What They Talk About When They Talk About ‘QR Code Verification’ or ‘Paperless Aadhaar KYC’

By Bayside Advisors on October 29, 2018

So it’s been a little over a month since the Supreme Court issued the Aadhaar judgment. The rumour mills have been going overboard about the future of Aadhaar and KYC. Regulated private entities have been hankering after their respective regulators to continue to allow paperless alternatives to Aadhaar-based eKYC so that customer on-boarding time and cost don’t go back to what they used to be before Aadhaar-based eKYC became the preferred mode of customer on-boarding.

In the midst of all this, the UIDAI has been doing curious things – such as uploading news clippings about its private communications with stakeholders in the Aadhaar ecosystem and about receiving a legal opinion in the matter (see: https://uidai.gov.in/media-center/aadhaar-in-news.html). It has supposedly clarified to banks that traditional Aadhaar eKYC can still be used to authenticate beneficiaries of government subsidies and welfare schemes and for other customers, and it has hinted that options such as QR Code and offline Aadhaar KYC may be considered (see this report: https://www.business-standard.com/article/economy-policy/uidai-allows-banks-to-use-aadhaar-ekyc-to-authenticate-dbt-users-118102800290_1.html). A circular from the UIDAI (which has not yet been deemed worthy of being revealed to the public) is said to have encouraged banks to develop web and mobile applications that can leverage QR codes printed on Aadhaar copies for the purpose of doing KYC.

Sticklers for detail may be left wondering “Ummm…but what about the RBI Master Direction on KYC that still requires carrying out e-KYC authentication (biometric or OTP based) while opening new bank accounts for individuals who have Aadhaar?” While the sticklers continue to stickle, and the rest throw around words like ‘paperless KYC’, ‘offline Aadhaar verification’, ‘QR Code’ and so on a lot, we break down these terms for you without getting into the legality of the alternatives (in keeping with the best traditions followed by top lawyers world over).

The two alternatives to Aadhaar-based eKYC (that uses biometrics) that are currently doing the rounds are QR Code-Based Authentication and Paperless or Offline eKYC.

QR Code-Based Authentication

A QR Code is nothing but a barcode that contains machine-readable information. According to the UIDAI, the QR Code present on the Aadhaar print-letter and eAadhaar contains only demographic information (such as name, address, gender, date of birth, and photo of an individual) and not biometric information. The QR Code Based Authentication would work like this:

[Illustration: Offline Aadhaar KYC]

Paperless or Offline KYC

The UIDAI website currently also offers the option to download something called ‘Masked Aadhaar’ in which the Aadhaar number and biometric information are masked or redacted (the Aadhaar number is only partially masked). This can be shared with a service provider who can in turn authenticate the information displayed by scanning the QR Code like we discussed above.

There may exist minor variations of these alternatives but they are different from the biometric-based Aadhaar eKYC process in that biometric information is not shared with service providers or third parties, and verification is not done by accessing or ‘pinging’ the UIDAI’s Aadhaar database.

So All is Kosher Now?

Not Really! In the absence of biometric-verification, KYC based on QR Code Authentication may not always be fool-proof.

Consider this: let’s say a mischievous Mr. A obtains a Masked eAadhaar copy of Mr. B, who is unaware of Mr. A’s designs. Mr. A approaches the bank with Mr. B’s Masked eAadhaar to open a bank account with Mr. B’s credentials. Since all the bank would do is match information displayed on the eAadhaar copy with information detected by the scanner or the app based on the QR Code on the eAadhaar, unless there’s a stark dissimilarity in the facial features of Mr. A and Mr. B’s photo as it appears on the eAadhaar, the bank may not be able to detect a case of impersonation. Of course, Mr. A would also have to get hold of Mr. B’s PAN number and so on but that will hardly be a challenge if Mr. A is determined to have his way.

This, however, would not be possible under the biometric-based Aadhaar eKYC regime, in which Mr. A’s fingerprint or iris image would be matched by the bank against the fingerprint or iris image of Mr. B as it exists in UIDAI’s Aadhaar database and Mr. A’s grand plans would be foiled on account of a mismatch.

No, we are not saying that the Supreme Court’s judgment made our financial system more prone to fraud. We are only highlighting the fact that QR Code authentication – at this point in time – is not as secure as biometric-based authentication.

UIDAI and players in the financial sector would do well to brainstorm and come up with a more robust KYC process without treading in the direction of biometric verification.

Bhavin Patel (bhavin@baysideadvisors.in)
Hemant Krishna V. (hemant@baysideadvisors.in)

Bayside Advisors

The Bayside Advisors is made up of Bhavin Patel and Hemant Krishna V.

  • Posted in:
    Privacy & Data Security
  • Blog:
    The Data Lawyer
  • Organization:
    Bayside Advisors