The striking down of Section 57 of the Aadhaar Act was a major setback for the FinTech entities and payment systems. These companies were highly dependent on Aadhaar for verifying their customers. The Aadhaar verdict caused an adverse impact on the FinTech companies as compliance with the know your customer (KYC) guidelines for these companies became ambiguous. Earlier private entities and corporate bodies were allowed to use Aadhaar number for establishing identities of the customers, however, after the landmark judgement, private entities could not demand Aadhaar for verification of identity unless the same was pursuant to any law. Therefore, this unsettled the very basis on which these FinTech entities built their businesses.
Subsequently, necessary amendments were made in the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, vide the notification of Prevention of Money-Laundering (Maintenance of Records) Amendment Rules, 2019 issued on 13 February 2019 (‘PMLA Notification’) so as to allow the use of Aadhaar as a proof of identity, albeit in a manner that protected the private and confidential information of the borrowers. However, despite the changes in the PMLA Rules and the Aadhaar and Other Laws (Amendment) Ordinance, 2019 issued on 2 March 2019 (“Ordinance”), the RBI did not bring changes in its operative guidelines. As a result, ambiguity with respect to usage of Aadhaar number for KYC purposes increased.
On 29 May 2019 , the RBI brought the much awaited amendments in the KYC Master Directions.
Before we delve further into the issue, it is important to be mindful of the following:
The definition of Aadhaar number under the KYC Master Directions has been borrowed from the Ordinance, which means an identification number issued to an individual under sub-section (3) of section 3 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016), and includes any alternative virtual identity generated under sub-section (4) of that section.
Further, sub-section (4) provides that the Aadhaar number issued to an individual under sub-section (3) shall be a twelve-digit identification number and any alternative virtual identity as an alternative to the actual Aadhaar number of an individual that shall be generated by the Authority in such manner as may be specified by regulations.
Acceptance of Aadhaar as an ‘officially valid document’
The PMLA Notification, recognises proof of possession of Aadhaar number as an 'officially valid document' (OVD). As per the proviso to Rule 2(1)(d) of the said notification, whoever submits “proof of possession of Aadhaar number” as an officially valid document, has to do it in such a form as are issued by the Authority.
Pursuant to the amendment in KYC Master Directions, ‘Proof of possession of Aadhaar number’ has been added to the list of OVD with a proviso that where the customer submits ‘Proof of possession of Aadhaar number’ as OVD, he may submit it in such form as are issued by the Unique Identification Authority of India (UIDAI).
Regulation 15 of the Aadhaar (Enrolment and Update) Regulations, 2016 (“Enrolment Regulations”) which deals with delivery of Aadhaar number stipulates that:
“Aadhaar number may be communicated to residents in physical form (including letters or cards) and/or electronic form (available for download through the Authority’s website or through SMS).”
The Authority in exercise of the provisions under Regulation 35 of the Enrolment Regulations has on 4 April 2019 notified that delivery of Aadhaar number under Regulation 15 shall mean and include the following:
(a) Aadhaar letter: Issued by the Authority carries name, address, gender, photo and date of birth details of the Aadhaar number holder.
(b) Downloaded Aadhaar (e-Aadhaar): Carries name, address, gender, photo and date of birth details of the Aadhaar number holder in similar form as in printed Aadhaar letter.
(c) Aadhaar Secure QR Code: A quick response code generated by the Authority containing name, address, gender, photo and date of birth details of the Aadhaar number holder.
(d) Aadhaar Paperless Offline e-KYC: An XML document generated by the Authority containing name, address, gender, photo and date of birth details of the Aadhaar number holder.
It has been specified that the Aadhaar number holder can use any of the documents above to prove possession of Aadhaar number subject to the concerned entity’s right to verify the genuineness of the above mentioned documents.
Further, as per the KYC Master Directions, in case an OVD, including Aadhaar, furnished by the individual does not contain updated address, certain deemed OVDs for the limited purpose of proof of address can be submitted, provided that the OVD updated with current address is submitted within three months.
Obtaining certified true copy
As per the requirement of the amended KYC Master Directions, for undertaking Customer due-diligence (CDD), non-banking financial companies (NBFCs) shall have to obtain the following from an individual while establishing an account-based relationship or while dealing with the individual who is a beneficial owner, authorised signatory or the power of attorney holder related to any legal entity (section 16):
(a) a certified copy of any OVD containing details of his identity and address
(b) one recent photograph
(c) the Permanent Account Number (PAN) or Form No. 60 as defined in Income-tax Rules, 1962, and
(d) such other documents pertaining to the nature of business or financial status specified by the reporting entities (REs) in their KYC policy
Here, obtaining a certified copy by regulated entity shall mean comparing the copy of officially valid document so produced by the customer with the original and recording the same on the copy by the authorised officer of the regulated entity.
It has been clearly specified by the RBI that the individuals (apart from those desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016) while submitting Aadhaar for Customer Due Diligence, shall redact or blackout their Aadhaar number in terms of sub-rule 16 of Rule 9 of the amended PML Rules, as per the PMLA Notification.
The relevant provision of the sub-sections is reproduced herein below:
“(16) Every reporting entity shall, where its client submits his Aadhaar number, ensure such client to redact or blackout his Aadhaar number through appropriate means where the authentication of Aadhaar number is not required under sub-rule (15).”;
In case where simplified procedure have been followed for opening accounts by NBFCs, the CDD as mentioned above (as per section 16 of the KYC Master Directions) must be carried out within a period of twelve months. Even at the time of periodic verification, CDD as per section 16 has to be carried out.
The Ordinance defined the term “offline verification”. Section 2 (pa) states –
“offline verification” means the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.
It is pertinent to note that the offline modes are not specified in the regulations. However, Unique Identification Authority of India (UIDAI) had proposed two methods of using offline Aadhaar verification–
1. Using the Quick Response (QR) codes
Companies may seek the Aadhaar QR code from the customers. The same has to be downloaded and printed by the customer and submitted to the company who shall read it using a QR code reader. Scanning of QR code, from the QR code reader will provide the name, address and photograph of the customer, without providing the Aadhaar number.
2. Using paperless local e-KYC
The paperless local e-KYC involves generation of a digitally signed XML which can be stored in a laptop or phone and be communicated by the customer to the company, as and when required. Companies can receive the Aadhaar Paperless Offline e-KYC XML from the customers. The XML file provides the name, address and photograph of the customer, without providing the Aadhaar number.
Further, section 8A of the Ordinance specifies the process of offline verification to be conducted by the offline-verification seeking entity. The entity seeking offline verification must obtain the consent of the customer before performing such offline verification. The entity must also ensure that the demographic information or any other information collected from the customer is used only for the purpose of such verification.
RBI has also specified in the KYC Master Directions that the NBFCs may identify a customer through offline verification under the Aadhaar Act with his/her consent, for identification purpose.
The Ordinance provides that banking companies shall verify the identity of the customers by authentication under the Aadhaar Act or by offline verification or by use of passport or any other officially valid documents. Further distinguishing the access, the Ordinance permits only banks to authenticate identities using Aadhaar. Other reporting entities, like NBFCs, are permitted to use the offline tools for verifying the identity of customers provided they comply with the prescribed standards of privacy and security. The use of Aadhaar shall be a voluntary choice of every customer who is sought to be identified. In order to safeguard the interests of the customers, the reporting entity must inform the customer of the other alternatives available to them.
The KYC Master Directions require non-individual customers such as legal entities, to submit either PAN or Form No. 60 of the entity apart from other entity related documents as a mandatory KYC document. Further, in case of companies and partnership firms, the PAN itself is mandatory. Additionally, the PAN or Form No. 60 of the authorised signatories shall also be obtained by the reporting entities.
In case of existing customers also the PAN or Form No.60, shall be obtained by such date as may be notified by the Central government, failing which the reporting entities shall temporarily cease operations in the account till the time the PAN or Form No. 60 is submitted by the customer. In case of asset accounts such as loan accounts, for the purpose of ceasing the operation in the account, only credits shall be allowed. However, before temporarily ceasing operations for an account, the customer shall be given an accessible notice and a reasonable opportunity to be heard.
The amendments in the KYC Master Directions allow verification of customers by offline modes and it permits NBFCs to take Aadhaar for verifying the identity of customers if provided voluntarily by them, after complying with the conditions of privacy to ensure that the interests of the customers are safeguarded. The amendments clearly specify the regulatory approach to resume the KYC process by using Aadhaar through offline modes.
(The writer is senior manager, Vinod Kothari Consultants P. Ltd.)