KYC Framework in Light of Aadhaar 2025 Amendment Regulations

RBI’s recent supervisory reviews of NBFCs repeatedly highlight one area of non-compliance: Aadhaar misuse in KYC — especially accepting unmasked Aadhaar copies, failing to obtain mandatory consent, or performing unauthorised Aadhaar verification.

On 9 December 2025, UIDAI notified the Aadhaar (Authentication and Offline Verification) Amendment Regulations, 2025 to amend the 2021 Regulations

This blog summarises what NBFCs must do now — and what must immediately stop.

Key Amendments:

1. New Definitions Introduced:

(i) "Aadhaar Application" [Reg. 2(1)(ac)]- UIDAI now defines authorised mobile/web applications — including mAadhaar, Aadhaar App, QR Scanner App, myAadhaar Portal — which alone may be used to perform offline Aadhaar verification.

NBFC implication: All offline Aadhaar verification must be done only through these UIDAI-approved apps/tools.

(ii) "Aadhaar Verifiable Credential (AVC)" [Reg. 2(1)(be)]- A new digital document containing:

  • Last 4 digits of Aadhaar;

  • Demographic details;

  • Photograph;

  • UIDAI-signed data.

This AVC can be shared in full or partly with NBFCs for offline verification.

NBFC implication: AVC becomes a legal, compliant alternative to masked Aadhaar XML.

(iii) "Offline Face Verification" [Reg. 2(1)(md)]UIDAI has now introduced offline face verification: Live facial image is captured and compared with the stored Aadhaar photo within the Aadhaar Application.

NBFC implication: If implemented, NBFCs can perform higher-assurance KYC without biometric authentication — still remaining “offline”.

2. Types of Offline Verification Expanded [Reg. 3A]:

UIDAI now recognises 5 forms of offline verification:

  1. QR Code verification;

  2. Aadhaar Paperless Offline e-KYC;

  3. Aadhaar Verifiable Credential verification;

  4. e-Aadhaar verification;

  5. Offline paper-based verification.

NBFC implication: KYC policy must list and permit all UIDAI-approved offline modes.

3. Introduction of Offline Verification Seeking Entity (OVSE) [Reg.13A]: Entities (including NBFCs) must apply to UIDAI to become an OVSE to carry out:

  • Aadhaar Paperless Offline e-KYC;

  • Aadhaar Verifiable Credential verification.

NBFC implication: If the NBFC uses QR/XML/AVC-based verification in digital onboarding, the NBFC must be registered with UIDAI.

4. Penalties for Misuse or Non-Compliance [Reg. 25(1A)]: UIDAI may impose penalties on an OVSE for:

  • Failing to follow UIDAI guidelines;

  • Using offline verification for unlawful purposes;

  • Failing to furnish information;

  • Not cooperating in inspection/audit.

NBFC implication: KYC errors will now attract UIDAI penalties, not just RBI supervisory findings.

Common KYC Mistakes NBFCs Must Stop Immediately:

  • Accepting/storing unmasked Aadhaar photocopies or Aadhaar XML or PDFs;

  • Loan Origination and Management System allowing entry of full Aadhaar numbers;

  • Not capturing customer consent;

  • DSAs collecting Aadhaar images on their phones;

  • Not maintaining verification logs;

  • Sharing Aadhaar files with outsourced vendors.

NBFC-Ready Compliance Checklist:

1. Update KYC policy and SOPs;

2. Use Masked Aadhaar Only;

3. Add Aadhaar-specific consent in digital and physical onboarding;

4. Register as an OVSE;

5. Update Systems: (i) Block “12-digit Aadhaar” fields; (ii) Enable QR/AVC verification only via UIDAI apps;

6. Strengthen Vendor/DSA Controls: Contracts must prohibit collecting/storing Aadhaar copies;

7. As per Reg. 23A, logs and records must be preserved even if OVSE access is surrendered;

8.  Quarterly audit of masked Aadhaar usage;

9. Frontline training of all branches/DSAs.

With the 2025 Amendment Regulations, NBFCs must treat Aadhaar with far higher governance, consent, and data-protection controls.

Comments

Post a Comment

Popular posts from this blog

RBI’s 100+ Penalties in a Year: What Went Wrong?

  In the past year, the Reserve Bank of India (RBI) has imposed more than 100 monetary penalties on banks, NBFCs, fintechs, and cooperative institutions. These penalties span a wide range of compliance failures—from customer due diligence lapses to weak cyber security, and from outsourcing gaps to violations of lending norms. While the penalties differ in size, they all point to a common theme: regulatory compliance is non-negotiable . Here’s a breakdown of the most frequent reasons behind these actions. Category Typical Lapses Illustrative Orders Key Directions Change in management Failed to take prior written permission of the RBI before appointing a director Grewal Brothers Finance Company Private Limited (15 May, 2025) Mahindra Rural Housing Finance Limited (28 March, 2025) Habitat Micro Build Ind...
Read more

RBI-Mandated Policies Every Base Layer NBFC Must Have: A Comprehensive Guide (Updated as on 5th December, 2025)

S. No. Policy Relevant Provision of Law Objective Remarks / Implementation Insights 1 Business Continuity Plan (BCP) & Disaster Recovery (DR) Policy Para 62, Reserve Bank of India (Non-Banking Financial Companies – Managing Risks in Outsourcing) Directions, 2025 Ensure uninterrupted business operations during disasters or cyberattacks. Ensure vendors follow recovery protocols; conduct regular mock drills and resilience testing. 2 Fair Practices Code Para 7, Reserve Bank of India (Non-Banking Financial Companies – Responsible Business Conduct) Directions, 2025 Promote transparency, ethical lending, and borrower protection. Use plain-language communications; disclose all charges upfront; avoid hidden clauses. ...
Read more

RBI and CIBIL Compliance Checklist for Base Layer NBFCs: What You Need to Know in 2025 (Updated as on 5th December, 2025)

S. No. Compliance Relevant Provision Relevant Form / Portal Timeline Remarks 1 Display following information: (a) name and contact details (Telephone/ Mobile nos. and email address) of Grievance Redressal Officer. (b) If complaint/ dispute is not redressed within 1 (One) month, customer may appeal to Officer-in-Charge of Regional Office of DNBS of RBI (complete contact details), under whose jurisdiction registered office of NBFC falls. Para 12 of Reserve Bank of India (Non-Banking Financial Companies– Credit Facilities) Directions, 2025 - Ongoing Published at branches/places of business 2 Display following information: (a) name and contact details (Telephone/mobile number and E-mail ID) of Principal Nodal Officer. (b) details of complaint lodging portal of Ombudsman (https://cms.rbi.org.in) Para ...
Read more