Emerging RBI KYC norms and Aadhaar

Table of Contents:

Chapter I: Terror, Drugs and KYC Pages 2 to 5

Chapter II: Know Your KYC or KY-KYC Pages 6 to 13

Chapter III: Aadhaar and KYC Pages 14 to 19

Chapter IV: Authentication with Aadhaar Pages 20 to 28

Chapter V: Aadhaar e-KYC in Practice Pages 29 to 33

Chapter VI: IDfy View Pages 34 to 36

© Baldor Technologies Pvt. Ltd. 2018 1 idfy.com


Chapter I:
Terror, Drugs and KYC

It was still the pre-Y2K era. Banks would come rushing to students of premier educational institutions in India to offer them credit cards with credit limits that seemed like a small fortune to most who were yet to earn their first rupee.

The card selling agents asked for nothing more than a copy of the student identity cards. The agents would themselves fill up the entire form as long as you took the time to fill in your name and sign the document.

A friend I know entered his name as Al Capone and even though that was not the name on his identity card, it didn’t matter.

Yes, the very first card of someone who would later specialise in creating models for fraud detection for credit cards and insurance was in the name of Al Capone!

These were the days when customer acquisition was the priority and nothing else really mattered. A number of the student card beneficiaries defaulted and ended up agreeing to settlement deals many years later.

At least with this bunch, the banks got lucky that by and large, they did not end up dealing with criminals or supporting criminal activity.

However, with the kind of checks that were in place then, it would not be too difficult for Al Capone to get a card in the name of the Average Joe, just as Average Joe could get one with his name.

Box - About IDfy

IDfy is helping build a world without fraud where people and businesses can engage with confidence. As a gatekeeper, IDfy ensures that only the real can enter and transact.

Our proprietary systems are built on the latest in machine-learning based anomaly detection, machine vision and identity authentication techniques. These systems catch new and emerging fraud as well as fraud that previously went undetected, keeping our clients, their customers and employees safe and secure.

IDfy provides risk and fraud solutions processing half a million people profiles every month for more than 150 companies. These include the best known names in Fintech, Cryptocurrencies, Insurance, Telecom, E-commerce, Taxi aggregation, and P2P exchanges.

Supporting us in our mission are VC firms NEA and Blume Ventures.

Half-hearted Measures

It wasn’t as if this had never occurred to Indian regulators, or for that matter, regulators all over the globe.

• By the time the 1970s rolled in, banks were given guidelines to help prevent “benaami” transactions, or transactions that could not be traced to specific people. Banks were required to have the names and addresses for all depositors.

• By the 1980s, new bank accounts could be opened only after being “introduced” by someone who already had an account with the bank.

• Then the norms for introduction got a bit stricter. Sometime later, banks were required to have photographs of all account holders.

All this is to suggest that RBI and other regulators were aware of the misuse of the financial system and were trying to implement solutions.

However, neither were the guidelines water-tight in themselves, nor was the implementation of prevailing ones done to perfection.

Which meant that either by exploiting loopholes, by lying, or through collusion with insiders, it was possible for just about anyone to get a lot of illegal stuff done, pretty easily.

While regulators and law enforcement were to an extent dragging their feet over the issue of misuse of the financial system, criminals outside and within their system were rubbing their hands with glee.

Box - Narcos and the BCCI

Back in the 1980s, Bob Musella enabled drug traffickers to move their money around the world or help it get converted to legal money, without the sources of funds being detected. Many important bankers were on his payroll.

Because of his speciality, he built close connections with members of Pablo Escobar’s cartel.

When he was about to get married, his cartel and banking friends turned up in large numbers to attend.

The evening before the big day, limousines arrived to pick up the guests and take them to what promised to be a really wild bachelor party.

Instead, the limousines took all of them straight to US law enforcement agents.

Bob Musella was actually employed by the US Customs as an undercover agent. His real name was Robert Mazur and he had helped catch a number of dangerous criminals.

The operation would also lead to the demise of the Bank of Credit and Commerce International (BCCI) - an international bank which at the peak of its operations had over 400 branches in 48 countries.

The bank had grown rapidly by enabling criminals all over the world to use its services without regulation. It was even known as the “Bank of Crooks and Criminals International” to law enforcement agents who were on to them.

The 2016 Hollywood movie “The Infiltrator” directed by Brad Furman is a dramatized recollection of the heroics of Robert Mazur and other agents.

Towards the last decade of the twentieth century, going right up to the beginning of the current one,

many high-profile cases of major financial institutions colluding with criminals or enabling them in some way came to light. We do not know of the many that may never have been discovered.

A Post 9/11 World

September 11, 2001 was to change the view of not just the American government, but many governments across the world with regards to the need to seriously clamp down on the misuse of financial institutions by criminals and especially terrorist organisations.

In the USA, the USA PATRIOT Act of 2001 spelt out the need for greater control and monitoring of financial institutions and by 2002, all American banks were required to perform KYC processes for their customers.

2002 was also the year when India’s RBI first laid out KYC norms for banks and other financial institutions.

In the years that have passed since then, there has been a massive evolution in the financial services market driven by a new digital economy and fintech that has changed the way in which people transact using money and interact with financial institutions.

The regulations regarding KYC have had to keep pace with these changes and are continually updated to keep up with the times.

But that is far easier said than done in reality, and not just because times are changing so fast.

Also adding to the complexity is that the KYC regulations can’t be decided and operated by a central regulator and financial institutions alone. Others interested in them are government and politicians, judiciary and of course citizens - who need to go through the KYC process before they can avail necessary services like banking.

After all, the average neighbour does not understand why they must face inconvenience just because the banks were shaking hands with Pablo Escobar and Osama bin Laden (see box - Narcos and the BCCI).

There is of course the other side of the story as well - the story of the banks and other organisations who are regulated by such norms.

What does it mean for them? Do they feel the current norms are justified? What would be the ideal solution that would work for everyone and what’s stopping all concerned parties from getting there?

These are some of the questions we will try and answer over the next chapters.
Chapter II:
Know Your KYC or KY-KYC

This e-book is about understanding the challenges and issues presented by the KYC norms laid out by the Reserve Bank of India (RBI) for businesses that offer financial products and services.

There are other businesses that are mandated by government through regulators to adopt strict KYC procedures (e.g. telecom).

However, our discussion is focused on entities regulated by the RBI and how they are impacted by the ever-evolving KYC norms, the systems that would in theory work best for business as well as customers and the roadblocks to getting there.

Before getting into an analysis of specific aspects of the norms, let us however spend a little time getting to know a little more about the fundamentals - the why, who, what and how of KYC.

Box - Benefits of KYC

• Prevents and detects money laundering

• Allows companies to get useful information that may help them serve customers better

Why is adoption of KYC critical?

Money laundering is the process of making money that has been earned illegally appear as if it has been earned by legitimate means.

Examples of money being earned illegally could be income made by selling drugs or weapons, taking bribes, or even through a transaction that is not declared in order to avoid paying taxes.

Apart from the serious threat that money laundering creates to law and order as well as security, it also puts the economy at risk as money goes in and out of the system at the whim of the launderers.

Strict adoption and enforcement of KYC practices is a major tool in combating money laundering and preventing not just criminals from getting away but also security threats to a country.

While regulators have to set norms that are practical and do not hinder the growth of promising industries and services in the financial sector, their primary concern when it comes to defining KYC requirements is usually their ability to prevent money laundering.

However, as businesses (and not just financial businesses) that have enforced good KYC practices have found, there are plenty of direct benefits to knowing your customer.

Companies are using the information they collect about their customers to predict likelihood of default on loan payments, likelihood to commit fraud and even to conduct targeted promotions for their products.

In summary, an ideal KYC eco-system serves its primary purpose of putting a check on money laundering, while at the same time providing benefits to the industry that encourage them to adopt good KYC practices, rather than seeing them as a burden.

Box - Wachovia Money Laundering Scandal

In 2008, it was discovered that Wachovia, one of the USA’s biggest banks of the time, had been helping drug cartels launder money earned from selling drugs in Mexico.

Handlers would deposit large sums of cash with money transfer services in Mexico and these were transferred into bank accounts operated at various branches of Wachovia in the United States.

This money could then be used for legal purposes in the USA. One of the uses that the drug cartels put the money to was to buy aeroplanes that they then used to smuggle more drugs from other countries into Mexico.

Between 2004 and 2007, almost $380 billion was laundered by this mode, using just one bank as a partner.

This happened in an era when KYC had already been mandated not just in the USA, but across major countries in the world.

Had the bank been strictly following the KYC requirements and had the proper checks been in place, the kind of transactions that occurred would have been red flagged and reported to law enforcement authorities in time.

Who is governed by RBI’s KYC norms?

The KYC norms or requirements stipulated by RBI are addressed to all entities regulated by RBI. Termed “Regulated Entities” or REs, these consist of different types of businesses:

• Banks of all kinds - includes nationalised, private and international commercial banks, co-operative


banks and other types of banks like local area banks, rural banks, payment banks, etc.

• All Indian Financial Institutions (AIFIs) - like Exim Bank, NABARD, SIDBI etc.

• Non-banking financial companies (NBFCs) - a wide range of companies that include the likes of loan providers, investment companies, companies that finance purchase of different types of assets and goods, chit funds and more.

• Payment system providers, providers of pre-paid payment instruments like mobile wallets as well as participant entities in a payment system.

• All authorised persons (APs) including those who are agents of the Money Transfer Service Scheme (MTSS) which is a quick and easy way of transferring personal remittances from abroad to beneficiaries in India.

Box - RBI Regulated Entities (REs)

• Banks

• All Indian Financial Institutions (AIFIs)

• Non-banking Financial Companies (NBFCs)

• Payment System Providers (PSPs)

• Authorised Persons (APs)

These regulated entities must perform KYC to satisfy themselves of the authenticity of not just customers with an active relationship with them, but also “walk-in” customers or those who use their facilities to undertake one time transactions.

In addition to individuals acting on their own behalf, KYC must also identify “beneficial owners” of businesses and other customers that are not ‘people’ (e.g. associations and societies etc.).

Box - Customers covered by KYC

• Individuals with ongoing business relationship

• Walk-in customers for one time transactions

• Beneficial owners

Regulated entities consist of a range of organisations with very different turnovers as well as offering different products and services that generate contrasting revenue per customer.

Larger organisations have the ability to enforce the KYC norms as per requirements while for the smaller ones, the costs could prove prohibitive.


However, the costs of non-compliance can be equally prohibitive, leading to a situation where KYC regulations may end up having a significant impact on the ability of certain companies to do business and serve genuine customers.

What do KYC norms consist of?

KYC norms are intended to help investigating authorities become aware of suspicious transactions, identify people that are involved in those transactions as well as understand the entire chain through which the money moves.

As per guidelines by RBI, and indeed the model used globally, KYC policies for every organisation must consist of four elements:

• Customer Acceptance Policy;

• Risk Management;

• Customer Identification Procedures (CIP); and

• Monitoring of Transactions

The Customer Acceptance Policy is expected to ensure that people or businesses cannot conduct financial business using ‘benaami’ accounts or fictitious identities.

It must not allow any individual whose name appears in the sanctions list circulated by the RBI to operate an account or perform one-time transactions.

The same applies for anyone who cannot meet the due diligence requirements by providing the required information and identity documents.

Critically, the Customer Acceptance Policy must achieve all this without the policy resulting in a denial of service to regular people, especially those who are financially or socially disadvantaged.

Box - Customer Acceptance Policy

• No benaami transactions

• No fictitious identities

• Prevent individuals in sanctions list from transacting

• Prevent individuals unable to furnish identity documents from transacting

• Ensure service is not denied to genuine people

Risk Management involves categorising all customers as being of low, medium or high risk when it comes to the likelihood of being involved in fraud or a suspicious transaction.

A number of factors like identity, social and financial status, nature of business, information about the business, location details, etc. go towards determining the risk profile of the customer. A person deemed to be high risk would invite far more frequent and closer scrutiny than someone identified as being medium or low risk.

Box - Risk Management Classification and Frequency of Customer Identification Procedures

• High Risk: Periodic KYC updation once every two years

• Medium Risk: Periodic KYC updation once every eight years

• Low Risk: Periodic KYC updation once every ten years

Customer Identification Procedures are the part of the KYC process that involve getting the required information about customers.

It must be carried out at the time of opening an account and when certain types of transactions take place.

For example, an international money transfer for a person who is not an account holder, buying a travel card worth more than fifty thousand rupees, or even trying to perform a series of transactions which, when viewed collectively, seem to be structured to avoid detection.

Customer details need to be updated periodically, with the frequency of update depending upon the risk profile - every two years for high risk individuals, eight for medium and ten years for the least risky.

A significant portion of the “how” of KYC policies is about the rules and requirements for Customer Due Diligence that is required as part of the Customer Identification requirement.


The RBI guidelines go into great detail about the procedure for identifying customers and the documents that a customer must furnish to establish identity.

There are plenty of details like the information that a business must provide in addition to details of beneficial owners, handling exceptional cases like students from foreign countries, NBFC customers who do not have the basic set of documents, etc.

Monitoring of Transactions implies that the regulated entities need to keep cross-checking that the pattern of behaviour shown by customers is in line with the assessment of the risk they pose.

For example, if a customer categorised as low-risk undertakes a suspicious behaviour, it should still be red-flagged.

Certain transactions are expected to automatically fall in the category of suspicious activity, like large deposits from various sources quickly followed by large cash withdrawals, very high turnover disproportionate to the balance maintained, or a transaction that exceeds the threshold allowed for that category of customer.

In addition to these, regulated entities must also have systems in place that are able to detect patterns of transaction that are abnormal and appear to have no economic rationale.

Box - Monitoring of Transactions

• Transactions by high risk individuals

• Suspicious transactions by medium or low risk individuals

• Detecting patterns across transactions that raise suspicion
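The suspicious-activity patterns described above, turned into detection logic that runs over constructed sample transactions. This is an added example, not code from the e-book or from IDfy; the per-category limits, the reporting threshold, the time windows and the transaction records are all constructed assumptions, and the structuring check generalises the “series of transactions structured to avoid detection” case mentioned under Customer Identification Procedures.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

@dataclass(frozen=True)
class Txn:
    day: date
    kind: str      # "deposit", "cash_withdrawal" or "transfer"
    amount: int    # rupees
    source: str    # counterparty or originating account; "cash" for cash deposits

@dataclass
class Customer:
    name: str
    risk: str              # "low", "medium" or "high" per the RE's risk categorisation
    avg_balance: int       # average balance maintained over the review period
    txns: List[Txn] = field(default_factory=list)

# Constructed illustrative values: the norms leave the actual figures to each
# regulated entity's policy. Higher-risk customers get a tighter per-transaction limit.
TXN_LIMIT = {"low": 1_000_000, "medium": 500_000, "high": 200_000}
CASH_THRESHOLD = 1_000_000  # assumed reporting threshold used by the structuring check

def _by_day(txns: List[Txn]) -> List[Txn]:
    return sorted(txns, key=lambda t: t.day)

def check_threshold(c: Customer) -> List[str]:
    """A single transaction above the limit allowed for the customer's category."""
    limit = TXN_LIMIT[c.risk]
    return [f"THRESHOLD: {t.kind} of {t.amount} on {t.day} exceeds {limit}"
            for t in c.txns if t.amount > limit]

def check_in_out(c: Customer, window_days: int = 7, min_sources: int = 3,
                 min_total: int = 100_000, out_ratio: float = 0.8) -> List[str]:
    """Large deposits from several sources quickly followed by large cash withdrawals."""
    txns = _by_day(c.txns)
    deposits = [t for t in txns if t.kind == "deposit"]
    for first in deposits:
        end = first.day + timedelta(days=window_days)
        cluster = [t for t in deposits if first.day <= t.day < end]
        sources = {t.source for t in cluster}
        total_in = sum(t.amount for t in cluster)
        if len(sources) < min_sources or total_in < min_total:
            continue
        # cash leaving within one further window after the deposit window
        total_out = sum(t.amount for t in txns if t.kind == "cash_withdrawal"
                        and first.day <= t.day < end + timedelta(days=window_days))
        if total_out >= out_ratio * total_in:
            return [f"IN_OUT: {total_in} from {len(sources)} sources since {first.day}, "
                    f"{total_out} withdrawn in cash"]
    return []

def check_turnover(c: Customer, ratio: int = 10) -> List[str]:
    """Turnover disproportionate to the balance maintained."""
    turnover = sum(t.amount for t in c.txns)
    if c.avg_balance > 0 and turnover > ratio * c.avg_balance:
        return [f"TURNOVER: {turnover} exceeds {ratio}x average balance {c.avg_balance}"]
    return []

def check_structuring(c: Customer, window_days: int = 7, min_count: int = 3) -> List[str]:
    """Several sub-threshold cash deposits that together cross the threshold."""
    cash = [t for t in _by_day(c.txns)
            if t.kind == "deposit" and t.source == "cash" and t.amount < CASH_THRESHOLD]
    for i, first in enumerate(cash):
        cluster = [t for t in cash[i:] if t.day < first.day + timedelta(days=window_days)]
        total = sum(t.amount for t in cluster)
        if len(cluster) >= min_count and total >= CASH_THRESHOLD:
            return [f"STRUCTURING: {len(cluster)} cash deposits below {CASH_THRESHOLD} "
                    f"total {total} within {window_days} days of {first.day}"]
    return []

def monitor(c: Customer) -> List[str]:
    """Run every check for every customer: a low-risk customer who behaves
    suspiciously is still red-flagged; the category only changes the thresholds."""
    alerts: List[str] = []
    for check in (check_threshold, check_in_out, check_turnover, check_structuring):
        alerts.extend(check(c))
    return alerts

# Constructed sample customers (not real data)
D = date(2018, 4, 2)
LAYERING = Customer("A", "low", avg_balance=50_000, txns=[
    Txn(D, "deposit", 300_000, "acct-111"),
    Txn(D + timedelta(days=1), "deposit", 300_000, "acct-222"),
    Txn(D + timedelta(days=2), "deposit", 300_000, "acct-333"),
    Txn(D + timedelta(days=4), "cash_withdrawal", 800_000, "branch"),
])
STRUCTURED = Customer("B", "medium", avg_balance=400_000, txns=[
    Txn(D + timedelta(days=i), "deposit", 260_000, "cash") for i in range(4)])
CLEAN = Customer("C", "high", avg_balance=300_000, txns=[
    Txn(D, "deposit", 150_000, "salary"),
    Txn(D + timedelta(days=10), "transfer", 60_000, "rent"),
])

if __name__ == "__main__":
    for c in (LAYERING, STRUCTURED, CLEAN):
        print(c.name, c.risk, monitor(c) or ["no alerts"])
```

The alert codes are what a review queue would key on; the low-risk customer A is flagged on the strength of the pattern alone.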

Other areas covered by the norms

The norms laid out by RBI also spell out procedures and clarifications for various aspects connected to the implementation of the KYC policy. Examples:

• Guidelines for the organisation structure that needs to be put in place to frame and implement the KYC policy


• How to handle exceptions like when people do not have required documents

• Reporting requirements

• Protocols associated with action to be taken after suspicious activity is detected

• Procedures for dealing with correspondent banks or setting up international subsidiaries

• Training of employees

The RBI publishes the guidelines on its website in the form of a “Master Direction” or “Master Circular” document that is continually updated. The most recent version of the norms was published on February 25, 2016 and has been updated twice in 2018 - on April 20 and on July 12.

How are businesses expected to implement KYC policies?

Regulated entities are required to take responsibility and ownership of compliance with KYC norms by having a policy that has been approved by the Board of Directors and appointing key people like the “Designated Director” and “Principal Officer” who form a core part of the set-up that is responsible for ensuring compliance.

Box - Organisation KYC Resources

• Designated Director

• Principal Officer

• In-house or third party resources for identity verification

RBI allows businesses to make use of third party services to complete the identity verification process when certain conditions can be met.

These conditions include the need to be sure that the third party can produce the required documentation at short notice and that it in turn follows all the regulations it is subjected to.


Heart of the matter

However, at the heart of the modifications made to the guidelines in April 2018 was the intent of the RBI to make an individual’s Aadhaar number the key identifier for the person as far as KYC was concerned.

Most of the exceptions detailed are to explain how situations where an individual does not have an Aadhaar number must be handled.

This is a major shift in guidelines from the earlier practice of accepting a wider range of Officially Valid Documents (OVDs) like passport, voter identity card and more.

The catch is that the implementation of these norms depends on the ruling of the Supreme Court in the case - Justice K.S. Puttaswamy (Retd.) & Anr. V. Union of India.

So where does that leave us?

The remainder of this book will try and understand the role Aadhaar can play in the KYC process, how it is set up to do so, the challenges in implementing the system and the impact of not being able to implement a solution that works for all.
Chapter III:
Aadhaar and KYC

As per the updates published to the RBI KYC norms in April 2018, the central bank’s intention is to make Aadhaar the “document for identity and address”.

The enforcement of this provision at the time of writing is subject to the final legal judgement on the matter, but we will keep that aside for now and try and understand what the RBI norms say about using Aadhaar for KYC and the spirit behind them.

Box - Aadhaar in RBI KYC norms

• Information collection - Aadhaar must be collected

• Authentication - Identity must be validated using e-KYC or Yes/No authentication

Norms for Information Collection

What the RBI norms intend to establish is that Aadhaar becomes central and critical to the process of establishing the identity of a customer during the KYC process.

As such, most references to Aadhaar and related terms in the RBI circular come under the section titled “Customer Due Diligence (CDD) Procedure”, which forms a part of the customer identification procedure as specified by the KYC policy.

Performing customer due diligence requires collecting certain information from the customer. The central guideline for what information should be collected is the following:

“From an individual who is eligible for enrolment of Aadhaar, the Aadhaar number; the Permanent Account Number (PAN) or Form No. 60.”

The implication of this statement is significant as this covers most of the people living in the country.


So it is clear that the default expectation from any customer would be that they provide their Aadhaar number to the regulated entity with which they intend to do business.

But what if a person who is eligible for Aadhaar has not yet enrolled for it? And what about the few who may not be eligible under law to get an Aadhaar number, even while residing here?

The norms look at many such scenarios and provide clear guidelines about the alternate information or documentation that needs to be collected in each case.

Box - Some Examples of Handling Cases of People without Aadhaar

For people who are eligible for Aadhaar but do not yet have one:

• Proof of enrolment for Aadhaar which is not less than six months old, in addition to other documents proving identity and address

• The individuals must however submit the Aadhaar related details within six months of commencement of the account, or the regulated entities must cease operations of the account

For individuals who are not eligible for Aadhaar or are not residents:

• The PAN number or Form 60

• A recent photograph

• A certified copy of any document listed as an Officially Valid Document (OVD)

For foreign students, banks may open a Non-Resident Ordinary (NRO) account on the basis of:

• Their passport that has a valid visa and immigration endorsement

• Their photograph

• A letter of admission from the educational institute

Norms for Authentication

“Authentication”, as defined by the Aadhaar Act, means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository (CIDR) for its verification.

The repository then verifies if the information provided is correct or not.

When the regulated entity receives a client’s Aadhaar detail, RBI expects them to verify or authenticate if the information being provided is correct or not.

This authentication must only be done with the explicit consent of the customer.

Two methods of authenticating Aadhaar details are listed - e-KYC authentication (biometric or OTP based) or Yes/No authentication.

The following definitions for these methods are as stated in the current KYC norms circular and the


regulations for Aadhaar authentication circulated by UIDAI:

• “e-KYC authentication facility”, means a type of authentication facility in which the biometric information and/or OTP and Aadhaar number securely submitted with the consent of the Aadhaar number holder through a requesting entity, is matched against the data available in the CIDR, and the Authority returns a digitally signed response containing e-KYC data along with other technical details related to the authentication transaction

• “Yes/No authentication facility”, means a type of authentication facility in which the identity information and Aadhaar number securely submitted with the consent of the Aadhaar number holder through a requesting entity, is then matched against the data available in the CIDR, and the Authority responds with a digitally signed response containing “Yes” or “No”, along with other technical details related to the authentication transaction, but no identity information

The key difference between the two types of authentication mentioned is that in the case of the latter, the response from the CIDR is merely a confirmation of whether the data submitted matches with the record in the database or not.

e-KYC is the prescribed mode in most scenarios

In general, e-KYC is the expected form of authentication, especially biometric based authentication, though OTP authentication is acceptable if done in a face-to-face scenario in usual cases.

For regulated entities, the implication is that while Yes/No authentication allows them to verify a user’s


identity, e-KYC makes their customer data collection process a lot easier by helping them move to a paperless system.

[Figure: Authentication Procedure]

Generally, if a Yes/No authentication has been carried out, the regulated entity is expected to carry out biometric or OTP based e-KYC within six months of the Yes/No authentication.

The norms in fact specifically lay out when the Yes/No facility may be used and when it may not.

• Yes/No authentication shall not be carried out while establishing an account based relationship.

• Yes/No authentication shall suffice for the beneficial owners of a legal entity with existing accounts or while establishing a new one

What this suggests is that the RBI is keen to ensure that the most stringent form of authentication possible takes place for each customer, even if it may not be possible to do so for operational reasons at the time of performing the first KYC exercise with the customer.

Push for In-person Verification

RBI’s intention seems to be that not only is Aadhaar based e-KYC conducted, they also want to ensure that any verification happens in-person.

Cases where the customer was not present during verification (e.g. e-KYC with OTP for a mobile application) are described as accounts opened in non-face-to-face mode.

Keen to ensure that this does not open up the possibility of identity misrepresentation, RBI has spelt out specific restrictions on the scope and scale of transactions that can be carried out using such an account.


Some of the limitations imposed are:

• The aggregate balance of all the deposit accounts of the customer shall not exceed rupees one lakh. In case the balance exceeds the threshold, the account shall cease to be operational till the required due diligence is completed

• The aggregate of all credits in a financial year, in all the deposit accounts taken together, shall not exceed rupees two lakhs

• For borrowal accounts, only term loans not exceeding a combined rupees sixty thousand in a year shall be sanctioned

• If biometric based e-KYC is not completed within a year, the account must cease to be operational

• A customer should be able to open not more than one account in this manner
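The five limits above written as an account-status check a regulated entity could run at review time. This is an added example, not code from the e-book or from any bank's system; it assumes that recording biometric e-KYC is the “required due diligence” that lifts the interim restrictions, and the customer records and review date are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Limits stated in the norms for accounts opened in non-face-to-face mode (rupees)
MAX_AGG_BALANCE = 100_000             # one lakh across all deposit accounts
MAX_FY_CREDITS = 200_000              # two lakhs of credits per financial year, all deposits together
MAX_TERM_LOANS = 60_000               # combined term loans sanctioned in a year
EKYC_DEADLINE = timedelta(days=365)   # biometric e-KYC due within a year of opening

@dataclass
class DepositAccount:
    balance: int
    fy_credits: int   # credits received in the current financial year

@dataclass
class NonFaceToFaceCustomer:
    opened_on: date
    deposits: List[DepositAccount]
    term_loans_this_year: int            # amount already sanctioned this year
    biometric_ekyc_done: Optional[date]  # None until in-person biometric e-KYC is recorded
    accounts_opened_nf2f: int            # accounts opened in non-face-to-face mode

@dataclass
class Decision:
    violations: List[str]
    cease_operations: bool   # account must be frozen until due diligence is completed

def evaluate(c: NonFaceToFaceCustomer, today: date) -> Decision:
    """Apply the non-face-to-face restrictions to the customer as of `today`."""
    # Assumption: once biometric e-KYC is recorded the account is fully verified
    # and the interim restrictions no longer apply.
    if c.biometric_ekyc_done is not None:
        return Decision([], False)
    violations, cease = [], False
    agg_balance = sum(a.balance for a in c.deposits)
    if agg_balance > MAX_AGG_BALANCE:   # breach freezes the account, per the norms
        violations.append(f"aggregate balance {agg_balance} exceeds {MAX_AGG_BALANCE}")
        cease = True
    agg_credits = sum(a.fy_credits for a in c.deposits)
    if agg_credits > MAX_FY_CREDITS:
        violations.append(f"financial year credits {agg_credits} exceed {MAX_FY_CREDITS}")
    if c.term_loans_this_year > MAX_TERM_LOANS:
        violations.append(f"term loans {c.term_loans_this_year} exceed {MAX_TERM_LOANS}")
    if today >= c.opened_on + EKYC_DEADLINE:   # a year has passed without biometric e-KYC
        violations.append("biometric e-KYC not completed within a year of opening")
        cease = True
    if c.accounts_opened_nf2f > 1:
        violations.append(f"{c.accounts_opened_nf2f} accounts opened in non-face-to-face mode")
    return Decision(violations, cease)

def may_sanction_loan(c: NonFaceToFaceCustomer, amount: int) -> bool:
    """A new term loan is allowed only while the combined yearly limit still holds."""
    if c.biometric_ekyc_done is not None:
        return True
    return c.term_loans_this_year + amount <= MAX_TERM_LOANS

# Constructed sample records (not real customers)
TODAY = date(2018, 7, 12)
OVER_BALANCE = NonFaceToFaceCustomer(date(2018, 1, 10),
    [DepositAccount(70_000, 90_000), DepositAccount(40_000, 50_000)], 0, None, 1)
STALE = NonFaceToFaceCustomer(date(2017, 6, 1), [DepositAccount(20_000, 30_000)], 50_000, None, 1)
VERIFIED = NonFaceToFaceCustomer(date(2018, 1, 10), [DepositAccount(250_000, 300_000)],
    0, date(2018, 3, 1), 1)

if __name__ == "__main__":
    for name, c in (("over_balance", OVER_BALANCE), ("stale", STALE), ("verified", VERIFIED)):
        print(name, evaluate(c, TODAY))
```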

Similar restrictions are placed on different types of accounts and relationships where deep authentication of Aadhaar is either not possible or not applicable.

For example, restrictions are placed on foreign remittances to “small accounts” that can be opened by people without Aadhaar, especially from economically disadvantaged sections.

Impact of Aadhaar KYC on Stakeholders

In 2007-08, banks regulated by the RBI raised less than 2,000 suspicious transaction reports. By 2015-16 that number had crossed a lakh and 2016-17 saw over 4,70,000 suspicious transactions reported.
Money laundering and suspicious activities have always existed - it is just that we have gotten much better at detecting them.

[Figure: Growth in Suspicious Transaction Reports. Data source: fiuindia.gov.in]

Many factors may be contributing to the increased detection - better definition of suspicious activity, better training and awareness, better data analytics capabilities etc.

But surely, the increased use of Aadhaar based authentication must be a contributing factor - making identity fraud more difficult to carry out in the first place, but also helping easily catch people trying to do so.

For the financial services industry, especially new entrants bringing innovative solutions, the added advantage of Aadhaar based e-KYC is a boon as it has helped them drastically cut down not only the cost of conducting KYC, but also helped them capture user data in an error free and paperless mode leading to increased efficiency.

The biggest concern that industry has with the norms is the restriction imposed on accounts opened in non face-to-face mode, which prevents many businesses from maximising the revenues they may generate from a consumer. The only option they are left with is to invest in more expensive and cumbersome face-to-face KYC verification.

For customers, on the one hand there are valid concerns about privacy which need to be addressed through framing the right regulations and their strict enforcement.

On the other hand, there are also benefits of convenience as well as the security of knowing that in general, it has become more difficult for someone to use their identity to commit fraud.
Chapter IV:
Authentication with Aadhaar

So far, we have understood the potential dangers of unchecked money laundering, the need for a strong KYC system to prevent it from happening and RBI’s intention to use authentication of Aadhaar using the e-KYC method as the default mode for verifying identity.

Now, we turn our attention to the other significant stakeholder that has an important role to play in enabling the eco-system desired by RBI.

The Unique Identification Authority of India (UIDAI) is the body responsible for collecting and managing information from individuals enrolling to obtain an Aadhaar number.

It is responsible for the management of the Central Identities Data Repository (CIDR) and regulating interactions with organisations seeking validation of Aadhaar details from the CIDR.

Under regulations specified according to the Aadhaar Act of 2016, UIDAI has clearly laid down the procedures for using the CIDR data for authentication, spelling out details about what authentication means, how it should be done and who are the organisations authorised to contact the CIDR for authentication.

Let’s understand what these details are all about.


What is Aadhaar Authentication?

It is the process by which an organisation can verify whether the Aadhaar number a client or prospective client claims as theirs is actually assigned to them.

In other words, it is aimed at ensuring that no one can provide someone else's Aadhaar number, or a fake Aadhaar number, to enrol for the service that is seeking authentication.

Interestingly, UIDAI on its website sets out a clear vision in terms of the standard it expects the authentication process to achieve: "that the identity of Aadhaar number holders can be validated instantly anytime, anywhere."

Methods of identity verification of an Aadhaar number holder

• Demographic
• One-time pin (OTP)
• Biometric
• Multi-factor

How can Aadhaar Authentication be performed?

The authentication process begins with the requesting organisation obtaining, with the customer's consent, their Aadhaar number and certain other information or input that will be sent electronically to the CIDR.

The CIDR then checks whether the information received confirms the identity of the customer and returns a response based on its finding.

Different verification methods

The first step in the process is making a request to the CIDR for authentication. There are four different types of authentication, based on the nature of the user information submitted:

• Demographic authentication: Aadhaar enables verifying the Aadhaar number and certain demographic information associated with the number against the CIDR. The demographic information collected from a user may include details like name, date of birth and address, but cannot include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

• One-time pin (OTP) based authentication: A regulated entity may send, along with the Aadhaar number, a recently generated OTP that has been delivered to the Aadhaar number holder's registered mobile phone or e-mail address. The CIDR checks whether the same OTP was generated recently for that Aadhaar number and returns a response.

• Biometric-based authentication: Biometric information, typically a fingerprint or an iris scan, is collected by the organisation using a device and sent along with the Aadhaar number to the CIDR.

• Multi-factor authentication: When two or all three of demographic, OTP and biometric authentication are used at the same time, it is called multi-factor authentication.

For e-KYC, the authentication can only be done using the OTP or the biometric method, or a combination of the two.

Facial Authentication

Recognising that there are individuals who may face inconvenience in providing a fingerprint or an iris scan for biometric authentication, UIDAI has announced that authentication will soon be possible by matching a photo of the face of the Aadhaar holder with the photo captured at the time of enrolment for Aadhaar.

Face authentication will only be used in combination with other methods like iris or fingerprint authentication. When these are not possible, it may also be combined with OTP based authentication.
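As an added illustration, not UIDAI's code or API, the following Python models the Yes/No flow described above: a requesting entity submits an Aadhaar number with one or more factors (demographic fields and/or an OTP), and a toy "CIDR" compares them with its stored record and answers only Yes or No. The Aadhaar number, the record, the ten-minute OTP window and the list of prohibited attributes are constructed for the example; the real API's signed, encrypted request format and the ASA transport are not modelled.

```python
# Added illustration (not UIDAI code): a toy model of the Yes/No flow above.
# The requesting entity submits an Aadhaar number with one or more factors
# (demographic fields and/or an OTP); the "CIDR" compares them with its
# stored record and answers only True (Yes) or False (No). The number,
# record, OTP window and prohibited-attribute list are constructed for the
# example; the real API's signed, encrypted request format is not modelled.
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_VALIDITY_SECONDS = 600   # assumption: a 10-minute OTP window

# Attributes that demographic authentication may not collect (see text).
PROHIBITED_FIELDS = frozenset({
    "race", "religion", "caste", "tribe", "ethnicity", "language",
    "entitlement", "income", "medical_history",
})


def _normalise(value):
    """Case-insensitive, whitespace-collapsed comparison key."""
    return " ".join(str(value or "").split()).casefold()


class CIDR:
    """Toy repository: demographic records plus recently issued OTPs."""

    def __init__(self, records):
        self._records = records   # aadhaar number -> demographic record
        self._otps = {}           # aadhaar number -> (otp, issued_at)

    def generate_otp(self, aadhaar, now=None):
        """Issue a fresh OTP for a known number. The real CIDR delivers it to
        the registered mobile/e-mail; here it is returned so the round trip
        can complete offline."""
        if aadhaar not in self._records:
            return None
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._otps[aadhaar] = (otp, time.time() if now is None else now)
        return otp

    def authenticate(self, aadhaar, demographic=None, otp=None, now=None):
        """Yes/No response: True only if the number exists and every factor
        supplied matches. Unknown number, mismatch, expired or replayed OTP
        all produce the same bare False, so nothing else leaks."""
        if demographic and PROHIBITED_FIELDS & set(demographic):
            raise ValueError("request carries attributes that may not be collected")
        if demographic is None and otp is None:
            return False                      # at least one factor is required
        record = self._records.get(aadhaar)
        if record is None:
            return False
        if demographic is not None:
            for field, value in demographic.items():
                if _normalise(record.get(field)) != _normalise(value):
                    return False
        if otp is not None:
            if not isinstance(otp, str) or not otp.isdigit():
                return False
            issued = self._otps.get(aadhaar)
            if issued is None:
                return False
            stored, issued_at = issued
            current = time.time() if now is None else now
            if current - issued_at > OTP_VALIDITY_SECONDS:
                del self._otps[aadhaar]       # expired: discard
                return False
            if not hmac.compare_digest(stored, otp):
                return False                  # constant-time compare
            del self._otps[aadhaar]           # one-time: consumed on success
        return True


# Constructed sample record; the number is made up, not a real Aadhaar.
UID = "234567890123"
SAMPLE_CIDR = CIDR({UID: {"name": "Asha Verma", "dob": "1984-03-21",
                          "gender": "F", "pincode": "400001"}})


def demo():
    """Exercise the outcomes a requesting entity would see; returns them so
    the flow can be checked without reading printed output."""
    c, t0, out = SAMPLE_CIDR, 1_600_000_000.0, {}
    out["demographic_match"] = c.authenticate(UID, {"name": "asha  verma", "dob": "1984-03-21"})
    out["demographic_mismatch"] = c.authenticate(UID, {"name": "Asha Verma", "dob": "1990-01-01"})
    out["unknown_number"] = c.authenticate("999999999999", {"name": "Asha Verma"})
    otp = c.generate_otp(UID, now=t0)
    out["otp_fresh"] = c.authenticate(UID, otp=otp, now=t0 + 60)
    out["otp_replayed"] = c.authenticate(UID, otp=otp, now=t0 + 61)
    otp = c.generate_otp(UID, now=t0)
    out["otp_expired"] = c.authenticate(UID, otp=otp, now=t0 + OTP_VALIDITY_SECONDS + 1)
    otp = c.generate_otp(UID, now=t0)
    out["multi_factor"] = c.authenticate(UID, {"name": "Asha Verma"}, otp=otp, now=t0 + 30)
    otp = c.generate_otp(UID, now=t0)
    out["multi_factor_bad_demographic"] = c.authenticate(UID, {"gender": "M"}, otp=otp, now=t0 + 30)
    return out


def rejects_prohibited_attributes():
    """True if a request carrying a forbidden attribute is refused outright."""
    try:
        SAMPLE_CIDR.authenticate(UID, {"name": "Asha Verma", "religion": "x"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'Yes' if result else 'No'}")
```

Two details worth noting for anyone building the requesting-entity side: the OTP is consumed on first successful use, so a captured OTP cannot be replayed, and every failure mode returns the same bare No, so the response itself does not reveal whether the number exists.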

Devices

UIDAI has provided specific guidelines about the devices that can be used to collect personal identity data (PID) or biometric data. Only authorised devices may be used during Aadhaar authentication.

The device is expected to:

• Collect the required information
• Prepare it in the format the CIDR expects for a request
• Send the request to the CIDR
• Receive the result

Authentication devices that collect PID from Aadhaar number holders may be in the form of laptops, kiosks, handheld devices, tablets, etc.

Biometric devices that collect fingerprints or iris scans may either be discrete devices that require connectivity to another device like a laptop or a mobile phone to complete the process, or integrated devices like a phone or a tablet which can be used for the scan as well as for transmitting and receiving information.

Categories of Agencies Authorised to Submit Requests

• Authentication Service Agency (ASA)
• Authentication User Agency (AUA)
• Sub Authentication User Agency (Sub-AUA)
• e-KYC User Agency (KUA)
• Sub e-KYC User Agency (Sub-KUA)

Response from CIDR

When the request for authentication reaches the CIDR, it compares the data received with the data stored in the repository and then returns either a Yes or No response or, for valid e-KYC requests, a digitally signed e-KYC response carrying encrypted data. A requesting entity should verify that signature before acting on the data it receives.

Who can send authentication requests to the CIDR?

We will now look at the set of agencies authorised to contact the CIDR for either a Yes/No or an e-KYC response.

UIDAI has mandated a layered structure for access to the CIDR consisting of Authentication Service Agencies (ASAs), Authentication User Agencies (AUAs) and e-KYC User Agencies (KUAs).

Let us take a quick look at the roles each of these perform.



Authentication Service Agency (ASA)

As per UIDAI:

"ASAs are agencies that have established secured leased line connectivity with the CIDR compliant with UIDAI's standards and specifications.

ASAs offer their UIDAI-compliant network connectivity as a service to requesting entities (such as AUAs/KUAs) and transmit their authentication requests to CIDR."

An ASA is the final link between a regulated entity and the CIDR. Its role is to perform basic checks on the requests it receives from the agencies down the line and pass them on to the CIDR. Similarly, the response from the CIDR passes through an ASA before reaching an agency like an AUA.

Given the significance of an ASA in the whole authentication system, UIDAI has set strict norms for who can qualify to become an ASA.

Apart from government departments, authorities constituted by the government and entities of national importance, companies need to meet stringent conditions to be able to apply to become an ASA. For example, companies are required to have a turnover of at least Rs. 100 crore in the last three financial years and a pan-India fibre optic network meeting certain conditions.

Companies already registered as an AUA or KUA that meet certain criteria are exempt from these conditions and may qualify to become an ASA.

Some examples of companies listed as ASAs are Bharti Airtel Ltd., Idea Cellular Ltd., Mastercard India Services Pvt. Ltd., Reliance Corporate IT Park Ltd., etc.

Authentication User Agency (AUA)

UIDAI defines two levels of AUAs. Quoting from their website, these are:

• Authentication User Agency (AUA): An AUA is any entity that uses Aadhaar authentication to enable its services and connects to the CIDR through an ASA. An AUA enters into a formal contract with UIDAI.

• Sub AUA: An entity desiring to use Aadhaar authentication to enable its services through an existing AUA.

Examples:

• IT Department of a State/UT could become an AUA and other departments could become its Sub AUAs to access Aadhaar authentication services.

• A Hoteliers Association becomes an AUA and several hotels could access Aadhaar authentication as its Sub AUAs. UIDAI has no direct contractual relationship with Sub AUAs.

Simply put, an AUA has the permission to request a Yes/No authentication. It does so by sending its requests to an ASA. At the time of writing, almost 300 AUAs are recognised by UIDAI. These include banks of all categories, NBFCs, fintech companies, government bodies and more.



e-KYC User Agency (KUA)

• A KUA is an AUA with the added facility of receiving e-KYC authentication. More than 250 companies are recognised as KUAs at the moment, with many of them also among the listed AUAs. The profile of companies registered as KUAs is similar to that of AUAs and includes all sorts of entities regulated by RBI.

• A Sub-KUA is similar to a Sub-AUA and can receive e-KYC data from a KUA after receiving the required authorisation and complying with regulations.

Similar qualifying criteria have been laid down for eligibility as either an AUA or a KUA, though a certain category of companies needs to meet authentication transaction criteria, like the volume of transactions processed, as prescribed by UIDAI.

Most private sector companies that are not regulated by RBI need to have a paid-up capital of at least Rs. 1 crore, or a turnover of Rs. 5 crore in the previous year, to become eligible.

Virtual ID

There has been widespread concern over an individual's need to share their Aadhaar number with multiple parties for authentication. There is apprehension that the Aadhaar information could be misused by one of the many parties that have it, or that it could be stolen from them for misuse.

To facilitate Aadhaar authentication without the sharing of an individual's Aadhaar number, UIDAI has proposed the concept of a Virtual ID or VID. The VID is a 16-digit number that maps to an individual's Aadhaar number.

Every Aadhaar holder can generate a VID that is unique but temporary. This VID can be shared for authentication and later revoked or changed by the Aadhaar holder, after a certain specified amount of time has passed.

The virtual identity ensures that if there is a data leak or security breach at a party holding it, only the VID is exposed, and it can easily be replaced by the Aadhaar number holder. Note that a leaked VID remains usable for authentication until the holder replaces it.

Data security and sharing of information

There are many clear guidelines about the roles and responsibilities of requesting agencies, none perhaps more important than the requirements on data security and information sharing.

With regard to data security, the intention is to ensure that the data stored is not used for unauthorised purposes, is not accessible to hackers or other similar external parties and cannot be leaked by an internal source.

To achieve this, the regulations provide clear rules for how the data should be stored, for how long, and many other technical requirements like rules related to the IT infrastructure and devices used for data capture. Ongoing monitoring, audits and strict checks and controls on internal people with access to data have all been recommended.

As far as the sharing of data is concerned, restrictions are imposed upon all concerned entities. For example, even UIDAI, through the CIDR, is not allowed to share core biometric information with requesting agencies, though it may share other types of information including the photograph and demographic information.

Similarly, the core biometric information collected by a requesting agency may be stored only for 'buffered authentication', i.e. holding a request temporarily until it can be submitted.

There are also rules for information sharing that need to be followed by everyone else, i.e. all companies that are not requesting entities.

To begin with, the Aadhaar number or numbers of customers can never be published or displayed by anyone.

If companies do possess Aadhaar details for lawful reasons, they need to adhere to all conditions of full disclosure to customers and prevent any unauthorised use of this data.

Limited KYC

The limited KYC system proposes to further reduce the distribution of actual Aadhaar numbers to requesting entities.

According to the limited KYC concept, UIDAI categorises AUAs into two groups: Global AUAs and Local AUAs.

Global AUAs are those that are required by law to necessarily use the Aadhaar number as part of their KYC process. These entities have access to full KYC and the permission to store the Aadhaar number in their systems.

The list of Global AUAs includes different types of banks like scheduled commercial banks, co-operative banks, payments banks, etc. and certain other entities like life insurance providers and the National Payments Corporation of India (NPCI).

All other AUAs are Local AUAs, which receive a limited KYC response without the Aadhaar number, and without any other information that UIDAI may decide does not need to be shared in this case. Local AUAs also cannot have Aadhaar numbers stored in their systems.

Among RBI regulated entities, the AUAs classified as local consist of pre-paid instrument issuers and NBFCs.

Recent updates - Virtual ID, Limited KYC and UID tokens

With an eye on improving data security and limiting the risk of loss from data theft or unauthorised use, UIDAI announced new mechanisms for authentication which enable customers to get authenticated by Aadhaar without having to share their Aadhaar number.

The concepts of Virtual ID, limited KYC and UID tokens were proposed by UIDAI through a circular in January 2018 (see details in the boxes).

UID Tokens

With access to limited KYC only, many requesting agencies would be left in a situation where they are not able to uniquely identify customers in their systems. With the VID being a temporary ID as well, it can be changed by the customer without the requesting entity knowing about it.

This created the need for a mechanism where the ability of companies to establish a unique identity for their customers was not compromised, just like the customer's privacy. The UID token system is the solution that addresses these concerns.

In this system, when the CIDR returns a limited KYC response, it also sends a unique UID token. This token is unique for each customer-entity combination. This means that all authentication requests by the same entity for a particular Aadhaar number will carry the same UID token, but a different entity requesting authentication for the same Aadhaar number will receive a different token.

A major impact of the UID token system is that different companies or agencies will not be able to match databases with each other based on the Aadhaar number (they could still attempt to match on other shared attributes such as name, date of birth or mobile number, so the token closes one linkage channel, not all of them). Thus the UID token system addresses one of the major privacy concerns related to Aadhaar authentication.

Conclusion: In Sync with RBI in Theory

Theoretically, UIDAI seems to have the perfect structure to support the processes that the RBI norms demand.

RBI guidelines point to Aadhaar being the best tool for the required KYC, with an insistence on an in-person e-KYC process on most occasions.

While the industry may have specific concerns about the insistence on in-person verification, the expectation from UIDAI is to provide a solution that helps them meet the norms in a reliable and cost-effective manner.

On paper, UIDAI provides them with the tools and processes that are needed, while also continually adopting new technologies to address concerns over privacy and breaches.

However, recent experience shows that in practice it's not smooth sailing for the industry. Businesses have been hit by implementation troubles and arbitrary decision making by UIDAI, in addition to legal challenges mounted by activists.

In the next chapter, we will try to understand how Aadhaar based KYC has worked in practice for the financial services industry and learn about some of the issues that exist.
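The three mechanisms described in the boxes of this chapter (Virtual ID, limited KYC and UID tokens) can be seen working together in the following Python, which is an added example and not UIDAI's code. It models a toy registry that issues and rotates a 16-digit VID for a constructed Aadhaar number, returns full KYC (with the Aadhaar number) to a Global AUA and limited KYC (without it) to Local AUAs, and attaches a per-entity UID token to limited responses. The token derivation used here (HMAC-SHA256 over the entity code and Aadhaar number under a key held only by the registry) is this example's own choice, not UIDAI's published algorithm; the one-day minimum VID validity, the field subsets and all records and keys are assumptions.

```python
# Added illustration (not UIDAI code): a toy model of the three mechanisms
# described in the boxes. A Virtual ID (VID) is a temporary 16-digit alias
# for an Aadhaar number; a UID token is a per-entity pseudonym sent with a
# limited KYC response; Global AUAs receive full KYC, Local AUAs limited KYC.
# The token derivation (HMAC-SHA256 over entity code and Aadhaar number
# under a registry-held key) is this example's own choice, not UIDAI's
# published algorithm, and every number, record and key is constructed.
import hashlib
import hmac
import secrets

VID_DIGITS = 16
MIN_VID_AGE_SECONDS = 24 * 3600     # assumption: a VID may be replaced only after a day
FULL_KYC_FIELDS = ("name", "dob", "gender", "address")
LIMITED_KYC_FIELDS = ("name", "dob", "gender")   # assumed subset for Local AUAs


class Registry:
    """Toy CIDR-side state: Aadhaar records, active VIDs and the token key."""

    def __init__(self, records, token_key):
        self._records = records      # aadhaar number -> demographic record
        self._key = token_key        # secret that never leaves the registry
        self._vid_to_uid = {}        # active VID -> aadhaar number
        self._uid_to_vid = {}        # aadhaar number -> (vid, created_at)

    def generate_vid(self, aadhaar, now):
        """Issue a fresh VID for the holder; the previous one stops resolving."""
        if aadhaar not in self._records:
            raise KeyError("unknown number")
        current = self._uid_to_vid.get(aadhaar)
        if current is not None and now - current[1] < MIN_VID_AGE_SECONDS:
            raise ValueError("current VID is still within its minimum validity period")
        while True:   # 16 digits, non-zero leading digit, not already in use
            vid = str(10 ** (VID_DIGITS - 1) + secrets.randbelow(9 * 10 ** (VID_DIGITS - 1)))
            if vid not in self._vid_to_uid:
                break
        if current is not None:
            del self._vid_to_uid[current[0]]          # revoke the old alias
        self._vid_to_uid[vid] = aadhaar
        self._uid_to_vid[aadhaar] = (vid, now)
        return vid

    def uid_token(self, aadhaar, entity_code):
        """Stable for one (holder, entity) pair; without the registry key an
        entity cannot compute another entity's token for the same holder."""
        msg = f"{entity_code}|{aadhaar}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def ekyc(self, vid, entity_code, is_global_aua):
        """e-KYC response keyed by VID, or None if the VID does not resolve."""
        aadhaar = self._vid_to_uid.get(vid)
        if aadhaar is None:
            return None                               # revoked or never issued
        record = self._records[aadhaar]
        if is_global_aua:
            response = {k: record[k] for k in FULL_KYC_FIELDS}
            response["aadhaar_number"] = aadhaar       # Global AUAs may store it
        else:
            response = {k: record[k] for k in LIMITED_KYC_FIELDS}
            response["uid_token"] = self.uid_token(aadhaar, entity_code)
        return response


# Constructed sample data; the Aadhaar number is made up.
UID = "234567890123"
SAMPLE_RECORDS = {UID: {"name": "Asha Verma", "dob": "1984-03-21", "gender": "F",
                        "address": "12 Marine Lines, Mumbai 400001"}}


def _rotation_refused(reg, aadhaar, now):
    try:
        reg.generate_vid(aadhaar, now)
    except ValueError:
        return True
    return False


def demo():
    """Walk through VID rotation and the two response types; returns the
    properties a practitioner would want to check."""
    reg = Registry(SAMPLE_RECORDS, token_key=secrets.token_bytes(32))
    t0 = 1_600_000_000
    vid1 = reg.generate_vid(UID, t0)
    wallet = reg.ekyc(vid1, "WALLET01", is_global_aua=False)
    lender = reg.ekyc(vid1, "NBFC0042", is_global_aua=False)
    bank = reg.ekyc(vid1, "BANK0007", is_global_aua=True)
    too_early = _rotation_refused(reg, UID, t0 + 3600)
    vid2 = reg.generate_vid(UID, t0 + MIN_VID_AGE_SECONDS)   # holder rotates VID
    wallet_again = reg.ekyc(vid2, "WALLET01", is_global_aua=False)
    return {
        "vid_is_16_digits": len(vid1) == VID_DIGITS and vid1.isdigit(),
        "local_response_has_no_aadhaar": "aadhaar_number" not in wallet,
        "global_response_has_aadhaar": bank["aadhaar_number"] == UID,
        "tokens_differ_across_entities": wallet["uid_token"] != lender["uid_token"],
        "token_stable_across_vid_rotation": wallet["uid_token"] == wallet_again["uid_token"],
        "early_rotation_refused": too_early,
        "old_vid_no_longer_resolves": reg.ekyc(vid1, "WALLET01", False) is None,
        "new_vid_differs": vid1 != vid2,
    }


if __name__ == "__main__":
    for prop, ok in demo().items():
        print(f"{prop}: {ok}")
```

The two properties the text cares about fall out of the key choice: because the token is keyed by the registry and bound to the entity code, the wallet's token for a holder stays the same when the holder rotates their VID, while the lender's token for the same holder is unrelated, so neither side can join its records to the other's on the token.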

Chapter V:
Aadhaar e-KYC in Practice

There was a time when a close association with a friendly banker could help you get an account opened within a few hours.

Then came KYC requirements!

Between the time KYC became a mandatory requirement and the availability of Aadhaar based e-KYC authentication, companies had to conduct KYC the hard way.

A regulated entity mandated to perform KYC would usually appoint field agents whose responsibility was to physically collect documents from customers as well as verify details like the address.

Estimates for the cost of completing KYC for a single customer range between Rs. 100 and Rs. 150.

Apart from the cost of conducting the KYC, the time it took was also significant for business.

The number of KYCs that could be performed in a day was heavily dependent on the number of resources on the ground, leading to situations where new customer acquisition was delayed because of the inability to complete KYC swiftly.

Benefits of Aadhaar e-KYC

• Faster customer on-boarding
• No errors because of manual entry of information in forms
• Fewer application rejections
• Significantly lower cost of conducting KYC

Aadhaar e-KYC Transformation

Suddenly, companies that needed (and indeed wanted) to perform KYC could do so quickly, without the need to collect paper documents, make photocopies of ID cards or even worry about manual errors in the data entry process.

They found themselves rejecting fewer new customer applications because of missing documentation than before. Importantly, they began on-boarding and serving customers quicker.

To all the above advantages, add the fact that the reported cost of conducting each e-KYC for a sub-KUA is about Rs. 15, at least 85% lower than the cost of a physical KYC.

For small companies, say a newly launched mobile wallet, this brings the KYC cost of acquiring the first 100,000 customers down from about Rs. 1 crore to Rs. 15 lakh (Rs. 10 million to Rs. 1.5 million).

It's the kind of difference that can impact the very viability of the business!

It is no surprise then that entrepreneurs have become excited about the opportunity that e-KYC creates by lowering operational costs.

The last few years have seen the emergence of many players offering innovation and choices to consumers of financial products and services, and traditional, established players have had to expand their offerings to keep hold of their customers.

Large Scale Industry Adoption

Between 200 and 450 million e-KYC transactions are carried out every month, with RBI regulated entities making significant use of the facility. More than 1.5 billion e-KYC transactions were recorded between January and June 2018.

UIDAI first published APIs for e-KYC verification in September 2012.

By 2015, players from banks like SBI to micro-finance companies like Suvidhaa and Oxigen had started using e-KYC for accepting new customers. Other players like mutual funds were soon on board as well, and the fintech excitement was palpable.

A surge of new companies providing solutions such as alternative lending or mobile wallets appeared and began making use of the network of KUAs to perform authentication.

By the beginning of 2018, there were over 50 non-banking pre-paid instruments (PPIs, usually mobile wallets) operational in India.

Rising Issues

As the volume of e-KYC transactions grew, so did reports of operational issues.

Reliability concerns

For example, there were complaints from people that their authentication was rejected even when they had given their Aadhaar number with genuine biometric data or a valid OTP.

Elderly people specifically faced issues in biometric authentication as the fingerprint match with their profile failed, their prints having altered with ageing.

High costs and delays in authorisation

Some fintech players are reportedly keen on registering themselves as KUAs, but the processing of applications has not kept pace with requirements.

Also, the costs of becoming a KUA can be quite prohibitive for new players. Apart from any financial eligibility criteria that they must fulfil, they are also required to pay a licence fee of Rs. 20 lakh for two years for the use of the production environment to authenticate. This is in addition to the pre-production environment that needs to be set up first and costs a minimum of Rs. 5 lakh.

Data security concerns

In addition to operational issues with the authentication process itself, reports of regulation violations and data leaks too began emerging with regularity.

Aadhaar numbers combined with personal information could be accessed with ease through government websites and those of private players.

A case that made news in mid-2017 was the leak of personal data, including Aadhaar numbers (where available), of about 12 crore Reliance Jio subscribers.

While Jio may be regulated by TRAI and not RBI, such developments are significant as they affect consumer confidence in the e-KYC process itself, irrespective of where it is being applied.

In other developments that shook consumer confidence, telecom major Airtel was found to have used the KYC data collected at the time of issuing mobile phone connections to create accounts for people with its payments bank.

This violation of the KYC guidelines, especially those related to obtaining consent, led RBI to fine Airtel Payments Bank a reported sum of Rs. 5 crore.

The damage that the industry has suffered because of the loss of people's confidence in the process, owing to events such as these, is significantly higher.



A Crippling Uncertainty

Operational failures, data leaks and misuse of data have lent voice to critics of Aadhaar based e-KYC, who feel that mandating it as the only acceptable form of KYC will leave customers vulnerable to fraud as well as to invasive monitoring by the government.

While legal challenges to many aspects of Aadhaar remain unresolved so far, the courts have already expressed concern over the fact that regulations regarding the security of data at the sub-KUA level have not been implemented properly.

Perhaps shaken by such observations from the legal system, UIDAI has often seemed to take sudden decisions, without open communication, that have had a big impact on the industry.

For example, just days after the court's observations about the security of data with sub-KUAs, many fintech players found that they were unable to conduct e-KYC through their partner KUAs anymore.

While UIDAI could cite violation of norms for such an action, the affected fintech companies could make little sense of it, as they had received no communication before the step was taken.

Suddenly, dozens of companies found themselves unable to add new customers, with the alternative options being too expensive in comparison and also not operationally ready.

It is not surprising, then, that many organisations have decided to abandon Aadhaar based e-KYC till there is clarity. Others, however, might not be able to make this transition because of the costs involved, and will face severe consequences.
Chapter VI:
IDfy View - Mandatory in-person verification is a backward step

Given the significance of e-KYC to the very business case of many emerging fintech players, the uncertainty regarding its implementation has the potential to deliver a crippling blow to a blossoming sector.

However, while UIDAI needs to work with other stakeholders to address the concerns and failures in implementation, the Reserve Bank of India too must look at some of the norms it has specified that are obstructing innovation and growth.

While RBI has taken note of the changing demands of the modern economy and made provisions for on-boarding customers in non face-to-face scenarios, the restrictions imposed on transactions with such customers are out of sync with any intention to truly transform into a presence-less industry.

Bank accounts opened using OTP based verification have a limit of a maximum of one lakh rupees that may be deposited in them. Similarly, loans exceeding sixty thousand rupees cannot be extended to people for whom in-person biometric KYC has not been conducted. Moreover, in almost all cases where in-person KYC is not conducted within a year of the OTP based verification, the account is expected to be shut down.

For many newly formed companies in the financial products and services space, these restrictions make no sense at all.



Many of these businesses serve customers digitally, with no face-to-face interaction needed for the conduct of operations. They do not need to set up a nationwide network of branch offices and employees.

The transaction limits imposed on the accounts mean that these organisations are not able to serve customers who need a large account balance, loan size or payment transaction without an in-person KYC.

On the other hand, the necessity for biometric verification would require all these startups, such as mobile wallet providers, lending companies and more, to incur huge costs simply for the sake of collecting biometric information in person to complete KYC formalities.

So many businesses find themselves in a catch-22 situation. Implementing in-person KYC practices does not make business sense for them, while not adhering to the norms attracts penalties that also seriously hinder the viability of the business.

A few major mobile wallet providers found this out the hard way when they were barred from adding new customers towards the beginning of August 2018, having been found to be in violation of KYC norms by not completing biometric authentication within twelve months of on-boarding a customer.

What the RBI needs to change in its guidelines is the necessity for an in-person biometric verification, as well as raising the limits imposed on transactions that can be conducted by accounts opened in non face-to-face mode.

The central bank's main concern with an OTP based authentication done without the presence of the individual is the threat of identity impersonation using a stolen phone.



However, such concerns can easily be addressed using simple mechanisms available today.

Mobile devices are capable of capturing biometric information; video KYC is easily possible; digital images can be verified; there are mechanisms of verification using test deposits to existing bank accounts; and a number of other ways can be developed to ensure that concerns about identity theft are addressed. Each of these has its own spoofing risk (a replayed video, an edited image, a mule bank account), so in practice they are best layered rather than relied on singly.

In fact, in-person KYC can also be manipulated by criminals by submitting forged documents. Apart from Aadhaar, most of the other identity documents acceptable for in-person verification cannot be validated against a central registry in real time.

In conclusion, the need of the hour is for RBI to understand that mandating in-person KYC is a backward step for the industry's growth.

Not only does it add a major cost and operational burden on many of the new and smaller players in the industry, it also deprives consumers of the convenience of access to financial services in scenarios where they cannot be physically present to complete KYC procedures.

Addressing this major concern would be a big step in stabilising the KYC eco-system.

The other key stakeholder, UIDAI, too needs to address concerns of data security and reliability at the earliest.

We remain optimistic that both bodies will soon listen to the reasonable demands from industry and enable businesses to conduct KYC efficiently, without errors and at low cost, so that they can spend most of their energies on their core business.