Fintech R&R x Under the Hood - India’s Aadhaar Card in Bank IDV/eKYC

What is the largest biometric database in the world (clue is in the header)?

What benefit does centralised IDV & eKYC bring and what has the Eye of Sauron got to do with it?

What are the risks of centralised IDV for account opening?

How do residents set up and use Aadhaar to access Financial Services?

These questions and more will be answered in this week's edition of Fintech R&R


Hey Fintechers and Fintech newbies

The past couple of weeks have given me lots of inspiration for deep dives and write-ups.

There’s the recent Open Finance Blueprint from CFIT that begins to outline what a UK Open Finance framework looks like, some of the key use cases, and the next steps. I jotted down my thoughts on the report in a brief post here, but it cemented some ideas I had about a PropTech deep dive and looking into Open Finance’s role in responsible short-term lending. A couple of areas that weren’t covered in this inaugural report.

I’ve also had a few conversations recently about customer loyalty. These have varied from chats with founders of customer loyalty & rewards-focused startups to giving some advice to neobanking propositions about building specific features to increase retention and building loyalty and reward schemes as differentiators. Although it’s an already huge space (think Starbucks, Amex, airline programs and others), there are still big opportunities, so another area to dive into, especially when looking at embedded customer loyalty.

Despite these inspiring occurrences, it was a Visa Enabler Open House I was kindly invited to that gave me inspiration for the most number of different things to write about. The event brought together enablement partners from the Visa ecosystem, such as program managers like Toqio and Andaria, BIN sponsors such as Modulr and Transact payments, and industry consultants like myself.

In the session, as well as providing discussion points and networking opportunities, Visa strategists, economists, and risk experts spoke about their and Visa’s key outlooks for the next few years, including:

  • Embedded finance
  • Sellers growing into the billions
  • Configurability of Payments
  • Digital Identity
  • …and AI (of course)

One of the really interesting talks was about the trillion-dollar elephant in the room: fraud and risk management. In it, the VP of Risk Europe talked about some growing fraud and risk factors, including fraudsters using automated generative AI to create convincing OTPs, the rise of deep fakes and their application in defrauding customers and the system, and some of the things Visa is doing to prevent bad actors from doing mischievous things.

There was A LOT of interesting stuff to explore. I will explore Fraud and Risk management in a later edition, but I had to use this perfect opportunity to examine Identity Verification (IDV), specifically how different countries like India do it compared to the West.

For me, a modern, reliable & secure IDV process isn’t the silver bullet that solves the fraud problem. It is, however, the first bullet loaded in the chamber for the fight against bad actors.

So, this week, I’m diving under the hood of India’s Aadhaar identity verification process, with a little shout-out to a couple of other IDV processes and some thoughts on what a centralised UK IDV process would bring.

As well as interesting news, puns + movie references, this edition includes the following:

  • A bit of background about Aadhaar
  • How Aadhaar is used for financial onboarding: The end-to-end registration process, Using Aadhaar to verify identity and provide eKYC for banking products
  • The three big benefits of centralised ID: 1. Cost, 2. Simplified process → Greater Innovation 3. Greater Fraud Detection Capabilities
  • Two big downsides: 1. Single point of failure, 2. Privacy concerns
  • Some similar notable programs
  • Why IDV is central to the issue of fraud and what the UK can replicate?

Now let’s get into it


A bit about Aadhaar

PVC Aadhaar card example

The Aadhaar card is a 12-digit unique identification number issued to Indian residents by the Unique Identification Authority of India (UIDAI), a statutory authority established in January 2009 by the Government of India, under the Ministry of Electronics and Information Technology. The Aadhaar card serves as a proof of identity and address for Indian citizens. It is considered the largest biometric identification system in the world, with a cumulative total of around 1.3 billion Aadhaar cards generated to date.

The idea of Aadhaar originated from the need for a robust and universally accepted identification system in India. The Indian government recognised the importance of having a unique identification number for each resident to facilitate efficient delivery of government services and subsidies, as well as to reduce fraud and identity theft.

That’s why the name Aadhaar was chosen. Translated to English from Sanskrit, it means ‘base’ or ‘foundation’.

The Aadhaar project was formally launched in September 2010 with the objective of providing every Indian resident with a unique identification number linked to their biometric and demographic information. The enrolment process involves collecting biometric data such as fingerprints and iris scans and demographic information, including name, date of birth, and address.

Source: Reuters - Iris capture process in Aadhaar registration

Aadhaar has since become an essential document for Indian residents, as it is required for various services such as opening bank accounts, obtaining a mobile phone connection, and accessing government welfare schemes and subsidies. Despite some controversies and concerns related to privacy and data security, Aadhaar has played a significant role in improving the efficiency and transparency of government services in India.

One point worth noting is that 2018 saw the final hearing of a legal challenge to the widespread rollout of Aadhaar and it being mandatory for things like bank accounts and mobile services on the basis that it could breach privacy, lead to the exclusion of certain services and be used to surveil citizens. The Supreme Court upheld the constitutional validity of the national ID program but ruled that banks, telcos, schools cannot make Aadhaar mandatory for accessing their services.

Source:

Despite court challenges to its validity, the central government has aggressively promoted Aadhaar linking with various services, from mobile SIM cards and bank accounts to vehicle registration and welfare schemes like the employment act, pension schemes and public health insurance programs. Many of these service providers also promote Aadhaar as a simple, quick and more secure way of accessing accounts and services.

Since 2010, around 1.3 Billion Aadhaar numbers have been issued.

Just hammering that point home for dramatic effect.

According to data published by the UIDAI in 2022 (more recent data is difficult to access), 99.9% of adults have an Aadhaar number, and that group uses the number at least once a month for verification and other services. It also states that over 77 crore (1 crore=10,000,000, so 770 Million) Aadhaar IDs were linked to National Payments Corporation of India (NPCI) bank accounts, which include the State Bank of India, Punjab National Bank, Canara Bank, Bank of Baroda, Union Bank of India, Bank of India, ICICI Bank Limited, and HDFC Bank.

In terms of eligibility, any Indian resident over the age of 5 can apply and receive the 12-digit identification number and associated secured biometric data, which, as mentioned, can be used for a variety of services, including IDV and eKYC for banking services, which is what we’ll dive into now.

Aadhaar Registration and eKYC

Step 1 - Book an appointment

The Aadhaar registration process can deviate slightly, but the first step is to find the nearest Aadhaar enrolment centre. This is done on the UIDAI website. There are over 35,000, run by banks, post offices, and state governments across the country. The site asks individuals to fill out some basic information and lets them book an appropriate slot to visit an enrolment centre physically.

Step 2 - Visit the centre with POI, POA, and POF

The individual enrolling then visits the enrolment centre with the relevant existing Proof of Identification (POI) and Proof of Address (POA) documents. The UIDAI process accepts over 18 POI and more than 33 POA documents, including election photo ID cards, Ration cards, passports, driving licences, PAN cards, GovtID, and recent gas, electricity or water bills.

Members of a family who do not have the required documents can still enrol if they exist in what's called a family entitlement document, and the Head of the Family, usually a parent, can use a Proof of Relationship document like a birth certificate or marriage certificate as valid identification. In these cases, the Head of Family needs to be present for enrolment.

A full list of accepted POIs, POAs and POFs is here.

Step 3 - Submit identification and enter personal details

The individual will submit their POA and POI to the Operator at the centre and will also enter their personal details via an online form. Details captured through the form include name, date of birth, gender, and address. People often enter their mobile and email addresses as well, although this is optional. Additional info that can be captured at this point includes the name of the Father/Mother/Guardian, relationship, marital status, occupation, educational qualification, and any identifying numbers from government-issued documents like Voter ID.

Step 4 - Picture, Iris and Biometrics taken

The Operator takes a picture of the individual, uses a device to capture a snapshot of the individual's iris, and captures all 10 fingerprints of the individual (where possible).

Step 5 - Individual verifies information and submits

The individual has the opportunity to review all information and make any amendments to the enrolment before submitting and receiving an acknowledgement slip with a temporary enrolment number and other details captured during enrolment.

Step 6 - Submission and authentication

The enrolment agency does an initial QA check before consolidating it into a data packet and sending it to a UIDAI data centre for validation and various screening stages within the Central Identities Data Repository, or CIDR. The data packet is checked against other records in the system to ensure there's no duplication. QA checks are done on the demographic data and cross-referenced with supplied documents as well as other national registers. There is also some ongoing algorithmic fraud and identity theft detection.

Step 7 - Aadhaar number created and sent to individual

Once the checks come back successful, the Aadhaar is generated, and a record is created in CIDR. The process from enrolment to receiving the number can take from 60-90 days on average. The individual receives a letter in the post notifying them. They can also check their status online and download the number once available, and many apply for a physical PVC card to use as a single identity card. It can then be used to open a bank account, apply for mobile services and many other key services.

eKYC using Aadhaar

Step 1 - Individual selects a bank and account type online

The first obvious initialisation step is finding a bank that provides an online onboarding process with the account type the individual is looking for. Many neobanks in India are digital-first, and 'traditional' banks like HDFC and IDFC First Bank also have many of their accounts available online and accessible via a digital onboarding process.

Step 2 - Personal details and Aadhaar number entered

The customer enters basic personal details via the online entry screen, such as full name, DOB, mobile number and 12-digit Aadhaar number, which must all be the same details provided during Aadhaar enrolment. In some cases, the onboarding institute may just ask for the mobile number and a couple of other verification factors.

Step 3 - OTP request sent to the customer using data submitted

The institute uses the data from the customer to initiate an OTP verification request to prove the customer signing up has access to the mobile device linked to the Aadhaar card. The 'Something you have' factor of authentication. The institute (generally referred to as the Authentication User Agency or AUA) can use a third party for the requests or request OTPs directly from the UIDAI service. The third party is called an Authentication Service Agency or ASA. If the data sent to the OTP services is correct, the service will generate an OTP and send it to the mobile number linked to the Aadhaar number.

Step 4 - Customer verifies via OTP

The customer receives the OTP via SMS and enters it on the onboarding journey to verify that they are, in fact, holders of the mobile device linked to the Aadhaar number and that they are the ones initialising the account opening process.

Step 5 - Requesting institute initialises eKYC request

Once the OTP is verified, the institute initialises the eKYC request by first securely encrypting the data submitted through the online or mobile portal, along with the verified OTP, into a Personal Identity Data Block (PID block) and digitally signing it. This PID block is then sent as part of a request to obtain an eKYC report from the UIDAI servers via the eKYC API.

Step 6 - UIDAI responds with an eKYC report

The KYC service decrypts the PID, validates the request by comparing the provided data against the data held, and once everything checks out, an eKYC report containing the demographic data of the individual, photograph and other supporting information is created, digitally signed for audit and authentication purposes and sent back to the institute or AUA.

Step 7 - Video KYC

At this point, a potential customer has not provided visual verification of themselves, only confirming that they have the device, details and Aadhaar number of an individual, so a common step is to perform a final check via video that proves they are who they say they are.

Cue a popular Eminem song.

The video KYC is often done through a Facetime call with a bank/financial institute support operator guiding them through the process. This ticks the second authentication factor of 'Something you are' in addition to the 'Something you have' proven earlier. In the call, the individual's picture is taken and verified against the documents received from UIDAI, they will often be asked a few verification questions and sometimes present a form of ID on the call. If all is well, onboarding is complete and the account is opened.

All-in-all, this onboarding process can be as quick as 5 minutes, giving customers fast access to an account and giving financial institutes a robust digital KYC process.
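The exchange in steps 3 to 6 above, modelled as an added example that is not part of the original article and is not UIDAI's API: `CentralService`, `build_pid_block`, the field names and the sample record are hypothetical. HMAC-SHA256 stands in for the digital signatures, and the PID block is left unencrypted so the code runs on the Python standard library alone.

```python
import hashlib, hmac, json, secrets

def sign(key: bytes, payload: bytes) -> str:
    # HMAC-SHA256 stands in for the digital signature (assumption of this example).
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class CentralService:
    """Hypothetical model of the central identity service, not UIDAI's API."""
    OTP_TTL = 300  # seconds an OTP stays valid (assumed value)

    def __init__(self, records, aua_keys, report_key):
        self.records, self.aua_keys, self.report_key = records, aua_keys, report_key
        self.pending = {}     # (id_number, txn) -> (otp, expiry time)
        self.sms_outbox = {}  # mobile -> otp; simulates SMS delivery

    def request_otp(self, id_number, txn, now):
        record = self.records.get(id_number)
        if record is None:
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[(id_number, txn)] = (otp, now + self.OTP_TTL)
        self.sms_outbox[record["mobile"]] = otp  # sent to the mobile on record only
        return True

    def ekyc(self, aua_id, pid_block, signature, now):
        # 1. Authenticate the requesting institution before parsing what it sent.
        key = self.aua_keys.get(aua_id)
        if key is None or not hmac.compare_digest(sign(key, pid_block), signature):
            return {"status": "rejected", "reason": "bad_signature"}
        pid = json.loads(pid_block)
        # 2. The OTP is bound to (identity, transaction), single-use and time-limited.
        otp, expiry = self.pending.pop((pid["id_number"], pid["txn"]), (None, 0))
        if otp is None or now > expiry or not hmac.compare_digest(otp, pid["otp"]):
            return {"status": "rejected", "reason": "otp_invalid"}
        # 3. Submitted details must match the record held centrally.
        record = self.records[pid["id_number"]]
        if (pid["name"], pid["dob"]) != (record["name"], record["dob"]):
            return {"status": "rejected", "reason": "demographic_mismatch"}
        # 4. Signed report, so the institution can verify it and keep it for audit.
        report = json.dumps({"txn": pid["txn"], "name": record["name"],
                             "dob": record["dob"], "address": record["address"]},
                            sort_keys=True).encode()
        return {"status": "ok", "report": report,
                "signature": sign(self.report_key, report)}

def build_pid_block(id_number, name, dob, otp, txn):
    # Institution side: details typed by the customer plus the OTP they received.
    return json.dumps({"id_number": id_number, "name": name, "dob": dob,
                       "otp": otp, "txn": txn}, sort_keys=True).encode()

def run_demo():
    aua_key, report_key = secrets.token_bytes(32), secrets.token_bytes(32)
    # Constructed sample record; none of these values are real.
    records = {"000011112222": {"name": "Asha Example", "dob": "1990-01-01",
                                "mobile": "+91-0000000000",
                                "address": "1 Sample Street"}}
    svc = CentralService(records, {"BANK_A": aua_key}, report_key)
    person = ("000011112222", "Asha Example", "1990-01-01")

    svc.request_otp(person[0], "txn-001", now=1000)
    otp = svc.sms_outbox["+91-0000000000"]  # the customer reads the SMS
    block = build_pid_block(*person, otp, "txn-001")
    sig = sign(aua_key, block)

    # A block altered after signing fails before the OTP is even consumed.
    tampered = svc.ekyc("BANK_A", block.replace(b"Asha", b"Evie"), sig, now=1010)
    first = svc.ekyc("BANK_A", block, sig, now=1020)
    verified = first["status"] == "ok" and hmac.compare_digest(
        sign(report_key, first["report"]), first["signature"])
    # Re-sending the same valid request fails: the OTP was used up.
    replay = svc.ekyc("BANK_A", block, sig, now=1030)

    # A second transaction whose OTP is entered after the validity window.
    svc.request_otp(person[0], "txn-002", now=2000)
    late = build_pid_block(*person, svc.sms_outbox["+91-0000000000"], "txn-002")
    expired = svc.ekyc("BANK_A", late, sign(aua_key, late), now=2000 + 301)
    return {"tampered": tampered["reason"], "first": first["status"],
            "report_verified": verified, "replay": replay["reason"],
            "expired": expired["reason"]}

if __name__ == "__main__":
    print(run_demo())
```

With a shared-key HMAC the institution needs the service's key to check the report; a real digital signature would let it verify with a public key instead.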

End-to-end registration and use of Aadhaar

So what's different about this process and why is it pushed hard by the govt?

I started with a witty analogy about robust & secure IDV being the first bullet in the chamber in the gunfight against financial fraudsters. An analogy you can tell I'm pretty proud of.

Because if you don't have anonymity when committing a crime, 1. It's generally a huge deterrent, and 2. It can be easier to track you down, recover losses and hand out punishments.

It's the whole reason behind why bank robbers wear masks as you need to be able to spend the money after you've heisted it. If, back in the day, banks had bouncers on the doors checking and registering the ID of every person who walked in, I'm certain the amount of money looted from branches would have dropped.

That method probably wouldn't have deterred these guys though…

The Dark Knight Bank Heist

The point of starting with IDV & KYC when it comes to reducing fraud, is to better manage the flow and controls when it comes to allowing people onto a trusted network. And if those people turn out to be bad actors, track them down easily and restrict their access if needed.

There are a couple of reasons why I decided to dive into Aadhaar specifically.

  • To highlight the size of the initiative. Despite many thinking China is the place with the most digitised biometric data on citizens, it's, in fact, India that has the biggest population coverage. If India proves on such a massive scale that the system works and fraud due to identity theft or hijacking is reduced, then it's surely a model to use.
  • To show a slightly different way of solving a problem that is faced around the globe. There will be folks reading this that only know one way of verifying an individual's identity to adhere to Money Laundering and KYC regulations. That is storing a copy of a driving licence, passport, proof of address and a live image of the individual for every single institute.
  • It also highlights the overall benefits of a single centralised golden source of identity data and a standardised KYC report and weighs them against some of the drawbacks.

The case for Aadhaar

Cost

EKYC is generally cheaper than manual, paper-based KYC due to the time and manual effort required. But, estimates from an IMF report show that the cost of verifying identities using the Aadhaar system vs manually can mean a drop from Rs1,000 (approx $12) to Rs5 (approx $0.06).

Other more conservative estimates from PWC show a smaller but still huge reduction in costs.

Source: PwC

Regardless, using Aadhaar for identity verification and account onboarding leads to a reduction in onboarding cost, which means the capital can be deployed elsewhere. Ideally, finance for customers who need it or a direct correlation to lower account maintenance charges for the customer.

Simplified IDV/KYC -> Greater Innovation

Centralised and simplified IDV, where the bulk of the heavy lifting has been done up front and financial services (and other organisations like accountants, real-estate agents, telcos etc.) can simply capture up-to-date information and verify it against a central golden store, means that innovators can focus on creating innovative products and services for customers rather than worrying about adherence to ML and KYC regulations.

Not enough work is done in the early stages of propositions to bake regulatory procedures, operations and checks into the product, but I might be on an island of one there.

Great fraud detection capabilities

One of the big benefits, which, as I'll describe later, can also be used as a negative, is that a central store of biometric & photographic documents, demographic data, and other verified data points in a central golden source gives an easy way to identify individuals who do end up being bad actors and to maintain a central store of good and bad nodes on the financial network.

Bad actors who abuse the system can have their central record marked so institutes who perform subsequent KYC checks have a history of the authorisations they've requested and any 'red ink' on their record. These customers may be refused service or have to go through enhanced due diligence.

Good actors have simpler straight through onboarding as they have no blots on their record and the exercise is simply to cross verify the data that already exists in CIDR.

This is all great, but for me, the biggest specific benefit of a central golden source of identity data used to access financial services is the ability to tackle identity fraud and misuse in real-time by spotting patterns in access requests across the whole of financial services. The big issue preventing a national solution like this is the disparate and siloed nature of KYC and IDV data. There's a reason that data is captured by individual organisations (down to the regulation and record-keeping stipulation), but a centralised source slightly decoupled from the FIs allows for a broad data lake which can be monitored by something that I envisage being like an AI-powered Eye of Sauron, looking out for patterns and characters doing things they shouldn't be.

AI of Sauron

(I am aware that Hobbits are the heroes doing good, but that doesn't fit my Eye of Sauron narrative).

I think there's scope to do a version of this in the UK. Not necessarily the full centralised IDV but some mechanism, alliance, or secure central store of suspicious onboarding requests across all of FS that every institute can access and verify against. Here's to hoping.
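One way the cross-institution monitoring described above could look, as an added example that is not from the original article: the log format, institution names, thresholds and ID numbers are constructed assumptions, and simple rules stand in for the AI-powered monitor. It flags an identity requested by several institutions in a short window, repeated OTP failures, and records already marked with 'red ink'.

```python
import hashlib, hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # assumed look-back window
MAX_INSTITUTIONS = 3             # assumed: distinct requesters per window
MAX_OTP_FAILURES = 3             # assumed: failed OTP checks per window
MONITOR_KEY = b"constructed-demo-key"

# Constructed log: timestamp, requesting institution, ID number, OTP outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:00 BANK_A 111122223333 OTP_OK
2024-03-01T09:05:00 BANK_B 444455556666 OTP_OK
2024-03-01T09:10:00 BANK_B 111122223333 OTP_FAIL
2024-03-01T09:12:00 NEO_C  111122223333 OTP_FAIL
2024-03-01T09:15:00 NEO_C  111122223333 OTP_FAIL
2024-03-01T09:20:00 LEND_D 111122223333 OTP_OK
2024-03-01T12:30:00 BANK_A 444455556666 OTP_OK
2024-03-01T12:40:00 NEO_C  777788889999 OTP_OK
"""

def pseudonymise(id_number: str) -> str:
    # Keyed hash: the monitor never stores the raw number, and the small
    # 12-digit space cannot be brute-forced without the key.
    return hmac.new(MONITOR_KEY, id_number.encode(), hashlib.sha256).hexdigest()[:16]

def parse(line: str):
    ts, institution, id_number, outcome = line.split()
    return datetime.fromisoformat(ts), institution, pseudonymise(id_number), outcome

def detect(log_text: str, flagged=frozenset()):
    """Return alerts in time order; each (token, rule) pair alerts once."""
    history = defaultdict(deque)   # token -> recent (ts, institution, outcome)
    alerted, alerts = set(), []
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, institution, tok, outcome in events:
        window = history[tok]
        window.append((ts, institution, outcome))
        while window[0][0] < ts - WINDOW:      # drop events outside the window
            window.popleft()
        findings = []
        if tok in flagged:                     # record carries 'red ink'
            findings.append("flagged_record")
        if len({inst for _, inst, _ in window}) >= MAX_INSTITUTIONS:
            findings.append("fan_out")         # many institutions, one identity
        if sum(o == "OTP_FAIL" for _, _, o in window) >= MAX_OTP_FAILURES:
            findings.append("otp_failures")    # someone lacks the linked mobile
        for rule in findings:
            if (tok, rule) not in alerted:
                alerted.add((tok, rule))
                alerts.append({"time": ts.isoformat(), "token": tok,
                               "rule": rule, "seen_at": institution})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, flagged={pseudonymise("777788889999")}):
        print(alert)
```

No single institution in the sample sees more than two requests for the first identity, so neither the fan-out nor the failure pattern is visible from inside one silo.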

Overall, a centralised identity system like Aadhaar offers significant benefits for KYC and bank onboarding by improving efficiency, reducing costs, enhancing security, and promoting financial inclusion.

As you've probably guessed, though, there are downsides to Aadhaar and a centralised IDV system.

Double Edged Sword

Data Breaches

Centralised systems mean a single, golden source of the truth, which is great.

The downside is that it means it's a large single point of attack, leaks and data breaches.

In 2019, the World Economic Forum's Global Risks Report said:

"The largest (data breach) was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January 2018 that criminals were selling access to the database at a rate of Rs500 for 10 minutes, while in March, a leak at a state-owned utility company allowed anyone to download names and ID numbers."

Yep. You heard that right. The largest biometric database on the planet is also the source of the largest data breach. Records of 1.1 billion registered citizens were compromised. Not all fully leaked but accessible.

Following the breach, the UIDAI:

  • Initiated a thorough investigation into the reported incident
  • Introduced comprehensive and regular security audits
  • Improved the authentication process
  • Created a biometric locking feature to prevent unauthorised access
  • Introduced a VirtualID (VID) to mask their Aadhaar number

These are all great measures. It would have been great if they had some of these at the start.

There's always a risk of a breach with sensitive centralised data which is why they should be built like Fort Knox, not out of straw.

Privacy concerns

As this is a government-led initiative, there are always going to be privacy concerns. These concerns are why appeals went all the way to the Indian Supreme Court and led to Aadhaar being deemed 'not mandatory' for organisations to use.

There was also a concern that its extensive data collection and centralised database could be misused for surveillance purposes by government agencies or other entities. Critics worry that Aadhaar could be used to track individuals' movements, monitor their activities, or conduct profiling based on their demographic or biometric information.

Basically, a China-like social credit system can be built and used as one of the controlling levers. Not beyond the realms of possibility.

Aadhaar is not alone…

The Absher system is an online platform introduced by the Saudi Arabian government to provide a wide range of government services to citizens and residents of Saudi Arabia. It allows users to access various services related to passports, visas, vehicle registration, traffic violations, healthcare appointments, and more. Users can also perform administrative tasks such as paying bills, renewing licences, and updating personal information.

Similarities of Absher with the Aadhaar system include:

  • Digital Identity: A digital identity that can be used to access government services online. Users are assigned a unique identification number linked to their personal information and biometric data
  • Centralised Database: Both Aadhaar and the Absher system operate on centralised databases maintained by their respective government authorities
  • Online Authentication: Both Aadhaar and the Absher system use online authentication mechanisms to verify users' identities and grant access to government services securely

I'm aware of the intricacies of the Absher system, having worked on a couple of KSA fintech propositions where mobile authentication using Absher was one of the first steps in the onboarding journey.

Absher is one of many comparable systems in the Middle East. The UAE has EmiratesId, a mandatory identity card issued to all citizens and residents of the UAE by the Emirates Identity Authority (EIDA). It serves as the primary proof of identity for individuals in the UAE and is widely used for accessing government services, financial transactions, healthcare services, and other activities requiring identification.

The point is that many centralised systems provide a secure way of authenticating an individual's identity and simplify access to financial services.

India's system is unique due to the number of residents it serves and its ambitions to be the next big fintech superpower. I'll be watching the evolution of the system very closely, monitoring a few key areas in particular…

  • Seeing whether FIs will replace human video KYC with an automated VKYC verification process to further drive down KYC costs
  • Monitoring UIDAI's progress and seeing whether they release some industry-wide reporting on fraud trends, IDV patterns, and ways that the industry can make better use of the services
  • Watching the usage of Aadhaar for verification by fintechs in the region. This can be a good gauge of long-term adoption.
  • Seeing whether Aadhaar Enabled Payment Systems (AePS), a bank-led model that allows customers to perform basic banking transactions using their Aadhaar number and biometric authentication, takes off in a big way. This could be a really interesting way to give people in remote locations access to cash using the Aadhaar number and biometrics via enabled ATMs and merchants.

I said this in my UPI deep dive a few months back. India has such a diverse set of cultures, behaviours and demographics, with the largest population on the planet. There are lots of great innovations spreading from India across the world. UPI is just one example.

Yes, the Aadhaar system has had a few issues, but in these post-data breach years, as I call them (2018-present), the system's usage, benefits, and security have grown.

There have been murmurs that a few LATAM countries are looking to copy India's example and create their own centralised identity platforms.

I'm not surprised.

There are also talks about centralised Digital ID programs here in the UK akin to Sweden's BankId.

It pains me to say that an independent, centralised, government-led Digital ID system would make more sense and have uses beyond financial services as many of the programs I've described, including Aadhaar and Absher, do. I wrote a bit more about this and Digital Identity here.

Regardless of what the UK, US or anyone else does, going to the next stage with IDV and KYC and creating a centralised verification service with access to authentication requests across the entire FI estate could and should be the first bullet in the chamber in the fight on fraud.

I hope this edition has shone a light on how and why.

More editions on the other weapons in the arsenal will follow so stay tuned…

Don’t forget, if you enjoyed this edition, drop a like below, fire over your questions and share with a friend! Back again in two weeks!



Fintech Spotlight

This is Fintech Spotlight. Each week I’ll tag a fintech that I think is interesting, has a cool new feature, or is just hyper relevant to that edition. This week I have to highlight an Indian fintech given the subject matter but it’s no minnow.

PhonePe is a digital payments platform in India that allows users to make a wide range of transactions, including payments, transfers, bill payments, and online shopping, using their smartphones.

It’s a Unified Payments Interface (UPI)-based platform, which means it leverages the UPI infrastructure to facilitate real-time payments between bank accounts. Users can link their bank accounts to the PhonePe app and use it to make seamless and secure transactions, from peer-to-peer payments, merchant payments, bill payments, online shopping and investments.

In 2023 it hit the milestone of 500 million lifetime registered users on its platform. That meant 1 in 3 Indians use PhonePe.

Favourite bits of news

Sage AI assistant a wise move - This bit of AI news went under the radar. Sage launched Sage Copilot, its own generative AI-powered productivity assistant designed to help SMBs manage HR, payroll and other accounting processes. Sage CEO, Steve Hare said: "Sage Copilot will provide users with proactive options to improve cash flow; these include suggestions to accelerate customer payments, enhance working capital and support smarter financial decisions." This will be transformative for SMBs and allow them to use the prompt-based interface to ask the accounting platform questions and better manage finances.

Gourish Singla

Serial Entrepreneur | Early-stage Investor

7 months

Innovation at its finest! Exciting to witness advancements in renewable energy technology.

Mrunali B

Business Development Manger

7 months

First-party misuse challenges merchants every day Download the Verifi white paper today: https://tinyurl.com/mkrae36b #friendlyfraud #fraud #datafraud #reatilfraud #merchantsfraud #misuse

Leda Glyptis PhD

Client-first exec | NED | Advisor | Author | Speaker

7 months

(Not so) Fun fact: in 20-odd years of a pretty public presence, this is the only topic that ever got me death threats online... for quoting from Rebooting India on the early days of Aadhaar

Panagiotis Kriaris

Leadership | FinTech | Payments | Banking | Innovation |

7 months

Jas Shah you are spot on re the topic. Which very often gets underestimated. Aadhaar is the case study.

Sandi S.

CoFounder Stealth “B2B Payments * Compliance/Ops * AI * CX”

7 months

Great one Jas! The financial inclusion aspect is huge especially direct benefit schemes cutting out the middle agent. Getting million other government systems centrally integrated starting from procurement bids, revenue treasury portals, real estate ownership verifications, paying taxes online etc. This has been a game changer for major societal sections that is technology framework agnostic and yet delivers a near realtime verification experience considering we are talking about a populace that mostly did pillar to post in-person document checks. Let's see how Worldcoin orbs perform considering Altman’s pet project uses similar framework
