Read Rebooting India: Realizing a Billion Aspirations Online
Authors: Nandan Nilekani,Viral Shah
Apart from the ability to reach those segments of society who have been cut off from access to formal financial services, paperless products also make it easier to verify the authenticity of each transaction. Electronic documents come with in-built security measures that make them tamper-proof—for example, documents with a digital signature cannot be modified or forged in any way. With this level of safety, trust in the system increases and brings down the cost of doing business for everyone. If you’re buying a product from a financial company today, regulators require that you be physically present while the transaction is carried out and while the company representative is verifying your documents. The e-KYC service does away with this requirement, since the entire transaction can now be completed online.
The largest benefit of e-KYC comes from the fact that different forms of electronic data can now be combined to offer an entirely new class of services that could not exist otherwise. The potential impact is huge, especially in a society where people have to prove their identity, trustworthiness and reliability over and over to different institutions. For example, the computation of a credit score combines data from multiple sources, making it possible for those with a good credit score to get low-interest loans. Car insurance providers access your driving history to assess the level of risk and provide the most competitive pricing for an insurance policy.
Combine the speed of analysing digital data with the ease of
verifying a digital identity, and you have a model in which transactions can be completed in real time—in minutes instead of days. With the upcoming data revolution, smartphones will keep getting cheaper while data costs go down, so everyone with a mobile connection can easily access the internet, laying the foundation for an entire suite of electronic financial services to be offered across the country.
If this vision is to become a reality, it requires a combination of regulation and innovation in the marketplace. Data privacy is a concern, and no agency should be granted unfettered access to a person’s private information. On the other hand, it isn’t possible to develop new services and products without regulated access to consumer data. The job of balancing these two imperatives falls to a regulatory authority; regulators like the Securities and Exchange Board of India, the Telecom Regulatory Authority of India (TRAI) and the RBI provide oversight to specific industries, ensuring that the consumer’s interests are protected while also mandating a certain minimal amount of data sharing by all industry members so that things function smoothly. The same model can be implemented when it comes to building and offering paperless products and services.
The legislatory and regulatory framework needed for the emergence of a paperless society is largely in place in India. The Information Technology Act of 2000 lays down the criteria that electronic documents must fulfil in order to be treated on par with paper documents, which we will return to later in this chapter. The Electronic Delivery of Services Bill, introduced in the Lok Sabha in 2011, requires all public service delivery to be digital within a period of eight years. While the bill is yet to be passed, some Indian states have already implemented similar legislation. A further validation of the move towards a paperless government came on 15 August 2014, with the launch of the Digital India initiative; among other goals, It envisions the creation of a secure, Aadhaar-linked ‘digital locker’ for storing important documents electronically, as well as an eSign service that allows for secure digital signing of these documents. It is now in the early stages of implementation.
2
KYC norms were originally set in place to guard against money laundering and other fraudulent financial practices, but they took on a new, darker dimension after the terrorist attacks of 9/11. As Suyash Rai, a researcher at the National Institute of Public Finance and Policy, explains:
On 9 September 2001, Mohammad Atta hijacked American Airlines Flight 11 and flew it into the North Tower of the World Trade Centre. Tracing flows of money led to the observation that a high ranking official within Pakistan’s Inter-Services Intelligence (ISI) had allegedly ensured more than USD 100,000 was wired to Mohammad Atta, before the attack took place. Law enforcement authorities became quite keen to observe and block the ‘financing of terror’.
3
New laws against money laundering were implemented and existing laws were strengthened so that suspicious financial transactions could be closely monitored for terrorist links. The Financial Action Task Force (FATF), an inter-governmental organization set up to develop policies against money laundering and terrorist financing gained greater importance. India joined the FATF in 2002, which meant that it would have to comply with the international standards set in place by FATF. Such a decision made sense both in terms of security as well as economics—for example, Indian banks which were not FATF-compliant could not expand into other countries. As part of compliance with these regulations, India passed the Prevention of Money Laundering Act in 2005 and set up a Financial Intelligence Unit (FIU). Banks are supposed to report all suspicious transactions and customer behaviour to the FIU for further investigation.
As part of these heightened security measures, the RBI issued a directive that all new accounts opened in the second half of 2002 had to be compliant with KYC standards, and the same rule was extended to cover existing accounts by 2004. In practical terms, what this meant
for customers was that they now needed to produce a valid proof of identity and proof of address. Without a passport, a PAN card, a driver’s licence, a ration card or other such documents, it was no longer possible to open or operate a bank account with a recognized bank. At one stroke, the barriers for entry into the formal financial sector became impassably high for millions of Indians.
Even before the KYC norms were implemented, rural India had very limited access to banking facilities—some 600,000 villages had no access to banking services. The reason was largely economic—it is expensive to set up and staff a bank in a remote village, and the transaction volumes may be too small to cover such costs. Adhering to KYC norms is both costly and time-consuming, and this additional burden made banks even less enthusiastic about expanding into the rural sector. Suyash Rai continues, ‘India is a member of FATF, and Indian regulators are obliged to apply Customer Due Diligence (CDD). Regulators in India have applied CDD through excessive forms of “Know Your Customer” requirements, which go well beyond the requirements of CDD. As a result, financial firms in India face increased costs.’
Usha Thorat, former executive director at the RBI, adds, ‘Realizing that KYC was becoming a problem, the RBI mandated that small-value accounts—50,000 rupees or less—could be opened on behalf of an individual by a registered account holder who had already undergone the KYC process. Even though this was designed to make it easier for people to open accounts without getting caught up in KYC requirements, the banks were too worried about the FATF and the FIU to act on this decision.’
Another challenge came from the security concerns of the home ministry. Given the proliferation of prepaid SIM cards and cybercafes, anti-social elements could use phone networks and the internet for nefarious purposes without the fear of being traced, whether they were petty criminals or terrorists planning a major strike. To guard against this possibility, every customer buying a SIM card or using an internet connection must go through some form of identity verification.
The imposition of these stringent KYC standards has had the
unintended consequence of distorting the market for financial service providers. The people who most desperately need financial, telecom and internet services have found themselves out in the cold thanks to the prevailing regulatory climate, while the same regulations also make it financially unviable for providers to offer them these services. Our early discussions around the role of Aadhaar in KYC therefore centred around trying to solve both parts of the problem at once, providing a service that could successfully meet the competing needs of inclusion and security.
One of the earliest discussions we had about the need for electronic KYC was with Adhil Shetty, co-founder of BankBazaar.com, an online portal which helps banks disburse loans online. He told us that all parts of their loan disbursement process had been digitized, including getting customer details, salary details, bank details, the credit check, and even the bank’s decision on the loan. There were only three parts that they had not been able to digitize due to regulatory issues: a photograph, proof of identity, and proof of address. These documents had to be collected from the customers at a huge cost by sending a representative to collect the documents, verifying them and then often going back and picking up new copies in case of an error the first time around. If these requirements could somehow be satisfied electronically, the entire loan disbursement process could go digital. Such early discussions were crucial in shaping the need for e-KYC, a vision which finally became a reality in 2013 after a great deal of work on the ground.
We worked with the central and state governments to accept Aadhaar as a proof of identity and address for accessing government services and benefits. Many state governments, in consultation with the UIDAI, issued official notifications putting Aadhaar on par with other forms of government ID. For any document to be accepted as a valid KYC document in the financial sector, it must satisfy the requirements of the FATF and comply with the provisions listed under the Prevention of Money Laundering Act (PMLA). Both
of these fall under the jurisdiction of the department of revenue in the ministry of finance. Hence, our quest to add Aadhaar to the list of officially accepted KYC documents began here, and UIDAI patiently followed up for several months to get the necessary two lines added to the appropriate legal documents of the government. Once the government notification was in place, all the major regulatory bodies—the RBI, the SEBI and the Insurance Regulatory and Development Authority (IRDA)—followed suit, issuing their own notifications. Today, Aadhaar as a valid KYC document has been accepted by the telecom regulator, financial institutions, Indian Railways and all state governments.
The widespread acceptance of Aadhaar as a KYC document was half the battle won. Initially, we thought that the simplicity and standardization that Aadhaar could introduce would be enough to lower the costs of doing business for banks and service providers who were otherwise struggling with adherence to KYC norms. However, a meeting with the Financial Intelligence Unit (FIU)—the central agency tasked with monitoring financial transactions to detect activities such as money laundering—proved otherwise.
The UIDAI was represented at the meeting by a three-member team, consisting of Ashok Pal Singh, Rajesh Bansal and Viral. We presented the use of Aadhaar authentication as electronic KYC. In this transaction, the resident would provide his address, for example, and the service provider would enter it into the system, and cross-check it against the UIDAI database: Is this the address of person X? The database would merely answer Yes or No. The UIDAI would not actually share any information with the service provider at all; any questions would be met only with a Yes or No answer.
However, we learnt that this model would not meet the KYC norms. The main objection was that all the data would remain only with the UIDAI; the service provider would not have any customer data to enter into their records. Service providers usually need to have their customers’ information, such as their photograph, on file for audits and other operational reasons. A second objection was that every time the UIDAI’s database had to be queried, the service provider
would have to manually enter the details, such as typing in a person’s address and then asking, ‘Is this the address of person X?’ Manual data entry provides plenty of room for error, and this could unnecessarily complicate the KYC transaction. Apart from the FIU, other agencies like the department of telecommunications and the TRAI also raised similar concerns.
Given these issues, it was time for us at the UIDAI to go back to the drawing board, trying to come up with a solution that prioritized customer convenience while also satisfying regulatory requirements. The solution that emerged was the development of a paperless KYC system—the e-KYC service, as it came to be known. Similar to our earlier proposal, the first step remains the same, that of verifying an individual’s identity using their Aadhaar number and biometric data. The second step is where things change. Instead of manually querying the database, the customer authorizes UIDAI to release their demographic information—their date of birth, address and gender—and their photograph to a bank or any other service provider, who can now retain this information in their records. Ashok Pal Singh recollects, ‘When we were talking to the FIU about conventional paper-based Aadhaar, we asked them, “What is your wish list for KYC?” They indicated that they wanted something which was totally online, virtual and instant, as well as being foolproof and non-repudiable. All of these qualities were incorporated into e-KYC.’
While it seems simple enough in retrospect, it took us a long time to arrive at a workable solution. The original design of Aadhaar hinged on the fact that once a person’s data entered the database during enrolment, it would stay there. No data would be allowed to leave, and only Yes/No responses would be permitted during authentication and verification. The Aadhaar holder was the only person who could look up their own data and update it as needed.
The idea of any data leaving the Aadhaar database made many of us very uneasy, ingrained as it was in our minds that data could enter, but could never leave. It took us all a while to come to terms with the realization that the e-KYC solution was compliant with Aadhaar’s security and privacy framework. This mental journey was
quite instructive, helping our thought processes to mature to the point where we could envision Aadhaar being applied in many different domains. As closely as the trio of Ashok Pal Singh, Rajesh Bansal and Viral had been involved with the KYC story, it isn’t surprising that they were among the first to get comfortable with the e-KYC concept. Others were more resistant; Nandan himself was not fully convinced, and had asked our team to come up with an alternative solution. We were quite confident with the model we had proposed, and to move towards a final decision, we resorted to the time-honoured government tradition of ‘putting it on file’. After the dust had settled, Viral recalls Ashok Pal Singh saying, ‘Whoever does not like this solution can reject it on file.’ Rajesh Bansal was also given to proclaiming, ‘Nobody will ever reject a pukka file.’