A guest column by Wriju Ray (co-founder and CBO at IDfy) on Aadhaar offline XML, published in ET Prime on March 25, 2019.
If the Supreme Court’s Aadhaar Judgment on 26th Sep had shocked the industry into silence, the Aadhaar Amendment Ordinance has given it a new lease of life. However, questions remain about how Aadhaar can be unshackled and its use permitted beyond government subsidies, bank accounts, and telecom. One of the ways this might happen is Aadhaar offline. So is Aadhaar offline XML all that it’s made out to be – effective in its purpose, universal in adoption, and safe for the masses? In other words, is it an effective mechanism to Know Your Customer (KYC)?
Know your KYC
Let’s start with a more basic question. What is KYC? While every business needs to know its customers to serve and bill them, regulated entities have to carry it out in specific, predefined ways. Regulators such as RBI, SEBI, IRDA, and TRAI lay out rules for KYC. In doing so they are guided by laws such as the PMLA and the Telegraph Act.
There are three precepts of KYC, each of them neatly condensed into a three-letter acronym – OVD (Officially Valid Document, typically an ID card issued by the government), OSV (Original Seen and Verified, the act of viewing the original by an authorised officer of the regulated entity) and IPV (In-Person Verification, the act of ensuring that the end-user was present during sign-up).
At the turn of the century, as private banks and telcos blossomed, millions of users were signed up using these basic tools. OVD was the most ubiquitous way available to identify a person; everybody now had to have a government ID card. The user typically came to a branch or retail establishment, but increasingly entities began to use agents (often referred to as business correspondents) to come to the user’s location and complete the formality. The user then had to present his/her original OVD. The business correspondent would simply see the original, compare it with the user’s face, and note on the photocopy that the original had been checked.
This sort of process still works for most government ID cards, but offline Aadhaar is a strange beast. It appears to be challenging the very notion of this type of KYC.
An ID for the digital age
Offline Aadhaar XML is really quite avant-garde. It is a digital ID card (an XML file). It doesn’t require anyone to connect to UIDAI to verify the authenticity of the ID card. Instead, it relies on the digital signature, a concept where a trusted certifying authority (CA) certifies that a certain digital document is authentic.
The user is expected to download the digital Aadhaar XML file from the UIDAI site. Every such file is digitally signed by UIDAI. The user may share it with the requester along with a share code. The requester can open the file with the share code and check the certificate to confirm that the document is indeed authentic.
The process does require at least a basic level of competence with technology, and this has been the subject of some criticism. However, in this article, I’d like to focus primarily on aspects linked to the process of KYC.
Aadhaar offline ekyc is spooky
Let’s start with OSV. For most government IDs, there is only one original card given to a citizen. However, in the case of offline Aadhaar, there can be more than one original ID card. This is because every copy of a digital file, such as an Aadhaar XML, is identical to the original. In OSV the whole point of seeing the original was that it would be unique, and therefore it would be expected that only the user would be in possession of it. Now, it appears that the original Aadhaar XML could be anywhere and with anyone.
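The two points above, that a signed digital ID can be verified offline against the issuer’s key alone, and that every byte-identical copy of it verifies exactly as well as the “original”, are easy to see in code. The following is an added example, not code from the column, from UIDAI or from IDfy. It does not use the real Aadhaar XML schema or XML-DSig: the record fields, the `SignedIDRecord` wrapper, the Ed25519 signature and the issuer key pair are all constructed stand-ins, and the share-code container is left out. What it keeps is the security-relevant structure: the requester holds only the issuer’s public key as a trust anchor, verification needs no network call, tampering or a different issuer fails, and a copy passes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Record is a hypothetical, simplified ID record. It is NOT the UIDAI schema;
// the element and attribute names are constructed for this example.
type Record struct {
	XMLName   xml.Name `xml:"IDRecord"`
	Name      string   `xml:"name,attr"`
	DOB       string   `xml:"dob,attr"`
	PhotoHash string   `xml:"photoHash,attr"` // digest of the photo, not the photo itself
}

// SignedDoc wraps a Record with the issuer's signature over the canonical
// marshalled bytes of the record. Real XML-DSig is more involved; this
// stand-in is enough to show the verification logic.
type SignedDoc struct {
	XMLName   xml.Name `xml:"SignedIDRecord"`
	Record    Record   `xml:"IDRecord"`
	Signature string   `xml:"Signature"` // base64-encoded Ed25519 signature
}

// recordBytes is the deterministic byte string that gets signed. Re-marshalling
// the parsed struct (rather than hashing raw file bytes) gives both sides the
// same canonical form.
func recordBytes(r Record) ([]byte, error) { return xml.Marshal(r) }

// NewIssuer creates the issuer's key pair. The public key is what every
// requester ships as its trust anchor; the private key never leaves the issuer.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue produces the signed XML file the holder would download. Only the
// holder of the issuer's private key can create a document that verifies.
func Issue(priv ed25519.PrivateKey, r Record) ([]byte, error) {
	msg, err := recordBytes(r)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, msg)
	sd := SignedDoc{Record: r, Signature: base64.StdEncoding.EncodeToString(sig)}
	return xml.MarshalIndent(sd, "", "  ")
}

// Verify is what the requester runs offline. It needs only the issuer's public
// key; no connection to the issuer is made. Note what it proves: that the
// issuer signed these contents. It says nothing about who is presenting them.
func Verify(issuerPub ed25519.PublicKey, doc []byte) (Record, error) {
	var sd SignedDoc
	if err := xml.Unmarshal(doc, &sd); err != nil {
		return Record{}, fmt.Errorf("malformed document: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(sd.Signature)
	if err != nil {
		return Record{}, fmt.Errorf("bad signature encoding: %w", err)
	}
	msg, err := recordBytes(sd.Record)
	if err != nil {
		return Record{}, err
	}
	if !ed25519.Verify(issuerPub, msg, sig) {
		return Record{}, errors.New("signature invalid: document altered or not from the trusted issuer")
	}
	return sd.Record, nil
}

// SampleRecord is constructed sample data for the demonstration.
func SampleRecord() Record {
	return Record{Name: "Asha Verma", DOB: "1990-01-01", PhotoHash: "sha256:PLACEHOLDER"}
}

// Tamper simulates an edit to the downloaded file (changing the name) without
// re-signing, which is what a forger without the issuer's key could do.
func Tamper(doc []byte) []byte {
	return bytes.Replace(doc, []byte(`name="Asha Verma"`), []byte(`name="Asha Varma"`), 1)
}

func main() {
	pub, priv, _ := NewIssuer()
	doc, _ := Issue(priv, SampleRecord())
	copyDoc := append([]byte(nil), doc...) // a second "original", identical byte for byte

	_, errOrig := Verify(pub, doc)
	_, errCopy := Verify(pub, copyDoc)
	_, errTamper := Verify(pub, Tamper(doc))
	fmt.Println("original verifies:", errOrig == nil)  // true
	fmt.Println("copy verifies:    ", errCopy == nil)  // true: indistinguishable from the original
	fmt.Println("tampered verifies:", errTamper == nil) // false
}
```

The copy check is the OSV problem in miniature: the requester’s software cannot tell the holder’s file from any other copy, because there is nothing to tell apart. Authenticity of the document and presence of its subject are therefore two separate checks, and the second one has to be supplied by something other than signature verification.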
Moving next to IPV. One needs an application such as an XML viewer to read the Aadhaar XML ID card. Thus the typical business correspondent will need to move around with a smartphone or a tablet loaded with an app that can handle Aadhaar XML. To further complicate matters, an Aadhaar XML file cannot be opened without a share code. In other words, the user would need to share the Aadhaar XML file AND the share code with the business correspondent. This can be risky if not managed carefully. You might think that a simpler and safer approach would be to remove the business correspondent from the equation and simply share the Aadhaar XML directly with a website or app. But that would render ‘In-Person Verification’ meaningless as there would now be no person involved.
In a way, Aadhaar XML is asking a very existential question of KYC. The whole point of KYC was to identify the user; OSV and IPV were means to that end. With digital cards such as Aadhaar XML, KYC itself needs to adapt and digitise. It is no longer necessary to visit a person to conduct KYC. It is in fact riskier to do so. In the age of smartphones, it is possible to instantly read and verify digital ID cards and to confirm, using technology, that the cardholder was present too. Aadhaar XML is now compelling regulators to recognise this and adapt regulations accordingly.