If the requirement of full know-your-customer guidelines wasn’t bad enough for mobile wallet companies, now even the easier way of authenticating customer details seems to be closing for them.
The Unique Identification Authority of India (UIDAI), which manages the country’s Aadhaar repository, has restricted the access of payment companies to its database by classifying them as local authentication user agencies, citing concerns over their security systems.
An authentication user agency (AUA) is allowed to capture Aadhaar information from a person and submit them to the Central Identities Data Repository for validation.
Following questions on privacy and security raised by the Supreme Court, UIDAI decided to categorise the agencies as either local or global AUAs and provide segregated access for the two groups.
In a letter to all authentication agencies dated May 16, a copy of which was seen by ET, UIDAI said only global AUAs will be allowed access to full eKYC with Aadhaar number, while local agencies will have restricted access.
While banks have been classified as global AUAs, all payment companies and other entities in the authentication business have been categorised as local ones. This means payment companies can only accept virtual Aadhaar numbers from consumers. UIDAI offers virtual IDs for consumers — to protect against misuse of their Aadhaar numbers — and these can be used for verification.
Some entities required to verify clients with Aadhaar number may not have the requisite security systems needed to use or store these numbers and have been precluded from the list of global AUAs, according to the letter from UIDAI.
“Even cooperative banks and regional rural banks seem to have greater safety systems than technology companies like ours — it will only make business more difficult, especially while gathering full details from the customer,” said the chief executive officer of a payments company that is a licenced AUA.
Digital wallet companies were mandated by the Reserve Bank of India to ensure complete KYC of their customers to be able to offer the full set of payment services from peer-to-peer payments to buying goods and services.
With this move, wallet executives said they will have to rely on customers to get their virtual ID from the UIDAI website to be able to use their wallets.
“There is no restriction on doing a biometric scan of customers through the UIDAI-certified dongle — that will continue to happen for people who are not digitised yet,” said a senior executive of a payments company that has an AUA licence. “But for those who are accessing wallets on the mobile or online, they would be required to use their virtual IDs from July 2018.”
While the industry lauded the efforts of the administration to ensure the safety of Aadhaar data, it also said more players could have been included in the global AUA list, which could have made business simpler.
Another top executive said this step will lead companies to go back to the original means of customer authentication such as using PAN cards or driving licences. While this is not impossible, it pushes up the cost of KYC.
“Our business models were not built for such changes. While we have to abide by such norms and we realise that data privacy concerns around this space are genuine, what it also causes is shooting up of costs and customer inconvenience,” the executive said.
As per data released by UIDAI, the number of eKYC transactions for May fell to 212.7 million from 227.9 million in April and 369 million in March. About 19.7 billion authentications have been processed through UIDAI and 1.2 billion Aadhaar numbers have been generated.