NBFCs and e-KYC: RBI, India

 

On September 13, 2021, the RBI issued a notification permitting all NBFCs, Payment System Providers and Payment System Participants to carry out authentication of a client’s Aadhaar number using the e-KYC facility provided by the Unique Identification Authority of India (UIDAI), subject, of course, to a license being granted by the MoF. The process involves an application to the RBI, onward submission after screening of the application by the RBI, then a further screening by UIDAI, and final grant of authentication by the MoF.

As per Section 2(c) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (‘Aadhaar Act’), “authentication” means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it. Further, Section 2(pa) defines offline verification as the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations. Authentication is the process of verifying the authenticity of Aadhaar information using the authentication facility provided by the UIDAI. It may be done in any of the following ways:

Using demographic authentication: The Aadhaar number and demographic information of the customer are obtained and matched with the demographic information of the Aadhaar number holder in the CIDR.

Using one-time pin based authentication: The Aadhaar number of the customer is obtained. An OTP is sent to the registered mobile number and/or e-mail address. Aadhaar is authenticated when the customer shares the OTP and it matches the one generated by UIDAI.

Using biometric information: The Aadhaar number and biometric information submitted by the customer are matched with the biometric information stored in the CIDR.

 

Essentially, Aadhaar authentication requires the Regulated Entity (RE) to obtain the Aadhaar number of the customer.

However, owing to the Supreme Court verdict on Aadhaar, the Aadhaar number could be obtained only by banks or specific notified entities. Eventually, the concept of offline verification was introduced, by virtue of which verification can be done using an XML file or QR code which carries minimum details of the customer. The RE is not required to obtain the Aadhaar number in this case.

 Under the Prevention of Money Laundering Act (2002), the Central Government can allow non-banking entities to carry out customer authentication via online eKYC, by releasing a notification following consultation with UIDAI and appropriate regulators.

Before this, NBFCs were barred entirely from using the Aadhaar online eKYC facility for client authentication due to a Supreme Court ruling in 2018 that expressed concerns regarding the risks of online eKYC and put an end to the usage of eKYC for client authentication of any contract.

Subsequently, PMLA (2002) was amended and Section 11A was inserted, which allowed for:

- Banking companies to employ Aadhaar e-KYC for authentication

- The central government, in consultation with UIDAI, to permit non-banking companies to use eKYC

 

Additionally, Section 11A allows the Ministry of Finance to issue notifications permitting non-banking financial companies to use eKYC provided they follow the application steps outlined below.

 

According to RBI’s notification, NBFCs will have to apply for an Aadhaar authentication licence to utilize the eKYC services provided by UIDAI. This licence can either be a KYC User Agency (KUA) Licence or a sub-KUA Licence. 

 

Understanding the concept of AUA and KUA

The Aadhaar (Authentication) Regulations, 2016 provide the following definitions:

“Authentication User Agency” or “AUA” means a requesting entity that uses the Yes/ No authentication facility provided by the Authority;  

 “e-KYC User Agency” or “KUA” shall mean a requesting entity which, in addition to being an AUA, uses e-KYC authentication facility provided by the Authority;  

  “e-KYC authentication facility” means a type of authentication facility in which the biometric information and/or OTP and Aadhaar number securely submitted with the consent of the Aadhaar number holder through a requesting entity, is matched against the data available in the CIDR, and the Authority returns a digitally signed response containing e-KYC data along with other technical details related to the authentication transaction;   

A detailed procedure for processing of applications under the PMLA provisions for use of Aadhaar authentication services by entities other than banking companies has been provided by the Department of Revenue, Ministry of Finance in its circular dated May 9, 2019.

“Accordingly, non-banking finance companies (NBFCs), payment system providers and payment system participants desirous of obtaining Aadhaar Authentication License - KYC User Agency (KUA) License or sub-KUA License (to perform authentication through a KUA), issued by the UIDAI, may submit their application to this Department for onward submission to UIDAI.”


The RBI Guidance

An additional proviso is added to Section 17 as under:

Provided further that a RE may provide an option for One Time Pin (OTP) based e-KYC process for on-boarding of customers.

Accounts opened in terms of this proviso i.e., using OTP based e-KYC, are subject to the following conditions:

i. There must be a specific consent from the customer for authentication through OTP.

ii. The aggregate balance of all the deposit accounts of the customer shall not exceed rupees one lakh.

iii. The aggregate of all credits in a financial year, in all the deposit accounts taken together, shall not exceed rupees two lakh.

iv. As regards borrowal accounts, only term loans shall be sanctioned. The aggregate amount of term loans sanctioned shall not exceed rupees sixty thousand in a year.

v. Accounts, both deposit and borrowal, opened using OTP based e-KYC shall not be allowed for more than one year within which Customer Due Diligence (CDD) procedure as provided in section 16 or as per the first proviso of Section 17 of the Principal Direction is to be completed. If the CDD procedure is not completed within a year, in respect of deposit accounts, the same shall be closed immediately. In respect of borrowal accounts no further debits shall be allowed.

vi. A declaration shall be obtained from the customer to the effect that no other account has been opened nor will be opened using OTP based KYC either with the same RE or with any other RE. Further, while uploading KYC information to CKYCR, REs shall clearly indicate that such accounts are opened using OTP based e-KYC and other REs shall not open accounts based on the KYC information of accounts opened with OTP based e-KYC procedure.

vii. REs shall have strict monitoring procedures including systems to generate alerts in case of any non-compliance/violation, to ensure compliance with the above mentioned conditions.

A Government notification dated April 22, 2022 included Bajaj Finance, Shriram City Union Finance, Shriram Transport Finance, Tata Capital Housing Finance, and Tata Financial Services among the 38 non-banking finance companies and payment providers permitted by the government for Aadhaar Authentication License - KYC User Agency (KUA) License or sub-KUA License.

On Section 11A of the PMLA:


Under the PMLA, reporting entities are required to submit reports on cash transactions, counterfeit currency, non-profit organisations, suspicious transactions etc. The Ministry has allowed the 22 entities to verify clients by performing Aadhaar authentication under the Aadhaar Act for purposes outlined under section 11A of the PMLA, which allows for reporting entities (that are banking companies) to use Aadhaar for establishing the identity of clients under clause (a).

Section 11A also empowers the Indian government to permit non-banking reporting entities to perform authentication under clause (a), provided they satisfy requirements under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016), and provided the UIDAI is consulted before any notification is issued in this regard.

However, Section 11A specifies that if Aadhaar is being used for verification, entities must also allow clients the choice to opt for offline verification using Aadhaar or to use a passport or any other official document as identity proof. Further, the choice to submit Aadhaar must be voluntary, and entities cannot deny services on account of non-submission of Aadhaar.

Interestingly, in a circular dated May 9, 2019, the Finance Ministry laid out a procedure for processing applications by non-banking entities requesting to carry out Aadhaar authentication for clients under Section 11A.


The move to widen the scope of Aadhaar authentication incentivises the use of Aadhaar for purposes that remain vague in all official notifications and may not necessarily qualify as government services or benefits.


 In 2023, the Ministry of Electronics and IT (MeitY) proposed expanding Aadhaar authentication to include a broader range of private entities for various services, aiming to enhance digital identity use beyond government departments. This move is part of broader reforms to strengthen the Prevention of Money Laundering Act (PMLA) and address potential loopholes ahead of an upcoming evaluation by the Financial Action Task Force (FATF), the global watchdog for money laundering and terrorist financing, reports The Indian Express.

The proposal aligned with Section 11A of the PMLA, which permits identity verification by reporting entities. E-KYC using OTP-based Aadhaar authentication allows entities to offer limited services, with an annual renewal requirement and a cap of Rs 60,000 on term loans.

Previously, in 2019, the Aadhaar Act was amended to restrict authentication for KYC purposes to banking and telecom sectors, following a 2018 Supreme Court ruling that deemed Section 57 of the Aadhaar Act “unconstitutional”. This provision had allowed private companies to use Aadhaar data, a practice challenged in court.

It was under this provision that private companies like Paytm and Airtel Payments Bank sought Aadhaar details from customers prior to the landmark judgement. Even the subsequent 2019 amendment was challenged in the Supreme Court.

According to amendments proposed to the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2020 by the IT Ministry, private entities and state governments would be allowed to conduct Aadhaar-based authentication for promoting “ease of living” of residents and enabling better access to services for them, among other things.






Happy Reading,


