Introduction

The Aadhaar and Other Laws (Amendment) Bill 2018 (Aadhaar Bill) was recently passed in the Lok Sabha. The Aadhaar Bill seeks to amend the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 (Aadhaar Act), the Prevention of Money Laundering Act 2002 (PMLA Act) and the Indian Telegraph Act 1885. The Aadhaar Bill follows in the footsteps of the Supreme Court's decision in the matter of Justice KS Puttaswamy vs Union of India [Writ Petition (Civil) No. 494 OF 2012] (Puttaswamy case), whereby the provision of the Aadhaar Act, which permitted private entities to seek authentication of individuals using their Aadhaar data was held to be unconstitutional.

Erstwhile Regime under the PMLA Act

Prior to the pronouncement of the judgment in the Puttaswamy case, the PMLA Act and the Prevention of Money-Laundering (Maintenance of Records) Rules 2005 (PML Rules), as amended by the Prevention of Money-Laundering (Maintenance of Records) Second Amendment Rules 2017 (2017 Amendment) provided a framework under which the financial institutions1, including inter alia, entities carrying on the business of insurance2, were required to verify3 and authenticate4 the identity of their customers, by using Aadhaar5.

Pursuant to the foregoing provisions, financial institutions having an account based relationship with the customers were mandatorily required to collect the Aadhaar number of their customers within the stipulated timelines6. Consequently, mandatory Aadhaar based KYC regime was introduced across the financial sectors by the respective regulators to stipulate the norms governing authentication of customer identity using Aadhaar number by the financial institutions.

IRDAI Norms

Under the extant insurance regulatory and statutory framework, Insurers were allowed to perform KYC verification of customers using inter alia, Aadhaar e-KYC services, subject to the express consent of the customer7. The Insurers were permitted to authenticate the identity of their customers using Aadhaar information8 and were also required to maintain records of the Aadhaar information collected from the customers9.

However, pursuant to the 2017 Amendment, the IRDAI issued clarifications whereby Aadhaar based KYC was made mandatory in the insurance sector and each insurance policy was required to be mandatory linked with the Aadhaar number of the respective policyholder10. The IRDAI, further prescribed timelines within which the Aadhaar information was required to be provided by the customers to the respective Insurer. However, pursuant to the Supreme Court's interim order in Puttaswamy case of 13th March 2018, the timeline for linking Aadhaar with existing insurance policies was extended till the time the matter was finally heard and decided. Further for new insurance policies, customers who did not have an Aadhaar card were permitted to provide any other officially valid document to the Insurer11.

Aadhaar Judgment

Pursuant to the judgment in Puttaswamy case, the Supreme Court partially struck down the enabling provision of §57 of the Aadhaar Act, which permitted private entities to seek authentication using Aadhaar. Further to the Puttaswamy case, §57 of the Aadhaar Act, effectively read as follows:

"Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect."

Therefore, pursuant to the judgment, financial institutions were effectively prohibited from using Aadhaar based authentication of a customer's identity, which was the primary mode of customer due-diligence and KYC conducted by such private entities. However, the Supreme Court did not provide any clarity on usage of the Aadhaar information, already collected under the existing framework by private entities. `

Aadhaar Bill 2018

The Central Government introduced the Aadhaar Bill to revise the existing Aadhaar framework in harmony with the Puttaswamy case. The Aadhaar Bill removes the mandatory requirement of Aadhaar based KYC and stipulates that individual may provide other officially valid documents and passport, for the purpose of KYC12. The Aadhaar Bill also introduces Aadhaar based offline verification where the identity of the individual can be verified without authentication13.

Further, the Aadhaar Bill provides that where an individual voluntarily provides his Aadhaar information to the financial institutions, the following is required to be ensured:

  1. the financial institutions shall not store the core biometric information or Aadhaar number14;
  2. the financial institutions carrying out Aadhaar based offline verification are required to inform the client, the nature of information that may be shared, usage of the information and the alternatives to submission of the Aadhaar information15;
  3. the purpose for which the Aadhaar information shall be used and/or disclosed, is required to be informed to the client in writing at the time of collection of the Aadhaar information16.

The Aadhaar Bill further omits parts of §12 and §73 of the PMLA Act, which imposed an obligation on the financial institutions to verify the identity of the clients in the prescribed manner17. However, the Aadhaar Bill does not stipulate any amendment to the PML Rules, which imposed an obligation on the financial institutions to mandatorily collect Aadhaar number before commencement of an account based relationship with the client. It must however be noted that per the accepted principles of interpretation of statutes, a subordinated legislation made under a statute ceases to have effect after the repeal of the enabling statute18.

Impact on the Insurance Sector

Pursuant to the judgment of Supreme Court in Puttaswamy case, the IRDAI recently issued a circular on "Allowing Aadhaar Card as one of the acceptable documents for KYC – under certain conditions" of 29th January 2019 (Circular). The Circular provides that the Insurer may carry out Aadhaar based KYC, provided the customer has voluntarily opted for it19. Further, where the Insurer is collecting Aadhaar of the customer, it is required to ensure that at no point in time, more than last four digits of the Aadhaar number of any individual are stored by the Insurer, either in physical or digital form and the digits preceding the last four number are properly/ appropriately masked. Further, Insurers are expressly prohibited from carrying out authentication using "e-KYC facility" or "Yes/No authentication facility" offered by the UIDAI.

However, it is pertinent to note that the IRDAI has not issued any clarification or direction with respect to the usage of the Aadhaar information already existing with the entities engaged in insurance business.

Conclusion

The Aadhaar Bill has been a welcome proposed change to the law as it provides much needed clarity regarding use and storage of Aadhaar numbers of the customers of financial institutions. Regulators are taking cue from the Aadhaar Bill to provide clarity to the respective financial institutions regarding the norms to be followed vis-à-vis the Aadhaar data of the customers. Enactment of the Aadhaar Bill is the need of the hour as the bill in its present form is not enforceable in law.

Footnotes

1. §12 of the PMLA Act read with §2(1)(l) of the PMLA Act.

2. §45(I)(c)(iv) of the Reserve Bank of India Act 1934.

3. §12 of the PMLA Act.

4. Rule 9(15) of the PML Rules.

5. R9(1) and R9(4) of the PML Rules.

6. Rule 2 of the 2017 Amendment.

7. Circular on "e-KYC services of UIDAI" of 21st October 2013; "Master Circular on Anti Money Laundering/Counter- Financing of Terrorism (AML/CFT)-Guidelines for Life Insurers" of 28th September 2015.

8. Circular on "Clarification of Aadhaar based e-KYC" of 31st August 2017.

9. Ibid.

10. Circular on "The Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017" of 8th November 2017.

11. Circular on "The Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017" of 20th March 2018.

12. §25 of the Aadhaar Bill.

13. §2 and §25 of the Aadhaar Bill.

14. §7 of the Aadhaar Bill.

15. §7, §26 and §27 of the Aadhaar Bill.

16. §11 of the Aadhaar Bill.

17. §26 and §27 of the Aadhaar Bill.

18. Pg no 654, GP Singh, "Principles of Statutory Interpretation", 10th Edition, Wadhwa and Company, Nagpur (2006).

19. Circular on "Allowing Aadhaar Card as one of the acceptable documents for KYC – under certain conditions" of 29th January 2019.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.