ET Prime
Under the lens

Offline Aadhaar heralds a digital-age KYC process, but stops just short of making a complete shift

Grey areas remain in conducting KYC with offline Aadhaar — the inherent risk of several identical files floating around; the hardware and software required to read the files; and the need to share the digital file and the share code with intermediaries.
wriju113
25 Mar 2019 4 Mins Read 1 comments
A Niti Aayog employee marks her attendance through an Aadhaar-based system in New Delhi. Getty Images
If the Supreme Court’s Aadhaar judgment on September 26 last year shocked the industry into silence, the Aadhaar and Other Laws (Amendment) Ordinance has given it a new lease of life. However, questions remain on how Aadhaar can be unshackled and its use permitted beyond government subsidies, bank accounts, and telecom. One of the ways this might happen is Aadhaar Offline. But is offline Aadhaar all that it’s made out to be — effective in its purpose, universal in adoption, and safe for the masses? In other words, is it effective for a know-your-customer (KYC) mechanism?

Know your KYC

Let’s start with a basic question. What is KYC? While every business needs to know its customers to serve and bill them, regulated entities have to carry it out in specific, predefined ways. Regulators such as the RBI, Sebi, IRDAI, and TRAI lay out rules for KYC. In doing so, they are guided by laws such as the Prevention of Money Laundering Act and the Indian Telegraph Act.

There are three precepts of KYC, each of them neatly condensed into three-letter acronyms — OVD (officially valid document, typically an ID card issued by the government), OSV (original seen and verified, the act of viewing the original by an authorised officer of the regulated entity), and IPV (in-person verification, the act of ensuring that the end user was present during sign-up).

At the turn of the century, as private banks and telcos blossomed, millions of users were signed up using these basic tools. As OVD was the most ubiquitous way available to identify a person, everybody now had to have a government ID card. Typically, the user would come to a branch or retail establishment, but increasingly entities began to use agents (often referred to as business correspondents) to visit the user’s location and complete the formality. The user had to present his/her original OVD. The business correspondent would check the original, compare it with the user’s face, and note on the photocopy that the original had been checked.

This sort of process still works for most government ID cards, but offline Aadhaar is a strange beast. It appears to be challenging the very notion of this type of KYC.

An identity for the digital age

Offline Aadhaar is a digital ID card (an XML file). It doesn’t require anyone to connect to the Unique Identification Authority of India (UIDAI) to verify its authenticity. Instead, it relies on a digital signature, a concept whereby a trusted certifying authority certifies that a certain digital document is authentic.

From the UIDAI’s site, users have to download their digital Aadhaar file, each of which is digitally signed by the UIDAI. A user may share the file with the requester along with a share code. The requester can open the file with the share code and check the certificate to note that the document is indeed authentic.

The process does require at least a basic level of competence with technology, and this has been the subject of some criticism. However, in this article, I’d like to focus primarily on aspects linked to the KYC process.

Offline Aadhaar is spooky

Let’s start with OSV. For most government IDs, there is only one original card given to a citizen. However, in the case of offline Aadhaar, there can be more than one original ID card. This is because every copy of a digital file, such as an Aadhaar XML, is identical to the original. In OSV, the whole point of seeing the original was that it would be unique and, therefore, it would be expected that only the user would be in possession of it. Now, it appears that an original Aadhaar XML could be anywhere and with anyone.

Moving next to IPV. One needs an application such as an XML viewer to read the Aadhaar XML ID card. Thus, the typical business correspondent will need to move around with a smartphone or a tablet loaded with an app that can handle Aadhaar XML. To further complicate matters, an Aadhaar XML file cannot be opened without a share code. In other words, the user would need to share the Aadhaar XML file and the share code with the business correspondent. This can be risky if not managed carefully.

You might think that a simpler and safer approach would be to remove the business correspondent from the equation and simply share the Aadhaar XML directly with a website or an app. But that would render IPV meaningless, as there would now be no “person” involved.

Why KYC?

In a way, Aadhaar XML is asking a very existential question of KYC. The whole point of KYC was to identify the user. OSV and IPV were means to this end. With digital cards such as Aadhaar XML, KYC itself needs to adapt and digitise. There is no longer a need for a business correspondent to visit a person to conduct KYC. Rather, it is risky to do so. In the age of smartphones, by using technology it is possible to instantly read and verify digital ID cards and confirm that an Aadhaar holder is present. Aadhaar XML is now compelling regulators to recognise this and adapt the regulations accordingly.

(Wriju Ray is co-founder and chief business officer at IDfy, one of the world’s top 100 companies in regulatory technology (REGTECH 100); Twitter handle: @wriju_ray)
