NBFCs licensed for KYC authentication: Guide to the new RBI privilege for Aadhaar e-KYC Authentication

-Kanakprabha Jethani (kanak@vinodkothari.com)

Background

On September 13, 2021, the RBI issued a notification[1] (‘RBI Notification’) permitting all NBFCs, Payment System Providers and Payment System Participants to carry out authentication of client’s Aadhaar number using e-KYC facility provided by the Unique Identification Authority of India (UIDAI), subject, of course, to license being granted by MoF. The process involves an application to the RBI, onward submission after screening of the application by the RBI, then a further screening by UIDAI, and final grant of authentication by the MoF.

We discuss below the underlying requirements of the PMLA, Aadhaar Act and regulations thereunder (defined below) and other important preconditions for this new-found authorisation for NBFCs.

Understanding the difference between authentication and verification

As per section 2(c) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (‘Aadhaar Act’)[2] “authentication” means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it;

Further, Section 2(pa) defines offline verification as the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.

Authentication is the process of verifying the authenticity of Aadhaar information using the authentication facility provided by the UIDAI. It may be done in any of the following ways:

  • Use of demographic authentication: The Aadhaar number and demographic information of the customer is obtained and matched with the demographic information of the Aadhaar number holder in the CIDR[3].
  • Using one-time pin based authentication: The Aadhaar number of the customer is obtained. An OTP is sent to the registered mobile number and/or e-mail address. Aadhaar is authenticated when the customer shares the OTP and it is matched with the one generated by UIDAI.
  • Using biometric information: The Aadhaar number and biometric information submitted by the customer are matched with the biometric information stored in the CIDR.

Essentially, aadhaar authentication requires the Regulated Entity (RE) to obtain the aadhaar number of the customer. However, owing to the Supreme Court Verdict on Aadhaar, aadhaar number could be obtained only by banks or specific notified entities. Eventually, the concept of offline verification was introduced by virtue of which verification can be done using XML file or QR code which carries minimum details of the customer. RE is not required to obtain aadhaar number in this case.

Understanding the concept of AUA and KUA

The Aadhaar (Authentication) Regulations, 2016 provide the following definitions:

“Authentication User Agency” or “AUA” means a requesting entity that uses the Yes/ No authentication facility provided by the Authority;  

 “e-KYC User Agency” or “KUA” shall mean a requesting entity which, in addition to being an AUA, uses e-KYC authentication facility provided by the Authority;  

 “e-KYC authentication facility” means a type of authentication facility in which the biometric information and/or OTP and Aadhaar number securely submitted with the consent of the Aadhaar number holder through a requesting entity, is matched against the data available in the CIDR, and the Authority returns a digitally signed response containing e-KYC data along with other technical details related to the authentication transaction; 

 To Summarise:

  • AUA’s rights are limited and it gets only a yes or no as a response of aadhaar authentications, i.e. response to whether the aadhaar is authentic or not.
  • KUA’s rights are comparatively broader. It shall receive eKYC details of the customer upon utilising the authentication facility.

Further, there is a concept of sub-AUA and sub-KUA, which utilise the facility of licensed AUAs or KUAs for aadhaar authentication.

Application for AUA/KUA License

Process

The power of granting permission for use of aadhaar authentication facility by entities other than banks is derived from section 11A of the Prevention of Money Laundering Act, 2002[4] (‘PMLA’). It states-

(1) Every Reporting Entity shall verify the identity of its clients and the beneficial owner, by—

(a) authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016) if the reporting entity is a banking company; or

(b) offline verification under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016); or

**

Provided that the Central Government may, if satisfied that a reporting entity other than banking company, complies with such the standards of privacy and security under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016), and it is necessary and expedient to do so, by notification, permit such entity to perform authentication under clause (a):

**

In exercise of powers under the above mentioned provisions, the Ministry of Finance (MoF) issued a notification on May 9, 2019[5], providing the process for permitting entities other than banks for using authentication facilities of the UIDAI. The notification provides for the following process:

  • Step 1: Application to be made to the concerned regulator
  • Step 2: Examination of the application by concerned regulator
    • To ensure conditions of section 11A of PMLA and other security and IT related requirements are met
  • Step 3: Examination by UIDAI of applications recommended by the regulator
    • To check standards of privacy and security set out by UIDAI are complied with
    • UIDAI to then send notification to the Department of Revenue, MoF
  • Step 4: Notification as AUA/KUA by MoF
  • Step 5: UIDAI to issue authorisation to use UIDAI’s authentication facility

The Reserve Bank of India, being the financial sector regulator, has issued the notification permitting all NBFCs, Payment System Providers and Payment System Participants to carry out authentication of client’s Aadhaar number using e-KYC facility. The Application form seeks various details about the applicant, including a confirmation that the entity is meeting the standards of complying with the Data Security Regulations 2016 of UIDAI and other related guidance / circular issued by UIDAI from time to time with regard to the privacy and security norms.

Eligibility

The most crucial aspect of eligibility for availing AUA/KUA license is the capability of meeting the standards of privacy and security set out by UIDAI. The requirement for meeting the said standards arises from section 4(4) of the Aadhaar Act[6], which states-

(4) An entity may be allowed to perform authentication, if the Authority is satisfied that the requesting entity is—

(a) compliant with such standards of privacy and security as may be specified by regulations; and

(b) (i) permitted to offer authentication services under the provisions of any other law made by Parliament; or

(ii) seeking authentication for such purpose, as the Central Government in consultation with the Authority, and in the interest of State, may prescribe.

 Additionally, the Aadhaar (Authentication) Regulations, 2016[7] provide for the eligibility criteria for appointment as AUA/KUA. As per the said regulations, the following requirements must be met by the applicant:

  • Backend infrastructure, such as servers, databases etc. of the entity, required specifically for the purpose of Aadhaar authentication, should be located within the territory of India.

  • Entity should have IT Infrastructure owned or outsourced capable of carrying out minimum 1 Lakh Authentication transactions per month.

  • Organisation should have a prescribed Data Privacy policy to protect beneficiary privacy.

  • Organisation should have adopted data security requirements as per the IT Act 2000.

Understanding standards of privacy and security

The regulations surrounding data protection and privacy issued by the UIDAI are:

  • Aadhaar (Data Security) Regulations, 2016
  • Aadhaar (Sharing of Information) Regulations, 2016
  • Miscellaneous circulars issued by the UIDAI from time to time

Major requirements under the said regulations are as follows:

  • Applicant to adopt an information security policy outlining information security framework of the applicant developed in line with applicable guidelines issued by UIDAI;
  • Applicant to designate an officer as Chief Information Security Officer (CISO) for ensuring compliance with information security policy and other security-related programmes and initiatives of UIDAI
  • Operations of applicant to be audited by information systems auditor
  • Applicant to ensure that biometric information is not stored, except for buffer during authentication;
  • Applicant to ensure identity information is not shared with anyone else except with prior approval

Conclusion

Pursuant to the said notification, the NBFCs or Payment System Providers or Payment System Participants shall be eligible to make application with the RBI, subject to compliance with the privacy and security norms issued by UIDAI. The notification is a much-awaited relaxation for the eligible non-banking entities to undertake Aadhaar authentication of their customers. However, the criteria for granting approval have not been laid down specifically and may be based on the evaluation conducted by the RBI along with UIDAI. For those who receive the approval, this would be an addition to the modes in which CDD of a customer can be conducted.

[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12161&Mode=0

[2] https://uidai.gov.in/images/targeted_delivery_of_financial_and_other_subsidies_benefits_and_services_13072016.pdf

[3] Central Identities Data Repository (CIDR) means a centralised database containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto

[4] https://www.indiacode.nic.in/bitstream/123456789/2036/1/A2003-15.pdf

[5] https://dor.gov.in/sites/default/files/circular%20dated%2009.05.2019%20of%20PMLA.pdf

[6] https://uidai.gov.in/images/news/Amendment_Act_2019.pdf

[7] Refer Schedule A to Aadhaar (Authentication) Regulations, 2016 (Page 19)- https://uidai.gov.in//images/resource/CompendiumMay2020Updated.pdf

 


Are financial leases subjected to TDS?

Yutika Lohia

yutika@vinodkothari.com 

Introduction

In today’s time, leasing has become an indispensable element of businesses – Any and every asset movable or immovable, equipment or software can be taken on lease. Colloquially, lease refers to an arrangement where a property owned by one is given for use by another, against regular rentals. In India, there are two types of lease transactions-financial lease and operating lease. Typically, a financial lease is a disguised financial transaction whereas operating lease is akin to rental contracts.

While leasing has gained much importance and relevance over the years, its feasibility and viability depend a great deal on its tax implications – they could easily make or break the deal. The technical aspects of taxation at the time of implementation make it all the more significant. Issues like depreciation, lease rentals, tax deduction at source and exposure to GST are key concerns. Further, though leases are classified as finance or operating, it is important to note that such distinction is essentially from an accounting perspective – the Income Tax Act, 1961, however, does not distinguish between the two.

A rather significant but overlooked aspect of leasing is the ‘tax deduction at source’ (‘TDS’). As is known, TDS is a key element of the Indian taxation framework which aims to collect tax at the source of generation of income. In case of a lease transaction, the lessee is required to deduct tax under section 194-I of the Income Tax Act at the time of payment of lease rentals to the lessor.

While there are several judicial precedents dealing with TDS vis-à-vis lease transactions, the Hon’ble High Court of Karnataka in a recent order, in the case of Commissioner of Income Tax vs. Texas Instruments India Pvt Ltd (2021),[1] concluded that in case of a financial lease, the lease financing company did not provide any particular service as a driver or otherwise for the purpose of usage of the car. The only transaction entered between the assessee and the lease financing company was to make payments of the amount due to the company. That is to say, there was a mere financing arrangement and therefore section 194-I of the IT Act shall not be applicable in case of a financial lease transaction.

In this article we shall discuss the above stated ruling in detail.

The case of Texas Instruments India Pvt Ltd

The Assessee, Texas Instruments India Pvt Ltd being in the business of manufacture and export of computer software had taken motor vehicle on finance lease for its employees. It considered the lease rentals as business expenditure and claimed deduction of the same under the head income from business and profession. TDS was not deducted on the finance lease rentals as the assessee contested that the same did not fall under the provision of section 194-I or 194-C of the IT Act.

However, the Assessing Officer disallowed the claimed expenditure on the grounds that the lease rentals were being paid to the vendor under the contract and therefore the payment/ expenses would be attracting the provisions of section 194-C.

Aggrieved by the order of the A.O., the Assessee preferred an appeal before the CIT(A). Upon such appeal, the CIT(A) overturned the A.O.’s order and held that the payments made by the assessee were not in the nature of service rendered by the leasing company for the carriage of goods or passengers. The CIT(A) also held that the assets were in the disposition of the Assessee.

Following such order, the matter was appealed before the Income tax Appellate Tribunal (ITAT) where it was held that provisions of Section 194-C will not be applicable on lease rentals.

Once again, the matter was taken for appeal before the Hon’ble Karnataka High Court where it was held that the leasing financing company did not provide any particular service as a driver or otherwise for the purpose of usage of the car. The maintenance was carried out by the employees of the assessee. The only transaction entered between the assessee and the leasing company was to make payments of the amount due to the company. Since no services were being provided by the leasing company and it was a mere financing agreement, provisions of section 194-C and 194-I shall not be applicable.

Understanding the Provisions of Law

Section 194-I of the Income Tax Act, 1961: TDS on Rent

Section 194-I of the IT Act 1961 governs tax deduction at source in case of lease rentals. As already mentioned, the Income Tax Act does not draw any line of distinction between financial lease and operating lease. Let us understand whether TDS needs to be deducted on lease rentals in case of both financial lease and operating lease.

Section 194-I of the IT Act explains rent as follows:

“rent” means any payment, by whatever name called, under any lease, sub-lease, tenancy or any other agreement or arrangement for the use of (either separately or together) any

(a)  land; or

 (b)  building (including factory building); or

 (c)  land appurtenant to a building (including factory building); or

 (d)  machinery; or

 (e)  plant; or

 (f)  equipment; or

 (g)  furniture; or

 (h)  fittings,

whether or not any or all of the above are owned by the payee;

Rent has been broadly defined under section 194-I and shall be applicable when asset is given for use for any payment under lease, sub lease, tenancy, or any other arrangement or agreement.

Section 194-C of the Income Tax Act, 1961: Payment to contractors

(1) Any person responsible for paying any sum to any resident (hereafter in this section referred to as the contractor) for carrying out any work (including supply of labour for carrying out any work) in pursuance of a contract between the contractor and a specified person shall, at the time of credit of such sum to the account of the contractor or at the time of payment thereof in cash or by issue of a cheque or draft or by any other mode, whichever is earlier, deduct an amount equal to—

 (i)  one per cent where the payment is being made or credit is being given to an individual or a Hindu undivided family;

(ii)  two per cent where the payment is being made or credit is being given to a person other than an individual or a Hindu undivided family,

of such sum as income-tax on income comprised therein.

XX

Conclusion

The judgement highlights that by virtue of the fact that no services were provided by the leasing company and that it was a mere financing agreement, section 194-C and 194-I would not be applicable in the given case.

It therefore draws attention to the question of whether TDS has to be deducted on financial lease rentals.

Also, one must contemplate whether TDS should have been deducted under section 194-A of the IT Act as the lease transaction was considered as a mere finance agreement. This remains unanswered.

[1] https://indiankanoon.org/doc/59654437/

De-novo Master Directions on PPIs

I. Introduction

The Reserve Bank of India (RBI) on August 27, 2021, issued the Master Directions on Prepaid Payment Instruments[1] (‘Master Directions’) repealing the Master Directions on Issuance and Operation of Prepaid Payment Instruments[2] (‘Erstwhile Master Directions’) with immediate effect. These Master Directions have been issued keeping in mind the recent updates to the Erstwhile Master Directions.

In this write-up we aim to cover the major regulatory changes brought about by the Master Directions.

II. Overview of key changes

1. Classification of PPIs

The Erstwhile Master Directions classified PPIs into three categories namely closed ended PPIs which could be issued by anyone and required no RBI approval, semi-closed PPIs and open ended PPIs which could be issued only by Banks. The new Master Directions have also classified PPIs in three categories i.e. Closed-ended PPI, Small PPIs and Full-KYC PPIs. However, since closed-ended PPIs are not a part of the payment and settlement system, they are not regulated by the RBI. A brief snapshot of the nature of the other two types of PPIs is presented below:

| Basis | Small PPI (with cash loading facility / without cash loading facility) | Full KYC PPIs |
|---|---|---|
| Issuer | Banks and non-banks after obtaining minimum details of PPI holder (mobile number verified with OTP; self-declaration of name and unique identity/identification number of any OVD) | Banks and non-banks after completing KYC of holder |
| Identification Process | Verification of mobile number through an OTP. Self-declaration of name and unique identity number of any OVD as recognized in KYC Master Directions | Video-based Customer Identification Process |
| Nature of PPI | With cash loading facility: Reloadable and can be issued in electronic form. Electronic payment transactions have been divided into two categories- transactions that do not require physical PPIs and those which require. Hence, even cards could be issued. Without cash loading facility: Reloadable and can be issued in card or electronic form. Loading/Reloading shall be from a bank account / credit card / full-KYC PPI. | Reloadable and can be issued in electronic form. Electronic payment transactions have been divided into two categories- transactions that do not require physical PPIs and those which require. Hence, even cards could be issued. |
| Maximum amount that can be loaded | In a month: INR 10,000. In a year: INR 120,000 | No maximum limits |
| Maximum outstanding amount at any point of time | INR 10,000 | INR 200,000 |
| Limit on debit during a month | With cash loading facility: INR 10,000 per month. Without cash loading facility: No limit | No limit |
| Usage of funds | For purchase of goods and services only. Cash withdrawal or fund transfer not permitted | Transfer to source or bank account of PPI holder, other PPIs, debit or credit card permitted subject to: Pre-registered benefit – maximum INR 200,000 per month per beneficiary; Other cases – maximum INR 10,000 |
| Cash Withdrawal | Not permitted | Permitted subject to limits: INR 2000 per transaction and INR 10,000 per month |
| Conversion | To be converted into full-KYC PPIs within a period of 24 months from the date of issue of the PPI. Small PPI with cash loading can be converted into Small PPI without cash loading, if desired by the PPI holder. | Not applicable |
| Restriction on issuance to a single person | With cash loading facility: Cannot be issued to same person using the same mobile number and same minimum details more than once. Without cash loading facility: No such restriction | No such restriction |
| Closure | Funds transferred back to source or Holder’s bank account after complying with KYC norms | Funds transferred to pre-designated bank account or PPIs of the same issuer |

 

The concept of ‘Small PPI’ and ‘Full-KYC PPI’ cannot be said to be a new introduction, rather, it is more of a merger of the existing variety of semi closed PPIs in Small PPI and the open ended PPI to Full KYC PPI. However, an important change that has been inserted is the recognition of non-bank PPI issuers to issue Full KYC PPI, who were earlier not allowed to issue open ended PPIs.

2. Validity of Registration

Earlier, the Certificate of Authorisation was valid for five years unless otherwise specified and was subject to review including cancellation of the same. However, under the Master Directions, the authorisation is granted for perpetuity (even for existing authorisation which becomes due for renewal) subject to compliance with the following conditions:

  1. Full compliance with the terms and conditions subject to which authorisation was granted;
  2. Fulfilment of entry norms such as capital, net worth requirements, etc.;
  3. No major regulatory or supervisory concerns related to operations, as observed during onsite and / or offsite monitoring;
  4. Efficacy of customer grievance redressal mechanism;
  5. No adverse reports from other departments of RBI / regulators / statutory bodies, etc.

Also, the concept of ‘cooling period’ was introduced in December 2020[3], for effective utilisation of regulatory resources. PPI issuer whose CoA is revoked or not-renewed for any reason; or CoA is voluntarily surrendered for any reason; or application for authorisation has been rejected by RBI; or new entities that are set-up by promoters involved in any of the above categories; will have a one year cooling period. During the said cooling period, entities shall be prohibited from submission of applications for operating any payment system under the PSS Act.

3. Cross border transactions in Indian denomination

The Erstwhile Master Directions provided that Cross Border Transactions in INR denominated PPIs were allowed only by way of KYC compliant semi-closed and open PPIs which met the conditions specified therein. However, under the Master Directions, such issuances have been permitted only in the form of Full-KYC PPI and other conditions as prescribed earlier have not been altered.

4. Maintenance of Current Account

Apart from maintaining an escrow account with a scheduled commercial bank, non-bank PPI issuer that is a member of the Centralised Payment Systems operated by RBI i.e. non-bank issuers as covered under Master Directions on Access Criteria for Payment Systems[4] which have been allowed to access Real Time Gross Settlement (RTGS) System and National Electronic Fund Transfer (NEFT) Systems and any other such systems as provided by RBI, shall also be required to maintain a current account with the RBI.

Transfer from and to such current account is permitted to be credited or debited from the escrow account maintained by the PPIs.

5. Ensuring additional safety norms

  • To ensure safety and security, PPI issuers are now required to put in place Two Factor Authentication (2FA) for all wallet transactions involving debit to the wallet, including cash withdrawals. However, it is not mandatory in case of PPI-MTS and gift PPIs.
  • The Erstwhile Master Directions required PPI issuers to put in place a mechanism to send alerts to the PPI holder regarding debit/credit transactions, balance available /remaining in the PPI. In addition to the same, the Master Directions now require issuers to send alerts to the holder even in case of offline transactions. The issuer may send a common alert for all transactions as soon as the issuer receives such information. Separate alerts for each transaction shall not be required.

6. Miscellaneous

  • In case of co-branding, additionally it has been specified that the co-branding partner can also be a Government department / ministry.
  • The Erstwhile Master Directions provided banks and non-banks a period of 45 days to apply to the Department of Payment and Settlement Systems (DPSS) after obtaining the clearance under the Payment and Settlement Systems Act, 2007. The same has now been reduced to 30 days from obtaining such clearance.
  • In addition to the satisfactory system audit report and net worth certificate, RBI also requires issuers to submit a due diligence report for granting final Certificate of Authorisation (CoA).
  • Transfer of funds back to source account in case of Gift PPIs has been allowed after receiving the consent of the PPI holder.
  • To improve customer protection and grievance redressal, the Master Directions have provided customers of non-bank PPI issuers with recourse to the Ombudsman Scheme for Digital Transactions.

7. Effect on existing issuers

The timeline for complying with the minimum positive net-worth of 15 crores by non-bank PPI issuers has been extended and shall now be met with by September 30, 2021 instead of March 31, 2020. Non-bank issuers shall submit the provisional balance sheet indicating the positive net-worth and CA certificate to the RBI on or before October 30, 2021, failing which they may not be permitted to carry on their business.

III. Conclusion

In this write-up we have aimed to cover the gist of changes introduced in the Master Directions as compared to the Erstwhile Master Directions. The changes made in the regulatory framework for the PPIs have created a level playing field for banks and non-banks, especially, with respect to issuance of full KYC PPIs. Comparatively, the new directions are way more liberal than the earlier one, which only indicates how bullish the regulator must be with respect to PPIs.

 

[1] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12156#MD

[2] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11142

[3] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12001&Mode=0

[4] MD51170116C65788DE8A564165B74D5FECE0626A73.PDF (rbi.org.in)
