SEBI simplified the account opening process for investors vide Circular dated August 22, 2011. Further, SEBI vide circular dated October 05, 2011 issued guidelines for uniform KYC requirements for investors while opening accounts with any intermediary in the securities market.
SEBI vide Circular dated August 13, 2012 clarified that after consultation with Unique Identification Authority of India (UIDAI), Government of India, it was decided that the Aadhaar Letter issued by UIDAI shall be admissible as Proof of Address in addition to its being recognized as Proof of Identity.
Subsequently, vide circular dated October 08, 2013, SEBI clarified that in consultation with UIDAI and the market participants, it was decided to accept e-KYC service launched by UIDAI also, as a valid process for KYC verification. The information containing relevant client details and photograph made available from UIDAI as a result of e-KYC process shall be treated as sufficient Proof of identity and Address of the client. Also vide circular dated January 22, 2016, SEBI clarified that the usage of Aadhaar card as issued by the UIDAI is voluntary.
Hon’ble Supreme Court, in its judgement dated September 26, 2018, had struck down Section 57 of the Aadhaar Act as “unconstitutional” which means that no company or private entity can seek Aadhaar identification from clients or investors.
The Aadhaar and Other Laws (Amendment) Ordinance, 2019 was promulgated on March 02, 2019 through which a new Section 11A was inserted in chapter IV of the Prevention of Money-Laundering Act, 2002. The Aadhaar and Other Laws (Amendment) Act, 2019 was notified in the Gazette of India on July 24, 2019.
The Department of Revenue (DoR), Ministry of Finance issued a circular dated May 09, 2019 on procedure for processing of applications under section 11A of the Prevention of Money Laundering Act, 2002 (“PMLA”), for use of Aadhaar authentication services by entities other than the Banking companies. In terms of the said circular, if the Central Government is satisfied with the recommendations of the Regulator and Unique Identification Authority of India (“UIDAI”) and reporting entity complies with such standards of privacy and security under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”), and it is necessary and expedient to do so, it may by notification, permit such entity to carry out authentication of the Aadhaar number of clients using e-KYC authentication facility.
The said circular also inter-alia specifies that, applications by the concerned entities under Section 11A of the PMLA for use of Aadhaar authentication services shall be filed before the Regulator, who after scrutiny shall forward the applications to UIDAI along with its recommendation. UIDAI shall scrutinize the applications received and send its recommendation to the Department of Revenue for notification under Section 11A of the PML Act. The Central Government, if satisfied with the recommendations of the Regulator and the UIDAI that the applicant fulfils all conditions under Section 11A, may by notification permit such applicant to perform authentication under clause (a) of sub-section (1) of Section 11A. At any point, after issue of such notification, based on a report of the appropriate Regulator or UIDAI or otherwise, if it is found that the reporting entity no longer fulfils the requirements for performing authentication under clause (a) of sub-section (1) of section 11A, the Central Government may withdraw the notification after giving an opportunity to the reporting entity.
Accordingly, entities in the securities market, as may be notified by the Central Government, shall be allowed to undertake Aadhaar Authentication under section 11A of the PMLA. SEBI Registered intermediaries for reasons such as online on-boarding of clients, customer convenience, increased efficiency and reduced time for client onboarding would prefer to use Aadhaar based e-KYC facility to complete the KYC of the client.
These entities would be registered with UIDAI as KYC user agency (“KUA”) and shall allow all the SEBI registered intermediaries / mutual fund distributors to undertake Aadhaar Authentication of their clients for the purpose of KYC through them.
The SEBI registered intermediaries / mutual fund distributors, who want to undertake Aadhaar authentication services through KUAs, shall enter into an agreement with any one KUA and get themselves registered with UIDAI as sub-KUAs. The agreement in this regard shall be as may be prescribed by UIDAI.
Upon notification by the Central Government / registration with UIDAI, the KUAs and subKUAs shall adopt the following process for Aadhaar e-KYC of investors (resident) in the securities market.
A. Online Portal based Investor (Resident) e-KYC Process (Aadhaar as an OVD) a. Investor visits portal of KUA or the SEBI registered intermediary which is also a Sub-KUA to open account/invest through intermediary. b. For Aadhaar e-KYC, investor is redirected to KUA portal. Investor enters the Aadhaar Number or Virtual Id and provides consent on KUA portal. Adequate controls shall be in place to ensure that Aadhaar Number is not stored anywhere by the Sub-KUA or KUA. c. Investor will receive OTP in mobile number registered with Aadhaar. Investor enters the OTP sent by UIDAI on KUA portal for Aadhaar e-KYC. d. KUA will receive the e-KYC details from UIDAI upon successful Aadhaar authentication which will be further forwarded to Sub-KUA in encrypted format (using KUAs own encryption key) and will be displayed to the investor on portal. Sharing of e-KYC data by the KUA with Sub-KUA may be allowed under Regulation 16(2) of Aadhaar (Authentication) Regulation, 2016. Sub-KUA shall clearly specify the name of the KUA and Sub- KUA, and details of sharing of data among KUA and Sub-KUA while capturing investor consent. e. Investor will fill the additional detail as required under KYC format. f. SEBI registered Intermediary will upload additional KYC details to the KUA.
B. Assisted Investor (Resident) e-KYC process (Aadhaar as an OVD) a. Investor approaches any of the SEBI Registered Entity/ Sub-KUAs i.e. Mutual Fund Distributors or appointed persons for e-KYC through Aadhaar. b. SEBI registered entities (Sub-KUAs) will perform e-KYC using registered / Whitelisted devices with KUAs. c. KUA will ensure that all devices and device operators of Sub-KUA are registered / whitelisted devices with KUA. d. Investor will enter Aadhaar No. or Virtual Id and provides consent on the registered device. e. Investor provides biometric on the registered device. f. SEBI registered intermediary (Sub-KUA) fetches the e-KYC details through the KUA from UIDAI which will be displayed to the investor on the registered device. g. Investor will also provide the additional detail as required
The KUA/ sub-KUA while performing the Aadhaar authentication shall also comply with the following: a. For sharing of e-KYC data with Sub-KUA under Regulation 16(2) of Aadhaar (Authentication) Regulations, 2016, KUA shall obtain special permission from UIDAI by submitting an application in this regard. Such permissible sharing of eKYC details by KUA can be allowed with their associated Sub-KUAs only. b. KUA shall not share UIDAI digitally signed e-KYC data with other KUAs. However, KUAs may share data after digitally signing it using their own signature for internal working of the system. c. e-KYC data received as response upon successful Aadhaar authentication from UIDAI will be stored by KUA and Sub-KUA in the manner prescribed by Aadhaar Act/Regulations and circulars issued by UIDAI time to time. d. KUA/Sub-KUA shall not store Aadhaar number in their database under any circumstances. It shall be ensured that Aadhaar number is captured only using UIDAI`s Aadhaar Number Capture Services (ANCS). e. The KUA shall maintain auditable logs of all such transactions where e-KYC data has been shared with sub-KUA, for a period specified by the Authority. f. It shall be ensured that full Aadhaar number is not stored and displayed anywhere in the system and wherever required only last 4 digits of Aadhaar number may be displayed. g. As per Regulation 14(i) of the Aadhaar (Authentication) Regulation, 2016, requesting entity shall implement exception-handling mechanisms and backup identity authentication mechanism to ensure seamless provision of authentication services to Aadhaar number holders. h. UIDAI may conduct audit of all KUAs and Sub KUAs as per the Aadhaar Act, Aadhaar Regulations, AUA/KUA Agreement, Guidelines, circulars etc. issued by UIDAI from time to time. i. Monitoring of irregular transactions – KUAs shall develop appropriate monitoring mechanism to record irregular transactions and their reporting to UIDAI. j. Investor Grievance Handling Mechanism – Investor may approach KUA for their grievance redressal. KUA will ensure that the grievance is redressed within the timeframe as prescribed by UIDAI. KUA will also submit report on grievance redressal to UIDAI as per timelines prescribed by UIDAI.
Onboarding process of KUA/Sub-KUA by UIDAI: a. As provided in the DoR circular dated May 09, 2019, SEBI after scrutiny of the application forms of KUAs shall forward the applications along with its recommendation to UIDAI. b. For appointment of SEBI registered intermediary / MF distributors as Sub-KUAs, KUA will send list of proposed Sub-KUAs to SEBI and SEBI would forward the list of recommended Sub-KUAs to UIDAI for onboarding. An agreement will be signed between KUA and Sub-KUA, as prescribed by UIDAI. Sub-KUA shall also comply with the Aadhaar Act Regulations, circulars, Guidelines etc. issued by UIDAI from time to time. c. Each sub-KUA shall be assigned a separate Sub-KUA code by UIDAI.
The KUA/sub-KUA shall be guided by the above for use of Aadhaar authentication services of UIDAI for e-KYC.
For non-compliances if any observed on the part of the reporting entities (KUAs/ SubKUAs), SEBI may take necessary action under the applicable laws and also bring the same to the notice of DoR / FIU for further necessary action, if any. Reporting entity (KUAs/Sub-KUAs) shall also adhere to the continuing compliances and standards of privacy and security prescribed by UIDAI to carry out Aadhaar Authentication Services under section 11A of PMLA. Based on a report from SEBI / UIDAI or otherwise, if it is found that the reporting entity no longer fulfills the requirements for performing authentication under clause (a) of section 11A(1) of PMLA, the Central Government may withdraw the notification after giving an opportunity to the reporting entity.