So it’s been a little over a month since the Supreme Court issued the Aadhaar judgment. The rumour mills have been going overboard about the future of Aadhaar and KYC. Regulated private entities have been hankering after their respective regulators to continue to allow paperless alternatives to Aadhaar-based eKYC so that customer on-boarding time and cost don’t go back to what they used to be before Aadhaar-based eKYC became the preferred mode of customer on-boarding.
In the midst of all this, the UIDAI has been doing curious things – such as uploading news clippings about its private communications with stakeholders in the Aadhaar ecosystem and about receiving a legal opinion in the matter (see: https://uidai.gov.in/media-center/aadhaar-in-news.html). It has supposedly, clarified to banks that traditional Aadhaar eKYC can still be used to authenticate beneficiaries of government subsidies and welfare schemes and for other customers, and it has hinted that options such as QR Code and offline Aadhaar KYC may be considered (see this report: https://www.business-standard.com/article/economy-policy/uidai-allows-banks-to-use-aadhaar-ekyc-to-authenticate-dbt-users-118102800290_1.html). A circular from the UIDAI (that the public has not yet been deemed worthy of being revealed to), is said to have encouraged banks to develop web and mobile applications that can leverage QR codes printed on Aadhaar copies for the purpose of doing KYC.
Sticklers for detail may be left wondering “Ummm…but what about the RBI Master Direction on KYC that still requires carrying out e-KYC authentication (biometric or OTP based) while opening new bank accounts for individuals who have Aadhaar?” While the sticklers continue to stickle, and the rest throw around words like ‘paperless KYC’, ‘offline Aadhaar verification’, ‘QR Code’ and so on a lot, we break down these terms for you without getting into the legality of the alternatives (in keeping with the best traditions followed by top lawyers world over).
The two alternatives to Aadhaar-based eKYC (that uses biometrics) that are currently doing the rounds are QR Code-Based Authentication and Paperless or Offline eKYC.
QR Code-Based Authentication
A QR Code is nothing but a barcode that contains machine-readable information. According to the UIDAI, the QR Code present on the Aadhaar print-letter and eAadhaar contains only demographic information (such as name, address, gender, date of birth, and photo of an individual) and not biometric information. The QR Code Based Authentication would work like this:
Paperless or Offline KYC
The UIDAI website currently also offers the option to download something called ‘Masked Aadhaar’ in which the Aadhaar number and biometric information are masked or redacted (the Aadhaar number is only partially masked). This can be shared with a service provider who can in turn authenticate the information displayed by scanning the QR Code like we discussed above.
There may exist minor variations of these alternatives but they are different from the biometric-based Aadhaar eKYC process in that biometric information is not shared with service providers or third parties, and verification is not done by accessing or ‘pinging’ the UIDAI’s Aadhaar database.
So All is Kosher Now?
Not Really! In the absence of biometric-verification, KYC based on QR Code Authentication may not always be fool-proof.
Consider this: let’s say a mischievous Mr. A obtains a Masked eAadhaar copy of Mr. B, who is unaware of Mr. A’s designs. Mr. A approaches the bank with Mr. B’s Masked eAadhaar to open a bank account with Mr. B’s credentials. Since all the bank would do is match information displayed on the eAadhaar copy with information detected by the scanner or the app based on the QR Code on the eAadhaar, unless there’s a stark dissimilarity in the facial features of Mr. A and Mr. B’s photo as it appears on the eAadhaar, the bank may not be able to detect a case of impersonation. Of course, Mr. A would also have to get hold of Mr. B’s PAN number and so on but that will hardly be a challenge if Mr. A is determined to have his way.
This, however, would not be possible under the biometric-based Aadhaar eKYC regime, in which Mr. A’s fingerprint or iris image would be matched by the bank against the fingerprint or iris image of Mr. B as it exists in UIDAI’s Aadhaar database and Mr. A’s grand plans would be foiled on account of a mismatch.
No, we are not saying that the Supreme Court’s judgment made our financial system more prone to fraud. We are only highlighting the fact that QR Code authentication – at this point in time – is not as secure as biometric-based authentication.
UIDAI and players in the financial sector would do well to brainstorm and come up with a more robust KYC process without treading in the direction of biometric verification.
Bhavin Patel (bhavin@baysideadvisors.in)
Hemant Krishna V. (hemant@baysideadvisors.in)