Balancing privacy and benefits

Authors: Pratik Pathrabe, Shekhar Lele, Neema Kar, Mary Lou Rodrigues

On 26 September 2018, the Supreme Court of India announced its verdict on the Aadhaar framework and declared the Aadhaar Act as constitutionally valid. The judgement has been said to take into account the dignity and privacy of individuals, not only from a personal perspective but also from a community point of view. The most important points to consider from a FinTech perspective are the amendments to section 57 of the Aadhaar Act and Rule 9 of the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 which gives permission to private entities to perform Aadhaar-based authentication. The Court has, however, also observed that if a person wishes to voluntarily offer his/her Aadhaar card as a proof of identity it may be allowed.

The decision has raised several points that need immediate clarification and direction from policy makers to determine the course of action for FinTech entities. These include:

  • Definition and explanation of ‘body corporate’ and ‘person’ as used in Section 57 of the Aadhaar Act and whether it differentiates between regulated and unregulated entities.
  • Whether Aadhaar details of new customers can be accepted by FinTech players for the purpose of KYC verification.
  • Permission to accept Aadhaar card from customers, as an identity card, if the customer so chooses, i.e., voluntarily.
  • Course of action for entities authorised under the local and global AUA framework.
  • How should FinTech entities treat Aadhaar data of existing customers (whose KYC was performed using Aadhaar-based eKYC)?
  • Does the mandate of deletion of Aadhaar authentication data within six months extend to requesting FinTech entities to do so?
  • Permissibility and method of deletion of KYC authentication data of customers by companies that have obtained such data, by virtue of contractual obligations, such as unregulated FinTech entities.

This judgement, coupled with previous regulatory mandates such as localisation of payments data storage, has created an air of uncertainty in the FinTech ecosystem. While the industry awaits specific directions from regulators such as Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI) and Telecom Regulatory Authority of India (TRAI), it is worthwhile to evaluate the immediate plausible short-term impact and discuss ways for FinTech entities to be ready for the future.

Short-term impact

A) Brace for pushback and cost escalations

One of the critical cogs in achieving the vision of financial inclusion is easy access to financial services. The digital know-your-customer (eKYC) process has played a vital role in significantly reducing the time and cost involved in on-boarding customers.

In the aftermath of the Supreme Court verdict, it will be an immediate challenge for new age entities to convince customers to share their Aadhaar details for identification purposes during the customer on-boarding process. Digital-only platforms could also face initial hiccups and reluctance from customers, which would impact the growth rate of customer acquisition. Hence, such platforms would have to add alternatives for customer verification, which would result in increased customer acquisition cost. With the available options of traditional and digital customer verification, the customer cost of acquisition is expected to increase six to ten times post-verdict.[i] New age, tech-savvy lenders, who have been using eKYC to expand their customer base to small towns and migrant labourers, will also see a major impact on the rate of customer acquisition in the near future.

To address this, FinTechs can explore some workarounds. The Unique Identification Authority of India (UIDAI) had introduced an offline QR code for Aadhaar that holds users’ non-sensitive details such as name, address, photo and date of birth. With it, the user is not required to share the 12-digit Aadhaar number, biometrics or mobile number with private bodies. FinTechs can look at leveraging such features as a workaround, after taking the voluntary consent of the customer, and as permitted by the law.

B) Uncertainty around on-going and future initiatives built on top of Aadhaar

While developments over the next few days are expected to provide more clarity on the way forward, FinTechs and financial institutions (FI) will need to work on strategies to handle on-going projects in various areas:

Direct benefit transfer (DBT)

  • With the SC validating the use of Aadhaar for DBT, the government is likely to continue its usage for 465 existing DBT schemes.

Digilocker

  • Aadhaar-based profile management and feeders from government agencies such as the RTO and the Income Tax department may still continue, but those from private entities may face restrictions.

Virtual Identifier and e-vault

  • Global authentication user agencies (AUA) have started investments in safe storage of Aadhaar numbers, and local and global AUAs have started enhancing systems to handle the virtual identifier. This may be impacted by restrictions on the usage of Aadhaar by private entities.

Existing payment instruments built on top of Aadhaar stack

  • Usage of Aadhaar for various instruments such as Aadhaar Pay, APB, AEPS, eNACH by NPCI and private sector banks needs examination.

eKYC

  • The government has indicated the possibility of Aadhaar usage by private entities backed by law. eKYC would be impacted until there is clarity in this regard.

Innovative future use cases

  • Firms may have to study the impact and re-prioritise usage of Aadhaar for various use cases including cardless withdrawal of cash at ATMs, credit profiling through fetching of details linked to Aadhaar and multi-factor authentication such as retinal scan linked to Aadhaar, among others.  

 

Gearing up for mid- and long-term sustainability

In light of the Supreme Court’s verdict on Aadhaar, service providers will be compelled to change their business model of on-boarding customers. Although service providers cannot mandate the usage of Aadhaar, they can incentivise the customer for its usage by adjusting against the cost of physical verification of customers.

A few ways of adapting to these new ground realities are suggested below:

Industry-level awareness programs

The reading of the judgement indicates that requesting entities may on-board and service customers using Aadhaar as an identity card, if the customer so desires, i.e., voluntarily. FinTech service providers will be required to inform customers about various alternatives available to them, while also assuring them of the confidentiality of their Aadhaar details under such circumstances. While entity-level marketing is likely to have high cost implications, it is necessary for associations or communities to educate their existing and target customers.

Innovative ways of physical verification

One of the pain points of physical on-boarding is the manual entry of details of identification documents such as a PAN card or passport into a form. The data on various documents is manually entered into systems and then cross-checked manually by the document verification unit at the backend. This manual comparison can take a few minutes per case and is prone to errors including incomplete data entry, mismatch, etc. Irrespective of these issues, entities will need to physically on-board customers who do not wish to share their Aadhaar card. Entities can then look at reducing the costs and errors of manual data entry by implementing solutions such as Optical Character Recognition (OCR) and Robotic Process Automation (RPA) to read data fields in scanned copies of identity documents. This will take care of Identity and Address out of ISA (Identity, Signature and Address) at the time of on-boarding.

Blockchain-based customer verification and monitoring

Start-ups can also build a shared model of Blockchain-based customer verification after taking customer consent. If the customer has been verified with a service provider, let’s say a mobile operator, his or her data will be stored on the cloud and can be used by other service providers based on the customer’s consent, which could be in the form of an OTP. In this model, customers will not be sharing Aadhaar data and it will purely be based on customers’ consent. Any updates to customer details will need to be approved by all nodes in the Blockchain, thereby minimising the probability of fraud. A person wishing to delete or modify personal details frequently could be flagged as suspicious, based on certain rules, and his or her transactions can be monitored.

In this case also, necessary provisions and guidelines related to consent-based access need to be studied before implementation. 

CKYC

Central KYC Registry (CKYCR) is a centralised repository of KYC records of customers in the financial sector with uniform KYC norms and inter-usability of KYC records across the sector, with the objective of reducing the burden of producing KYC documents and getting them verified every time the customer starts a new relationship with a financial entity.[1] Various entities are at different stages of implementation of CKYCR. With the new Aadhaar ruling, CKYCR could be seen as an efficient method of customer on-boarding and verification. A customer using multiple financial products will have to be verified only once, and can subsequently get verified using CKYCR for any other financial services or products.

While more clarity is expected from the respective regulators in the next few weeks to months, it is clear that FinTech entities need to consider alternative modes of customer verification. While this is likely to have cost implications, it could be net positive in the future, since it will help FinTech entities build a sustainable model that is not dependent on a single identifier. For instance, removing the mandate of Aadhaar for banks and telecom operators could also be seen as opening additional ways for entities to on-board more customers. Emerging start-ups, which are going to be the most impacted, would have to find a sustainable and economical way of verifying customers by developing a solution around the traditional way of customer verification. The ultimate objective will be to help people remain comfortable with the options provided by FinTech players and assure them of their benefits, while safeguarding their privacy.
