FinTech Policy Roundtable on eKYC norms
India FinTech Forum organised a FinTech Policy Roundtable on regulations related to Aadhaar e-KYC API access and the impact of policy uncertainty on fintech firms. The meeting was held on 24th April, 2018 at Rise Mumbai. The topic was introduced by Mr. Jitendra Gupta, MD, PayU, and the event was moderated by Mr. Vivek Belgavi, Partner, Financial Services – FinTech and Technology Consulting Leader, PwC. It was attended by 60 participants, including CXOs of various fintech firms. The final set of recommendations shall be shared with UIDAI.
The key highlights and discussion points were:
- Devise optimal methodology for e-KYC decisions with transparent guidelines
- Establish clear Fintech governance (with focus on self-regulation)
- Clarity and consistency across various regulatory bodies in India
- Sandbox approach to explore and embed various suggestions from the fintech industry to define a consistent framework
- Recommendation to have regular roundtables and engage respective regulators
The following points were noted based on the participants’ concerns and views.
- Optimal Methodology for e-KYC:
  - e-KYC guidelines need to be clear and transparent.
  - e-KYC API access guidelines should be fair and not exclude smaller companies from innovating based on Aadhaar APIs.
  - The transaction limits of OTP-based e-KYC users are often low and physical KYC is invariably required.
  - In-person verification (IPV) needs to be clearly defined for all fintechs and NBFCs.
  - New issuances of AUA/KUA licenses are currently on hold. Some clarity on new licenses needs to be provided.
  - There is no clarity on the future of e-KYC regulations for fintech firms. There is uncertainty whether fintechs should move to other documents such as PAN, driving license, etc. or continue with Aadhaar.
  - New digital identity and authentication solutions (e.g. facial recognition) must be actively considered by regulators to reduce IPVs.
  - Have a well-defined FinTech route to access the AUA and KUA ecosystem: lower requirement thresholds, clear compliance guidelines, data protection policy, etc.
- Fintech Regulation:
  - Currently there are multiple bodies such as RBI, UIDAI, Ministry of Finance, SEBI, etc., which have various contradictory mandates on Aadhaar. There is a need to identify a single regulatory body to take decisions on e-KYC, or to arrive at a consensus mandate together with all the defined regulatory bodies.
  - The Government has recently constituted a fintech panel. This panel needs to be accessible to fintech firms and to understand the concerns of entrepreneurs who are working in the relevant areas.
  - There is a need for an industry body as a consolidated voice/representation to address concerns to the key policy-making bodies such as the GOI fintech panel, RBI, SEBI, IRDAI, etc.
  - Misuse of customers’ data is an important issue and a fintech self-regulation body (SRO) may be created.
  - KYC is linked to AML, which in turn is linked to the PML Act. Flexibility to make new policies is limited.
  - Consistency across all the regulatory bodies on Aadhaar.
  - Right to forget (delete one’s data) can be considered to minimize the risk of exposing customer data.
  - Define a process for custodians to access/revoke data from the entities that are using the data. Misuse of the same needs to be duly addressed by the fintech SRO.
  - Clear guidelines to be defined on Virtual IDs, Aadhaar tokens, etc.
  - Stability of UIDAI services for a longer period. Enhancements/changes should not be ad hoc.
  - A well-defined overarching Fintech panel to be constituted in association with RBI/SEBI/UIDAI/Ministry of Finance to take various decisions on the future of fintech regulations. An approach should be defined on how this panel can be reached and addressed.
  - A think tank to be established for framing Aadhaar/e-KYC policies. Regulators need to have a consistent policy for e-KYC decisions, taking into consideration all policies of RBI, SEBI, UIDAI and Ministry of Finance.
- Fintech Sandbox Approach:
  - A Fintech Sandbox approach to be implemented, which can be used to test POCs, and the results can be shown to regulators. This can help in maintaining consistency across all regulators.
  - The sandbox can be accessed as and when required.
  - The sandbox should be owned by government/regulatory bodies/a non-profit organization. Best practices from MAS, UK, etc. can be adopted.