eKYC – Know Your Customer unassisted using Aadhaar, OTP and Face Biometrics

Context

Know Your Customer (KYC) is essential for obtaining Financial, Healthcare, Insurance, and Telecom services around the world. In the Indian context, until Aadhaar opened up its APIs, KYC was a laborious process costing billions to services providers and inconveniencing customers with a mountain of paper identity documents. The thoughts here are confined to the Banking sector but applies to other sectors equally.

eKYC “assisted”

With the advent of electronic KYC or eKYC using the Aadhaar biometrics platform, things haven’t changed a lot. It certainly has reduced paper documents. However, eKYC is still done in “assisted” mode – meaning either the customer has to be present at the Bank or a Bank Executive has to reach the customer to collect the biometric data. Besides, in most Banks, a paper trail is still maintained despite the biometrics data – reasons best known to themselves. What was costing the Banks earlier is what is costing today – perhaps more with the new biometric devices and the cost to maintain them.

eKYC “unassisted”

The Reserve Bank of India (RBI) took a significant step in December 2016 to allow opening of deposits and borrower accounts using OTP based eKYC, albeit with some restrictions (RBI notification on 08 December 2016, Chapter VI – Customer Due Diligence (CDD) Procedure – Clause 17 and 38 amendments). This has opened up the opportunity to provide this service to customers at the comfort of their homes at a vastly reduced cost to Banks. This would satisfy the two-factor authentication needed by RBI and would suffice to open an Account. However, with increasing volumes (500 million eKYCs projected for 2020 by UIDAI), and the possibility for this service to be abused through third party fraud, this would need additional authentication to ensure that the person completing the transaction is who he really says he is (as close to a physical check).

eKYC “unassisted” with three factor authentication – Aadhaar, OTP and Face Biometrics

To solve this particular problem, FRS Labs rolled out the “Atlas eKYC” solution – fully integrated with Aadhaar – with face biometrics as the third factor of authentication (watch the 60 second video here). While the face is captured by UIDAI as the third biometric element (fingerprints and IRIS being the other two), RBI has not mandated the use of face for biometric authentications – for reasons that face is considered not as unique as fingerprints and certainly not IRIS – and the false acceptance rates (e.g. twins) could be high and that people’s faces change over time – but as always research contradicts this notion and there are plenty of evidence to prove that face is a reliable biometric feature. And it can only get better.

Notwithstanding, RBI has not specified that face could not be used if a commercial organisation wishes to do so as additional factor of authentication to protect their businesses and consumers, so long as the mandatory 2 factor authentication is in force. In a similar tone, RBI has not ruled out authenticating customers using their voice (another biometric element not in Aadhaar). ICICI Bank and Citibank have rolled out voice biometrics to authenticate customers to call centres is a case in point – It is still two factor authentication (the registered mobile phone as the first factor and the consumer’s voice as the second factor of authentication). Therefore, there is a great opportunity here for Banks to provide face biometrics as the third factor of authentication for secure “unassisted” OTP based eKYC without the need for biometric devices. I can only begin to image the convenience for consumers and cost savings for Banks.

Author: P. Shankar – Founder & CEO of FRS Labs.

India Stack to bridge the digital divide in our country

India’s digital startups have an analog problem. They face a kagaz ka pahad. Literally. Many of them are designing for the digital desh of Bunty, the 37-yearold Udaipur shoe-seller who gets 40% of his business on his smartphone. Or, Chaitanya Bharti, Guntur’s 30-year-old single-room school teacher who gets remittances on her basic phone.

But every time they collect and store paper records, scrutinise “wet signatures”, and handle lots of physical cash, they can’t grow as fast, be as affordable or innovate to create the digital desh Bunty aur Bharti aspire to.

Nowhere is this more visible than in financial services where the kagaz ka pahad unwittingly aids what Prime Minister Modi called “financial untouchability”.

There is good news. The JAM trinity — a basic account like Jan Dhan, Aadhaar and mobile phones — makes it possible for digital services to reach every Indian. JAM is much more than aslogan — it is the result of public policy and technology that made this foundation a reality. With that foundation in place, public policy can go further. It must go further.

We don’t just give digital pioneers wings, we strap on booster rockets to launch them well over and past that kagaz ka pahad.

India Stack is just that. It is a series of new-age digital infrastructure which, when used together, makes it easier for digital pioneers to run faster, reach more people.

The Stack has four layers: (1) a presence-less layer where a universal biometric digital identity allows people to participate in any service from anywhere in the country; (2) a paper-less layer where digital records move with an individual’s digital identity eliminating the kagaz ka pahad; (3) cashless layer where a single interface to all the country’s bank accounts and wallets democratises payments; and (4) a consent layer which allows data to move freely and securely to democratise the market for data.

Each layer has a specific technology — Aadhaar authentication and eKYC, eSign and Digilocker, Unified Payments Interface, and consent architecture — with corresponding public APIs, under India’s Open API policy.

The National Payments Corporation of India released APIs for the Unified Payments Interface and is now running a hackathon for businesses to experiment.

You can go to indiastack-.org to participate. Each layer is managed as a public good. This is important. This makes the India Stack not just new-age technology but a smart policy. Technology stacks are not new. Uber, the highest valued startup on the planet, rose to success on GPS, Google maps, electronic payments and more.

In Kenya, the mobile payment service of M-PESA is like the cashless layer enabling a whole slew of digital businesses. What is different about the India Stack is that it is designed to level the playing field for newer, smaller entrants.

There is no one company or a handful of companies controlling access, behaving like bottleneck monopolies.

India Stack sets a global precedent. It is of Indian origin but not India-specific. Bits and pieces exist elsewhere in the world but nowhere under such a common frame and vision. For example, globally, data has become a battleground for the future of business.

The consent architecture, arguably, is a breakthrough to democratise the market for data without compromising on security. The India Stack is designed to propel the digital world forward in India or anywhere.

Guest Post by Kabir Kumar leads FinTech initiatives at CGAP. Sanjay Jain is a volunteer with iSPIRT Open API team. 

This was first published in Economic times