Fintech Update: SEBI’s circular on Aadhaar based e-KYC
On 5 November, the Securities and Exchange Board of India (SEBI) issued a circular on use of e-KYC Authentication facility under section 11A of the Prevention of Money Laundering Act, 2002 by entities in the securities market for resident investors. The circular highlights the process by which SEBI registered intermediaries may also be registered with the Unique Identification Authority of India (UIDAI) as KYC user agency (KUA) or sub-KUAs, in order to use the Aadhaar authentication services.
This comes as a major relief for fintech companies regulated by SEBI who were struggling to authenticate their clients using Aadhaar.
In February, the Union Cabinet cleared an ordinance to allow use of Aadhaar by banks and telecom companies. This ordinance had no provision for non-banking entities. Following extensive advocacy to extend this provision to non-banking entities as well, the Department of Revenue (DoR), Ministry of Finance, issued a circular which laid down the procedure for processing of applications under Section 11A of the Prevention of Money Laundering Act, 2002 (‘PMLA’) for use of Aadhaar authentication services by non-banking entities. This included reporting entities having to file an application for use of Aadhaar authentication services with their respective regulator. The circular said that the application will have to undergo a three-tier approval process involving the regulator, UIDAI and the Central government.
The Ministry of Finance did not prescribe in its circular any format in which the application has to be made; instead, it asked the regulators to specify any format in which the information from the applicant is to be obtained.
With the latest circular, SEBI becomes the first regulator to issue guidelines for entities regulated by it, to register with the UIDAI and eventually get notified by the Central Government, for carrying out Aadhaar based authentication.
Highlights of SEBI’s circular
- Entities in the securities market would be registered with UIDAI as KUA and shall allow all the SEBI registered intermediaries / mutual fund distributors to undertake Aadhaar Authentication of their clients for the purpose of KYC through them.
- The SEBI registered intermediaries / mutual fund distributors, who want to undertake Aadhaar authentication services through KUAs, shall enter into an agreement with any one KUA and get themselves registered with UIDAI as sub-KUAs. The agreement in this regard shall be as may be prescribed by UIDAI.
- Upon notification by the Central Government / registration with UIDAI, the KUAs and sub-KUAs shall adopt the following process for Aadhaar e-KYC of investors (resident) in the securities market.
Online Portal based Investor (Resident) e-KYC Process (Aadhaar as an OVD)
- Investor visits portal of KUA or the SEBI registered intermediary which is also a Sub-KUA to open account/invest through intermediary.
- For Aadhaar e-KYC, investor is redirected to KUA portal. Investor enters the Aadhaar Number or Virtual Id and provides consent on KUA portal. Adequate controls shall be in place to ensure that Aadhaar Number is not stored anywhere by the Sub-KUA or KUA.
- Investor will receive an OTP on the mobile number registered with Aadhaar. Investor enters the OTP sent by UIDAI on KUA portal for Aadhaar e-KYC.
- KUA will receive the e-KYC details from UIDAI upon successful Aadhaar authentication, which will be further forwarded to Sub-KUA in encrypted format (using KUA's own encryption key) and will be displayed to the investor on portal. Sharing of e-KYC data by the KUA with Sub-KUA may be allowed under Regulation 16(2) of Aadhaar (Authentication) Regulation, 2016. Sub-KUA shall clearly specify the name of the KUA and Sub-KUA, and details of sharing of data among KUA and Sub-KUA while capturing investor consent.
- Investor will fill the additional detail as required under KYC format.
- SEBI registered Intermediary will upload additional KYC details to the KUA.
Assisted Investor (Resident) e-KYC process (Aadhaar as an OVD)
- Investor approaches any of the SEBI Registered Entity/ Sub-KUAs i.e. Mutual Fund Distributors or appointed persons for e-KYC through Aadhaar.
- SEBI registered entities (Sub-KUAs) will perform e-KYC using registered / Whitelisted devices with KUAs.
- KUA will ensure that all devices and device operators of Sub-KUA are registered / whitelisted devices with KUA.
- Investor will enter Aadhaar No. or Virtual Id and provide consent on the registered device.
- Investor provides biometric on the registered device.
- SEBI registered intermediary (Sub-KUA) fetches the e-KYC details through the KUA from UIDAI which will be displayed to the investor on the registered device.
- Investor will also provide the additional detail as required.
4. The KUA/ sub-KUA while performing the Aadhaar authentication shall also comply with the following:
- For sharing of e-KYC data with Sub-KUA under Regulation 16(2) of Aadhaar (Authentication) Regulations, 2016, KUA shall obtain special permission from UIDAI by submitting an application in this regard. Such permissible sharing of e-KYC details by KUA can be allowed with their associated Sub-KUAs only.
- KUA shall not share UIDAI digitally signed e-KYC data with other KUAs. However, KUAs may share data after digitally signing it using their own signature for internal working of the system.
- e-KYC data received as response upon successful Aadhaar authentication from UIDAI will be stored by KUA and Sub-KUA in the manner prescribed by Aadhaar Act/Regulations and circulars issued by UIDAI from time to time.
- KUA/Sub-KUA shall not store Aadhaar number in their database under any circumstances. It shall be ensured that Aadhaar number is captured only using UIDAI's Aadhaar Number Capture Services (ANCS).
- The KUA shall maintain auditable logs of all such transactions where e-KYC data has been shared with sub-KUA, for a period specified by the Authority.
- It shall be ensured that full Aadhaar number is not stored and displayed anywhere in the system and wherever required only last 4 digits of Aadhaar number may be displayed.
- As per Regulation 14(i) of the Aadhaar (Authentication) Regulation, 2016, requesting entity shall implement exception-handling mechanisms and backup identity authentication mechanism to ensure seamless provision of authentication services to Aadhaar number holders.
- UIDAI may conduct audit of all KUAs and Sub KUAs as per the Aadhaar Act, Aadhaar Regulations, AUA/KUA Agreement, Guidelines, circulars etc. issued by UIDAI from time to time.
- Monitoring of irregular transactions – KUAs shall develop appropriate monitoring mechanism to record irregular transactions and their reporting to UIDAI.
- Investor Grievance Handling Mechanism – Investor may approach KUA for their grievance redressal. KUA will ensure that the grievance is redressed within the timeframe as prescribed by UIDAI. KUA will also submit report on grievance redressal to UIDAI as per timelines prescribed by UIDAI.
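One way a KUA or Sub-KUA could enforce the "only last 4 digits may be displayed" rule on log lines and display strings, as an added example that is not part of the circular or of any UIDAI code. It relies on the Aadhaar number being 12 digits with a Verhoeff check digit (a fact from outside this page); the function names, the `XXXXXXXX1234` mask format and the sample log line are assumptions.

```python
import re

# Verhoeff tables: D is multiplication in the dihedral group D5, P the
# position-dependent permutation, INV the group inverse of each digit.
D = ("0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")
P = ("0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258")
INV = "0432156789"


def _fold(digits: str, offset: int) -> int:
    """Run the Verhoeff recurrence right-to-left over a digit string."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[(i + offset) % 8][int(ch)])])
    return c


def verhoeff_valid(digits: str) -> bool:
    """True when the last digit is the correct check digit for the rest."""
    return _fold(digits, 0) == 0


def check_digit(payload: str) -> str:
    """Check digit to append to a payload (used here only to build test data)."""
    return INV[_fold(payload, 1)]


# 12 digits, optionally grouped 4-4-4, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d{4}([ -]?)\d{4}\1\d{4}(?!\d)")


def redact_aadhaar(text: str) -> str:
    """Mask every checksum-valid 12-digit number down to its last 4 digits."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        # Checksum failures are left alone: other 12-digit values such as order ids.
        return "XXXXXXXX" + digits[-4:] if verhoeff_valid(digits) else m.group(0)
    return CANDIDATE.sub(mask, text)


# Constructed sample, not a real Aadhaar number: arbitrary payload + check digit.
SAMPLE_ID = "99990000111" + check_digit("99990000111")

if __name__ == "__main__":
    s = SAMPLE_ID  # constructed log line with a hypothetical sub-KUA code
    print(redact_aadhaar(f"2019-11-05 ekyc ok sub_kua=SK001 id={s[:4]} {s[4:8]} {s[8:]}"))
```

A filter like this is a backstop for logs and screens; it does not replace capturing the number only through ANCS and keeping it out of the database in the first place.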
5. On-boarding process of KUA/Sub-KUA by UIDAI:
- As provided in the DoR circular dated May 09, 2019, SEBI after scrutiny of the application forms of KUAs shall forward the applications along with its recommendation to UIDAI.
- For appointment of SEBI registered intermediary / MF distributors as Sub-KUAs, KUA will send list of proposed Sub-KUAs to SEBI and SEBI would forward the list of recommended Sub-KUAs to UIDAI for onboarding. An agreement will be signed between KUA and Sub-KUA, as prescribed by UIDAI. Sub-KUA shall also comply with the Aadhaar Act Regulations, circulars, Guidelines etc. issued by UIDAI from time to time.
- Each sub-KUA shall be assigned a separate Sub-KUA code by UIDAI.
6. The KUA/sub-KUA shall be guided by the above for use of Aadhaar authentication services of UIDAI for e-KYC.
For non-compliances if any observed on the part of the reporting entities (KUAs/ Sub-KUAs), SEBI may take necessary action under the applicable laws and also bring the same to the notice of DoR / FIU for further necessary action, if any. Reporting entity (KUAs/Sub-KUAs) shall also adhere to the continuing compliances and standards of privacy and security prescribed by UIDAI to carry out Aadhaar Authentication Services under section 11A of PMLA. Based on a report from SEBI / UIDAI or otherwise, if it is found that the reporting entity no longer fulfills the requirements for performing authentication under clause (a) of section 11A(1) of PMLA, the Central Government may withdraw the notification after giving an opportunity to the reporting entity.
7. Upon notification by the Central Government permitting the entities recommended by SEBI to undertake Aadhaar based authentication, the Circulars issued in the past by SEBI for e-KYC using Aadhaar based authentication shall stand modified/ revised in compliance with this Circular.