The Aadhaar and Other Laws (Amendment) Bill 2018 (Aadhaar Bill) was recently passed in the Lok Sabha. It seeks to amend
- the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016 (Aadhaar Act);
- the Prevention of Money Laundering Act (PMLA) 2002; and
- the Telegraph Act 1885.
The Aadhaar Bill follows in the footsteps of the Supreme Court's decision in Justice KS Puttaswamy v Union of India,(1) wherein the provision of the Aadhaar Act which permitted private entities to seek authentication of individuals using their Aadhaar data was held to be unconstitutional.
Prior to the Puttaswamy judgment, the PMLA and the Prevention of Money Laundering (PML) (Maintenance of Records) Rules, as amended by the Prevention of Money Laundering (Maintenance of Records) Second Amendment Rules 2017 (2017 amendment), provided a framework(2) under which entities carrying out insurance business(3) (among others) were required to verify(4) and authenticate(5) the identity of their customers using Aadhaar (a 12-digit random number issued by the Unique Identification Authority of India (UIDAI)).(6)
Pursuant to the foregoing provisions, insurers (among others) with an account-based relationship with customers had to collect their customers' Aadhaar numbers within the stipulated timeframes.(7) Consequently, a mandatory Aadhaar-based 'know-your-customer' (KYC) regime was introduced by the respective regulators to set out norms for the authentication of customers' identity using Aadhaar numbers.
Under the extant insurance regulatory and statutory framework, insurers were allowed to perform KYC verification of customers using, among other things, Aadhaar e-KYC services, subject to customers' express consent.(8) Insurers were also permitted to authenticate the identity of their customers using Aadhaar information(9) and were required to maintain records of the Aadhaar information collected from customers.(10)
However, pursuant to the 2017 amendment, the Insurance Regulatory and Development Authority (IRDAI) issued clarifications whereby Aadhaar-based KYC verification was made mandatory in the insurance sector. Following this, all insurance policies had to be linked with the Aadhaar number of the respective policyholder.(11) The IRDAI further prescribed timeframes within which the Aadhaar information had to be provided by customers to their insurer. However, pursuant to the Supreme Court's 13 March 2018 interim order in Puttaswamy, the timeframe for linking Aadhaar with existing insurance policies was extended until the matter could be finally heard and decided. Further, for new insurance policies, customers without an Aadhaar card were permitted to provide any other officially valid document to their insurer.(12)
Pursuant to Puttaswamy, the Supreme Court partially struck down the enabling provision of Section 57 of the Aadhaar Act which permitted private entities to seek authentication using Aadhaar. Following this case, Section 57 was amended to remove the wording "or any contract to this effect". It now reads as follows:
Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force.
Therefore, pursuant to the judgment, insurers (among others) were effectively prohibited from using Aadhaar-based authentication of a customer's identity, which was the primary mode of customer due-diligence and KYC verification conducted by such private entities. However, the Supreme Court has provided no clarity on use of Aadhaar information which has already been collected by private entities under the existing framework.
The central government introduced the Aadhaar Bill to harmonise the existing Aadhaar framework with Puttaswamy. The Aadhaar Bill removes the mandatory requirement of Aadhaar-based KYC verification and stipulates that individuals may provide other officially valid documents and passport for KYC purposes.(13) The Aadhaar Bill also introduces Aadhaar-based offline verification where an individual's identity can be verified without authentication.(14)
Further, the Aadhaar Bill provides that where an individual voluntarily provides their Aadhaar information to an insurer, the insurer:
- cannot store the core biometric information or Aadhaar number;(15)
- must inform the client of:
- the nature of information that may be shared;
- how the information will be used; and
- any alternatives to submitting Aadhaar information if they are carrying out Aadhaar-based offline verification;(16) and
- must inform the client in writing about the purpose for which the Aadhaar information will be used or disclosed when such information is collected.(17)
The Aadhaar Bill further omits parts of Sections 12 and 73 of the PMLA, which imposed an obligation on insurers, among others, to verify the identity of clients in a prescribed manner.(18) However, the Aadhaar Bill does not amend the PML Rules, which impose an obligation on insurers to mandatorily collect Aadhaar numbers before commencing an account-based relationship with a client. Notably, however, according to the accepted principles under which statutes are interpreted, a subordinated legislation made under a statute ceases to have effect after the enabling statute is repealed.(19)
Pursuant to the Supreme Court's decision in Puttaswamy, the IRDAI issued a circular on 29 January 2019 entitled Allowing Aadhaar Card as one of the acceptable documents for KYC – under certain conditions. The circular provides that insurers may carry out Aadhaar-based KYC verification, provided that the customer has voluntarily opted for this.(20) Further, where the insurer is collecting a customer's Aadhaar number, it cannot store more than the last four digits of the Aadhaar number either in physical or digital form. The digits preceding the last four number must be properly masked. Further, insurers are expressly prohibited from carrying out authentication using e-KYC facilities or 'yes/no' authentication facilities offered by the Unique Identification Authority of India.
However, the IRDAI has issued no clarifications or directions regarding the use of Aadhaar information which has already been collected by insurers.
The Aadhaar Bill has been a welcome proposed change to the law, as it provides much-needed clarity regarding the use and storage of Aadhaar numbers. The IRDAI has taken the enactment of the Aadhaar Bill as a cue to start providing clarity on the norms that must be followed regarding the collection and storage of customers' Aadhaar data. It is hoped that the bill will be enacted quickly, as it is not enforceable in its present form.
For further information on this topic please contact Shubhangi Pathak, Priya Misra or Nimisha Srivastava at Tuli & Co by telephone (+91 11 2464 0906) or email ([email protected], p[email protected] or [email protected]). The Tuli & Co website can be accessed at www.tuli.co.in.
Endnotes
(1) Writ Petition (Civil) 494/2012.
(2) Section 12 of the PMLA read with Section 2(1)(l) of the PMLA.
(3) Section 45(I)(c)(iv) of the Reserve Bank of India Act 1934.
(5) Rule 9(15) of the PML Rules.
(6) Rules 9(1) and 9(4) of the PML Rules.
(7) Rule 2 of the 2017 amendment.
(8) e-KYC services of UIDAI, 21 October 2013 circular and Master Circular on Anti Money Laundering/Counter- Financing of Terrorism (AML/CFT)-Guidelines for Life Insurers, 28 September 2015 circular.
(9) Clarification of Aadhaar based e-KYC, 31 August 2017 circular.
(11) The Prevention of Money Laundering (Maintenance of Records) Second Amendment Rules, 2017, 8 November 2017 circular.
(12) The Prevention of Money Laundering (Maintenance of Records) Second Amendment Rules, 2017, 20 March 2018 circular.
(13) Section 25 of the Aadhaar Bill.
(14) Sections 2 and 25 of the Aadhaar Bill.
(15) Section 7 of the Aadhaar Bill.
(16) Sections 7,26 and 27 of the Aadhaar Bill.
(17) Section 11 of the Aadhaar Bill.
(18) Sections 26 and 27 of the Aadhaar Bill.
(19) GP Singh, "Principles of Statutory Interpretation", 10th Edition, Wadhwa and Company, Nagpur (2006), p 654.
(20) Allowing Aadhaar Card as one of the acceptable documents for KYC – under certain conditions, 29 January 2019 circular.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.
