In September of 2018, the Supreme Court upheld the Aadhaar Act but struck down portions of Section 57 of the Act, which was the basis on which banks, NBFCs, and other lenders organized the e-KYC element of their digital lending process-flows. Legal and tech-policy experts have interpreted the breadth of the judgment differently, but the total effect, on which there seems to be no disagreement, is that after the verdict it is no longer possible for banks, NBFCs, and other lenders to rely on the e-KYC services offered by the UIDAI for fulfilling the KYC mandate under anti-money laundering laws.
Since the verdict, the industry, regulators, and policymakers have worked towards evolving alternate ways through which Aadhaar can be leveraged to reduce the time taken to run the onboarding leg of the digital lending process-flow. These ways include reliance on so-called “offline” Aadhaar verification mechanisms that involve zero recourse (“hit”/“ping”) to the Aadhaar database. However, as the following section will show, these alternatives achieve compliance with the verdict at the expense of efficiency. Furthermore, by doubling down on the Aadhaar number as the authenticating mechanism, the industry risks facing uncertainty again, given the likelihood of a fresh round of litigation challenging these alternate forms of reliance as well. In light of this, this article will suggest that the industry and the regulators should work together to evolve KYC processes that are agnostic of the ID document offered by the user, and embed authentication/verification of the user in the process-flows so that the integrity of the customer journey is affected as little as possible. Furthermore, the regulators should consider recognizing/notifying these alternate ways for compliance with anti-money laundering laws.
Friction With Offline Aadhaar Verification Mechanisms
The offline Aadhaar verification apparatus comprises two modes:
Aadhaar Offline KYC (XML route)
Aadhaar Offline KYC (Secure QR Code)
In light of the above, while both have the advantage of achieving compliance with the SC verdict because they do not involve any third-party interface with the Aadhaar database, the user journeys are not as efficient as earlier and, as such, the risk of drop-offs is high in both. In particular, these alternatives have the following drawbacks:
The XML route is user-driven end-to-end. While that may be useful for the limited class of (say) urban millennials, other user groups in India are habituated to assisted user journeys if the process involves multiple hoops as this does. Furthermore, the route requires continuously functional internet access, and that may be a bottleneck to acceptance in areas of intermittent access.
The QR Code route is easier in the sense that it entails a “lesser cognitive” burden on the user, but it appears from experience that the photo quality is poor, and as such it will require the physical presence of the user for confirmation.
Finally, if the user has changed the mobile number registered with the UIDAI (this may happen if she has moved interstate, for instance, given number portability remains clunky to execute), neither XML nor secure QR Code remains viable because both rely on OTP.
Suggested Way Forward
As the epigram goes, “Never waste a crisis.” The Supreme Court verdict foreclosing the use of e-KYC services by private entities can be leveraged as a force for good if the industry and the regulators work towards having work-flows that are agnostic to any of the “Officially Valid Documents” (OVDs), as the PMLA Act calls them, for KYC compliance. Utilizing document-agnostic ways of authenticating ID avoids disruptions owing to “gray swan” events like the SC verdict, mitigating the “single point of failure” risk.
Other OVDs, like a passport for instance, can be authenticated using the Machine-Readable Zones that appear on them. Hologram checks and optical character recognition are other technologies that enable authentication of IDs. Furthermore, the verification of person (“IPV”) could be determined remotely as well by recognizing video-based modes, whether live or recorded. By way of comparison, the securities market regulator, SEBI, has recognized video-based verification as good KYC compliance done through KRAs for investors in mutual funds.
The industry, the RBI and relevant regulators should run pilots involving process-flows that implicate other OVDs (like a passport for instance) and video-based IPVs for a defined time period and then transparently consult with stakeholders based on the results. Other regulators, like Bank Negara Malaysia, have taken pro-active steps to ease the burden of KYC compliance recently. The weight of regulatory practice appears to suggest the same. A “principles-based” approach where the regulations lay down a bunch of options and enabling technologies to achieve end-goals of KYC and AML is the way forward.
RupeePower is a leading CreditTech company in India. RupeePower’s platform “CreditOn” is a comprehensive digital-first product suite that enables banks & lending companies to transform themselves into state-of-the-art digital lending enterprises at scale. CreditOn has created success across banks & lending companies with names like State Bank of India, Kotak Mahindra Bank, Standard Chartered, RBL Bank, YES Bank, Fullerton India, AU Small Finance Bank, and Edelweiss. The platform has enabled these lenders to disburse over USD 4 billion in retail and SME credit to roughly 2 million customers over the last four years.