Just as we thought February 2019 was going to be a slow month for privacy and profiling laws in India, this Press Release, published at 10:34 p.m. on the very last day of the month, changed things around completely!
If you follow this space closely, you know by now that the Press Release announced the promulgation of an Ordinance that has the effect of bringing into force (albeit for the lifetime of the Ordinance) the provisions of the Aadhaar and Other Laws (Amendment) Bill, 2018 (the “Aadhaar Amendment Bill”), which was passed in the Lok Sabha on January 4 of this year, but was not passed before the Rajya Sabha, which adjourned sine die on February 13th.
While the Data Lawyer has already summarised some of the key effects of the Aadhaar Amendment Bill here, and the Press Release also lists the ‘salient features’ of the Ordinance (and, effectively, the Aadhaar Amendment Bill) here, neither of the two (one because it was written at an earlier point in time, and the other because it doesn’t necessarily have to), take into account the effects of the lesser-known Notification No. G.S.R. 108(E) of the Ministry of Finance (Department of Revenue), dated February 13, 2019 which promulgated the Prevention of Money-Laundering (Maintenance of Records) Amendment Rules, 2019 (the “2019 PML Amendment Rules”), and which you can access here.
So what are these 2019 PML Amendment Rules?
We understand that the promulgation of the 2019 PML Amendment Rules prior to the Ordinance effectuating the provisions of the Aadhaar Amendment Bill may lead to some confusion. Before we compare the two though, here is a summary of some of the key provisions of the 2019 PML Amendment Rules:
- The list of “officially valid documents” (or “OVDs”) in sub-rule 2(1)(d) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (the “PML Rules”) is now amended; Clause 2(iii) of the 2019 PML Amendment Rules amends sub-rule 2(1)(d) of the PML Rules, and, in essence, adds Aadhaar to the list of ‘Officially Valid Documents’ (“OVDs”). As such, Aadhaar now stands on the same footing as other documents like a driving license or a passport, for the purposes of the PML Rules.
- Clause 3(i) of the notification amends sub-rule 9(4) of the PML Rules, with the effect that the mandatory submission of Aadhaar (under the PML Rules) for account opening is now restricted to situations where a person seeks to open an account that is linked to DBTs (or Direct Benefit Transfers) under any scheme notified under Section 7 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”).
- Various changes have been incorporated into the lists of documents that must be provided to reporting entities at the time of account opening in respect of companies, partnership firms, trusts, unincorporated associations or bodies of individuals, which, in essence, remove the requirement for the mandatory submission of the Aadhaar number of persons holding an attorney to transact on behalf of the entity concerned.
- Sub-rule 9(15) has been replaced in its entirety, and the revised Rule essentially provides that reporting entities that have been issued a banking license by the Reserve Bank of India (the “RBI”) may carry out ‘authentication’ of a client’s Aadhaar number at the time of account opening where the client declares that they are desirous of receiving any benefit or subsidy under any scheme notified under Section 7 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act, 2016 (the “Aadhaar Act”) in their account.
- Sub-rule 9(16) has been replaced in its entirety, and the revised sub-Rule introduces the requirement on reporting entities to ‘ensure’ that their clients ‘redact or blackout’ their Aadhaar number through ‘appropriate means’ where an Aadhaar number is submitted, but authentication is not required under sub-rule 9(15).
- Sub-rule 9(17) has now been revised to the effect that non-provision of PAN within a period of six months of establishing an account-based relationship would lead to the temporary cessation of the account; the requirement for submission of Aadhaar in this regard has now been removed.
- That part of sub-rule 9(18) which provided that an OVD may be submitted where the Aadhaar or PAN submitted did not have the current address of the client has been removed, and the amended sub-rule 9(18) now lists a set of alternate documents that may be submitted in the event the OVD submitted by a client does not have their current address.
Where does this leave us?
The combined effect of the 2019 PML Amendment Rules and the Ordinance is that there is now some clarity on the process of ‘on-boarding’ new customers, or, in some cases, such as those relating to Prepaid Payment Instruments (“PPIs”), completing pending KYC processes, that reporting entities may adopt. Equally, there are a few open questions that remain to be answered:
- Is eKYC permissible again? Not just yet. For certain situations – while the effect of the Aadhaar Amendment Bill (via the Ordinance) is broader, in that the Bill permits all banking companies to conduct Aadhaar ‘authentication’, the 2019 PML Amendment Rules have the effect that such ‘authentication’ is only permissible where the client in question declares that they wish to receive benefits under any DBT schemes falling within the scope of Section 7 of the Aadhaar Act.
- Why not just yet? Because banking companies are, of course, regulated by the RBI. The RBI’s rules regarding KYC processes are, of course, under the ambit of the PML Act and Rules, but until such time as the RBI issues a revised set of KYC Directions, it is difficult to point out with certainty what situations permit the use of Aadhaar authentication, and, critically, the mechanism that can be adopted for such ‘authentication’.
- Why the doubt about eKYC? Because the word ‘authentication’ carries a defined meaning under the Aadhaar Act. Regulation 3 of the Aadhaar (Authentication) Regulations, 2016 states that there ‘shall be two types of authentication’, one of which is a simple ‘Yes/ No’ authentication, and the other, ‘eKYC’ authentication. These two adopt different mechanisms and deliver different results, and until we have a clear set of instructions in the form of Directions from the RBI, it cannot be said with certainty that eKYC is permissible again (for purposes other than availing DBT benefits).
- What about mutual funds? Can they use eKYC? As matters currently stand, no. The 2019 PML Amendment Rules and the Aadhaar Amendment Bill extend permission to conduct Aadhaar ‘authentication’ only to banking companies, and that too, under certain circumstances. Mutual funds, which fall within the SEBI-regulated regime, are not extended this permission.
- And telcos? Yes, possibly. The Aadhaar Amendment Bill provides that telcos may conduct Aadhaar ‘authentication’. Once again though, we would have to wait for specific directions from the sectoral regulator before anything can be said about this with any degree of finality.
What we do have now though is some visibility on the direction in which things may head. Many questions of great practical importance will hopefully be answered once we receive sector-specific directions from the regulator concerned (such as what ‘Offline KYC’ means in specific contexts, what means may be adopted for the ‘verification’ of OVDs, and whether such ‘verification’ can be conducted in a paperless manner), but we do know now that OVDs will be at the centre of KYC process for many types of entities, and the convenience and speed of Aadhaar eKYC is now available only to a few sets of players.
Some questions may exist regarding why the 2019 PML Amendment Rules were promulgated prior to the Ordinance, and whether that would have an effect on their validity: was the scope of the amended PML Rules wider than that of the PML Act in the post-Puttaswamy and pre-Ordinance world (i.e., the period between February 14 and 27, 2019)? Was the Aadhaar Amendment Bill promulgated by way of Ordinance to ensure that telcos could also conduct Aadhaar ‘authentication’ where an Aadhaar number is voluntarily submitted? And does any of this really matter until we see sector-specific regulations? Probably not.
Oh well. February, you were the cruellest month.