Aadhaar Update: New Ordinance Passed, Businesses to Pay for Aadhaar KYC
Last week, India enacted the Aadhaar and Other Laws (Amendment) Ordinance, 2019, tweaking the law governing the country’s controversial biometric identification program – Aadhaar.
The Ordinance allows private business entities and banks to use the 12-digit biometric identification number as a voluntary know your customer (KYC) mechanism – months after the Supreme Court (SC) ruled the use of Aadhaar number for commercial purposes unconstitutional.
The SC judgment had dealt a blow to many private companies – from telecom to fintech firms – as they used Aadhaar number to simplify the verification and identification process for their customers.
The Ordinance offers industry players an alternative that is in compliance with the SC ruling – but at a cost.
What does the Aadhaar Ordinance entail?
The Ordinance permits voluntary use of Aadhaar for identity verification by companies, including banks and telecom service providers, under the Telegraph Act and Prevention of Money Laundering Act.
However, businesses must note that the government has made Aadhaar as one of the means of identity verification, and cannot be used as a mandatory requirement for KYC. In other words, companies cannot deny users services for refusing or being unable to undergo Aadhaar authentication.
Besides, individuals may choose to identify themselves using Aadhaar number in physical or electronic form by authentication or offline verification. They may also use their passport, or any other officially valid document to conceal their Aadhaar number.
Other amendments introduced in the Aadhaar Act include the following:
- Data security and privacy: the ordinance bans storing of core biometric information as well as Aadhaar number by service providers in cases of individuals who have voluntarily offered the national ID as a means of authentication. Besides, private firms can perform authentication only when they are compliant with the standards of privacy and security specified by the Unique Identification Authority of India (UIDAI).
- Penalties: it entails stiff penalty of up to INR 1 crore (US$143,760) for entities that violate the provisions of the Aadhaar Act, with an additional fine of up to INR 10 lakh (US$14,376) per day in case of continuous non-compliance. There is also a punishment of three-year imprisonment with a fine of INR 10,000 (US$143)s, or INR 100,000 (US$1,437) in case of a company seeking unauthorized use of identity information.
- Aadhaar for children: the ordinance specifies that children, who currently hold Aadhaar number, are allowed to exit from the Aadhaar program on attaining 18 years of age.
The changes also confer enhanced regulator-like powers on the Unique Identification Authority of India (UIDAI) to fine companies within the Aadhaar ecosystem if they contravene existing rules.
How much will the Aadhaar data cost businesses?
To access personal data using Aadhaar, companies will have to pay INR 20 (US$0.3) (including taxes) for each customer verification and INR 0.50 (US$0.0072) for each transaction carried out by the entity. This brings down the e-KYC costs for businesses by almost 90 percent. Previously, companies spent about INR 150-200 (US$2.1-2.88) for every customer verification post the SC ban on the commercial use of Aadhaar data.
There are no charges for government entities and department of posts.
As per the notification released by the UIDAI, businesses will have to deposit the authentication transaction charges within 15 days of issuance of the concerned invoice based on the usage.
The charges are in addition to the license fees and financial disincentives, as applicable.
In case of delay in payment beyond 15 days, the agency will charge interest compounded at 1.5 percent per month, and will discontinue authentication and e-KYC services to the entity.
The notification also states that if the existing business entities continue to use Aadhaar services beyond the date of publication of these regulations, they will be considered to have agreed to the specified authentication charges. To avoid extra charges, companies must deregister from Aadhaar services.