Fintech has caused significant disruption in the financial services industry. Aadhaar (a unique identity number-based on biometric data) was, probably, the single largest factor that contributed to the exponential growth in fintech products in India. With Aadhaar-enabled e-know-your-customer (e-KYC) facility, a fintech platform could on-board customers quickly and at a fraction of the cost of using physical documents.
Aadhaar judgment: In September 2018 the Supreme Court of India, in a landmark decision on the constitutional validity of the Aadhaar Act, struck down the right of any private entity to use Aadhaar authentication to establish the identity of an individual without the backing of legislation. As a result, private entities cannot do e-KYC authentication, even with the consent of the individual.
Offline Aadhaar-based KYC: Following the Aadhaar judgment, the Unique Identification Authority of India (UIDAI), the issuing agency for Aadhaar numbers, in an October 2018 circular made it clear that a bank may do an e-KYC authentication if a customer (when opening a bank account) gives a declaration that they intend to receive direct benefits or subsidies from a government welfare scheme directly into the account, and that the voluntary use of a physical Aadhaar card by the holder to establish their identity is not prohibited. The UIDAI indicated that banks may accept an Aadhaar card, e-Aadhaar card, or an offline electronic xml file (with Aadhaar details) for customer verification while opening bank accounts provided it has been offered voluntarily and the first eight digits of the Aadhaar number are masked while storing a physical copy of the Aadhaar card.
The UIDAI also permitted banks to develop applications and solutions for a paperless KYC process using the QR code embedded on the Aadhaar card. The fintech industry is working with technology partners to develop low-cost offline, paperless models for customer verification using a combination of these procedures. However, there are still several key areas that require clarity.
One is whether these rules apply equally to non-bank licensed fintech players (such as non-banking finance companies and payment platforms) and the second is in the context of non-face-to-face customer on-boarding procedures. The Reserve Bank of India’s (RBI) Know Your Customer (KYC) Directions, 2016 (master direction), under regulation 17, provides for certain procedures and transaction limits that need to be complied with when a customer is on-boarded in a non-face-to-face format using a one-time-password-based Aadhaar verification (which is no longer permitted).
The question is whether the UIDAI clarification can be read with RBI’s KYC master directions to mean that newer offline non-face-to-face Aadhaar-based verification procedures (where done voluntarily) can be equated with a non-face-to-face verification as mentioned in the KYC master direction. Until the RBI amends its regulations and recognizes these alternative means of KYC, it will have limited acceptability and usage.
Aadhaar Amendment Bill: The Supreme Court, over the course of the Aadhaar judgment, indicated that private companies may be allowed access to Aadhaar-based authentication if it is backed by appropriate legislation. The Aadhaar (and Other Laws) Amendment Bill, 2018 (bill), tabled in the parliament in early January this year, but not yet effective, seeks to put in place a regulatory framework for Aadhaar-based authentication. The bill makes it clear that any Aadhaar holder may voluntarily choose to establish their identity via an authentication (e-KYC), or an offline verification (the Aadhaar-based verification allowed by the UIDAI in its October circular).
Authentication may be done with the informed consent of the Aadhaar holder and only by an entity that is: (i) compliant with the prescribed standards of privacy and security; and (ii) permitted to offer authentication by law; or (iii) for a purpose that the central government may prescribe. The bill also prescribes procedures for obtaining consent and sets out restrictions around storing Aadhaar and related biometric data.
The fintech sector is hoping that the bill will extend to a broader set of regulated entities and not just banks. Once enacted, the bill should give the market a much-needed push after the setback following the Supreme Court decision.
The debate regarding access to Aadhaar information is intrinsically linked to the sector’s ability to ensure data privacy and protection. Once the government and the RBI are satisfied that fintech companies have secure data handling systems in place, they are more likely to enable them to access Aadhaar details and other sensitive customer data.
Shilpa Mankar Ahluwalia is a partner at Shardul Amarchand Mangaldas & Co and leads the fintech group at the firm.