A guest column written by Wriju Ray, co-founder and CBO at IDfy, published in ET Prime on March 25, 2019
If the Supreme Court’s Aadhaar Judgment on 26th Sep had shocked the industry into silence, the Aadhaar Amendment Ordinance has breathed a new lease of life into it. However, questions remain about how Aadhaar can be unshackled and its use permitted beyond government subsidies, bank accounts and telecom. One of the ways this might happen is Aadhaar Offline. So is Aadhaar Offline all that it’s made out to be – effective in its purpose, universal in adoption and safe for the masses? In other words, is it an effective mechanism to Know Your Customer (KYC)?
Know your KYC
Let’s start with a more basic question. What is KYC? While every business needs to know its customers to serve and bill them, regulated entities have to carry it out in specific, predefined ways. Regulators such as RBI, SEBI, IRDA and TRAI lay out rules for KYC. In doing so they are guided by laws such as PMLA and Telegraph Act.
There are three precepts of KYC, each of them neatly condensed into a three-letter acronym – OVD (Officially Valid Document, typically an ID card issued by government), OSV (original seen and verified, the act of viewing the original by an authorized officer of the regulated entity) and IPV (in-person verification, the act of ensuring that the end user was present during sign-up).
At the turn of the century, as private banks and telcos blossomed, millions of users were signed up using these basic tools. OVD was the most ubiquitous way available to identify a person; everybody now had to have a government ID card. The user typically came to a branch or retail establishment, but increasingly entities began to use agents (often referred to as business correspondents) to come to the user’s location and complete the formality. The user then had to present his/her original OVD. The business correspondent would simply see the original, compare it with the user’s face and note on the photocopy that the original had been checked.
This sort of process still works for most government ID cards, but offline Aadhaar is a strange beast. It appears to be challenging the very notion of this type of KYC.
An ID for the digital age
Offline Aadhaar is really quite avant-garde. It is a digital ID card (an XML file). It doesn’t require anyone to connect to UIDAI to verify the authenticity of the ID card. Instead it relies on a digital signature, a concept where a trusted certifying authority (CA) certifies that a certain digital document is authentic.
The user is expected to download the digital Aadhaar file from the UIDAI site. Every such file is digitally signed by UIDAI. The user may share it with the requester along with a share code. The requester can open the file with the share code and check the certificate to note that the document is indeed authentic.
The process does require at least a basic level of competence with technology, and this has been the subject of some criticism. However, in this article, I’d like to focus primarily on aspects linked to the process of KYC.
Offline Aadhaar is spooky
Let’s start with OSV. For most government IDs, there is only one original card given to a citizen. However, in the case of offline Aadhaar, there can be more than one original ID card. This is because every copy of a digital file, such as an Aadhaar XML, is identical to the original. In OSV the whole point of seeing the original was that it would be unique, and therefore it would be expected that only the user would be in possession of it. Now, it appears that the original Aadhaar XML could be anywhere and with anyone.
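The two points above, that the requester verifies the file against the issuer's signature without contacting UIDAI, and that every byte-identical copy passes that check equally well, can be shown in a few lines. The following is an added illustration, not code from UIDAI, IDfy or the column: it stands in a locally generated Ed25519 key pair for UIDAI's certificate, a made-up two-field record for the real Aadhaar XML schema, and leaves out the share-code step entirely.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"fmt"
)

// Record is a constructed stand-in for the identity fields an offline
// Aadhaar XML carries; it does not reproduce the real UIDAI schema.
type Record struct {
	XMLName xml.Name `xml:"Record"`
	Name    string   `xml:"name,attr"`
}

// SignedDoc is the XML bytes plus the issuer's signature over them.
type SignedDoc struct {
	Payload []byte
	Sig     []byte
}

// Issue plays the issuer's role: serialise the record and sign it.
func Issue(priv ed25519.PrivateKey, r Record) (SignedDoc, error) {
	payload, err := xml.Marshal(r)
	if err != nil {
		return SignedDoc{}, err
	}
	return SignedDoc{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Verify plays the requester's role. It needs only the issuer's public key,
// not a connection to the issuer, and accepts every byte-identical copy.
func Verify(pub ed25519.PublicKey, d SignedDoc) (Record, bool) {
	if !ed25519.Verify(pub, d.Payload, d.Sig) {
		return Record{}, false
	}
	var r Record
	if err := xml.Unmarshal(d.Payload, &r); err != nil {
		return Record{}, false
	}
	return r, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in issuer key
	doc, _ := Issue(priv, Record{Name: "Test Person"})
	copyDoc := SignedDoc{Payload: append([]byte{}, doc.Payload...), Sig: doc.Sig}
	_, okOrig := Verify(pub, doc)
	_, okCopy := Verify(pub, copyDoc)
	fmt.Println("original:", okOrig, "copy:", okCopy) // both true
}
```

The signature proves that the issuer produced the bytes; it says nothing about who is holding them, which is exactly why OSV's uniqueness assumption no longer applies.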
Moving next to IPV. One needs an application such as an XML viewer to read the Aadhaar XML ID card. Thus the typical business correspondent will need to move around with a smartphone or a tablet loaded with an app that can handle Aadhaar XML. To further complicate matters, an Aadhaar XML file cannot be opened without a share code. In other words, the user would need to share the Aadhaar XML file AND the share code with the business correspondent. This can be risky if not managed carefully. You might think that a simpler and safer approach would be to remove the business correspondent from the equation and simply share the Aadhaar XML directly with a website or app. But that would render ‘In Person Verification’ meaningless, as there would now be no person involved.
In a way, Aadhaar XML is asking a very existential question of KYC. The whole point of KYC was to identify the user; OSV and IPV were means to this end. With digital cards such as Aadhaar XML, KYC itself needs to adapt and digitize. Visiting the person is no longer needed to conduct KYC; in fact, it is riskier to do so. In the age of smartphones, it is possible to instantly read and verify digital ID cards and to confirm that the cardholder was present too, using technology. Aadhaar XML is now compelling regulators to recognize this and adapt regulations accordingly.