-Kanakprabha Jethani (firstname.lastname@example.org)
On September 13, 2021, the RBI issued a notification (‘RBI Notification’) permitting all NBFCs, Payment System Providers and Payment System Participants to carry out authentication of a client’s Aadhaar number using the e-KYC facility provided by the Unique Identification Authority of India (UIDAI), subject, of course, to a license being granted by the MoF. The process involves an application to the RBI, onward submission of the application by the RBI after screening, a further screening by UIDAI, and final grant of authentication by the MoF.
We discuss below the underlying requirements of the PMLA, Aadhaar Act and regulations thereunder (defined below) and other important preconditions for this new-found authorisation for NBFCs.
Understanding the difference between authentication and verification
As per section 2(c) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (‘Aadhaar Act’) “authentication” means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it;
Further, Section 2(pa) defines offline verification as the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.
Authentication is the process of establishing the authenticity of Aadhaar information using the authentication facility provided by the UIDAI. It may be done in any of the following ways:
- Demographic authentication: The Aadhaar number and demographic information of the customer are obtained and matched with the demographic information of the Aadhaar number holder in the CIDR.
- One-time pin (OTP) based authentication: The Aadhaar number of the customer is obtained. An OTP is sent to the registered mobile number and/or e-mail address. The Aadhaar is authenticated when the OTP shared by the customer matches the one generated by UIDAI.
- Biometric authentication: The Aadhaar number and biometric information submitted by the customer are matched with the biometric information stored in the CIDR.
Essentially, Aadhaar authentication requires the Regulated Entity (RE) to obtain the Aadhaar number of the customer. However, owing to the Supreme Court verdict on Aadhaar, the Aadhaar number could be obtained only by banks or specific notified entities. Eventually, the concept of offline verification was introduced, by virtue of which verification can be done using an XML file or QR code that carries minimal details of the customer. The RE is not required to obtain the Aadhaar number in this case.
Understanding the concept of AUA and KUA
The Aadhaar (Authentication) Regulations, 2016 provide the following definitions:
“Authentication User Agency” or “AUA” means a requesting entity that uses the Yes/ No authentication facility provided by the Authority;
“e-KYC User Agency” or “KUA” shall mean a requesting entity which, in addition to being an AUA, uses e-KYC authentication facility provided by the Authority;
“e-KYC authentication facility” means a type of authentication facility in which the biometric information and/or OTP and Aadhaar number securely submitted with the consent of the Aadhaar number holder through a requesting entity, is matched against the data available in the CIDR, and the Authority returns a digitally signed response containing e-KYC data along with other technical details related to the authentication transaction;
- An AUA’s rights are limited: it receives only a yes or no as the response to an Aadhaar authentication, i.e. whether the Aadhaar is authentic or not.
- A KUA’s rights are comparatively broader: it receives the e-KYC details of the customer upon utilising the authentication facility.
Further, there is the concept of sub-AUA and sub-KUA, which utilise the facility of licensed AUAs or KUAs for Aadhaar authentication.
Application for AUA/KUA License
The power of granting permission for use of aadhaar authentication facility by entities other than banks is derived from section 11A of the Prevention of Money Laundering Act, 2002 (‘PMLA’). It states-
(1) Every Reporting Entity shall verify the identity of its clients and the beneficial owner, by—
(a) authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016) if the reporting entity is a banking company; or
(b) offline verification under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
Provided that the Central Government may, if satisfied that a reporting entity other than banking company, complies with such standards of privacy and security under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016), and it is necessary and expedient to do so, by notification, permit such entity to perform authentication under clause (a):
In exercise of powers under the above-mentioned provisions, the Ministry of Finance (MoF) issued a notification on May 9, 2019, laying down the process for permitting entities other than banks to use the authentication facilities of the UIDAI. The notification provides for the following process:
- Step 1: Application to be made to the concerned regulator
- Step 2: Examination of the application by the concerned regulator
  - To ensure conditions of section 11A of PMLA and other security and IT related requirements are met
- Step 3: Examination by UIDAI of applications recommended by the regulator
  - To check that the standards of privacy and security set out by UIDAI are complied with
  - UIDAI to then send notification to the Department of Revenue, MoF
- Step 4: Notification as AUA/KUA by MoF
- Step 5: UIDAI to issue authorisation to use UIDAI’s authentication facility
The Reserve Bank of India, being the financial sector regulator, has issued the notification permitting all NBFCs, Payment System Providers and Payment System Participants to carry out authentication of a client’s Aadhaar number using the e-KYC facility. The application form seeks various details about the applicant, including a confirmation that the entity meets the standards of the Aadhaar (Data Security) Regulations, 2016 of UIDAI and other related guidance / circulars issued by UIDAI from time to time with regard to the privacy and security norms.
The most crucial aspect of eligibility for obtaining an AUA/KUA license is the capability of meeting the standards of privacy and security set out by UIDAI. The requirement for meeting the said standards arises from section 4(4) of the Aadhaar Act, which states-
(4) An entity may be allowed to perform authentication, if the Authority is satisfied that the requesting entity is—
(a) compliant with such standards of privacy and security as may be specified by regulations; and
(b) (i) permitted to offer authentication services under the provisions of any other law made by Parliament; or
(ii) seeking authentication for such purpose, as the Central Government in consultation with the Authority, and in the interest of State, may prescribe.
Additionally, the Aadhaar (Authentication) Regulations, 2016 provide for the eligibility criteria for appointment as AUA/KUA. As per the said regulations, the following requirements must be met by the applicant:
- Backend infrastructure, such as servers, databases etc. of the entity, required specifically for the purpose of Aadhaar authentication, should be located within the territory of India.
- The entity should have IT infrastructure, owned or outsourced, capable of carrying out a minimum of 1 lakh (100,000) authentication transactions per month.
- The organisation should have adopted data security requirements as per the IT Act 2000.
Understanding standards of privacy and security
The regulations surrounding data protection and privacy issued by the UIDAI are:
- Aadhaar (Data Security) Regulations, 2016
- Aadhaar (Sharing of Information) Regulations, 2016
- Miscellaneous circulars issued by the UIDAI from time to time
Major requirements under the said regulations are as follows:
- Applicant to adopt an information security policy outlining the information security framework of the applicant, developed in line with applicable guidelines issued by UIDAI;
- Applicant to designate an officer as Chief Information Security Officer (CISO) for ensuring compliance with the information security policy and other security-related programmes and initiatives of UIDAI;
- Operations of the applicant to be audited by an information systems auditor;
- Applicant to ensure that biometric information is not stored, except for buffering during authentication;
- Applicant to ensure identity information is not shared with anyone else except with prior approval.
Pursuant to the said notification, NBFCs, Payment System Providers and Payment System Participants shall be eligible to make an application to the RBI, subject to compliance with the privacy and security norms issued by UIDAI. The notification is a much-awaited relaxation for the eligible non-banking entities to undertake Aadhaar authentication of their customers. However, the criteria for granting approval have not been laid down specifically and may be based on the evaluation conducted by the RBI along with UIDAI. For those who receive the approval, this would be an addition to the modes in which customer due diligence (CDD) can be conducted.
Note: Central Identities Data Repository (CIDR) means a centralised database containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.
Note: Refer to Schedule A to the Aadhaar (Authentication) Regulations, 2016 (page 19): https://uidai.gov.in//images/resource/CompendiumMay2020Updated.pdf