In the context of growing demands for secure digital identity verification, the Pension Fund Regulatory and Development Authority (PFRDA) has recently issued new guidelines. The gazette notification S.O. 5683(E) now allows entities onboarded for Aadhaar authentication under the Prevention of Money-laundering Act, 2002 (PMLA) to perform such verification using the e-KYC setu system, subject to compliance with privacy and security standards.

The e-KYC setu system, maintained by the National Payments Corporation of India (NPCI), will enable identity verification without disclosing the individual’s Aadhaar number to the reporting entity. The responsibilities for compliance with the Aadhaar Act are divided between the reporting entities and the NPCI, which will serve as the reporting entity for the e-KYC setu system.

Furthermore, the reporting entities are required to undertake certain measures, such as obtaining consent before collecting identity information, notifying the individual about each authentication attempt, and providing a mechanism for revocation of consent. In addition, NPCI is responsible for ensuring that the e-KYC setu system is compliant with privacy and security standards, undertaking regular audits, and facilitating smooth onboarding for reporting entities.

PENSION FUND REGULATORY AND DEVELOPMENT AUTHORITY

Circular no.: PFRDA/2023/22/REG-POP/05 Date: July 25, 2023

To
PoPs, CRAs and NPS Trust

Subject: Verification of Identity by Reporting Entity under sub-section (1) of Section 11A of the Prevention of Money Laundering Act, 2002

Vide Gazette notification S.O. 5683(E) dated 6th December, 2022, issued by Department of Revenue (DoR), Ministry of Finance (copy attached), Central Government notifies that regulated entities onboarded to perform authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016) (hereinafter referred to as the Aadhaar Act) for the purposes of section 11A of the Prevention of Money-laundering Act, 2002 using the e-KYC setu system be permitted to do so, after being satisfied that the e-KYC setu system complies with the standards of privacy and security under the Aadhaar Act.

2. The e-KYC setu shall be a system put in place by National Payments Corporation of India (NPCI) to enable verification of identity of a client or its beneficial owner by a reporting entity through authentication under the Aadhaar Act without disclosing the Aadhaar number of the individual to the reporting entity.

3. NPCI is required to ensure that the authentication is carried out using the Aadhaar number of the client as per the regulations laid down by UIDAI, without disclosing full Aadhaar number to the reporting entity and after carrying out authentication, NPCI shall share the last four digits of the Aadhaar number of the client, along with his demographic details made available to it by UIDAI, digitally signed by it, with the reporting entity and the reporting entity shall carry out identification of the client based on the details provided by the client and NPCI.

4. A list of entities on-boarded for the purpose of carrying out the authentication using the e-KYC setu can be accessed at http://npci.org.in/e-KYCsetu/ along with the date from which they have been on-boarded.

5. Whereas the DoR has issued the ibid notification under PMLA for the Reporting Entities regulated therein, however, at the same time the Requesting Entities sending authentication requests to UIDAI are regulated under the relevant provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 [the Aadhaar Act hereinafter]. Under the eKYC setu system the regulated entities shall function as the Reporting Entities as per provisions of PMLA. However, since the functions like collection of Aadhaar number and biometrics/OTP, creation of authentication request, use of authentication license key, communication and storage of authentication response, obtaining consent, providing grievance handling mechanism, etc. are done independently and separately by regulated entities and NPCI — their responsibilities under Aadhaar Act as Requesting Entities shall accordingly be limited to the extent of functions performed by them.

6. To aid NPCI and the Reporting Entities using this system for smooth on-boarding, compliance with the Aadhaar Act and Regulations there under and friction free services the roles and responsibilities of various stakeholders are provided at Annexure A.

Ashish Kumar Bharati
(General Manager)

Enclosed: a/a

Annexure A

A. Reporting Entity:

i. The Reporting Entity shall ensure that relevant provisions under the Aadhaar Act, 2016 and Regulations there under and relevant circulars/guidelines issued by UIDAI from time to time are duly complied at all times for continuation of smooth and friction-free authentication services.

ii. The Reporting Entity shall submit license fee at prescribed rates to UIDAI subsequent to which a unique/identifier entity code shall be allotted to Reporting Entity from UIDAI.

iii. Reporting Entity shall not collect, use or store Aadhaar number or biometric information of any client or beneficial owner for any purpose.

iv. Reporting Entity shall obtain the consent of an individual before collecting his identity information for the purpose of authentication in such manner as specified by the Aadhaar Act, 2016 and regulations there under.

v. Reporting Entity shall notify its client or beneficial owner about any Aadhaar authentication, including success or failure of authentication of each request, performed by them through SMS, email or any other digital means or paper-based acknowledgement.

vi. Reporting Entity shall provide a mechanism for the client or its beneficial owner to revoke his consent given to Reporting Entity and upon such revocation Reporting Entity shall delete the e-KYC data in a verifiable manner and provide an acknowledgment of the same to the client or beneficial owner.

vii. Reporting Entity, after receiving digitally signed response packet including last 4 digits of Aadhaar number of the client along with his demographic details, shall carry out identification of the client based on the above details provided by the client and NPCI. Reporting Entity shall not share e-KYC data, obtained from NPCI under eKYC setu system, with any other entity or agency for any whatsoever reason.

viii. Reporting Entity shall retain the logs of authentication transactions (including that of consent taken) in a verifiable and auditable manner for the period as prescribed under the Aadhaar (Authentication and Offline Verification) Regulations, 2021. Purging of such logs upon expiry of the period shall also be in accordance to the Aadhaar Act and/or regulations thereof.

ix. The Reporting Entity shall undertake audit of the operations, systems and procedures through CERT-In empanelled IS auditors to ensure the compliance with the Aadhaar Act, rules, regulations, policies, procedures, directions, guidelines, circulars, MoU laid down. Further UIDAI reserves the right to undertake audit of Reporting Entities, either by itself or through audit agencies, appointed by it to ensure the compliance with Aadhaar Act, rules, regulations, policies, procedures, directions, guidelines, circulars, MoU.

x. Reporting Entities shall ensure its audit and inspection by NPCI or by any CERT-In empanelled third-party auditor appointed by NPCI or UIDAI, at such frequency or timeline as may be prescribed by NPCI and/or on the direction of UIDAI.

xi. The Reporting Entity if found in breach of compliances with Aadhaar Act, 2016, rules, regulations, policies, procedures, directions, guidelines, circulars, MoU shall be liable for offences and penalties as prescribed under the Aadhaar Act, 2016, rules and regulations framed there under.

xii. Reporting Entity shall immediately stop using the e-KYC Setu Services if its license or authorization to carry out regulated business has been suspended, cancelled or withdrawn by the appropriate regulatory authority.

xiii. Reporting Entity shall provide an effective grievance handling mechanism to the resident via multiple channels like website, call center, mobile app, SMS, physical center etc.

B. National Payments Corporation of India (NPCI):

i. NPCI shall design, develop and maintain e-KYC setu system in compliance with the standard of privacy and security laid down by Unique Identification Authority of India (UIDAI). NPCI shall perform Aadhaar-based eKYC authentication as a service to these Reporting Entities.

ii. NPCI shall get the e-KYC setu system audited from CERT-In empanelled IS Auditor before implementing it. Thereafter, NPCI shall undertake audit of the system, through a CERT-In empanelled IS Auditor, on yearly basis and shall submit the report to UIDAI. Further UIDAI reserves the right to undertake audit of the eKYC setu system, either by itself or through audit agencies appointed by it, to ensure the compliance with Aadhaar Act, rules, regulations, policies, procedures, directions, guidelines, circulars, MoU.

iii. NPCI shall ensure that Memorandum of Understanding (MoU) executed with Reporting Entities must incorporate relevant provisions of Aadhaar Act, 2016 and regulation there under. NPCI to seek concurrence of UIDAI on draft MoU with respect to provisions pertaining to Aadhaar.

iv. On receiving an on-boarding request or application from Reporting Entity, NPCI shall send the request details to UIDAI for issuing a unique/identifier entity code for the respective Reporting Entity.

v. NPCI to ensure that Reporting Entity puts up a grievance handling mechanism for the resident through its MoU/Agreement with the Reporting Entity.

vi. NPCI through adequate provisions of MoU shall ensure audit and inspection of Reporting Entities at such frequency or timeline as may be prescribed by NPCI and/or on the direction of UIDAI.

vii. UIDAI has notified the Aadhaar (Pricing of Aadhaar Authentication Services) Regulations, 2021 dated 14.10.2021 whereby UIDAI raises invoices on the basis of criteria laid down in these aforementioned regulations. In this backdrop, following is mentioned for authentication transaction billing purposes:

a. UIDAI CIDR provides response to authentication requests within 10 seconds and any response beyond that is not considered for pricing by UIDAI. Therefore, NPCI may keep the response timeout accordingly. It is the responsibility of NPCI to ensure proper connectivity with CIDR. If the response is given by CIDR, it cannot be considered a timeout transaction if not received at NPCI server.

b. UIDAI will raise invoice on NPCI as per the billing cycle for all the chargeable successful and failed Yes-No & e-KYC transactions as per the criteria mentioned in the Aadhaar (Pricing of Aadhaar Authentication Services) Regulations, 2021.

c. It shall be responsibility of NPCI to pay authentication charges within the stipulated time as and when invoice raised by UIDAI in this regard. Any delayed payment or non-payment shall attract appropriate action from UIDAI including but not limited to imposition of interest, suspension of license key and termination of agreement. UIDAI shall not be concerned with any default in payment by clients of NPCI and no concessions/relaxations, whatsoever, be requested from UIDAI on this ground.

d. Any dispute between NPCI and its Reporting Entities regarding authentication transaction billing shall be exclusive to them and be dealt in accordance with their mutual agreement. UIDAI shall not have anything to do with that and it shall not be approached for any mediation or resolution of such disputes, whatsoever.

viii. NPCI shall, at all times, ensure compliance of provisions of Aadhaar Act, its associated regulations and other circulars/instructions issued by UIDAI from time to time and also obligations as per the agreement with UIDAI. It shall ensure compliance on the part of Reporting Entities also through its MoU/Agreement with them.

ix. Any Reporting Entity found to be in violation as per provisions of Para 6 of the DoR Notification shall be de-boarded by NPCI as per provisions of the said Para of the DoR notification.
