Setu-ing the Standard: NPCI’s New Path to Aadhaar e-KYC

Archisman Bhattacharjee | finserv@vinodkothari.com

Introduction

The National Payments Corporation of India (NPCI), vide its notification NPCI/2024-25/e-KYC/003 dated 10 March 2025, formally introduced the e-KYC Setu facility. As outlined on NPCI’s official platform, e-KYC Setu enables Aadhaar-based e-KYC authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act), without disclosing the individual’s Aadhaar number to the requesting (verification-seeking) entity.

Designed as a one-stop onboarding solution for regulated financial-sector entities, e-KYC Setu leverages Aadhaar-based e-KYC services while ensuring compliance with the privacy safeguards under the Aadhaar Act. A key feature, and a significant compliance advantage, is that regulated entities using e-KYC Setu are not required to obtain a separate notification under Section 11A of the Prevention of Money-laundering Act, 2002 (PMLA). This allows financial-sector regulated entities to conduct Aadhaar-based authentication without directly collecting Aadhaar numbers or integrating with UIDAI as a licensed AUA/KUA, thereby reducing both operational complexity and regulatory burden.

In this article, we examine the regulatory implications for RBI-regulated entities, the legal permissibility for non-AUA/KUA entities to conduct authentication through e-KYC Setu, how the e-KYC Setu process operates, and the operational and business benefits of adopting this framework.

Permissibility of non-KUA/AUA entities to carry out authentication via e-KYC Setu

The collection of Aadhaar numbers and the performance of authentication on such data are governed strictly by the Aadhaar Act and the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (Aadhaar Regulations). Under the Aadhaar Act read along with the Aadhaar Regulations, only Authentication User Agencies (AUAs) and KYC User Agencies (KUAs) are permitted to directly perform Aadhaar authentication, including OTP-based e-KYC. For RBI-regulated entities, Section 11A(1) of the PMLA, read together with para 16(a) of the Master Direction – Know Your Customer (KYC) Direction, 2016 (KYC Master Directions), requires a Central Government notification before Aadhaar numbers may be collected and authentication carried out. In practice, this framework has meant that only licensed KUAs/AUAs, or entities notified under Section 11A (other than banks, which already have this permission), could undertake OTP-based Aadhaar e-KYC (for more details, refer to our article here).

The e-KYC Setu architecture further expands this operational model by routing Aadhaar entry and authentication through NPCI’s secure interface. The reporting entity is not required to seek the Aadhaar number; instead, it receives only a masked Aadhaar together with the demographic information from UIDAI, thereby eliminating the reporting entity’s direct access to the Aadhaar number.

The legal foundation for non-KUA/AUA entities to use e-KYC Setu stems from Gazette Notification S.O. 5684(E) dated 6 December 2022, issued by the Department of Revenue, Ministry of Finance. This notification, made under Section 11A(1) of the PMLA and in consultation with UIDAI, RBI, SEBI, IRDAI, and PFRDA, provides that:

“…the Central Government, being satisfied that it is necessary to do so, hereby notifies that entities onboarded to perform authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016) (hereinafter referred to as the Aadhaar Act) for the purposes of section 11A of the Prevention of Money-laundering Act, 2002 using the e-KYC setu system be permitted to do so, after being satisfied that the e-KYC setu system complies with the standards of privacy and security under the Aadhaar Act.”

This notification creates an express, standalone permission pathway under Section 11A(1) of the PMLA, under which:

  1. Any regulated entity onboarded by NPCI to perform authentication through the e-KYC Setu is deemed to have Central Government authorisation to use Aadhaar authentication for KYC purposes.
  2. Such an entity need not obtain its own Gazette notification under Section 11A, provided authentication is carried out strictly via NPCI’s e-KYC Setu platform.
  3. The permission is exclusive to e-KYC Setu and does not confer any general right to collect Aadhaar numbers or conduct authentication outside the NPCI framework.

In practice, this means that a non-KUA/AUA RBI-regulated entity can perform Aadhaar OTP-based e-KYC or Aadhaar-based biometric authentication via e-KYC Setu without having to build the technical infrastructure or meet the licensing and compliance requirements of becoming a direct AUA/KUA.

It is noteworthy that both SEBI and PFRDA have issued sectoral communications allowing their respective regulated entities to use NPCI’s e-KYC Setu for customer authentication. While no equivalent circular or notification has yet been issued by RBI, this absence should not be interpreted as a prohibition. In our view, the December 2022 Central Government notification itself is sufficient, as it explicitly covers RBI-regulated entities and grants them permission to use the NPCI e-KYC Setu facility for Aadhaar authentication, subject to compliance with applicable privacy, security, and KYC norms.

How the NPCI e-KYC Setu operates

The NPCI e-KYC Setu brochure outlines the standard process flow through which the facility operates. In essence, the journey for Aadhaar-based e-KYC authentication via Setu involves the following stages:

  1. Customer redirection to NPCI’s secure application/page
     • During the loan journey, the requesting regulated entity (RE) redirects the customer to the NPCI app or secure web interface to initiate the e-KYC process.
  2. Consent capture
     • On the NPCI interface, the customer is presented with a consent form clearly stating that they are voluntarily providing their Aadhaar number for the purpose of e-KYC authentication.
     • The process proceeds only if the customer provides explicit consent.
  3. Aadhaar number entry
     • The customer enters their 12-digit Aadhaar number directly on the NPCI page (the RE never views or stores this number).
  4. OTP authentication
     • An OTP is sent by UIDAI to the Aadhaar-linked mobile number of the customer.
     • The customer enters this OTP on the NPCI page.
  5. Face authentication (live capture)
     • NPCI captures a live facial image of the customer, which is then compared with the photograph stored in the UIDAI database.
  6. Transmission to UIDAI
     • The Aadhaar number, OTP, and face authentication data are securely transmitted by NPCI to UIDAI for verification.
  7. Masked Aadhaar issuance
     • If the details match UIDAI’s records, UIDAI returns a masked Aadhaar (last four digits visible) along with demographic information to NPCI.
     • NPCI forwards this masked Aadhaar and demographic data to the requesting RE.
  8. Final client identification by the RE
     • The RE completes the customer identification step by verifying the demographic details in the masked Aadhaar received from NPCI against the information provided by the customer during onboarding.
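A simulation of steps 4 to 8 above, added here as an illustration and not NPCI’s or UIDAI’s own code or API: the NPCI/UIDAI side releases only a masked Aadhaar with demographics once both factors pass, and the RE’s step-8 check compares those demographics with the onboarding form, refusing any payload that carries an unmasked number. All records are constructed, and `setu_response` is a hypothetical stand-in for the real interface.

```python
import re
from datetime import datetime

# Constructed sample data (fictional, not real records): what UIDAI holds for a
# customer, and what the same customer typed into the RE's onboarding form.
UIDAI_RECORD = {"aadhaar": "234512345678", "name": "Asha  Verma", "dob": "1990-05-14",
                "gender": "F", "address": "12 MG Road, Pune 411001"}
ONBOARDING_FORM = {"name": "asha verma", "dob": "14/05/1990", "gender": "F",
                   "address": "7 Lake View, Pune 411045"}

def mask_aadhaar(aadhaar: str) -> str:
    """Step 7: the number is released with only its last four digits visible."""
    if not re.fullmatch(r"\d{12}", aadhaar):
        raise ValueError("Aadhaar number must be exactly 12 digits")
    return "X" * 8 + aadhaar[-4:]

def setu_response(record: dict, otp_ok: bool, face_ok: bool):
    """Steps 4-7 on the NPCI/UIDAI side (hypothetical stand-in for the real API):
    both factors must pass, and only the masked number plus demographics go out."""
    if not (otp_ok and face_ok):
        return None  # authentication failed; nothing reaches the RE
    return {"masked_aadhaar": mask_aadhaar(record["aadhaar"]), "name": record["name"],
            "dob": record["dob"], "gender": record["gender"], "address": record["address"]}

def _norm(s: str) -> str:
    """Collapse whitespace and case so free-text fields compare sensibly."""
    return " ".join(s.split()).casefold()

def _dob(s: str):
    """Accept either ISO (UIDAI style) or DD/MM/YYYY (typical form input)."""
    for fmt in ("%Y-%m-%d", "%d/%m/%Y"):
        try:
            return datetime.strptime(s, fmt).date()
        except ValueError:
            pass
    raise ValueError(f"unrecognised date: {s!r}")

def re_identify(payload: dict, form: dict) -> dict:
    """Step 8 on the RE side: match Setu demographics against the onboarding form.
    The RE must never hold a full Aadhaar number, so an unmasked one is refused."""
    if re.fullmatch(r"\d{12}", payload["masked_aadhaar"]):
        raise ValueError("payload carries an unmasked Aadhaar number; refusing it")
    identified = (_norm(payload["name"]) == _norm(form["name"])
                  and _dob(payload["dob"]) == _dob(form["dob"])
                  and payload["gender"].upper() == form["gender"].upper())
    # An address mismatch does not fail identification: per para 16(c)(i) the RE
    # takes a self-declaration, then positive confirmation under para 40.
    address_matches = _norm(payload["address"]) == _norm(form["address"])
    return {"identified": identified, "address_matches": address_matches,
            "aadhaar_ref": payload["masked_aadhaar"]}
```

The constructed form uses a different current address from the Aadhaar record, so the result flags the address for a self-declaration while identification itself succeeds.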

Figure: NPCI e-KYC Setu service flow

Implications of conducting KYC through NPCI e-KYC Setu

As discussed earlier, the NPCI e-KYC Setu system enables Aadhaar-based authentication through UIDAI’s infrastructure without requiring the requesting entity to be classified as a KUA or AUA. This significantly reduces the licensing, onboarding, and infrastructure requirements for regulated entities.

A key distinction from traditional OTP-based e-KYC is that, under e-KYC Setu, biometric matching (photograph verification) is carried out directly by UIDAI. As a result, the KYC verification process through e-KYC Setu is completed using two modes:

  1. OTP-based e-KYC
  2. Biometric-based authentication (Face authentication)

Figure: Elements of authentication via NPCI e-KYC Setu (Source: NPCI)

Given that both OTP and biometric authentication are being done, this process, in our view, falls within the definition of Multi-Factor Authentication under Rule 4(2) of the Aadhaar (Authentication and Offline Verification) Rules.

A common question is whether such a process would still be classified as OTP-based e-KYC under Paragraph 17 of the RBI KYC Master Directions, since OTP is one of the authentication steps. In our view, the answer is negative. The account-based relationship is not established solely on OTP-based e-KYC, but also on biometric authentication. Accordingly, the restrictions under Paragraph 17 of the KYC Master Directions, such as:

  1. One-year operational limit for such accounts;
  2. Loan quantum cap of ₹60,000; and
  3. Restriction to term loans only

would not apply.

However, if an account is opened using e-KYC Setu and thereafter it is not followed by face-to-face verification, the entity must comply with the Enhanced Due Diligence (EDD) requirements under Paragraph 40 of the KYC Master Directions.

It should also be noted that Paragraph 40 requires positive confirmation of the customer’s current address. Reference may also be drawn to the proviso to Paragraph 16(c)(i), which states that, in the case of Aadhaar authentication, if the Aadhaar address differs from the current address of the customer, the RE may collect a self-declaration to that effect, followed by positive confirmation as per Paragraph 40. This does not require furnishing any other additional OVD, in accordance with proviso (c) to para 3(xiv) of the KYC Master Directions.

Additionally, as per Paragraph 38(a)(iv), at the time of periodic updation conducted via OTP-based e-KYC, even a positive confirmation of address is not required and only a declaration of the current address would suffice, further easing operational requirements.

Implications for NBFCs and Other Regulated Entities

  • NBFCs not registered as KUA/AUA: For entities that primarily onboard customers via non-face-to-face KYC modes (other than OTP-based e-KYC), conducting KYC through NPCI e-KYC Setu can help them avoid the restrictions of Paragraph 17. This allows greater flexibility in account operations, loan size, and tenor without the need for physical face-to-face verification.
  • Operational efficiency: In cases where the Aadhaar address is outdated, the combination of a customer declaration and positive confirmation under Paragraph 40 significantly reduces process complexity compared to collecting fresh Officially Valid Documents (OVDs).
  • Entities already registered as KUA/AUA: Even for those with full KUA/AUA status, leveraging NPCI e-KYC Setu with multi-factor authentication can help bypass the limitations under Paragraph 17, while also offering the operational ease of UIDAI-driven KYC verification.
  • Cost and infrastructure savings: By removing the need to directly maintain biometric capture infrastructure and by relying on UIDAI’s matching services, e-KYC Setu reduces capex, opex, and compliance overhead—particularly valuable for high-volume remote onboarding models.

In summary, NPCI e-KYC Setu provides a regulatory-compliant, infrastructure-light, and operationally efficient pathway for both KUA/AUA and non-KUA/AUA entities to conduct non-face-to-face onboarding without triggering the restrictions under Paragraph 17, while also easing address verification requirements under Paragraphs 16 and 40.
