiting private bodies from using Aadhaar KYC in the absence of supporting legislation. The Aadhaar and Other Laws (Amendment) Ordinance, 2019 (ordinance), promulgated on 2 March 2019, seeks to introduce a legislative framework for the use of Aadhaar KYC by banks and financial institutions.

Key regulatory changes


The most significant changes introduced by the 2019 ordinance are the amendments to section 4 of the act and the Prevention of Money Laundering Act, 2002 (PMLA), allowing private entities to use Aadhaar KYC to onboard customers (going back to the position that existed before the Aadhaar judgment). However, the ordinance only permits banks and telecom companies to use Aadhaar KYC. Non-bank fintech players such as wallet issuers, digital lending platforms, and other non-banking financial services companies still do not have access to Aadhaar KYC, which has been one of the most common criticisms of the ordinance.

Banks and telecom companies may accept the Aadhaar number (which includes any virtual identity used as an alternative to the Aadhaar number) of a customer to undertake an Aadhaar KYC, provided that:

  • the Aadhaar number is obtained with the express and informed consent of the customers
  • Aadhaar KYC is only one of the available options to authenticate the identity of the customer
  • the entity undertaking Aadhaar KYC is compliant with the prescribed standards of privacy and security
  • the entity is permitted to undertake Aadhaar KYC under the provisions of any law or the entity seeks to use Aadhaar KYC for purposes as may be prescribed by the central government in consultation with the UIDAI and in the interest of the state.

While section 4 of the act and the PMLA permit banks and telecom companies to undertake Aadhaar KYC, other fintech players will need to be explicitly permitted by the central government by way of a notification.


The ordinance has also given statutory recognition to “offline verification”, which is an alternative for verifying the identity of an Aadhaar holder without accessing the Central Identities Data Repository. While the ordinance has not specified what would constitute offline verification, market practices (relying on the clarifications and circulars issued by the UIDAI following the Aadhaar judgment) seem to indicate that offline verification methods will be linked to the use of QR codes or XML files generated by an Aadhaar holder. Offline verification is not subject to the same restrictions as online authentication (i.e. Aadhaar KYC).

The scheme of amendments introduced by the ordinance and several circulars issued by the UIDAI collectively suggest that private entities that may not be permitted (either generally or through a notification issued by the central government) to undertake online authentication using Aadhaar will be able to undertake offline verification.

The way forward

Following the Aadhaar judgment and the ordinance, the two critical factors that have emerged as determinative tests to allow any private entity access to online Aadhaar KYC are: (i) informed customer consent; and (ii) adequate safeguards to ensure privacy and security of customer data.

The ordinance will, in our view, eventually tie in with the standard prescribed by the Personal Data Protection Bill, 2018. There will be a direct correlation between the ability of a non-bank fintech player to demonstrate that it can securely access, process and store customer financial data and its qualification to access online Aadhaar authentication KYC services.

Developing a robust data privacy infrastructure and compliance systems for fintech players will increasingly become a critical part of doing business.

Shilpa Mankar Ahluwalia is a partner and Himanshu Malhotra is an associate at Shardul Amarchand Mangaldas & Co.
