The necessity of financial institutions undertaking “know your customer” (KYC) checks on clients participating in the financial markets has been well established across the globe. The purposes of such KYC checks include preventing illicit transaction of monies within the banking and financial system, monitoring of suspicious transactions and detecting funding of terrorist organizations.
In India, the Prevention of Money Laundering Act, 2002 (PMLA), and the rules issued under it, set out the framework governing the manner in which banks, financial institutions and intermediaries should undertake KYC on every customer, starting from the time of commencement of an account-based relationship.
Pursuant to the PMLA, both the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) have prescribed the KYC compliance which banks, non-banking financial companies and financial intermediaries need to be mindful of while accepting clients and undertaking transactions on their behalf.
While KYC compliance is undoubtedly critical, for the customer it often poses a cumbersome compliance hurdle as multiple documents have to be submitted as proof of identity, residence, etc. The intention in introducing the Aadhaar facility was to streamline and simplify KYC compliance to the degree that the Aadhaar card/number alone would suffice for KYC purposes.
Through the electronic KYC process, a customer’s name, address, age, gender, photograph and other details made available from the Unique Identification Authority of India (UIDAI) can be used to complete the KYC process, thereby permitting customers to fulfil their KYC compliance by simply submitting their Aadhaar number. SEBI and the RBI have both operationalized the process of KYC verification by allowing Aadhaar-based e-KYC coupled with biometric verification or a one-time password facility.
However, notwithstanding the apparent ease of KYC compliance brought in by Aadhaar, it has been beset by legal challenges since its inception, including the argument that it violates the right to privacy since it involves storage of biometric information. These legal issues recently resulted in a nine-judge bench of the Supreme Court ruling – in Justice KS Puttaswamy (Retd) v Union of India – that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under article 21 India’s constitution.
While this case did not specifically deal with the validity of Aadhaar, it will be interesting to see how this ruling impacts the cases still pending before the Supreme Court which challenge Aadhaar as being ultra vires.
Interestingly, Justice Chandrachud in his judgment held that the well-established three-prong test can be employed to justify restriction on one’s right to privacy. According to this test, there must be a law in existence to justify an encroachment on privacy, a legitimate state aim which is a guarantee against arbitrary state action, and the means which are adopted by the legislature should be proportional to the object and needs sought to be fulfilled by the law.
It is possible that the government may use the above to argue that Aadhaar is not a violation of the right to privacy but rather constitutes a reasonable restriction where the benefits outweigh any perceived concerns over breach of privacy and personal space. Still, it is clear that with the recognition of the right to privacy as a fundamental right, there will be a greater onus on the government to show that the collection and storage of biometric information is absolutely essential (to the degree that justifies curbing a fundamental right) and that the information will be handled with utmost care.
Any judicial ruling that strikes down Aadhaar would have significant repercussions for the e-KYC regime as currently implemented by both SEBI and the RBI, and the regulators have to be prepared to work swiftly to revise the process, if required.
A parallel consequence that is expected out of the above Supreme Court decision is a greater focus on data protection laws in India. Currently, the legal regime for ensuring data protection is embodied in the wafer-thin Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The Supreme Court has recommended that the government put in place an adequate data protection regime. The introduction of a revised, broader data protection law would also tie in with the need to maintain confidentiality of information available with the UIDAI, which would be crucial for Aadhaar to withstand judicial scrutiny.
Cyril Amarchand Mangaldas is India’s largest full-service law firm. Shruti Rajan is a partner and Rohan Banerjee is a principal associate at the firm.
Peninsula Corporate Park,
Lower Parel, Mumbai – 400 013 India
New Delhi | Bengaluru | Hyderabad |
Chennai | Ahmedabad
Tel: +91 22 2496 4455
Fax: +91 22 2496 3666