Capital subject to “Caps”: RBI relaxes norms for investment by REs in AIFs, subject to threshold limits

/0 Comments/in , , , , , /by

-Sikha Bansal (finserv@vinodkothari.com)

Introduction

The RBI has issued Draft Reserve Bank of India (Investment in AIF) Directions, 2025 (‘Draft Directions’), vide Press Release dated 19th May, 2025, marking a significant revision to the existing regulatory framework governing investments by regulated entities (REs) in Alternative Investment Funds (AIFs). These new directions, once finalised, will replace the existing circulars dated December 19, 2023 (“2023 Circular”), and March 27, 2024 (“2024 Clarification”) (collectively, referred to as “Existing Directions”), which currently govern such investments.

The Existing Directions prohibit REs from making investments in any scheme of AIFs which has downstream investments either directly or indirectly in a debtor company of the RE. In case of any such investment full provision is required to be maintained by the RE. Such prohibition is imposed to address the concerns of evergreening while making investments by an RE. See our analytical article on the same here.

However, the Draft Directions now propose to allow investment by the RE in such AIF upto 5% of the corpus of the AIF scheme. Any investment exceeding this 5% limit will require full capital if AIF has made debt investments in the debtor company. Note that these norms are entirely directed towards debt or debt instruments (whether at the RE level or the AIF level), as all sorts of equity instruments (equity shares, compulsorily convertible preference shares and compulsorily convertible debentures) are excluded – detailed discussion follows.

Comparison of Existing and Draft Directions

Below is a snapshot of what is going to change once the Draft Directions are finalised and notified, and certain important implications are discussed further:

Particulars2023 Circular read with 2024 clarificationDraft Directions
Investment by REs in scheme of AIFRE completely prohibited from investing in any scheme of AIF which has downstream investments in debtor company of the RE.Any investment already made had to be liquidated within 30 days of the issuance of the Circular. Similarly, where the RE had already invested, but AIF makes investment in a debtor company of RE, RE shall liquidate investments in AIF within 30 days.To be allowed subject to individual and collective limits:Max. contribution of single RE to an AIF scheme – 10% of its corpusMax. contribution of multiple REs – 15% of its corpusSee illustrations later in this article.
Debtor companyShall mean any company to which the RE currently has or previously had a loan or investment exposure anytime during the preceding 12 months.Shall imply any company to which the RE currently has or previously had a loan or investment exposure (excluding equity instruments) anytime during the preceding 12 months.
Provisioning requirementsInability to liquidate investments within 30-day liquidation period would entail 100% provisioning against such investments.Investment by the RE in such AIF allowed upto 5% of the corpus of the AIF scheme, without looking into the form of downstream investments made by AIF. Hence, no provisioning required.
If investment by RE exceeds 5%, it will require full capital, if downstream investments by AIF in debtor company are not permissible investments (see below). See illustrations later in this article
Provisioning required proportionately and not on entire investmentsProvisioning is required only to the extent of investment by the RE in the AIF scheme which is further invested by the AIF in the debtor company, and not on the entire investment of the RE in the AIF schemeNorms remain the same – RE shall be required to make 100 per cent provision to the extent of its proportionate investment in the debtor company through the AIF Scheme
Permissible forms of investments by AIF scheme in debtor companyInvestment in equity shares (by AIF scheme in debtor company) were excluded from the prohibition by 2024 clarification. However hybrid instruments were still included.All forms permitted, if investment by RE does not exceed 5%. Therefore, even debt investments by AIFs are permissible.Only equity shares, CCPS, and CCDs allowed, if investments by RE exceeds 5%. If AIF makes other forms of investments in debtor company, RE will have to provide for full capital.Note that, irrespective of the form of downstream investments by AIF in the debtor company, RE can take a maximum exposure of 10% in an AIF.
Priority distribution modelinvestment by REs in the subordinated units of any AIF scheme with a ‘priority distribution model’ shall be subject to full deduction from RE’s capital funds. Deduction shall be made from Tier I and II equally.Norms remain the same.
Investment policyNo specific requirement Investment policy to have suitable provisions to ensure that investments in an AIF Scheme comply, in letter and spirit, with the extant regulatory norms. In particular, such investments shall be subject to the test of evergreening.
Exemption by regulatorNo specific enabling provisionExempted category to be decided by RBI in consultation with GoI.

Illustrations on investment limits by RE

Below are certain illustrations to explain the implications of the investment thresholds under Draft Directions:

ScenariosImplications under Draft Directions
Investment of Rs. 10 Crores by an RE in an AIF scheme having corpus of 50 croresCannot make since the threshold limit of 10% will be breached.
Investment of Rs. 5 Cr by an RE in an AIF scheme having corpus of 50 crores with other REs contributing Rs. 15 CrWhile the investment by the RE individually is within the limit of 10%, the collective investment is more than 15%. Hence, such an investment cannot be made by the concerned RE. Further, since the total investment of 15 cr by other REs will also breach the threshold of 15%, the investments will not be possible.
Investment of Rs. 5 Cr by an RE in an AIF scheme having a corpus of 50 Cr. The AIF in turn has a downstream debt investment in a debtor company of the RE. Cannot be made since the limit of 5% will be breached.
Investment of Rs. 1 Cr by an RE in an AIF scheme having a corpus of 50 Cr. The AIF in turn has a downstream debt investment in a debtor company of the RE. This constitutes only 2% of the corpus of the AIF scheme. Hence, permissible – even when the downstream investment of the AIF is a debt investment.
Investment of Rs. 5 Cr by an RE in an AIF scheme having a corpus of 50 Cr. The AIF in turn has a downstream equity investment in a debtor company of the RE. Can be made as the downstream investment of the AIF is in equity of the debtor company. However, the maximum cap of 10% would apply to the RE.

Certain points of discussion/implications

  • Prospective applicability: The Draft Directions, once notified, will be applicable prospectively. It says, “These Directions shall come into force from the date of final issue (‘effective date’), substituting the existing circulars. Provided that, all outstanding investments as on the effective date, or subsequent drawdowns out of commitments made prior to the effective date, shall continue to be guided by the provisions of the existing circulars.” Therefore, no relaxations would be available to the existing investments/commitments by REs. If the same had not been liquidated so far – those will require to be liquidated. The Draft Directions will apply only to fresh investments by REs.
  • Maximum cap on investments by RE in AIF: Under Existing Directions, there is a blanket prohibition on RE to invest in AIF scheme which has invested in a debtor company. However, if such downstream investment is in equity shares, such prohibition would not apply. As such RE could invest in the said AIF without any limits. However, now, even if the AIF has invested only in equity instruments of the debtor company (equity shares, CCPS and CCDs), RE can only invest upto 10% of the corpus of the AIF scheme. Hence, to that extent, the Draft Directions are more restrictive than the Existing Directions. Note that, SEBI Circular on specific due diligence with respect to investors and investments of the AIFs does not provide any carve out for equity investments.
  • Exclusion of equity instruments (equity shares, CCDs and CCPS) from investment exposure of REs in the debtor company: Such exclusion is not explicitly there in the Existing Directions; which might have led to a possible interpretation that investment would include any nature of investment, including equity. Although, it was evident from the use of terminology that a debtor company would only mean a company where RE has extended only debt. The Draft Directions has clarified the same through explicit exclusion. Therefore, the directions will be applicable only where RE has investment in debt/debt instruments of the investee company.
  • Investments in AIF through intermediary funds: Existing directions exclude investments by REs in AIFs through intermediaries such as fund of funds or mutual funds from the scope of the directions. However, Draft Directions are silent on the same. We are of the view that such exclusion should continue to apply – as funds such as mutual funds are required to be well-diversified in terms of the SEBI Regulations, and investment decisions are taken by an independent investment manager.

Closing Remarks

We had earlier indicated that the Existing Directions may need to be reviewed and softened. The Draft Directions take a step in the same direction – however, a few concerns may still remain open. For instance, the Draft Directions retain the outreach of these restrictions to all AIFs, and not only affiliated AIFs. In our previous article, we had discussed how the concerns as to evergreening, etc. would arise mostly in cases involving affiliated AIFs, and not those AIFs which are completely unrelated to the RE..Further, no distinction has been made between various categories of AIF – therefore, investments in any AIF (Cat I, II, III) would be governed by these directions.

Profile of Speakers -13th Securitisation Summit 2025 | May 23, 2025

/0 Comments/in , /by

The 13th Securitisation Summit home page can be accessed here – https://vinodkothari.com/secsummit/

The detailed agenda for the 13th Securitisation Summit can be accessed here – https://vinodkothari.com/2025/05/agenda-13th-securitisation-summit-may-23-2025/

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [893.28 KB]

SEBI overhauls EBP framework; Reduces threshold from 50Cr to 20Cr

/0 Comments/in , /by

– Palak Jaiswani, Manager & Vidhi Shalia, Executive | corplaw@vinodkothari.com

SEBI overhauls EBP framework; Reduces threshold from 50Cr to 20Cr_FinalDownload

Other resources on the topic:

  1. Recent changes in the regulatory framework for the long-term bond market
  2. SEBI rationalizes issuances on Electronic Book Platform – Limits | Bidding Process | Anchor Investor | Basis of Allotment
  3. SEBI revisits EBP mechanism for issuance of debt securities
  4. Bond issuers set to become Market Maker to enhance liquidity

Agenda – 13th Securitisation Summit | May 23, 2025

/0 Comments/in , /by

Summit home page can be viewed here: https://vinodkothari.com/secsummit/

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [1.04 MB]

Fizzled out at NCLAT: No fizz for interest on unpaid MSME dues

/0 Comments/in /by

Neha Malu and Prerna Roy | resolution@vinodkothari.com

NCLAT in the matter of SNJ Synthetics Limited v. PepsiCo India Holdings Private Limited, rejected the section 9 application filed by an MSME operational creditor on the ground that the amount of default (excluding interest accrued as per sec 15 and 16 of MSMED Act) was less than the limit stipulated under section 4 that triggers IBC proceedings.

Brief Background:

The operational creditor in the present case was an MSME supplier which filed a section 9 application for an operational debt of 1.96 Crores which included 1.05 Crores as interest for the delayed payment in terms of the provisions of section 15 and 16 of the MSMED Act.

During the pendency of the matter, the parties reconciled accounts and revised the principal to around ₹77.37 lakh. Pursuant to directions from the AA, the CD paid this amount, which the OC accepted while continuing to press for interest at 24% pa in terms of section 16 the MSMED Act. Note, section 15 of the MSMED Act  makes it mandatory for the buyers to make payments to MSME suppliers on or before the agreed-upon date in writing. However, this period cannot exceed 45 days from the date of acceptance or deemed acceptance of the goods or services. If no such agreement exists, payment must be made within 45 days from the day of acceptance or deemed acceptance.

Section 16 prescribes that, upon failure to pay within the stipulated period, the buyer is liable to pay compound interest at three times the RBI notified bank rate. Crucially, this obligation applies notwithstanding any agreement to the contrary. Section 17 further confirms that both the principal and such interest are payable by the buyer.

The AA dismissed the application, holding that CIRP could not be initiated solely on the basis of unpaid interest, once the principal amount had been settled. NCLT observed:

“In the present case, the principal amount stands paid, therefore the CIRP cannot be initiated solely on the basis of the claim of interest component…”

On appeal, the NCLAT upheld this view and further stated:

“… We also notice that the Appellant has relied on the provisions of other laws like MSME Act or Interest Act to justify their claim of interest payment. Without making any observation on the merits of their contention, we would only like to add that neither the Adjudicating Authority nor this Appellate Tribunal is the appropriate forum for making any such determination on the liability of the Respondent- Corporate Debtor to pay interest under the MSME Act or Interest Act.

While there may be facts specific to the case, for instance, comments of the NCLAT on the interest claim being unsubstantiated despite downward revision of principal, and whether the process was being abused as a debt recovery process, the only point of discussion in this article is whether only the interest component in case of an operational debt, particularly the interest arising under statute, can form sole basis for initiation of CIRP.

Interest as operational debt- A grey area?

While interest is explicitly included in the definition of financial debt under section 5(8) of IBC, the definition of operational debt under section 5(21) makes no such explicit reference. “Operational debt” u/s 5(21) is defined as:

“operational debt” means a claim in respect of the provision of goods or services including employment or a debt in respect of the payment of dues arising under any law for the time being in force and payable to the Central Government, any State Government or any local authority.

This distinction in statutory language has raised questions on inclusion of interest on delayed payments as part of operational debt for the purpose of initiating insolvency proceedings, even though there are clear stipulations under the MSMED Act[1].

However, in so far as the interplay between IBC and MSMED Act is concerned, with respect to the statutory interest, judicial decisions indicate that for the purpose of interpretation, such interest, unless mutually agreed upon or expressly admitted, is not regarded as forming part of operational debt under section 5(21) of the Code.

In Vedic Projects Pvt Ltd v. Sutanu Sinha Resolution Professional for Simplex Projects Ltd., NCLAT New Delhi confirmed the view of the AA and held that,

“10. With regard to claim under the MSME, the Adjudicating Authority has observed that NCLT is not appropriate Forum to consider the issue pertaining to the interest, claimed by the Appellant under Section 16 of the MSMED Act.”

Further, NCLT Mumbai in KBC Infrastructures Pvt. Ltd v. Shapoorji Pallonji band Company Pvt. Ltd., held that in the absence of mutual agreement or any promise to pay interest for delayed payment, the claim of OC for treating the interest payable under MSMED Act as operational debt cannot be sustained. The Tribunal held:

“...However, it is now settled in the context of the Code that if interest is not agreed upon between the parties, it cannot form a part of ‘operational debt’ within the meaning of Section 5(21) of the Code and that no such interest can be claimed in an application under Section 9 of the Code. Interest under Section 16 of MSME Act can be claimed before the MSME Facilitation Council (MSEFC) in terms of Section 18 of the MSME Act. Thus, the correct forum for such claims shall be the MSEFC and not this Tribunal…

A similar view was also taken by NCLAT in Coal India Ltd v. Gulf Coil Lubricants India Ltd. & Anr, NCLT Mumbai in the matter of Skoda Auto Volkswagen India Pvt. Ltd. v. Susee Automotive Pvt. Ltd.and  NCLT New Delhi in Lakshya Infrapromoters Pvt. Ltd. v. The Indure Pvt. Ltd.

However, in other cases wherein the OC was not an MSME, the treatment of interest has seen divergent views.

In Prashant Agarwal v. Vikas Parasrampuria, the NCLAT held that when interest terms are clearly mentioned in the invoices and remain undisputed, such interest forms part of the debt and must be considered while computing the default threshold under Section 4 of the IBC.

“It is, therefore, clear from these facts that the total amount for maintainability of claim will include both principal debt amount as well as interest on delayed payment which was clearly stipulated in the invoice itself…”

Relying on the Prashant Agarwal judgement, NCLAT in Anuj Sharma v. Rustagi Projects Pvt. Ltd., held that:

“The above judgment of “Prashant Agarwal” clearly supports the submission of learned counsel for the Respondent that for calculating the amount for maintainability of the claim, for threshold purpose, both Principal Amount and Interest has to be calculated when the interest is stipulated between the parties.”

On the other hand, in Wanbury Ltd. v. Panacea Biotech Ltd. and SS Polymers v. Kanodia Technoplast Ltd., NCLAT  denied inclusion of interest in operational debt where there was no express agreement or where interest was unilaterally imposed through invoices not accepted or signed by the corporate debtor.

In Rohit Motawat v. Madhu Sharma, Permali Walla Ce Private Limited v. Narbada Forest Industries Private Ltd, also, the NCLAT reiterated that operational creditors cannot rely on unilaterally raised invoices to claim interest, and that once the principal is paid, section 9 proceedings solely for interest are not maintainable.

Further, in Swastik Enterprises v. Gammon India Limited, clarifying on whether interest should form part of the debt amount, held that:

“4. It is submitted that the ‘debt’ includes the interest, but such submission cannot be accepted in deciding all claims. If in terms of any agreement interest is payable to the Operational or Financial Creditor then debt will include interest, otherwise, the principle amount is to be treated as the debt which is the liability in respect of the claim which can be made from the Corporate Debtor.

5. In the present appeals, as we find that the principle amount has already been paid and as per agreement no interest was payable, the applications under Section 9 on the basis of claims for entitlement of interest, were not maintainable. If for delayed payment Appellant(s) claim any interest, it will be open to them to move before a court of competent jurisdiction, but initiation of Corporate Insolvency Resolution Process is not the answer.”

Our Analysis

It appears from the judicial precedents discussed above that, in case of operational debt, the judiciary is inclined to accept “interest” as a debt eligible to initiate CIRP, only when there is an explicit contract between the parties. However, the authors also submit that in case of MSME, the intent of the provisions in sections 15 and 16 is to ensure that the payments to MSMEs are not delayed. Such interest operates in the nature of a penalty[2], and thus there can be no question of any contract between the parties. Hence, going by the judicial precedents above, such statutory imposition of interest can never enable an operational creditor to initiate CIRP against the corporate debtor.

Further, the definitions of “debt” and “default” under IBC are quite broad. While “debt” is defined as  a liability or obligation in respect of a claim which is due from any person and includes a financial debt and operational debt; “default” is non-payment of debt when whole or any part or instalment of the amount of debt has become due and payable and is not paid by the debtor or the corporate debtor. Interest arising under section 16 of the MSMED Act would squarely fall under the definition of “debt” – hence, any non-payment of such interest as per statutory timelines should be considered as a default.

Also, in case of an application being filed by operational creditor, as referred in section 9(5), the AA shall admit the application when “no notice of dispute has been received by the operational creditor or there is no record of dispute in the information utility”, and shall reject the application when “notice of dispute has been received by the operational creditor or there is a record of dispute in the information utility”. Therefore, unless there is a dispute, the AA does not have the discretion to reject the application – particularly on the grounds that such interest was not “contractually” agreed. Ofcourse, there can also be possibilities where the levy of interest by MSME is disputed by the corporate debtor, that is, there is a pre-existing dispute before the notice is given by the operational creditor under section 8 of IBC – in such cases, the AA should not admit the application, given that the very existence of such debt is in dispute.

Closing thoughts

The observation of NCLAT in the present case, read with the previous judicial precedents as well, has raised a significant concern i.e., whether statutory interest under laws such as the MSMED Act or the Interest Act is effectively excluded from consideration in insolvency proceedings?

This interpretation could have far-reaching implications. While such interest may be a rightful claim under special statutes, the exclusion of these amounts from the computation of default under section 9 in view of judicial interpretations, introduces a disconnect between substantive rights under one law and procedural access under another.

[1] See FAQs  on delayed payment to MSMEs at: https://vinodkothari.com/wp-content/uploads/2019/05/Revised-FAQs-MSME-upload-1.pdf

[2] ITAT Bengaluru in Dy. CIT (LTU) v. Bosch Ltd, held that “…we further note that as per the Section 15 of the MSMED Act, the liability of the buyer to make the payment to MSME within the period as agreed between the parties or in case there is a delay beyond 45 days from the date of acceptance or date of deemed acceptance the interest payable as per Section 16 shall be three times of the bank rate notified by the RBI. Thus as per Section 16 of the MSMED Act, the payment of interest on delayed payment is in the nature of penalty or it is penal interest…”

A Regulation on Regulations – Rule of law checks by the Reserve Bank of India

/0 Comments/in , /by

– Aditya Iyer, Manager (Legal) | (finserv@vinodkothari.com

Background

In Rajeev Suri v. Delhi Development Authority, the Supreme Court of India[1] noted that the ‘Rule of Law’ (RoL) posits four universal tenets, of which two are: (i) The laws must be just, clear, publicized, and stable; (ii) Open Government – the process by which laws are enacted, administered, and enforced are accessible, fair, and efficient. Further, it was noted that an integral part of a participatory democracy is public participation regarding decision-making (to a reasonable extent).

We have written elsewhere about how a strong RoL framework may play a role in improving investor confidence and encouraging investments in a given jurisdiction. Predictability and transparency are verily the lifeblood of the RoL.

Read more

Digital Lending Directions, 2025

/0 Comments/in , /by

Largely a consolidation; New rules on multi-lender platforms and lending apps

– Aditya Iyer, Manager (Legal), Tejasvi Thakkar, Assistant Manager | (finserv@vinodkothari.com)

Background

On May 08 2025, the RBI notified the Digital Lending Directions, 2025 (‘Directions’). At the outset, it is worth noting that the Directions are not a regulatory overhaul of any kind; they are rather a consolidation of the extant regulations (including the FAQs), with certain key additions relating to multiple lender platforms as well as disclosure on DLAs to RBI, along with the certification from CCO. Further, the fact that the FAQs have also been integrated into the regulation signals the RBI’s intent to impart seriousness to its FAQs.

Below, we analyse the key changes, along with the compliance implications they present for REs.

Read more

RBI removes short term investment limits and concentration limits in case of FPI

/0 Comments/in /by

– Neha Malu, Associate | finserv@vinodkothari.com

On 8th May, 2025, RBI notified amendments to the Master Direction – Reserve Bank of India (Non-resident Investment in Debt Instruments) Directions, 2025, governing investments by Foreign Portfolio Investors in corporate debt securities. The changes impact both the general investment route and the Voluntary Retention Route (VRR).

What has changed?

A. Removal of short-term investment limit:
In the case of general route, the earlier cap that restricted a FPI investment in corporate debt securities with residual maturity of up to one year to 30% of its total investment in such securities has been repealed. 

    However, under the general route, a separate provision, clause 4.4(i) continues to allow investment only in securities with original/residual maturity above one year. Therefore, while the 30% threshold is no longer relevant, FPIs under the general route still cannot invest in short-term corporate debt except debt securities provided in para 4.4(viii) which includes SRs and debt instruments issued by ARCs, debt instruments issued under CIRP, default bonds, PTCs and SDIs issued and listed as per SEBI (Issue and Listing of Securitised Debt Instruments and Security Receipts) Regulations, 2008.

    Under the VRR scheme, however, pursuant to para 5.4(v), the minimum residual maturity requirement does not apply. This means FPIs opting for the VRR can invest in corporate debt securities with shorter maturities, offering greater flexibility.

    B. Withdrawal of concentration limits:
    The previous restriction that capped FPI investment (including its related entities) in corporate debt securities to 15% (for long-term FPIs) and 10% (for other FPIs) of the prevailing investment limit has also been withdrawn. 

      Implications:

      The removal of these limits simplifies the regulatory framework and provides FPIs greater flexibility in structuring their debt portfolios. It may also help in improving the depth and liquidity of the corporate bond market, particularly in the short-end of the maturity spectrum.

      Our FPI resource centre is available at: https://vinodkothari.com/resources-on-fpi/

      Online Authentication of Aadhaar: Exclusive Club, Members Only!

      /0 Comments/in , , /by

      -Archisman Bhattacharjee (finserv@vinodkothari.com)

      Introduction

      The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016 (‘Aadhaar Act’) was introduced with a clear vision: to ensure efficient, transparent, and targeted delivery of subsidies, benefits, and services, fostering good governance. While its preamble underscores these fundamental objectives, Aadhaar’s role has expanded far beyond its original scope, becoming a cornerstone in the banking and NBFC sectors. As outlined in paragraph 16 of the RBI’s KYC Master Directions, Aadhaar now plays a central role in the Know Your Customer (KYC) process, a critical compliance measure for both prospective and existing borrowers.

      A key aspect of KYC is the verification of the authenticity of customer documents, a process governed by specific guidelines. 

      When it comes to Aadhaar-based KYC, there are two recognized methods: 

      1. Online Authentication and 
      2. Offline Verification 

      The Offline Verification process is relatively straightforward (at least on paper), involving the verification of a Digital Signature Certificate (DSC) attached to the downloaded masked Aadhaar document. Importantly, offline verification can be conducted by all RBI-regulated entities for conducting KYC verification.

      In contrast, Online Authentication, while offering a more robust and reliable method of KYC verification (refer FAQ 1 of UDIAI), is subject to stricter eligibility conditions and compliance requirements. Not all entities are permitted to perform Online Authentication (discussed in later parts of this article). While lenders may prefer Online Authentication due to its real-time verification capabilities and greater assurance of data authenticity, the regulatory fetters surrounding eligibility must be carefully navigated.

      Given the evolving regulatory framework and industry practices, it is critical to develop a clear understanding of how Online Authentication operates and who is permitted to undertake it.

      What is Online Authentication

      The term authentication has been defined under Section 2(c) of the Aadhaar Act as a process “by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it”. Further The Aadhaar (Authentication and Offline Verification) Regulations, 2021 (‘Aadhaar Rules’) expands upon the process of carrying out online authentication. Rule 4 of the Aadhaar Rules states that:

      Authentication may be carried out through the following modes:

      (a) Demographic authentication: The Aadhaar number and demographic information of the Aadhaar number holder obtained from the Aadhaar number holder is matched with the demographic information of the Aadhaar number holder in the CIDR.

      (b) One-time pin based authentication: A One Time Pin (OTP), with limited time validity, is sent to the mobile number and/ or e-mail address of the Aadhaar number holder registered with the Authority, or generated by other appropriate means. The Aadhaar number holder shall provide this OTP along with his Aadhaar number during authentication and the same shall be matched with the OTP generated by the Authority.

      (c) Biometric-based authentication: The Aadhaar number and biometric information submitted by an Aadhaar number holder are matched with the biometric information of the said Aadhaar number holder stored in the CIDR. This may be fingerprints-based or iris-based authentication or other biometric modalities based on biometric information stored in the CIDR.

      (d) Multi-factor authentication: A combination of two or more of the above modes may be used for authentication.

      The stated modes of how the process of online authentication is required to be carried out is quite descriptive and does not require any further explanation. However one thing is certain that, based on  the definition of the term “authentication”, obtaining the Aadhaar number becomes a mandate. The KYC Master Directions under para 17 recognizes one such mode of authentication as OTP based online authentication.  

      Who can carry out Online Authentication

      Considering that the authentication process and the e-KYC data obtained through Aadhaar may include biometric information, such information constitutes “sensitive personal data” under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). While the Digital Personal Data Protection Act, 2023 (DPDPA) does not expressly categorize any particular type of data as “sensitive personal data,” it is important to note that the Supreme Court’s judgment in the Aadhaar judgement recognized biometric data associated with Aadhaar as sensitive in nature. Given that the DPDPA itself has its origins in the principles laid down by the Aadhaar judgment, it is our view that such data should continue to be treated with a higher standard of care.

      Without delving into the subject in great detail, it is sufficient to highlight that Aadhaar-based authentication exposes individuals to considerable risks of harm, particularly in the event of a data breach. This risk is exacerbated by the fact that other identifiers such as telephone numbers, PAN cards, and other financial data are often linked to an individual’s Aadhaar number. Consequently, possessing access to an individual’s full Aadhaar number may subject such an entity to considerable risk (including legal and litigation risk) in case proper security safeguards are not taken by such an organization. Usually these heightened data sensitivity concerns would not be present in case KYC verification is conducted through use of masked Aadhaar, i.e via Offline Verification.

      Given the heightened sensitivity of Aadhaar information, it is imperative that, beyond compliance with technical security safeguards, the right to carry out Aadhaar authentication be restricted only to entities that have demonstrated robust security frameworks. Imbibing this philosophy, the Aadhaar Act has restricted access to Aadhaar number only to a few entities and these entities are known as “requesting entities” as defined under Section 2(u) of the Aadhar Act. From the context of Financial Sector Entities these requesting entities would be required to be a KUA/Sub-KUA (discussed in later parts of this article). 

      Online authentication and KYC

      Under paragraph 16(a)(ii) of the KYC Master Directions, an Aadhaar number can only be collected by entities that have been notified under Section 11A of the Prevention of Money-laundering Act, 2002 (PML Act). Further, Section 4(4)(b) of the Aadhaar Act stipulates that “authentication” can only be performed by an entity that is:

      1. either permitted to offer authentication services under any other law made by Parliament, or
      2. is seeking authentication for purposes as may be prescribed by the Central Government in consultation with the UIDAI, and in the interest of the State. 

      Accordingly, a combined reading of Section 11A of the PML Act and the Aadhaar Act makes it evident that for RBI regulated entities [Except for banks, which are permitted to obtain Aadhaar numbers under paragraph 16(a)(i) of the KYC Master Directions and the proviso to Section 11A of the PMLA Act, no other entities may carry out Aadhaar authentication without being specifically notified by the Central Government.] only those entities which have been notified by the Central Government are authorized to carry out Aadhaar-based authentication by collecting Aadhaar numbers.

      Under para 17 of the KYC Master Directions , OTP-based e-KYC authentication has been recognized as a valid mode of Aadhaar authentication. This form of authentication is also recognized under the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (“Aadhaar Regulations”), wherein such authentication can be carried out by either a KUA (KYC User Agency) or an AUA (Authentication User Agency).

      The Aadhaar Regulations further introduce the concept of a “Sub-KUA”, which is defined under Rule 2(ob) of Aadhaar rules as a requesting entity that utilizes the infrastructure of a licensed KUA to perform online Aadhaar authentication. Under Rule 16, it is stipulated that an e-KYC record obtained by a KUA can only be shared with its Sub-KUAs and cannot be transferred further to any other entity. Additionally, Rule 14(ga) of the Aadhaar Regulations mandates that a KUA must obtain prior approval from UIDAI before onboarding any third-party entity as a Sub-KUA.

      Reference is also drawn to UIDAI Circular 2 of 2025 which discusses Sub-AUA and Sub-KUA application form and joint undertaking. The said documents specify that under the head “Category of Sub-KUA and Sub-AUA“, eligible entities include those “permitted to offer authentication services under Section 11A of the Prevention of Money-laundering Act, 2002 by virtue of being a reporting entity.”. A similar requirement has also been provided under the AUA/KUA Application Form.

      In view of the above, it becomes clear that for any RBI-regulated entity (i.e., entities to whom the KYC Master Directions apply) wishing to onboard customers through OTP-based Aadhaar e-authentication, the following conditions must be satisfied:

      1. the entity must be registered either as a KUA or as a Sub-KUA with UIDAI; 
      2. the entity must be notified by the Central Government under Section 11A of the PML Act, thereby being authorized to collect Aadhaar numbers and conduct authentication.

      However, it may be noted that in practice, the recognition processes under Section 11A of the PML Act and by UIDAI typically go hand in hand. For entities seeking notification under Section 11A of the PML Act, prior recognition by UIDAI, confirming the entity’s capability to carry out Aadhaar authentication is generally a prerequisite. This position is supported by Circular No. F.No.P-12011/7/2019-ES Cell-DOR issued by the Government of India, Ministry of Finance, Department of Revenue.

      Conclusion

      In today’s dynamic financial landscape, Aadhaar-based KYC—whether through online authentication or offline verification has become an indispensable tool for streamlining customer onboarding and ensuring regulatory compliance. However, the regulatory framework surrounding Aadhaar authentication remains stringent for good reason: it seeks to strike a delicate balance between enabling ease of business and safeguarding the sensitive personal information of individuals.

      While offline verification using masked Aadhaar offers a universally accessible and relatively lower-risk method for KYC compliance by RBI-regulated entities, online authentication—though more robust and efficient—comes with heightened obligations. Only entities meeting the twin conditions of being recognized under Section 11A of the PML Act and being duly registered as a KUA or Sub-KUA with UIDAI are permitted to undertake online Aadhaar authentication. This dual-layered recognition ensures that only entities with demonstrably strong security practices are entrusted with the collection, storage, and processing of Aadhaar-related sensitive data.

      As technology evolves and customer expectations shift toward faster, seamless digital experiences, regulated entities must not only prioritize compliance but also cultivate a strong internal culture of data protection and risk mitigation. Institutions seeking to leverage Aadhaar-based online authentication must therefore invest in robust data security frameworks, maintain strict internal governance standards, and ensure that their authentication practices align with both the letter and spirit of the law.