Aadhaar, as defined under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ('Aadhaar Act'), is a 12-digit unique identity number that residents of India can obtain on the basis of their biometric and demographic data. It is issued by the Unique Identification Authority of India (UIDAI), a statutory authority functioning under the Ministry of Electronics and Information Technology (MeitY). The number is personally identifiable information: the holder's biometric and demographic data are linked to it and stored in UIDAI's Central Identities Data Repository (CIDR).
The Govt of India, under the aegis of the Digital India programme, reshaped the Indian ecosystem by enabling the development and delivery of a variety of services, from direct transfer of benefits and government subsidies to the rollout of innovative financial and digital services to all citizens, powered by India Stack, a technology suite of applications and products of which Aadhaar formed the bedrock. Using Aadhaar as the baseline data component gave entities, both private and public, access to a large pool of readily verifiable data on which to develop and roll out their services.
In order to fully leverage the value of Aadhaar, one of the most prevalent practices of this period was institutions and entities making it mandatory to furnish Aadhaar data in order to access the services they offered.
Privacy Concerns & SC verdict
In response to concerns raised by various civil society groups regarding the security and privacy of Aadhaar data, the Hon'ble Supreme Court upheld the constitutional validity of the Aadhaar Act but struck down Section 57 to the extent that it allowed private entities to use Aadhaar authentication. The salient points of the ruling were as follows:-
- Aadhaar can no longer be made mandatory for opening a bank account, availing mobile services, or seeking admission to a school.
- Private entities are not allowed to demand Aadhaar for establishing identity unless a law specifically requires it.
This was a major blow to many businesses (banks, telcos, FinTechs etc.) that had designed their models around the Aadhaar ecosystem as a KYC (Know Your Customer) instrument that could be verified electronically to establish the true identity of a person.
Aadhaar – a new beginning
In order to address the concerns raised by businesses about continued access to Aadhaar services, and the lack of clarity around the legal interpretation of the verdict, the Govt. of India, under the leadership of Prime Minister Narendra Modi, approved the promulgation of an Ordinance that made provisions for entities to leverage the Aadhaar ecosystem while adhering to the spirit of the law as laid down by the Hon'ble Supreme Court.
Accordingly, the Aadhaar Act, the Indian Telegraph Act and the Prevention of Money Laundering Act were amended in line with the Supreme Court's directives. In order to ensure that the personal data of Aadhaar number holders remains protected against misuse and that the Aadhaar scheme remains in conformity with the Constitution, the Aadhaar and Other Laws (Amendment) Ordinance, 2019 (Ordinance) was promulgated.
Here, we share the various provisions under the new Ordinance.
- Voluntary (consent-based) use of Aadhaar, through both offline and online mechanisms, is permitted for opening bank accounts (for non-DBT services) and obtaining telecom connections.
- Aadhaar remains mandatory only for recipients of DBT (direct benefit transfer).
- Both the Aadhaar number and the VID (Virtual ID) may be used for Aadhaar authentication.
- No requesting entity may store biometric data.
Aadhaar (Pricing of Aadhaar Authentication Services) Regulations 2019
Following the Ordinance, UIDAI has also notified a set of regulations that businesses/entities must adhere to when accessing UIDAI's services for authentication of Aadhaar data:-
- Aadhaar authentication services shall be charged @ Rs 20 (including taxes) for each e-KYC transaction and Rs 0.50 (including taxes) for each Yes/No authentication transaction from requesting entities;
- Government entities and the Department of Posts shall be exempt from Authentication transaction charges; and
- Scheduled Commercial Banks engaged in providing Aadhaar enrolment and update facilities in accordance with Gazette Notification no. 13012/79/2017/Legal-UIDAI (No. 4 of 2017) dated 14th July 2017 shall be exempt from Authentication transaction charges. However, such banks, which fall short of the Aadhaar enrolment and update targets, as communicated from time to time, will be charged in proportion to the shortfall in achieving the target.
Aadhaar – The Decimal View
At Decimal, we have been speaking to various stakeholders at banks and FIs to better understand the challenges and opinions surrounding Aadhaar. Senior stakeholders in some banks have taken the view that the Ordinance provides enough regulatory and legal support to continue with Aadhaar-based eKYC and customer onboarding, while some bank executives prefer to wait and watch how the legal position evolves further, especially with elections around the corner.
While opinions vary on the legal interpretation of the new measures introduced in the Ordinance mentioned above, in our opinion the following holds true:-
- No entity, private or government, may deny a service for want of Aadhaar authentication, except for services specifically tied to direct benefits or government subsidies.
- No entity is allowed to store the Aadhaar biometric data of its customers.
- No private entity (other than banks and telcos) is allowed to access the UIDAI database for authentication of a customer's Aadhaar data.
- A pricing matrix has been defined for such authentication services under the Aadhaar (Pricing of Aadhaar Authentication Services) Regulations 2019 set out above. All requesting entities have to pay the prescribed fees to avail UIDAI's services.
- Entities should inform customers/Aadhaar number holders of alternate and viable means of identification, and cannot deny services to those who refuse or are unable to undergo Aadhaar authentication.
Entities can opt for offline Aadhaar verification or non-Aadhaar methods by capturing OVDs (Officially Valid Documents) as defined by RBI for KYC purposes. OVDs include the following:-
- Driving licence,
- Voter ID card,
- PAN card,
- Aadhaar letter issued by UIDAI; and
- Job Card issued by NREGA signed by a State Government official
How can Decimal help?
At Decimal, our digital solutions already support the following onboarding workflows:-
- Aadhaar-based online biometric verification in assisted mode –
Our solution invokes the SDK of the biometric device registered with the application, captures the resident's biometric, and sends the resulting PID (Personal Identity Data) block to UIDAI via the domain/client application hosted on such devices. The raw biometric is never retained by the application.
- Aadhaar-based offline validation using signed XML documents –
Our solution reads the digitally signed offline e-KYC XML obtained by the resident from the Aadhaar platform, with the user entering only the Aadhaar number on the client application. The data in the XML is verified locally against UIDAI's digital signature, so no request/response exchange with the UIDAI server is needed. The data is thus fully validated in an offline model.
- Non-Aadhaar workflow –
This solution captures OVD documents in-app and runs an OCR engine in-app to extract the data from these documents. The integrity of this data can be further strengthened by checking it in real time against the digital records of services such as Voter ID and Driving Licence, available via 3rd-party integrations.
Security & Data Encryption
At Decimal, security of data is of paramount importance, and hence our solutions are built on current technical standards and conform to the applicable regulatory requirements. In compliance with the regulatory guidelines, Decimal's solutions do not store any Aadhaar data in their application database or on their servers.
Decimal's applications/solutions allow masking of Aadhaar data. For encryption of the same, Decimal's application accesses the Aadhaar Data Vault (ADV), a centralised encrypted store that the bank/FI has to implement to hold Aadhaar numbers in tokenised form, with the encryption keys held in a Hardware Security Module (HSM). An HSM is a hardware device used to generate and protect cryptographic keys; it also offloads encryption and signing onto dedicated processors. Common HSM form factors are:-
- USB HSM – USB-attached devices, typically used for storing root cryptographic keys in an offline key-storage device.
- Network HSM – network-attached devices that safeguard the encryption keys used by applications in on-premises, virtual and cloud environments.
- PCI HSM – cards embedded directly in an appliance or application server, used for safeguarding cryptographic keys and accelerating sensitive cryptographic operations.
Decimal's application passes the Aadhaar number to the ADV only at the point of capture; the ADV returns a reference key, and only this reference (together with a masked form of the number where display is required) is stored in the application database. The full number is never written outside the vault, and the reference bears no mathematical relationship to it. Thus data privacy and security are achieved in compliance with the regulatory guidelines.