The Indian KYC Context. Mutual relationship between regulated businesses and their customers begins with a simple step: Know Your Customer (KYC). This process was fraught with paper work, delays, intrusive checks and excessive costs until a few years ago. Aadhaar changed this dramatically with the introduction of Aadhaar KYC which had limited but enough information to establish identity. All a citizen had to do was provide their Aadhaar (Unique 12 digit number) and biometrics (fingerprint of iris) and the KYC was done electronically. Instantly. Since its introduction in early 2014, over 6 billion Aadhaar electronic KYCs have been completed. No mean feat. If Aadhaar was a private company, it certainly would be the darling of venture capitalists battling to invest their last remaining penny.
The Supreme Court ruling on Aadhaar. This however was short lived as India’s Supreme Court – taking on as many as 31 petitions on the grounds that Aadhaar violated people’s privacy – on 26 September 2018, ruled that Section 57 of the Aadhaar Act, which allows wide use of Aadhaar KYC by private companies, is unconstitutional without the backing of new laws. The arguments for and against were so strong that it appeared like a boomerang having swung sharply forward, swung just as sharply backward. The opponents, convincingly, argued that the use of biometric authentication as the “only means of verifying ones identity” was creating a new kind of social exclusion, in particular, for those whose biometrics fail to authenticate them successfully (normally termed as false rejection). There are plenty of evidences on denial of services due to false rejections (or biometric authentication failures for legit citizens).
Ambiguity reigns supreme. Since this ruling, there has been tremendous ambiguity among regulators, service providers, and consumers alike. Whilst there has been attempts by proponents to instill confidence, the regulators, left in a state of pique, have not provided any clarity to the use of Aadhaar KYC. But one thing that is crystal is that Aadhaar is not binding in contemporary India and citizens can choose any form of government identity of his or her choice. Naturally, the industry’s fear is that this will lead to collecting paper documents which will increase operational costs and take them back to pre Aadhaar days.
Alternatives to Aadhaar KYC. In order to verify a person’s identity, the following information is needed: A proof of ID, A proof of address and a recent photograph. All of this is provided by Aadhaar KYC (albeit the recentness of the photograph is debatable as mine is about 7 years old at the time of writing this). The same can also be obtained in a variety of documents such as PAN Card, Voter ID, Driver’s license and Passport, all of which are officially valid government issued identity documents. As on date there are six different officially valid documents that citizens can use for financial services. Aadhaar provides a means to verify that the person holding the Aadhaar ID (1st factor) is the indisputable owner through a biometric (2nd factor) authentication in real time. With other IDs, the legitimacy can be established, however, it doesn’t prove that the ID belongs to the person holding it (e.g. stolen or compromised identities). Despite this weakness, the element of trust has long been long established that the holder of the ID is the true owner unless proven otherwise (e.g. through background checks to determine if the document is reported stolen or barred for previously reported fraud).
New Possibilities. Smart cards with a chip can be an ideal replacement which can hold the biometrics of the individual and can be verified offline without privacy violations (and the card can be blocked or replaced if it’s compromised). One potential issue is the cost of producing billions of cards with chips and catering to changes and replacements (e.g. lost or damaged or upgrading chips for security vulnerabilities). Given that the current cost of producing an Aadhaar card, end to end, is approximately $1 and the smart cards could be as high as $10, it might be prohibitive for a country like India with over a billion people and growing.
Another option is the digitally signed QR codes issued by Aadhaar that is now available for any citizen to download, print and use. Although the service providers are slow to catch up using QR codes, this could all change with clarity from the regulators and initiatives from UIDAI. The QR code comprises limited demographic data and the photograph. This could then open up the possibility of non-face to face verification using OTP (first factor) and matching the photo in the QR against the live face (second factor).
The physical Aadhaar card themselves, without the biometric authentication, will continue to be used widely as an identification document in the years to come; now that is has legal backing. There are products such as Atlas KYC which uses ID scanning technology to auto populate the digital form by reading any ID and facial recognition to verify that the person holding the ID is indeed the true owner of the ID. One of the benefits of Aadhaar KYC is the plug and play nature of the backend infrastructure which allowed businesses to quickly deploy it. Therefore, any alternative to Aadhaar KYC should exceed the current lean business model. And Atlas KYC is one such solution.
Concluding Thoughts. India has made a giant leap traversing the digital super highway and it would be catastrophic to travel twice as fast on the wrong way back to where we started. Service providers should come to terms that customers can provide any ID of choice for KYC and expect the process, no less, to be just as easy as Aadhaar KYC. The industry and the regulators need to act. And act fast.
FRSLABS is an award winning research and development company focussed on developing the simplest customer onboarding solution for businesses. Using advanced deep learning and computer vision techniques, Atlas software provides accurate and fast ID scanning (one of the fastest on the market), selfie or video capture with liveness detection and real time face verification and fraud checks (using internal and external data sources).