
Private Entities & Aadhaar – No More Authentic?

The wisdom of the Supreme Court’s judgment upholding the constitutional validity of Aadhaar has put private companies including telecom companies, fintechs, and payment banks in a tough spot as it has restricted authentication by using Aadhaar, something that a large number of such companies were relying on previously. Breaking it down, it essentially means that private lending platforms such as wallets, payment banks, and fintechs will no longer be able to use Aadhaar based authentication as part of their basic infrastructure.

Until now, these companies selling products and services like insurance, mutual funds, loans, etc. were using Aadhaar as a means to authenticate customers through the Aadhaar-based KYC (know your customer) norms in order to create a digital framework, ruling out the need to submit physical documents.

On 26 September, a constitutional bench of the Supreme Court headed by former Chief Justice Dipak Misra struck down a portion of Section 57 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, which enabled bodies corporate and individuals to seek authentication through Aadhaar. Section 57 of the Aadhaar Act allows the use of the unique ID for establishing the identity of an individual for any purpose, whether by the state, a body corporate or a person. Accordingly, private entities cannot rely on Aadhaar-based authentication for their services any longer.

As clear as this may sound, various aspects of this decision by the Supreme Court remain unclear. Private companies are not sure about the extent of personal data they need to delete and what they can hold. Struggling to cope with the ambiguity about a situation where a user volunteers to Aadhaar based authentication is another issue being faced by such companies. Most companies are operating cautiously and not making drastic changes in their operational behavior, mostly due to the huge costs involved and the inconvenience that may be caused to the users by resorting to a switch in the business model. Until any further clarity, digital industry players hit by this change are venturing into looking at alternative models to adopt.

BACK TO PHYSICAL VERIFICATION – ADDITIONAL COSTS?

As the provision was watered down, it became clearer to financial technology startups and payment banks that they need to scout for alternate methods and digress from a business model that relied on authentication through biometric details. This presents manifold problems for the digital payment industry, which consists of small fintechs and startups that have been running on low-cost, paperless business models using Aadhaar-based information. To begin with, the operational cost of such companies is set to rise if they resort to an infrastructure relying on the traditional method of physical authentication.

Going back to traditional or paper-based authentication of customers would also be a risky proposition, as there is a chance of misplacing physical proof of identification. This could, in turn, lead to a threat to the right to privacy of a customer, which is the ground on which Section 57 has been watered down. The core problem of the threat to the individual privacy of a customer has therefore not been addressed by taking away the power to rely on Aadhaar-based authentication; in fact, it has spiraled into a set of new complex issues around data privacy.

Apart from physical verification, there are other solutions available in the market like IDEN check from CRIF and other bureaus, according to Agarwal of Rubique Technologies. These solutions rely on the bureau data and previous loan and credit card issuance data to predict the address of the person, and if banks are satisfied with these predictions, they skip physical verification.

"Aadhaar based verifications are one of the cheapest and most convenient modes of verification. Each Aadhaar verification costs around ₹15. Hence falling back to any other mode of verification will result in an expensive and cumbersome verification process along with higher turnaround time. Physical verification might cost up to ₹100. In such cases, companies will pass on this burden to consumers. We need to leverage enough digital data and customer’s previous transaction history with other banks and mobile companies available to reduce verification cost for customers who are not first-time borrowers."

SURAJ AGARWAL
Chief Technical Officer of Digital Lending Platform, Rubique Technologies.

HOW ARE TELCOS COPING?

Telecom companies are among the worst affected by the Supreme Court ruling restricting them from using Aadhaar to validate the identity of subscribers mandatorily. While they look for alternate methods until there is more clarity on the way forward, telcos are clear about one thing: there is no going back to the old ways, and they are innovating their way through the challenge before them rather creatively.

Rather than pushing for the old system of Aadhaar based authentication or retracting to paper-based verification, the Cellular Operators Association of India has written to the telecom secretary proposing an alternate method.

The lobby group proposed a new system by which it aims to build the digital identity of a customer by acquiring details such as their live photo at the point of sale of the mobile connection, watermarking the photo and assigning a unique code to prevent copying or re-use of the photo. These details will be entered into the operator’s app and used to build a digitalized customer profile.

According to the lobby group, returning to the physical paper-based system was not an option as it would lead to a waste of years of progress of moving towards a digitally backed India and the investment involved therein. It would also be more time-consuming. Until now, telcos had been pushing customers to link their mobile numbers with Aadhaar under the e-KYC option that was quicker and more efficient than physical verification.

According to recent reports, Vodafone, Idea and Airtel have already started execution of this new digital KYC process using live location in certain locations and will subsequently be extending it to more circles.

CONSIDERATION OF AI-BASED SOLUTIONS

Standing at a crossroads, companies are looking at exploiting big data through AI solutions, and with the excessive use of social media and mobile phones, it is no longer difficult to obtain and verify a person’s social and location data.

Various members of the banking industry, including fintechs and NBFCs, are looking at AI-based solutions for meeting their e-KYC requirements under the law. The solution currently under consideration will help to establish a person’s identity by matching it against live photographs of the person, through an application. Video-based KYC is also being considered as an additional form of authentication as the payments industry struggles to look for an alternate mechanism for digital authentication.

“A lot of technology companies leverage location data and its consistency over a period of time to assess the location of the person. Hence, big data solutions coupled with machine learning based algorithms can provide a breakthrough in the area of customer verification. We have also used AI algorithms to build address verification using location data and bureau data. We regularly capture location data and then use past data to predict the actual address,” said Suraj Agarwal of Rubique Tech.

WHAT HAPPENS TO AADHAAR BASED DATA COLLECTED BEFORE THE BAN?

There also persists ambiguity regarding the status of the Aadhaar data already shared by customers that is stored with them. What about the privacy of that data? Can digital companies be allowed to retain and use that data for future purposes? Whether they need to delete such data and to what extent is unclear. What is clear is that they aren’t allowed to perform authentication in private companies using Aadhaar which is the only form of identification in the country which can be used for authentication by providing API, using biometrics demographically.

At this juncture, it becomes important to understand the specific data being referred to, which was collected by private organizations at one point in time and cannot be accessed anymore for authentication purposes. The data with private companies (including mutual fund companies, travel companies, startups, etc.) is of two kinds: the first is the Aadhaar data collected for meeting the e-KYC norms and the other is the Aadhaar number for verification/authentication.

“The KYC data was collected by entities under the Indian law so anyway whether it was Aadhaar or anything else, they would have to collect such information. One ought to clarify what Aadhaar data is. There’s a lot of confusion around this. In most cases, private entities are legally obliged to hold that data. Even if they delete it, they have to get that data from the user in a different way.

Deletion of data required for KYC means that people who submitted Aadhaar for e-KYC will need to submit these documents again. People were pointing out how this is a horrible move by UIDAI, because it’s inconveniencing people and making them stick to Aadhaar, and then when UIDAI clarified that you don’t have to perform KYC again, they were told to be in violation of the Supreme Court orders, so either which way UIDAI loses,” Pranesh Prakash, a fellow at think tank Centre for Internet and Society, explained.

According to Prakash, removing Aadhaar data means deletion of the Aadhaar numbers because there isn’t any other data that private companies haven’t directly collected from people or any third party. The only data they have which is UIDAI related is Aadhaar number.

While clarifications on delinking and limited usage of Aadhaar based data are awaited, digital players continue to hold such data. The clear-cut answer to this conundrum lies under the Data Protection law that is on the anvil under the supervision of the government appointed Srikrishna committee and is expected to lay down a secure data protection framework. But until then, the digital payment industry shall continue to stay in a limbo when it comes to the retrospective use of Aadhaar based personal data collected by private companies.

PROBLEM WITH LEGAL BACKING

Finding it difficult to cope, members of the digital industry have approached the Central government through the finance and law ministry urging them to bail them out of this situation by formulating a law that will allow them access to the Aadhaar database. Information and technology minister Ravi Shankar Prasad has urged the digital industry not to panic and said that the government will look into the matter and consider bringing in a law if needed.

Striking down Section 57 partially has initiated a series of debates between lawyers, some of whom disagree with its validity and interpretation thereof. For instance, Pranesh Prakash, while deliberating the impact of striking down parts of Section 57, is quick to point out a structural defect, as the power of private companies to use Aadhaar for authentication does not arise from Section 57 but from Section 8 read with Section 2 of the Aadhaar Act.

Digital payment companies are also holding consultations among themselves to find a way that will allow them to use Aadhaar database for customer verification in a secure way, without affecting the privacy safeguards as laid down by the Supreme Court.

About Lex Witness

Lex Witness Bureau
