Posts

Representation with respect to NBFC-related Regulatory Issues

/0 Comments/in , , /by

– Team Finserv | finserv@vinodkothari.com

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [237.82 KB]

Supreme Court Mandates Digital Accessibility: Action Points for Banks and NBFCs

/1 Comment/in , , , /by

– Harshita Malik | finserv@vinodkothari.com

Introduction

On April 30, 2025, the Supreme Court of India delivered a landmark judgment in Pragya Prasun & Ors. v. Union of India, declaring digital access as an intrinsic component of the fundamental right to life under Article 21. The Court issued comprehensive directions to make digital KYC processes accessible to persons with disabilities, particularly acid attack survivors and visually impaired individuals.

This judgment fundamentally transforms how banks and NBFCs must approach customer onboarding through digital means, with immediate compliance requirements and potential legal consequences for non-adherence.

Pursuant to the directives issued by the Supreme Court, the RBI has amended the Master Direction – Know Your Customer (KYC) Direction, 2016 (‘KYC Directions’) vide Reserve Bank of India (Know Your Customer (KYC)) (2nd Amendment) Directions, 2025 (‘KYC 2nd Amendment’).

Background: The Catalyst Case

The Petitioners’ Struggle

The petitioners in these cases highlight significant barriers faced by persons with disabilities in accessing digital KYC processes. WP(C) No. 289 of 2024 involved acid attack survivors who were unable to complete digital KYC, while WP(C) No. 49 of 2025 involves a visually impaired individual facing similar difficulties. A notable incident involved Pragya Prasun, who was denied the opening of a bank account  due to her inability to perform the blinking required for liveness verification. These cases are grounded in the protections afforded by the Rights of Persons with Disabilities Act, 2016, and the fundamental right to life and personal liberty under Article 21 of the Constitution.

Current KYC Barriers Identified

The Court recognized that existing digital KYC processes create obstacles for persons with disabilities:

Barrier TypeSpecific IssuesAffected Population
Liveness DetectionMandatory blinking, head movements, reading displayed codesAcid attack survivors, visually impaired
Screen CompatibilityLack of screen reader support, unlabeled form fieldsVisually impaired persons
Visual DependenciesSelfie capture, document alignment, front/back identificationPersons with visual impairments
Signature VerificationNon-acceptance of thumb impressions in digital platformsPersons unable to sign consistently

Legal Framework and Constitutional Mandate

Supreme Court’s Key Declarations

“Digital access is no longer merely a matter of policy discretion but has become a constitutional imperative to secure a life of dignity, autonomy and equal participation in public life.”

– Justice R. Mahadevan

The Supreme Court has firmly declared that digital access is no longer just a policy choice but a constitutional necessity to ensure individuals’ dignity, autonomy, and equal participation in society. This constitutional and legal mandate is grounded in several provisions: Article 21 guarantees the right to life with dignity, requiring digital services to be accessible to everyone; Section 3 of the Rights of Persons with Disabilities (RPwD) Act, 2016, ensures equality and prohibits discrimination against persons with disabilities; Section 40 mandates that all digital platforms adhere to established accessibility standards and Section 46 sets a two-year timeline within which service providers must achieve compliance with these accessibility requirements.

Supreme Court Directives: Banks & NBFCs Action Matrix

The Supreme Court issued twenty directives in the said judgement to ensure that services are not denied based on disability and digital services are accessible to all the citizens irrespective of the impairments. Most of these are for the regulators, while a few are for regulated entities.

Following is the list of actionables arising out of the directives for banks and NBFCs:

  1. Undergo mandatory periodic accessibility audits by certified professional[1], may involve PwD in user testing of apps/websites (SC directive ii);
  2. Procure or design devices or websites / applications / software in compliance of accessibility standards for ICT Products and Services as notified by Bureau of Indian Standards. This mandate applies to a broad spectrum of digital products and services, including :
    1. Websites and web applications;
    2. Mobile apps;
    3. KYC/e-KYC/video-KYC modules;
    4. Digital documents and electronic forms; and
    5. Hardware touchpoints (ATMs, self-service machines). (SC directive xi)
  3. Cannot reject PwD applications without proper human consideration, must record reasons for rejection. Banks and NBFCs may appoint a designated officer who shall be empowered to override automated rejections and approve applications on a case-by-case basis (SC directive xvi and KYC 2nd Amendment to Para 11 of the KYC Directions).
  4. In the process of customer due diligence, REs can accept Aadhaar Face Authentication as valid method for Authentication ( KYC 2nd Amendment to Para 16 of the KYC Directions).
  5. During the V-CIP process, REs cannot rely solely on eye-blinking for liveness verification. They must ensure liveness checks do not exclude persons with special needs. For this purpose, the officials of banks or NBFCs may ask varied questions to establish the liveness of the customer (KYC 2nd Amendment to Para 18(b)(i)).

Changes to the KYC Directions

Changes have been introduced in the KYC Directions via the KYC 2nd Amendment as a result of the SC verdict, these are captured in the diagram:

Implementation Plan

Based on the Supreme Court directive in Pragya Prasun & Ors. vs Union of India and the subsequent RBI notification, here is a comprehensive stage-wise action plan for implementing digital accessibility requirements for banks and NBFCs:

Phase 1: Immediate Compliance and Assessment

Actionables for REs under phase 1 are listed below:

  1. Stage 1.1: Current State Assessment
    1. Inventory all client facing platforms like digital platforms, mobile apps, websites, and KYC systems;
    2. Document current accessibility barriers and non-compliant features and identify high-risk areas requiring immediate attention.
  2. Stage 1.2: Policy Framework Development
    1. Amend the KYC Policy  to incorporate accessibility clauses for PwD;
    2. Update existing KYC Policy to incorporate paper based KYC other than video based KYC (provided such verification methods shall not result in any discomfort to the applicant); and
    3. Make necessary changes to internal documents and SOPs to include disability-inclusive customer service protocols.

Phase 2: Technical Foundation and Alternative Methods

Actionables for REs under phase 2 are listed below:

  1. Stage 2.1: Alternative KYC Methods Implementation
    1. Implement alternative means of liveness detection other than blinking of an eye such as:
      1. Gesture-based verification (beyond eye blinking);
      2. Facial movement detection;
      3. Audio-based liveness checks; or
      4. Any other method feasible to the RE
    2. Provide notices regarding the alternative methods of KYC that the RE supports/provides to PwD
    3. In case of biometric based e-KYC verification, accept thumb impressions or AADHAAR face authentication or any other biometric alternatives.
    4. In case of paper-based KYC, strengthen offline processes as accessible alternatives in such a manner that the same shall not cause any discomfort to the applicant.
    5. Remove mandatory blinking requirements in video KYC.
  2. Stage 2.2: Technical Infrastructure Updates
    1. Ensure that all digital platforms of the RE meet the accessibility standards for ICT Products and Services as notified by Bureau of Indian Standards
    2. Ensure that assistive technology is integrated into the current systems such as screen reader compatibility, voice navigation, etc.
  3. Stage 2.3: Data Capture Enhancements
    1. Modify KYC templates in such a way to add disability fields(type and percentage) to be able to serve better to the applicants
    2. Update database to capture disability-related information (including preferred communication and customer authentication methods) for appropriate service delivery

Phase 3: Process Redesign and Human Support

Actionables for REs under phase 3 are listed below:

  1. Stage 3.1: Human-Assisted Channels
    1. Establish dedicated helpline for PwD offering step-by-step assistance in completing the KYC process through voice or video support;
    2. Conduct staff sensitization and disability awareness programs across all offices/branches
    3. Authorise/allow support from nominated guardians/family members to assist in the KYC process
    4. In case of persons dependent on sign languages, video calling service with certified interpreters shall be provided
  2. Stage 3.2: Grievance Mechanism Setup
    1. May develop dedicated accessibility complaints system for disability-related issues
    2. Ensure manual assessment of rejected KYC applications
    3. Establish clear timelines and accountability for redressal of grievances
  3. Stage 3.3: Alternative Service Delivery
    1. Train BCs/agents for disability-inclusive KYC assistance
    2. Doorstep customer authentication for severely disabled applicants, provided that such facility shall not cause any discomfort to the applicant

Phase 4: Testing and Validation

Actionables for REs under phase 4 are listed below:

  1. Stage 4.1: User Acceptance Testing
    1. May involve PwD in testing phases
    2. Ensure a diverse disability testing- cover visual, hearing, physical, and cognitive impairments
    3. Ensure testing the complete customer journey from onboarding to service access
    4. Document and address all accessibility issues through feedback integration
  2. Stage 4.2: Third-Party Validation
    1. Engage an IAAP certified professional for conducting the accessibility audit
    2. Conduct security assessment of alternative authentication methods

Phase 5: Training and Capacity Building

Actionables for REs under phase 5 are listed below:

  1. Stage 5.1: Staff Development Programs
    1. Create comprehensive training modules for disability awareness and sensitivity, alternative KYC procedures, assistive technology usage, customer service best practices, etc.
    2. Conduct customized programs for different staff categories and ongoing skill development
  2. Stage 5.2: Vendor and Partner Training
    1. Ensure external partners such as BCs, tech-cendors, third-party service providers, etc. understand accessibility requirements

Phase 6 : Continuous Improvement and Compliance

Actionables for REs under phase 6 are listed below:

  1. Define the frequency of the accessibility audit and ensure that the audit is conducted on a regular basis (as per the decided frequency)
  2. Submit compliance status/plan of implementation to RBI as and when required

Closing Remarks

The Supreme Court’s judgment in the Pragya Prasun case elevates digital accessibility from a moral imperative to a constitutional mandate. Banks and NBFCs must view this not as a burden but as an opportunity to transform compliance into competitive advantage by becoming an accessibility leader.

[1] List of Empanelled Web Accessibility Auditors with Department of Empowerment of Persons with Disabilities, Ministry of Social Justice & Empowerment, Govt. of India.

Read More: Resources on KYC

Setu-ing the Standard: NPCI’s New Path to Aadhaar e-KYC

/0 Comments/in , /by

Archisman Bhattacharjee | finserv@vinodkothari.com

Introduction

The National Payments Corporation of India (NPCI), vide its notification NPCI/2024-25/e-KYC/003 dated 10 March 2025, formally introduced the e-KYC Setu facility. As outlined on NPCI’s official platform, e-KYC Setu enables Aadhaar-based e-KYC authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act), without disclosing the individual’s Aadhaar number to the requesting (verification-seeking) entity.

Designed as a one-stop onboarding solution for regulated financial-sector entities, e-KYC Setu leverages Aadhaar-based e-KYC services while ensuring compliance with privacy safeguards under the Aadhaar Act. A key feature and a significant compliance advantage is that regulated entities using e-KYC Setu are not required to obtain a separate notification under Section 11A of the Prevention of Money-laundering Act, 2002 (PMLA). This allows financial sector regulator entities to conduct Aadhaar-based authentication without directly collecting Aadhaar numbers or integrating with UIDAI as a licensed AUA/KUA, thereby reducing both operational complexity and regulatory burden.

In this article, we examine the regulatory implications for RBI-regulated entities, the legal permissibility for non-AUA/KUA entities to conduct authentication through e-KYC Setu, process how e-KYC setu operatives and the operational and business benefits of adopting this framework.

Read more

Understanding Know Your Customer (KYC): Safeguarding Financial Integrity in India

/0 Comments/in , /by

– Sakshi Patil | finserv@vinodkothari.com

KYC compliance is mandatory for opening bank accounts, investing in mutual funds, opening demat accounts, purchasing insurance policies, and availing various other financial services. It ensures not only regulatory compliance but also safeguards the integrity of the financial system by preventing identity fraud, money laundering, and other illicit activities.

Further, India’s banking and financial sector is changing fast. Banks and other financial institutions need to make sure they know who their customers really are and that their money transactions are legal, this is where KYC processes play a pivotal role.

Read more

RBI publishes FAQs on KYC – Question on Modes of Onboarding Raises more Questions

/3 Comments/in , /by

– Subhojit Shome and Sakshi Patil | finserv@vinodkothari.com

Introduction

The Know Your Customer (KYC) Direction, 2016 dated February 25, 2016 are dense, highly technical and operationally intricate. While these directions form the regulatory backbone for customer onboarding and due diligence for financial institutions, they are not always easy to navigate for the very people tasked with implementing them, the on ground compliance officers and operational staff. 

Recognising this operational gap, on June 9, 2025, the RBI published a comprehensive set of FAQs on KYC guidelines, with the intent of simplifying the KYC framework and aimed at clarifying confusion surrounding KYC measures for banks and financial institutions. While the majority of these FAQs successfully provide the much-needed clarity to the financial sector, the response to Question 13, however, has the possibility of inadvertently creating a regulatory arbitrage, by treating the modes of collecting KYC documents in isolation, as full fledged face to face customer onboarding. This article examines the root of this discrepancy, its potential consequences, and why it warrants a re-examination by the regulator.

Face to Face vs. Non-face-to-face Modes of Onboarding

The RBI’s KYC Directions classify onboarding into two modes:

  • Face-to-Face
  • Non Face-to-Face

This classification is significant because the risk perception, control measures, and regulatory compliances differ for each mode, especially with remote onboarding posing higher risks of impersonation, identity fraud, and misuse. Para 40(f) of the directions provides that the customers onboarded in non face to face mode shall be classified as high risk customers and shall be subjected to enhanced due diligence until they have done the face to face identification.

As per the KYC Directions, a ‘Non face to face customer’ means customers who open accounts without visiting the branch/offices of the REs or meeting the officials of REs (refer para 3(b)(x)).  In this regard, e-KYC authentication, undertaking offline verification of proof of possession of Aadhaar Number (submitted by way of aadhaar XML, mAadhar or electronic copy of the PVC card)); obtaining equivalent e-document of OVD can all be done by remote mode. These modes of submitting KYC information do not require the presence of the customer at the branch or an authorised official having to meet the customer in person. Hence, the aforesaid modes of collecting KYC documents are regarded as non face to face onboarding process.

However, a confusion has erupted since these modes have been listed under face-to-face methods of onboarding in the response to Question 13 in the FAQs. The relevant extract is reproduced herein below:

  • Visit to the branch/ office of the RE;
  • using e-KYC authentication (OTP as well as biometric based authentication); undertaking offline verification of proof of possession of Aadhaar Number; obtaining certified copy of the OVD or equivalent e-document thereof; undertaking ‘Digital KYC Process’, as per paragraph 16 of the MD on KYC.
  • Video based Customer Identification Process (V-CIP) complying with prescribed standards and procedures.

While it is understood that physical visit to the bank or digital KYC process requires the physical presence of the customer either at the branch or the authorised official of the RE meeting the customer physically. The KYC documents are collected and verified accordingly during the physical meeting or as a part of the digital KYC process. Similarly, the process of conducting V-CIP, has been specifically recognised as a face to face mode of onboarding, which also requires the KYC document to be submitted by the customer through any one of the modes mentioned above.

V-CIP as face to face mode of onboarding

In case these modes of collecting the KYC documents, in isolation, are considered as face to face modes of onboarding then the utility of performing V-CIP also comes into question. Let us examine why? V-CIP has been granted the same standing as face to face mode of onboarding and REs performing V-CIP are freed from additional compliance burden of performing EDD according to para 40 of the KYC Directions. The V-CIP process requires the REs to maintain costly infrastructure and also bear operating costs to run the process. Now, the V-CIP process has two parts – one, the KYC Directions mandate a rigorous process for capturing and storing the live video of the customer which is used for establishing the existence/ genuineness of the said person and two, obtaining requisite identification information from the Customer as per para 18 (b)(vi). The modes of obtaining customer identification information are –

  • OTP based Aadhaar e-KYC authentication
  • Offline Verification of Aadhaar for identification
  • KYC records downloaded from CKYCR, in accordance with paragraph 56, using the KYC identifier provided by the customer
  • Equivalent e-document of Officially Valid Documents (OVDs) including documents issued through DigiLocker

Hence, if merely performing Aadhar-based e-kyc or offline verification of aadhar or obtaining OVD e-document are considered as face-to-face modes of customer onboarding, REs will have no motivation of performing the full V-CIP. This cannot be the intention of the regulator.

Additionally, RBI in its notification dated June 12, 2025 on Updation/ Periodic Updation of KYC – Revised Instructions has touched upon the distinction between face-to-face, Non face-to-face, and V-CIP onboarding. It has considered only biometric-based e-kyc and digital KYC as face to face onboarding while considering V-CIP on the same footing as face to face onboarding.

As per para 40(f) of KYC Directions, customers onboarded through non face to face mode, are classified as high risk customers. Enhanced due diligence measures are required to be undertaken for such accounts until the customer undergoes face-to-face KYC verification.

Conclusion

The meaning of face-to-face mode of onboarding is implicit in the definition of Non-face-to-face Customer as per para 3(b)(x) of the KYC Directions. Face to face onboarding will mean that  either the customer physically visits the branch of the RE to open their account or or an authorised official of the RE physically meets such customer for such purpose. In either case the existence of the customer is physically verified when it comes to face to face onboarding.

Given the aforesaid understanding of the regulations, in our view, the KYC Directions allow for only the following three modes of face to face onboarding –

  • Physical meeting of the Customer with the officials of the RE (e.g. branch visit), or
  • Conducting Digital KYC as per Annex I where an authorised official of the RE is required to meet the customer physically, or
  • Conducting V-CIP, in compliance with all the infrastructure and operational requirements, has been explicitly recognised to have the same standing as face-to-face onboarding per para 3(b)(xvi).

The different modes of face to face and non-face to face KYC has been visualised in the following infographic :

Resources on KYC

Making KYC Simpler: RBI’s Proposal for Boosting Periodic Updation

/0 Comments/in , /by

– Sakshi Patil | finserv@vinodkothari.com

The Reserve Bank of India (RBI) has continually worked to strengthen the Know Your Customer (KYC) framework to ensure inclusion. Recognizing challenges in periodic KYC updation, especially in remote areas where bank branches and ATMs are scarce, the RBI has proposed pragmatic measures involving Business Correspondents (BCs). These initiatives aim to ease the KYC process for beneficiaries of government schemes and rural banking customers.

Via these regulations the RBI has also proposed additional measures for REs to increase the effectiveness of periodic KYC updation, while reducing hardship on customers; these are also discussed in this article.

BC allowed to perform KYC Periodic Updation

RBI identified a significant backlog in periodic KYC updation, particularly in accounts opened for the credit of Direct Benefit Transfer (DBT), Electronic Benefit Transfer (EBT), scholarship payments, and those under the Pradhan Mantri Jan Dhan Yojana (PMJDY).

To address this, RBI’s proposed framework allows authorized BCs to assist customers with certain types of KYC updation, improving service access for those in underserved locations. However, the ultimate responsibility for KYC updation still remains with the bank. Once the bank receives the updated information from the BC, it must update its records and intimate the customer upon completion. This is mandated under paragraph 38(c) of the RBI’s Master Direction on KYC.

Updated KYC Periodic Updation Process

  • Self-declaration for No Change / Address Change
    • Customers can submit a self-declaration through a BCs if:
      • There’s no change in their KYC details, or
      • Only the address has changed.
  • Collection and Recording of Self-declarations
    • Electronic Mode:
      • Banks are expected to enable their BC systems to record and store self-declarations and supporting documents electronically.
    • Physical Mode (in case electronic facilities are not available):
      • BC will authenticate the customer’s physical self-declaration and documents.
      • These will be forwarded promptly to the concerned bank branch.
      • Acknowledgment receipt shall be issued to the customer.

Transaction Flexibility for Low-Risk Accounts

In line with the KYC directions and Anti-Money Laundering (AML) standards, customers are categorized into low, medium, and high-risk categories. The risk categorization helps to determine the extent of ongoing monitoring, transaction limits, and enhanced due diligence required for each customer category.

The frequency of the periodic updation depends on the risk categorisation of the customer –

High Risk CustomersEvery 2 years
Medium Risk CustomersEvery 8 years
Low Risk CustomersEvery 10 years

RBI vide this guideline proposes that, low risk customers will be allowed time till June 2026 or one year from when their periodic KYC is due, whichever is later to complete the periodic KYC.

For example, if a customer’s KYC was due in September 2025 and it remains pending, the bank can allow the customer to continue the transactions in their accounts upto September 2026. If the due date of the periodic updation was earlier, say May 2025 then the customer could continue to transact until June 2026.

Timely Intimations and Reminders to Customers

Periodic KYC updation is a regulatory requirement under Para 12 of KYC Directions where REs are required to periodically update the customer’s KYC records after on-boarding the customer. REs face several practical challenges in completing periodic KYC updation, such as the customer being unaware about these requirements or reluctance and misconceptions towards sharing personal documents or information.

With respect to this, RBI has proposed that, REs must issue at least three advance KYC due notices (including one by letter) at appropriate intervals, using available communication channels. If the customer still does not complete periodic KYC, three additional reminders must be sent.

All communications should contain easy to understand instructions for updating KYC, escalation mechanism for seeking help, if required, and the consequences, if any, of failure to update their KYC in time. REs are also required to maintain detailed records of these notifications and reminders.

Conclusion

By enabling simplified and decentralized KYC updation, these measures address both operational challenges and the broader goals of financial inclusion.

As the financial ecosystem evolves, such regulatory measures remain crucial for building a secure, inclusive, and customer-friendly financial environment.

Online Authentication of Aadhaar: Exclusive Club, Members Only!

/0 Comments/in , , /by

-Archisman Bhattacharjee (finserv@vinodkothari.com)

Introduction

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act, 2016 (‘Aadhaar Act’) was introduced with a clear vision: to ensure efficient, transparent, and targeted delivery of subsidies, benefits, and services, fostering good governance. While its preamble underscores these fundamental objectives, Aadhaar’s role has expanded far beyond its original scope, becoming a cornerstone in the banking and NBFC sectors. As outlined in paragraph 16 of the RBI’s KYC Master Directions, Aadhaar now plays a central role in the Know Your Customer (KYC) process, a critical compliance measure for both prospective and existing borrowers.

A key aspect of KYC is the verification of the authenticity of customer documents, a process governed by specific guidelines. 

When it comes to Aadhaar-based KYC, there are two recognized methods: 

  1. Online Authentication and 
  2. Offline Verification 

The Offline Verification process is relatively straightforward (at least on paper), involving the verification of a Digital Signature Certificate (DSC) attached to the downloaded masked Aadhaar document. Importantly, offline verification can be conducted by all RBI-regulated entities for conducting KYC verification.

In contrast, Online Authentication, while offering a more robust and reliable method of KYC verification (refer FAQ 1 of UDIAI), is subject to stricter eligibility conditions and compliance requirements. Not all entities are permitted to perform Online Authentication (discussed in later parts of this article). While lenders may prefer Online Authentication due to its real-time verification capabilities and greater assurance of data authenticity, the regulatory fetters surrounding eligibility must be carefully navigated.

Given the evolving regulatory framework and industry practices, it is critical to develop a clear understanding of how Online Authentication operates and who is permitted to undertake it.

What is Online Authentication

The term authentication has been defined under Section 2(c) of the Aadhaar Act as a process “by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it”. Further The Aadhaar (Authentication and Offline Verification) Regulations, 2021 (‘Aadhaar Rules’) expands upon the process of carrying out online authentication. Rule 4 of the Aadhaar Rules states that:

Authentication may be carried out through the following modes:

(a) Demographic authentication: The Aadhaar number and demographic information of the Aadhaar number holder obtained from the Aadhaar number holder is matched with the demographic information of the Aadhaar number holder in the CIDR.

(b) One-time pin based authentication: A One Time Pin (OTP), with limited time validity, is sent to the mobile number and/ or e-mail address of the Aadhaar number holder registered with the Authority, or generated by other appropriate means. The Aadhaar number holder shall provide this OTP along with his Aadhaar number during authentication and the same shall be matched with the OTP generated by the Authority.

(c) Biometric-based authentication: The Aadhaar number and biometric information submitted by an Aadhaar number holder are matched with the biometric information of the said Aadhaar number holder stored in the CIDR. This may be fingerprints-based or iris-based authentication or other biometric modalities based on biometric information stored in the CIDR.

(d) Multi-factor authentication: A combination of two or more of the above modes may be used for authentication.

The stated modes of how the process of online authentication is required to be carried out is quite descriptive and does not require any further explanation. However one thing is certain that, based on  the definition of the term “authentication”, obtaining the Aadhaar number becomes a mandate. The KYC Master Directions under para 17 recognizes one such mode of authentication as OTP based online authentication.  

Who can carry out Online Authentication

Considering that the authentication process and the e-KYC data obtained through Aadhaar may include biometric information, such information constitutes “sensitive personal data” under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). While the Digital Personal Data Protection Act, 2023 (DPDPA) does not expressly categorize any particular type of data as “sensitive personal data,” it is important to note that the Supreme Court’s judgment in the Aadhaar judgement recognized biometric data associated with Aadhaar as sensitive in nature. Given that the DPDPA itself has its origins in the principles laid down by the Aadhaar judgment, it is our view that such data should continue to be treated with a higher standard of care.

Without delving into the subject in great detail, it is sufficient to highlight that Aadhaar-based authentication exposes individuals to considerable risks of harm, particularly in the event of a data breach. This risk is exacerbated by the fact that other identifiers such as telephone numbers, PAN cards, and other financial data are often linked to an individual’s Aadhaar number. Consequently, possessing access to an individual’s full Aadhaar number may subject such an entity to considerable risk (including legal and litigation risk) in case proper security safeguards are not taken by such an organization. Usually these heightened data sensitivity concerns would not be present in case KYC verification is conducted through use of masked Aadhaar, i.e via Offline Verification.

Given the heightened sensitivity of Aadhaar information, it is imperative that, beyond compliance with technical security safeguards, the right to carry out Aadhaar authentication be restricted only to entities that have demonstrated robust security frameworks. Imbibing this philosophy, the Aadhaar Act has restricted access to Aadhaar number only to a few entities and these entities are known as “requesting entities” as defined under Section 2(u) of the Aadhar Act. From the context of Financial Sector Entities these requesting entities would be required to be a KUA/Sub-KUA (discussed in later parts of this article). 

Online authentication and KYC

Under paragraph 16(a)(ii) of the KYC Master Directions, an Aadhaar number can only be collected by entities that have been notified under Section 11A of the Prevention of Money-laundering Act, 2002 (PML Act). Further, Section 4(4)(b) of the Aadhaar Act stipulates that “authentication” can only be performed by an entity that is:

  1. either permitted to offer authentication services under any other law made by Parliament, or
  2. is seeking authentication for purposes as may be prescribed by the Central Government in consultation with the UIDAI, and in the interest of the State. 

Accordingly, a combined reading of Section 11A of the PML Act and the Aadhaar Act makes it evident that for RBI regulated entities [Except for banks, which are permitted to obtain Aadhaar numbers under paragraph 16(a)(i) of the KYC Master Directions and the proviso to Section 11A of the PMLA Act, no other entities may carry out Aadhaar authentication without being specifically notified by the Central Government.] only those entities which have been notified by the Central Government are authorized to carry out Aadhaar-based authentication by collecting Aadhaar numbers.

Under para 17 of the KYC Master Directions , OTP-based e-KYC authentication has been recognized as a valid mode of Aadhaar authentication. This form of authentication is also recognized under the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (“Aadhaar Regulations”), wherein such authentication can be carried out by either a KUA (KYC User Agency) or an AUA (Authentication User Agency).

The Aadhaar Regulations further introduce the concept of a “Sub-KUA”, which is defined under Rule 2(ob) of Aadhaar rules as a requesting entity that utilizes the infrastructure of a licensed KUA to perform online Aadhaar authentication. Under Rule 16, it is stipulated that an e-KYC record obtained by a KUA can only be shared with its Sub-KUAs and cannot be transferred further to any other entity. Additionally, Rule 14(ga) of the Aadhaar Regulations mandates that a KUA must obtain prior approval from UIDAI before onboarding any third-party entity as a Sub-KUA.

Reference is also drawn to UIDAI Circular 2 of 2025 which discusses Sub-AUA and Sub-KUA application form and joint undertaking. The said documents specify that under the head “Category of Sub-KUA and Sub-AUA“, eligible entities include those “permitted to offer authentication services under Section 11A of the Prevention of Money-laundering Act, 2002 by virtue of being a reporting entity.”. A similar requirement has also been provided under the AUA/KUA Application Form.

In view of the above, it becomes clear that for any RBI-regulated entity (i.e., entities to whom the KYC Master Directions apply) wishing to onboard customers through OTP-based Aadhaar e-authentication, the following conditions must be satisfied:

  1. the entity must be registered either as a KUA or as a Sub-KUA with UIDAI; 
  2. the entity must be notified by the Central Government under Section 11A of the PML Act, thereby being authorized to collect Aadhaar numbers and conduct authentication.

However, it may be noted that in practice, the recognition processes under Section 11A of the PML Act and by UIDAI typically go hand in hand. For entities seeking notification under Section 11A of the PML Act, prior recognition by UIDAI, confirming the entity’s capability to carry out Aadhaar authentication is generally a prerequisite. This position is supported by Circular No. F.No.P-12011/7/2019-ES Cell-DOR issued by the Government of India, Ministry of Finance, Department of Revenue.

Conclusion

In today’s dynamic financial landscape, Aadhaar-based KYC—whether through online authentication or offline verification has become an indispensable tool for streamlining customer onboarding and ensuring regulatory compliance. However, the regulatory framework surrounding Aadhaar authentication remains stringent for good reason: it seeks to strike a delicate balance between enabling ease of business and safeguarding the sensitive personal information of individuals.

While offline verification using masked Aadhaar offers a universally accessible and relatively lower-risk method for KYC compliance by RBI-regulated entities, online authentication—though more robust and efficient—comes with heightened obligations. Only entities meeting the twin conditions of being recognized under Section 11A of the PML Act and being duly registered as a KUA or Sub-KUA with UIDAI are permitted to undertake online Aadhaar authentication. This dual-layered recognition ensures that only entities with demonstrably strong security practices are entrusted with the collection, storage, and processing of Aadhaar-related sensitive data.

As technology evolves and customer expectations shift toward faster, seamless digital experiences, regulated entities must not only prioritize compliance but also cultivate a strong internal culture of data protection and risk mitigation. Institutions seeking to leverage Aadhaar-based online authentication must therefore invest in robust data security frameworks, maintain strict internal governance standards, and ensure that their authentication practices align with both the letter and spirit of the law.

Two day refresher course on NBFC Regulations – Mumbai

/0 Comments/in , , /by

Fill the google form to register: https://forms.gle/ULq6zBhESo1rpZLKA

Following the success of our recent workshop in Bengaluru, we are delighted to announce our upcoming 2-day refresher course on RBI regulations for NBFCs in Mumbai!
Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [482.87 KB]

Refer our resources on SBR:

Resources on Scale Based Regulations

Online Workshop on Regulatory Concerns on Fair Lending Practices and KYC

/0 Comments/in , , , , /by
Register here: https://forms.gle/cQ3RYWAwhqd3hqTs7
Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download as PDF [370.96 KB]

Our resources on KYC can be accessed here.

Our resources on SBR:

Resources on Scale Based Regulations

AML/ CFT Compliances Expand – RBI Further Amends KYC Master Directions

/0 Comments/in , /by

– Chirag Agarwal | Executive | finserve@vinodkothari.com

Introduction

The Reserve Bank of India (“RBI” or “Regulator”) plays a pivotal role in India meeting its anti-money laundering (AML) and combating financing of terrorism (CFT) obligations as part of its membership with the Financial Actions Task Force (FATF). As the Regulator of the credit sector and payment systems it does so by  ensuring the implementation of robust and up-to-date Know Your Customer (KYC) norms vide its  Master Direction – Know Your Customer (KYC) Direction, 2016 (“KYC Directions”). With a possible FATF evaluation around the corner, on October 17, 2023, the RBI introduced significant amendments to these KYC directives through its notification titled – Amendment to the Master Direction on KYC (“Amendment”), impacting various regulated entities, including Non-Banking Financial Companies (NBFCs).

Read more