NBFCs licensed for KYC authentication: Guide to the new RBI privilege for Aadhaar e-KYC Authentication

-Kanakprabha Jethani (kanak@vinodkothari.com)

Background

On September 13, 2021, the RBI issued a notification[1] (‘RBI Notification’) permitting all NBFCs, Payment System Providers and Payment System Participants to carry out authentication of a client’s Aadhaar number using the e-KYC facility provided by the Unique Identification Authority of India (UIDAI), subject, of course, to a license being granted by the MoF. The process involves an application to the RBI, onward submission after screening of the application by the RBI, a further screening by UIDAI, and the final grant of authentication rights by the MoF.

We discuss below the underlying requirements of the PMLA, Aadhaar Act and regulations thereunder (defined below) and other important preconditions for this new-found authorisation for NBFCs.

Understanding the difference between authentication and verification

As per section 2(c) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (‘Aadhaar Act’)[2] “authentication” means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it;

Further, Section 2(pa) defines offline verification as the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.

Authentication is the process of establishing the authenticity of Aadhaar information using the authentication facility provided by the UIDAI. It may be done in any of the following ways:

  • Demographic authentication: The Aadhaar number and demographic information of the customer are obtained and matched with the demographic information of the Aadhaar number holder in the CIDR[3].
  • One-time pin (OTP) based authentication: The Aadhaar number of the customer is obtained. An OTP is sent to the registered mobile number and/or e-mail address. The Aadhaar number is authenticated when the customer shares the OTP and it matches the one generated by UIDAI.
  • Biometric authentication: The Aadhaar number and biometric information submitted by the customer are matched with the biometric information stored in the CIDR.

Essentially, Aadhaar authentication requires the Regulated Entity (RE) to obtain the Aadhaar number of the customer. However, owing to the Supreme Court verdict on Aadhaar, the Aadhaar number could be obtained only by banks or specific notified entities. Eventually, the concept of offline verification was introduced, by virtue of which verification can be done using an XML file or QR code that carries the minimum details of the customer. The RE is not required to obtain the Aadhaar number in this case.

Understanding the concept of AUA and KUA

The Aadhaar (Authentication) Regulations, 2016 provide the following definitions:

“Authentication User Agency” or “AUA” means a requesting entity that uses the Yes/ No authentication facility provided by the Authority;

“e-KYC User Agency” or “KUA” shall mean a requesting entity which, in addition to being an AUA, uses e-KYC authentication facility provided by the Authority;

“e-KYC authentication facility” means a type of authentication facility in which the biometric information and/or OTP and Aadhaar number securely submitted with the consent of the Aadhaar number holder through a requesting entity, is matched against the data available in the CIDR, and the Authority returns a digitally signed response containing e-KYC data along with other technical details related to the authentication transaction;

To summarise:

  • An AUA’s rights are limited: it gets only a yes or no as the response to an Aadhaar authentication, i.e. whether the Aadhaar number is authentic or not.
  • A KUA’s rights are comparatively broader: it receives the e-KYC details of the customer upon using the authentication facility.

Further, there is the concept of sub-AUAs and sub-KUAs, which use the facility of licensed AUAs or KUAs for Aadhaar authentication.

Application for AUA/KUA License

Process

The power to grant permission for use of the Aadhaar authentication facility by entities other than banks is derived from section 11A of the Prevention of Money Laundering Act, 2002[4] (‘PMLA’). It states:

(1) Every Reporting Entity shall verify the identity of its clients and the beneficial owner, by—

(a) authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016) if the reporting entity is a banking company; or

(b) offline verification under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016); or

[…]

Provided that the Central Government may, if satisfied that a reporting entity other than banking company, complies with such standards of privacy and security under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016), and it is necessary and expedient to do so, by notification, permit such entity to perform authentication under clause (a):

[…]

In exercise of the powers under the above-mentioned provisions, the Ministry of Finance (MoF) issued a notification on May 9, 2019[5], laying down the process for permitting entities other than banks to use the authentication facilities of the UIDAI. The notification provides for the following process:

  • Step 1: Application to be made to the concerned regulator
  • Step 2: Examination of the application by concerned regulator
    • To ensure conditions of section 11A of PMLA and other security and IT related requirements are met
  • Step 3: Examination by UIDAI of applications recommended by the regulator
    • To check standards of privacy and security set out by UIDAI are complied with
    • UIDAI to then send notification to the Department of Revenue, MoF
  • Step 4: Notification as AUA/KUA by MoF
  • Step 5: UIDAI to issue authorisation to use UIDAI’s authentication facility

The Reserve Bank of India, being the financial sector regulator, has issued the notification permitting all NBFCs, Payment System Providers and Payment System Participants to carry out authentication of a client’s Aadhaar number using the e-KYC facility. The application form seeks various details about the applicant, including a confirmation that the entity meets the standards of the Aadhaar (Data Security) Regulations, 2016 of UIDAI and other related guidance/circulars issued by UIDAI from time to time with regard to privacy and security norms.

Eligibility

The most crucial aspect of eligibility for an AUA/KUA license is the capability of meeting the standards of privacy and security set out by UIDAI. The requirement to meet the said standards arises from section 4(4) of the Aadhaar Act[6], which states:

(4) An entity may be allowed to perform authentication, if the Authority is satisfied that the requesting entity is—

(a) compliant with such standards of privacy and security as may be specified by regulations; and

(b) (i) permitted to offer authentication services under the provisions of any other law made by Parliament; or

(ii) seeking authentication for such purpose, as the Central Government in consultation with the Authority, and in the interest of State, may prescribe.

Additionally, the Aadhaar (Authentication) Regulations, 2016[7] provide the eligibility criteria for appointment as an AUA/KUA. As per the said regulations, the applicant must meet the following requirements:

  • Backend infrastructure, such as servers, databases etc. of the entity, required specifically for the purpose of Aadhaar authentication, should be located within the territory of India.
  • The entity should have IT infrastructure, owned or outsourced, capable of carrying out a minimum of 1 lakh authentication transactions per month.
  • The organisation should have a prescribed data privacy policy to protect beneficiary privacy.
  • The organisation should have adopted data security requirements as per the IT Act, 2000.

Understanding standards of privacy and security

The regulations surrounding data protection and privacy issued by the UIDAI are:

  • Aadhaar (Data Security) Regulations, 2016
  • Aadhaar (Sharing of Information) Regulations, 2016
  • Miscellaneous circulars issued by the UIDAI from time to time

Major requirements under the said regulations are as follows:

  • The applicant must adopt an information security policy outlining its information security framework, developed in line with the applicable guidelines issued by UIDAI;
  • The applicant must designate an officer as Chief Information Security Officer (CISO) to ensure compliance with the information security policy and with other security-related programmes and initiatives of UIDAI;
  • The operations of the applicant must be audited by an information systems auditor;
  • The applicant must ensure that biometric information is not stored, except in a buffer during authentication;
  • The applicant must ensure that identity information is not shared with anyone else except with prior approval.

Conclusion

Pursuant to the said notification, NBFCs, Payment System Providers and Payment System Participants are eligible to make an application to the RBI, subject to compliance with the privacy and security norms issued by UIDAI. The notification is a much-awaited relaxation for the eligible non-banking entities to undertake Aadhaar authentication of their customers. However, the criteria for granting approval have not been laid down specifically and may be based on the evaluation conducted by the RBI along with UIDAI. For those who receive the approval, this would be an addition to the modes in which the CDD of a customer can be conducted.

[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12161&Mode=0

[2] https://uidai.gov.in/images/targeted_delivery_of_financial_and_other_subsidies_benefits_and_services_13072016.pdf

[3] Central Identities Data Repository (CIDR) means a centralised database containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto

[4] https://www.indiacode.nic.in/bitstream/123456789/2036/1/A2003-15.pdf

[5] https://dor.gov.in/sites/default/files/circular%20dated%2009.05.2019%20of%20PMLA.pdf

[6] https://uidai.gov.in/images/news/Amendment_Act_2019.pdf

[7] Refer to Schedule A of the Aadhaar (Authentication) Regulations, 2016 (page 19): https://uidai.gov.in//images/resource/CompendiumMay2020Updated.pdf

Related articles:

Introduction of Digital KYC

Anita Baid (anita@vinodkothari.com)

The guidelines relating to KYC have been in the headlines for quite some time now. Pursuant to several amendments in the regulations, the KYC process of using Aadhaar through offline modes was resumed for fintech companies. The amendments in the KYC Master Directions[1] allowed verification of customers by offline modes and permitted NBFCs to take Aadhaar for verifying the identity of customers if provided voluntarily by them, after complying with the conditions of privacy to ensure that the interests of the customers are safeguarded.

Several amendments were made to the Prevention of Money laundering (Maintenance of Records) Rules, 2005, vide the notification of the Prevention of Money laundering (Maintenance of Records) Amendment Rules, 2019 issued on February 13, 2019[2] (‘February Notification’), so as to allow the use of Aadhaar as a proof of identity, but in a manner that protects the private and confidential information of the borrowers.

The February Notification recognised proof of possession of an Aadhaar number as an ‘officially valid document’. Further, it stated that whoever submits “proof of possession of Aadhaar number” as an officially valid document has to do so in such form as is issued by the Authority. However, the concern for most of the fintech companies lending through online mode was that the regulations did not specify acceptance of KYC documents electronically. This has been addressed by the recent notification on the Prevention of Money-laundering (Maintenance of Records) Third Amendment Rules, 2019 issued on August 19, 2019[3] (“August Notification”).

Digital KYC Process

The August Notification has defined the term digital KYC as follows:

“digital KYC” means the capturing live photo of the client and officially valid document or the proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the reporting entity as per the provisions contained in the Act;

Accordingly, fintech companies will be able to carry out the KYC of their customers via digital mode.

The detailed procedure for undertaking digital KYC has also been laid down. The Digital KYC Process is a facility that will allow reporting entities to undertake the KYC of customers via an authenticated application specifically developed for this purpose (‘Application’). Access to the Application shall be controlled by the reporting entity, which must ensure that it is used only by authorized persons. To carry out the KYC, either the customer, along with the original OVD, will have to visit the location of the authorized official, or vice versa. A live photograph of the client will then be taken by the authorized officer and embedded in the Customer Application Form (CAF).

Further, the Application shall have to provide the following features:

  1. It shall be able to put a water-mark in readable form, having the CAF number, GPS coordinates, authorized official’s name, unique employee code (assigned by the Reporting Entity), date (DD:MM:YYYY) and time stamp (HH:MM:SS), on the captured live photograph of the client;
  2. It shall ensure that only a live photograph of the client is captured and that no printed or video-graphed photograph of the client is captured.

The live photograph of the original OVD, or of the proof of possession of Aadhaar where offline verification cannot be carried out (placed horizontally), shall also be captured vertically from above, and water-marking in readable form as mentioned above shall be done.

Further, in those documents where a Quick Response (QR) code is available, the details can be auto-populated by scanning the QR code instead of manually filling in the details. For example, in the case of physical Aadhaar/e-Aadhaar downloaded from UIDAI where a QR code is available, details like name, gender, date of birth and address can be auto-populated by scanning the QR code on the Aadhaar/e-Aadhaar.

Upon completion of the process, a One Time Password (OTP) message containing the text ‘Please verify the details filled in form before sharing OTP’ shall be sent to the client’s own mobile number. Upon successful validation of the OTP, it will be treated as the client’s signature on the CAF.

For the Digital KYC Process, it will be the responsibility of the authorized officer to check and verify that:

  1. the information available in the picture of the document matches the information entered by the authorized officer in the CAF;
  2. the live photograph of the client matches the photo available in the document; and
  3. all of the necessary details in the CAF, including mandatory fields, are filled in properly.

Electronic Documents

The most interesting amendment in the August Notification is the concept of an “equivalent e-document”. This means an electronic equivalent of a document, issued by the issuing authority of such document with its valid digital signature, including documents issued to the digital locker account of the client as per rule 9 of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016, shall be recognized as a KYC document, provided that the digital signature is verified by the reporting entity as per the provisions of the Information Technology Act, 2000.

The aforesaid amendment will provide a hassle-free and convenient option for customers to submit their KYC documents. The customer will be able to submit KYC documents in electronic form stored in his/her digital locker account.

Further, pursuant to this amendment, at several places the mandatory requirement to submit the Permanent Account Number (PAN) has now been replaced with the option to submit either the PAN or an equivalent e-document.

Submission of Aadhaar

With the substitution in rule 9, an individual will now have the following three options for submission of Aadhaar details:

  • the Aadhaar number, where
    1. he is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, or
    2. he decides to submit his Aadhaar number voluntarily;
  • the proof of possession of Aadhaar number where offline verification can be carried out; or
  • the proof of possession of Aadhaar number where offline verification cannot be carried out, or any officially valid document or the equivalent e-document thereof containing the details of his identity and address.

Further, along with any of the aforesaid options the following shall also be submitted:

  1. the Permanent Account Number or the equivalent e-document thereof, or Form No. 60 as defined in the Income-tax Rules, 1962; and
  2. such other documents, including in respect of the nature of business and financial status of the client, or the equivalent e-documents thereof, as may be required by the reporting entity.

The KYC Master Directions were amended on the basis of the February Notification. As per the amendments proposed at that time, banking companies were allowed to verify the identity of customers by authentication under the Aadhaar Act, by offline verification, or by use of a passport or any other officially valid document. Further distinguishing the access, it permitted only banks to authenticate identities using Aadhaar. Other reporting entities, like NBFCs, were permitted to use the offline tools for verifying the identity of customers provided they comply with the prescribed standards of privacy and security.

The August Notification has now specified the following options:

  1. For a banking company, where the client submits his Aadhaar number, authentication of the client’s Aadhaar number shall be carried out using the e-KYC authentication facility provided by the Unique Identification Authority of India;
  2. For all reporting entities,
    1. where proof of possession of Aadhaar is submitted and offline verification can be carried out, the reporting entity shall carry out offline verification;
    2. where an equivalent e-document of any officially valid document is submitted, the reporting entity shall verify the digital signature as per the provisions of the IT Act and take a live photo;
    3. where any officially valid document or proof of possession of Aadhaar number is submitted and offline verification cannot be carried out, the reporting entity shall carry out verification through digital KYC, as per the prescribed Digital KYC Process.

It is also expected that the RBI shall notify, for a class of reporting entities, a period beyond which, instead of carrying out digital KYC, a reporting entity belonging to such class may obtain a certified copy of the proof of possession of Aadhaar number or the officially valid document and a recent photograph, where an equivalent e-document is not submitted.

The August Notification has also laid emphasis on the fact that certified copies of the KYC documents have to be obtained. This means the reporting entity shall have to compare the copy of the proof of possession of Aadhaar number (where offline verification cannot be carried out) or the officially valid document produced by the client with the original, and its authorised officer shall record the same on the copy. Henceforth, this verification can also be carried out by way of the Digital KYC Process.


[1] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566#F4

[2] http://egazette.nic.in/WriteReadData/2019/197650.pdf

[3] http://egazette.nic.in/WriteReadData/2019/210818.pdf