This article in LiveMint indicates that the prepaid payments instrument (PPI) industry will soon request access to Aadhaar (India’s centralized ID database). The goal is to lower the cost of verifying the cardholder’s identity now that KYC has been made a requirement:
“New Delhi: The digital payments industry will seek access to the Aadhaar database for customer authentication to comply with the stringent customer verification rules set by the Reserve Bank of India (RBI).
The prepaid payments instrument (PPI) industry will write to the Unique Identification Authority of India (UIDAI) to allow mobile wallet providers to verify customers using the Aadhaar number.
“When UIDAI has to recognize a regulated entity they should recognize all RBI regulated entities. Why create differentiation within the regulated entities? I can understand if you differentiate between regulated and non-regulated ones. But if there are entities, which are RBI regulated, then why a different set of rules for one set of regulated entities and not for others. This is creating a non-level playing field,” said Gaurav Chopra, executive director of the Payments Council of India (PCI), the industry body representing all digital payment companies in India.
In April, RBI had updated its know-your-customer (KYC) guidelines mandating Aadhaar for customer verification and due diligence by entities regulated by it, including banks, non-banking finance companies (NBFCs), payment system providers (PSPs) and PPI issuers.”
Aadhaar has implemented two methods for accessing identities: a direct Aadhaar number, which points directly to the person’s records, and a tokenized implementation that must be translated to connect to the person’s identity. Prepaid issuers have not been given access to the direct Aadhaar number, which is required to perform e-KYC:
“UIDAI, in a move to regulate storage of Aadhaar numbers within databases, had introduced two categories of Authentication User Agency (AUA)—an entity engaged in providing Aadhaar-enabled services. The local AUA has limited access to Aadhaar data through a virtual ID, while global AUAs will have access to e-KYC using the Aadhaar number.
An AUA may be a government, public or a private legal agency registered in India, which uses the Aadhaar authentication services provided by UIDAI.
All banks, including commercial banks, payment banks, regional banks, rural banks, cooperative banks and small finance banks, as well as life insurance companies and the National Payments Corp. of India, had been categorized as global AUAs. PPIs, NBFCs, telcos and non-life insurance companies were among those classified as local AUAs.
The local AUAs are allowed to verify customers using virtual IDs only. Virtual ID is a 16-digit random number mapped with the Aadhaar number and can be used for the purpose of authentication in the same way the Aadhaar number is used. The date for implementation of Virtual IDs is 1 July.
“The concerns around security have to be rightly balanced, to be done in a phased and time-bound manner, and not stop the licences of PPI companies overnight, putting the entire business at risk… It is better to have directional implementation of virtual IDs,” said Chopra.
According to Chopra, UIDAI’s move to classify PPIs as local AUAs will prevent PPI holders from complying with the KYC norms set by RBI.”
Studying Aadhaar’s deployment issues can help inform other countries contemplating similar centralized identity databases about where issues are likely to develop.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group