e-KYC Aggregator: The Inelegant Solution
[Anika is a student at Jindal Global Law School.]
Earlier this year, it was announced that the Unique Identification Authority of India (UIDAI) and the National Payments Corporation of India (NPCI) will be setting up an aggregator (Aggregator) platform for eKYC (electronic know-your-customer). It is believed that “the new platform will enable entities that are regulated by the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), the Pension Fund Regulatory and Developmental Authority (PFRDA) and the Insurance Regulatory and Development Authority of India (IRDAI) to register on it”. There has been no further official communication about the procedural nuances of this move or its intended rationale. This incompleteness creates opacity in the industry about its potential risks and benefits. In a bid to reduce the ambiguity, this piece will try to break down the probable rationale behind the Aggregator, the need for it in the presence of comparable systems, and the benefits and risks it poses to consumers.
Under the current legal paradigm, the primary regulatory bodies – RBI, SEBI, PFRDA, IRDAI and the UIDAI – have formulated separate KYC rules and regulations for the different entities governed by them. As a result, these regulations sprawl nebulously, confusing entities and users and forcing them to comply with multiple, convoluted directions that ultimately aim at a similar goal, i.e., prevention of money laundering under the Prevention of Money Laundering Act 2002 and the Prevention of Money Laundering Rules (Maintenance of Records) 2005 (Rules). This duplication of compliance becomes extremely inconvenient for multi-regulated entities (REs) such as CoinSwitch, Zerodha and Upstox (governed by both RBI and SEBI). There is no clarity on which regulation these entities need to comply with (the KYC Master Directions by the RBI, the SEBI KYC Registration Agency Regulations 2011, the UIDAI Aadhaar (Authentication and Offline Verification) Regulations 2021, or all of them simultaneously), which in turn forces them to comply with each of them in a silo. This is inconvenient from a logistical point of view, increases administrative and transactional costs, and arguably makes little commercial sense. Additionally, the appointment and responsibilities of the intermediaries required under each set of regulations lead to long-winded and duplicative processes, and the administrative red tape built into these regulations makes it difficult for all consumers to implement them.
Presumably, this rigmarole forced the government to look at centralized operations such as the Aggregator to gather the necessary data on a real-time basis so that, in the first instance, the institution and its management have a clearer picture of operations and risks, and in the second instance, the information can be repackaged as necessary to meet the requirements of regulators. Further, it may also have been introduced because (i) the erstwhile mechanisms such as the Central KYC Registry (CKYCR) and DigiLocker were insufficient due to the lack of integration between the central DigiLocker and the state DigiLockers, which led to administrative confusion; (ii) a centralized databank contains information on more individuals, and that information is better integrated and correlated, so it could provide the information sought more rapidly and more conveniently than a decentralized database; (iii) with the high visibility that comes from public and legislative scrutiny, a centralized system is likely to have effective privacy protection requirements and enforcement of them; and (iv) the rising cost of data processing makes it impracticable for taxpayers to fund every state or municipal agency maintaining its own personal-information file, so centralizing databases may be cheaper (this was also studied in Finland, where the cost of carrying out the process was reduced drastically).
It is argued that, among other things, (i) the Aggregator will eliminate the need for individual registration to undertake e-KYC using Aadhaar and will have operational benefits such as reduced costs by preventing the multiple sharing of the same details; (ii) it may enhance privacy as “service players will have limited access to customer data i.e. only the last four digits of the customer documents and not the masked customer documents”; (iii) it will ensure ease of verification and updation, which will encourage financial inclusion, i.e., NBFCs can easily reach out to consumers and offer loans because of low operational costs; (iv) organizations can avoid the cost of setting up and maintaining their own KYC infrastructure, which will prove especially beneficial for smaller organizations; and (v) the databanks in a decentralized set-up are far less visible, and this change would bring accountability.
The CKYCR, established under Section 2(aa) and Section 9 of the Rules, is entrusted with the responsibility of operating and maintaining a KYC Registry. It caters to REs of four major regulators, i.e., RBI, SEBI, IRDAI and PFRDA. Under this framework, an RE furnishes the updated KYC records of a consumer to the CKYCR, which in turn gives the consumer a KYC identifier (Section 9(1B)). As a result, a consumer is able to transact using this number and need not furnish new details each time.
DigiLocker, by contrast, is a digital environment that stores official documents and certificates for consumers. It is governed by the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules 2016 and is a consumer-centric initiative that allows selective access to documents while a consumer undergoes the KYC process for REs.
Given these mechanisms, it is argued that there is no real need for an Aggregator (the compliance problems of multi-regulated entities are resolved through the CKYCR). An Aggregator will only confuse consumers and be counterproductive to the idea of a single centralized database. Apart from privacy concerns, it will also face teething issues of compliance when the government decides that the documents already stored in the CKYCR and DigiLocker should be collated in the Aggregator. This will require the consumer’s consent and the RE’s consent, along with updating and uploading the records to the Aggregator.
The only point of difference between these and the Aggregator, then, is the governing body. The CKYCR is an initiative of the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), a body that was primarily created to restrain fraudulent activity in lending transactions against equitable mortgages; DigiLocker is an initiative of the Ministry of Communications and Information Technology. The Aggregator, by contrast, is being set up by NPCI, which was primarily created to enable a robust payment and settlement infrastructure, and UIDAI, which was created to issue Aadhaar to Indian residents. This distinction is pertinent because NPCI and UIDAI are more adept at undertaking KYC and managing its challenges. NPCI was tasked with, and lauded for, the Digital India initiative through the Unified Payments Interface and has been trusted with bringing innovation to the retail payment system, and UIDAI is responsible for Aadhaar, which is the most prominent means of undertaking KYC. Therefore, proponents of the Aggregator could argue that the involvement of the UIDAI in its administration will make the process relatively more seamless than the erstwhile mechanisms. However, a risk-benefit analysis needs to be undertaken on whether an entirely new system is needed with the sole rationale of transferring administrative control to different entities within the government, or whether the intended outcome can instead be achieved by internally relinquishing control and creating robust committees to oversee operations.
An Aggregator could have multiple benefits, although the lack of clarity around it yields multiple challenges that outweigh these benefits.
An often-stated concern about centralized KYC systems is that they will inevitably lead to endless information gathering about individuals until complete dossiers are created. This abundance of information may tempt participating agencies to retrieve more information than is necessary for their purposes. Similarly, concentration could also invite overt intrusions, i.e., physical entry, by force or subterfuge, into databank computer facilities, terminal rooms, etc. Additionally, a centralized Aggregator will allow for increased seeding, which may increase the likelihood of a data breach. A decentralized system inherently limits such breaches.
With the Aggregator hosting all the data of all REs and their registered clients, it could become a single point of failure. Arguably, Indian regulators are ill-equipped to deal with such databases, as seen with the CoWIN database and periodically with Aadhaar authentication even today. A failure could compromise sensitive data, cause inconvenience en masse and temporarily suspend rudimentary banking operations – becoming counterproductive to its fundamental rationale. Further, erroneous personal information stored in a centralized databank would be disseminated to a much larger user community, amplifying the effects of such errors. An even greater burden on the Aggregator ecosystem is that “any instance of malfunctioning could result in surveillance, exclusion, or theft and adversely affect the already existing power imbalance between the citizen and the State”.
Scholarship indicates that the current Aadhaar regime under UIDAI is insufficient – there is a lack of adequate performance accountability mechanisms, excessive delegation, and inherently contradictory provisions dictating the usage of information. Embedding a deficient mechanism in a nascent one will create an unsteady financial ecosystem.
It has also been argued that the outsourcing of key administrative and regulatory functions to agencies (either purely administrative agencies such as CERSAI or NPCI or regulatory such as SEBI) dilutes accountability as they are one step removed from the people.
Prima facie, the Aggregator does not seem to fulfil a distinct need. Lower compliance costs may be an incentive for an RE, but the arrangement is detrimental to consumers. If this is to move forward, NPCI and the UIDAI must have clarity on the rules governing the Aggregator; they must tweak the Digital Personal Data Protection Bill 2023; establish ex-ante and ex-post accountability measures such as regular internal audits, mandatory public consultations before notifying any rules, and publishing a clear rationale for each decision; ensure negative obligations on REs and regulatory bodies (including themselves); and ensure a grievance redressal mechanism, a strong watchdog committee and a whistle-blower protection policy.