Aadhaar-based eKYC (electronic know your customer) authentication is back in the news with the Reserve Bank of India (RBI) officially allowing banks to access the service, provided that the process is carried out with the consent of customers.
The fate of eKYC was uncertain after the Supreme Court’s judgement on Aadhaar in September 2018 effectively banned private companies from using the biometric authentication system. At the time, the verdict dealt a blow not only to telecom companies and banks, but also to a host of new-age financial tech start-ups.
Over the last nine months, the Centre and the Unique Identification Authority of India (UIDAI) have worked to slowly ensure that Aadhaar access is provided to private players. Much of this has come through tweaks in various rules and regulations, helped along by selective interpretation of the apex court’s judgement.
A section of India’s legal community has consistently maintained that a proper reading of the SC’s verdict rules out any form of Aadhaar authentication by private entities – voluntary or mandatory – even through the passing of new legislation.
Others, however, have argued that quick legal fixes, like the Aadhaar and Other Laws (Amendment) Bill, offer a creative method of restoring private sector access to the UIDAI’s authentication infrastructure by adhering to the letter, if not the spirit, of the apex court’s judgement.
How the UIDAI and other institutions have gone about restoring private access since September 2018 has been an interesting journey, as they don’t want to invite contempt of court.
In the immediate aftermath of the SC’s order, there was some confusion over how direct benefit transfers and the Aadhaar-enabled payment system would continue to function if private entities like banks were not allowed to use authentication services.
Information obtained under right to information (RTI) requests from the UIDAI shows that its CEO, Ajay Bhushan Pandey, sought the attorney general’s legal opinion (through letter D.O. No.1 /CEO/ UIDAI Seett/2018) in this matter.
The questions that Pandey posed to the attorney general were selective in nature and by no means as exhaustive as the length of the orders delivered by the judges.
The attorney general, replying to four specific questions posed by the UIDAI CEO, had this to say about access to be granted for the authentication services by UIDAI to banks and telecom companies:
“In my opinion, the effect of these observations is that authentication responses cannot be provided by the Querist, to a telecom company or a bank, even if it is voluntarily done by the Aadhaar number holder, unless a law is enacted by the parliament for this purpose, authorising such use of the Aadhaar number.”
Answering another query on banks being allowed to access Aadhaar authentication services under Section 7 of the Aadhaar Act for service delivery of Direct Benefit Transfer (DBT) through micro-ATMs, the attorney general, quoting para 446(b) of the majority judgment, opined:
“The above extract from the judgement would make it clear, in my opinion, that use of the Aadhaar number, including authentication, for the purpose of delivery of subsidies, services and benefits in terms of Section 7 of the Aadhaar Act, remains valid. Banks would, therefore, be entitled to seek authentication of the beneficiaries, who avail of subsidies/benefits/services covered by Section 7 of the Aadhaar Act, for the purpose of the transfer of any monetary subsidy or benefit to the bank account of beneficiary, as well as for facilitating the withdrawal of money by the beneficiary through Aadhaar based micro-ATM machines.”
Based on this opinion of the attorney general, the UIDAI, in October 2018, allowed banks and private firms to access eKYC authentication services for delivery of subsidies and other programmes that depended on direct benefit transfers. Along with this, access to eKYC remained for some fin-tech players through the obscure understanding that they facilitate the withdrawal of DBT through micro-ATMs.
To ensure that the UIDAI would not attract contempt of court for this narrow interpretation of the order, the Aadhaar agency sent letters on November 13, 2018 to private firms, mandating them to issue board resolutions that they will use biometric authentication services only for Section 7 subsidy deliveries.
It warned that any non-compliance may be liable to contempt of court.
The letter clearly directed that the board resolutions should indicate the company understands the full contents of the Supreme Court’s Aadhaar judgement and that the company takes full responsibility for non-compliance with the judgement. In essence, yet another example of the UIDAI outsourcing the liabilities of the ecosystem it oversees.
All these interpretations and a narrow reading of the apex court’s judgement allowed UIDAI to ensure that eKYC access was never denied to private players.
Ordinances, bills and the way ahead
After the Aadhaar and Other Laws (Amendment) Bill failed to pass through parliament before the dissolution of the last Lok Sabha, the Aadhaar and Other Laws (Amendment) Ordinance, 2019 was pushed through.
Among other things, the ordinance made changes to the Aadhaar-specific sections of the Prevention of Money Laundering Act (PMLA). In May 2019, this led to a new procedure being rolled out by the finance ministry’s revenue department which allows non-banking private sector players to apply for eKYC access. Essentially, open season for India’s fin-tech industry.
Each ‘application’ must fulfil a handful of conditions, all of which are broad and vaguely defined. For example, the appropriate regulator must first be satisfied that the proposed purpose for Aadhaar authentication is “necessary and expedient”. Following this, the UIDAI will grant approval to a company after examining whether it meets certain standards of security and privacy. Going by the UIDAI’s past history in this area, the lack of specificity is discomforting.
Private sector access to Aadhaar authentication infrastructure was built into the programme from the very start. Support for this came from the top of the government – as evidenced by a Cabinet Secretary letter to all government departments on November 2, 2016, asking all department secretaries to identify programmes to link with Aadhaar. The letter clearly asks for identifying both government and private use of Aadhaar under Sections 7 and 57, the latter of which was struck down by the Supreme Court two years later.
The UIDAI promoted the Cabinet Secretary’s orders by issuing guidelines to departments on how to issue the gazette notifications that came swiftly in the months following November 2016.
What’s worse is that the plan to re-introduce private sector access, even though it was frowned upon by the Supreme Court, was made clear to all in the days following the apex court’s verdict. The ‘volunteers’ who built Aadhaar were ideally promised the ordinance and had prior knowledge of it as early as a week after the Supreme Court judgement.
Fin-tech access to Aadhaar has always been important for UIDAI and the Centre. Without private players, the Aadhaar programme would not exist, helping as they did during the enrolment stage. Ensuring they have access to eKYC is the UIDAI’s unofficial mandate.
What next? The Aadhaar and Other Laws (Amendment) Bill, 2019, which will replace the ordinance, was passed by the cabinet this week and is expected to be passed in the upcoming parliament session. Such haste, even though the parliamentary committees that have investigated Aadhaar in the past or are doing it currently are yet to make their reports public.
The Bill needs further scrutiny, as it not only does little to stop the “rampant expansion and function creep of Aadhaar” but also circumvents the spirit of the Supreme Court’s observations on the biometric authentication programme.
Srinivas Kodali is an independent researcher working on data and the internet.