
Aadhaar

From WebNotes, a public knowledge base. Reading time ~16 min.

Aadhaar is a 12-digit unique identification number issued to Indian residents by the Unique Identification Authority of India (UIDAI), a statutory authority constituted under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, commonly called the Aadhaar Act, 2016. Aadhaar is the world’s largest biometric identity system: as of 2026, over 1.4 billion Aadhaar numbers have been issued (more than 99 per cent of the eligible Indian resident population), with the enrolment infrastructure operated through enrolment agencies and Common Service Centres across India. The Aadhaar ecosystem includes the Aadhaar e-KYC API, the Aadhaar-based e-sign framework, Aadhaar Authentication services, and the Aadhaar Offline-XML pathway, which together form the operational backbone for digital identity verification across Indian financial services, government welfare delivery, telecom, and other regulated sectors.

Aadhaar’s role in Indian mutual funds, brokerage, banking, and insurance is foundational. Under the SEBI-prescribed KYC framework, Aadhaar e-KYC is the fastest and most operationally common path for retail-investor onboarding. The PPFAS SelfInvest portal, Zerodha Coin, Groww, Kuvera, and effectively every Indian fintech aggregator relies on Aadhaar e-KYC as the primary identity-verification mechanism. Under the Finance Act 2023, every PAN must be linked with Aadhaar by 30 June 2023 (with various extensions); an unlinked PAN is treated as inoperative, blocking transactions across mutual funds, brokerage, and most financial services.

Origin and statutory framework

Pre-Aadhaar identity landscape

Before Aadhaar’s launch, Indian residents could prove identity through a fragmented set of documents:

  • Voter ID (Election Commission of India).
  • Passport (Ministry of External Affairs).
  • Driving licence (state-level transport authorities).
  • PAN card (Income Tax Department).
  • Ration card (state public-distribution system).
  • Other state-level identity proofs.

This fragmentation produced several problems:

  • Exclusion: Many rural and economically disadvantaged Indians lacked any government-issued identity document, blocking access to welfare benefits.
  • Duplicate identities: The lack of a single identity registry enabled duplicate enrolment in welfare programmes (so-called “ghost beneficiaries”).
  • Inefficiency in service delivery: Each programme required separate identity verification, increasing administrative cost.
  • Limited financial inclusion: Without identity proof, opening bank accounts or obtaining formal financial services was effectively impossible for large sections of the population.

The Government of India in the late 2000s prioritised a unified identity solution.

2009 launch of UIDAI

UIDAI was set up in January 2009 as an attached office of the Planning Commission (later Ministry of Electronics and Information Technology), tasked with creating and managing a unique identity number for Indian residents. The first Aadhaar number was issued in September 2010 to a resident of Maharashtra. UIDAI operated initially under executive authority without formal statute, which would later be addressed by the 2016 Act.

Aadhaar Act 2016

After several years of operation under executive authority, Aadhaar was statutorily formalised through the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, enacted on 25 March 2016. Key provisions:

  • Section 3: Every Indian resident is entitled (not obligated) to obtain an Aadhaar number.
  • Section 7: Aadhaar may be used as proof of identity for receipt of subsidies, benefits, or services from consolidated funds.
  • Sections 4 and 5: UIDAI is responsible for issuing Aadhaar and maintaining the underlying Central Identities Data Repository (CIDR).
  • Section 8: Authentication mechanism using biometric and demographic data.
  • Sections 28-33: Data security, confidentiality, and disclosure framework.
  • Section 33A: UIDAI may disclose information for national security purposes only with specific authorisation.
  • Sections 38-47: Offences and penalties for unauthorised access, identity theft, and similar violations.

The Act formally established Aadhaar as a statutory mechanism and created UIDAI as a statutory authority.

Supreme Court constitutional review

Aadhaar’s constitutional validity was extensively litigated before the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India. Two key judgments:

  • Puttaswamy I (24 August 2017): The nine-judge constitutional bench unanimously held that the right to privacy is a fundamental right protected by the Constitution. This judgment did not strike down Aadhaar but established the privacy framework against which Aadhaar would later be assessed.
  • Puttaswamy II (26 September 2018): The five-judge bench addressed Aadhaar’s constitutionality directly. The judgment upheld Aadhaar’s core constitutionality but read down or struck down several provisions:
    • Section 57 struck down: The provision permitting private-entity Aadhaar authentication was held unconstitutional.
    • Section 33(2) struck down: The provision allowing disclosure for national security was modified.
    • Schools and CBSE cannot mandate Aadhaar for admission.
    • Banks cannot mandate Aadhaar for account opening (though may use it as one option).
    • Telecom companies cannot mandate Aadhaar for SIM linkage.
    • Aadhaar is mandatory for: PAN linkage, ITR filing, accessing subsidies and welfare programmes.

The Puttaswamy II judgment significantly narrowed Aadhaar’s mandatory-use scope.

2019 Aadhaar Amendment Act

In response to Puttaswamy II, the Aadhaar and Other Laws (Amendment) Act, 2019 was enacted. Key changes:

  • Allowed voluntary Aadhaar authentication by entities under specific conditions, with UIDAI approval and following strict data-protection norms.
  • Introduced offline Aadhaar verification (the Offline-XML mechanism) where authentication can occur without online connection to UIDAI’s CIDR.
  • Established the framework for Aadhaar-Linked Mobile (ALM) and other secondary uses.

This amendment provided the regulatory basis for the continuing financial-services use of Aadhaar e-KYC, with stricter privacy protections.

Enrolment and data structure

Demographic data

Aadhaar enrolment captures:

  • Full name (as legally documented).
  • Date of birth.
  • Gender (male, female, or transgender).
  • Address (residential).
  • Mobile number (optional but commonly registered).
  • Email (optional).

The demographic data is verifiable against documents the enrolee provides (e.g., proof of identity and proof of address from a SEBI-prescribed list).

Biometric data

Aadhaar’s distinctive feature is biometric capture:

  • 10 fingerprints (all fingers, in standardised positions).
  • 2 iris scans (left and right eye).
  • Facial photograph.

This biometric capture is what enables Aadhaar to detect duplicate enrolments: when a person attempts to enrol a second time, the biometric system matches against existing records and flags the duplicate.

Central Identities Data Repository (CIDR)

The CIDR is the centralised database maintained by UIDAI. It stores:

  • Demographic data for every enrolled resident.
  • Biometric data (with strict access controls).
  • Authentication-history metadata.

The CIDR is protected by extensive data-security controls and is not directly accessible by third parties; authentication requests are processed through UIDAI’s API.

Aadhaar number structure

The 12-digit Aadhaar number:

  • Is randomly generated (no intrinsic meaning).
  • Includes a checksum digit for error detection.
  • Is unique per individual (no duplicates after biometric de-duplication).
  • Once issued, is permanent and does not change with address moves or other life events.
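
The checksum digit lets an onboarding form reject mistyped numbers before any authentication request is made. The sketch below is an added example, not UIDAI or WebNotes code; it assumes the checksum is the Verhoeff scheme and that the first digit is 2-9 (neither is stated above), and its sample numbers are constructed.

```python
# Added example: Verhoeff check for 12-digit Aadhaar-style numbers plus log masking.
# Assumptions (not stated on the page): the checksum is Verhoeff and the first
# digit is 2-9. All sample numbers are constructed, not real Aadhaar numbers.

# Dihedral-group multiplication table, position permutations, and inverses.
D = ("0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")
P = ("0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258")
INV = "0432156789"


def _fold(digits: str, offset: int) -> int:
    """Run the Verhoeff recurrence right to left; offset=1 leaves room for the check digit."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[(i + offset) % 8][int(ch)])])
    return c


def verhoeff_check_digit(payload: str) -> str:
    """Check digit to append to a string of decimal digits."""
    return INV[_fold(payload, 1)]


def normalise(raw: str) -> str:
    """Strip the spaces and hyphens people type between 4-digit groups."""
    return raw.replace(" ", "").replace("-", "")


def is_well_formed(raw: str) -> bool:
    """True only for 12 ASCII digits, first digit 2-9, valid checksum."""
    n = normalise(raw)
    if len(n) != 12 or not (n.isascii() and n.isdigit()) or n[0] in "01":
        return False
    return _fold(n, 0) == 0


def mask_for_logs(raw: str) -> str:
    """Keep only the last 4 digits visible; never write the rest to logs."""
    n = normalise(raw)
    ok = len(n) == 12 and n.isascii() and n.isdigit()
    return "XXXXXXXX" + n[-4:] if ok else "<invalid>"


if __name__ == "__main__":
    sample = "23412341234"  # constructed 11-digit payload
    number = sample + verhoeff_check_digit(sample)
    typo = number[:5] + str((int(number[5]) + 1) % 10) + number[6:]
    swapped = number[1] + number[0] + number[2:]
    for label, value in (("good", number), ("typo", typo), ("swap", swapped)):
        print(label, mask_for_logs(value), is_well_formed(value))
```

A passing check shows only that the number is well formed, not that it was issued or belongs to the person presenting it; establishing that is the job of the authentication mechanisms.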

Authentication and e-KYC framework

Authentication types

UIDAI offers multiple authentication mechanisms:

  • Demographic authentication: Match name, DOB, address against UIDAI records.
  • OTP-based authentication: One-time password sent to the Aadhaar-registered mobile.
  • Biometric authentication: Fingerprint or iris scan against UIDAI records (subject to Puttaswamy II restrictions on private use).
  • Face authentication: Facial recognition against the UIDAI-stored photo (introduced later for accessibility).

For mutual fund and financial-services e-KYC, OTP-based authentication is the most common, given Puttaswamy II’s restrictions on private-entity biometric use.

Aadhaar e-KYC

Aadhaar e-KYC is the API service that allows authorised entities (banks, mutual funds, telecom operators with proper licensing) to verify a person’s identity and retrieve their demographic data with their explicit consent. The flow:

  1. The investor (or other resident) provides their Aadhaar number and consents to e-KYC.
  2. The entity sends an authentication request to UIDAI’s CIDR.
  3. UIDAI sends an OTP to the Aadhaar-registered mobile.
  4. The investor enters the OTP.
  5. On successful OTP verification, UIDAI returns the demographic data (name, DOB, address, photograph) to the entity.

The entity uses this data to populate the customer’s KYC profile.

For PPFAS investors, the PPFAS SelfInvest onboarding uses Aadhaar e-KYC as the standard flow.

Aadhaar-based e-sign

The Aadhaar-based e-sign framework allows electronic signing of documents with legal validity equivalent to physical signature under Section 3A of the Information Technology Act, 2000. The flow:

  1. The signer’s PAN and Aadhaar are linked.
  2. The document hash is sent to the e-sign service provider.
  3. The signer authenticates via Aadhaar OTP.
  4. A digital signature is generated and applied to the document.

This is used for SEBI broker-client agreements, mutual fund subscription forms, depository participant agreements, and other regulated documents.

Offline-XML

The Offline-XML mechanism allows Aadhaar verification without an online API call to UIDAI:

  • The resident generates an Offline-XML file from UIDAI’s portal (or app).
  • The file is digitally signed by UIDAI but contains a masked Aadhaar number (last 4 digits visible).
  • The entity verifying identity accepts the Offline-XML as proof.

Offline-XML provides privacy protection (the Aadhaar number itself is not transmitted) and is preferred by privacy-conscious investors.

PAN-Aadhaar linkage

Section 139AA of the Income Tax Act

The Finance Act 2017 introduced Section 139AA of the Income Tax Act, 1961, making Aadhaar mandatory for:

  • Obtaining a new PAN.
  • Filing income tax returns.
  • Linking with existing PAN.

The Section was upheld in Puttaswamy II as a permissible Aadhaar use under Section 7 of the Aadhaar Act.

Finance Act 2023 inoperative-PAN framework

The Finance Act 2023 strengthened the PAN-Aadhaar linkage mandate. Key provisions:

  • Every PAN must be linked with Aadhaar by 30 June 2023 (with extensions).
  • An unlinked PAN is treated as inoperative.
  • An inoperative PAN cannot be used for tax filing, mutual fund or brokerage transactions, or other tax-related activities.
  • The Income Tax Department’s e-filing portal blocks transactions on inoperative PANs.

This framework has direct operational impact across SEBI-registered intermediaries: an unlinked PAN cannot place new mutual fund subscriptions, redeem units, or perform similar regulated activities. PPFAS SelfInvest and other aggregator platforms verify PAN-Aadhaar linkage status before processing new transactions.

Exemptions

Certain categories are exempt from PAN-Aadhaar linkage:

  • Non-resident Indians (NRIs).
  • Foreign citizens.
  • Residents of Assam, Meghalaya, and Jammu and Kashmir (state-specific exemption).
  • Super-senior citizens (aged 80 years or above).

For these categories, alternative KYC pathways apply.

Aadhaar in financial services

Mutual fund e-KYC

Under the SEBI KYC framework, Aadhaar e-KYC is the principal pathway for first-time investor onboarding. The flow:

  1. Investor provides PAN and Aadhaar.
  2. The AMC or aggregator platform (SEBI-registered KRA, KYC Registration Agency) verifies PAN against the Income Tax database.
  3. Aadhaar e-KYC OTP verification is conducted.
  4. Demographic data populates the investor’s KYC profile.
  5. The KYC profile is registered with the SEBI KRA network (CAMS KRA, KFin KRA, etc.).

Aadhaar e-KYC typically completes in 10-15 minutes for new investors.

Bank account opening

Banks may use Aadhaar e-KYC for account opening with the investor’s consent, but post-Puttaswamy II, banks cannot mandate Aadhaar; alternative pathways must be available.

Telecom SIM linkage

Pre-Puttaswamy II, telecom operators were mandating Aadhaar for SIM card linkage. Post-Puttaswamy II, this is voluntary; alternative ID documents are accepted.

Insurance

Life and general insurance use Aadhaar e-KYC for policy issuance and KYC compliance.

Data protection framework

Sections 28-33 of the Aadhaar Act

The Aadhaar Act includes specific data-protection provisions:

  • Section 28: UIDAI must protect data security and ensure confidentiality.
  • Section 29: Use of Aadhaar information is restricted to authentication purposes only.
  • Section 30: Biometric data may not be shared with any agency for any purpose.
  • Section 32: Penalties for unauthorised access, including imprisonment up to three years.

Digital Personal Data Protection Act 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) provides the overarching data-protection framework for India. It:

  • Applies to all entities processing personal data of Indian residents.
  • Defines data principal (the individual) and data fiduciary (the entity processing).
  • Specifies consent, purpose limitation, and data-minimisation requirements.
  • Establishes the Data Protection Board for adjudicating violations.

Aadhaar-related data processing falls under both the Aadhaar Act and the DPDP Act, providing two-tier protection.

Operational ecosystem

Enrolment agencies and CSCs

Aadhaar enrolment is conducted through:

  • Permanent Enrolment Centres at banks, post offices, and Common Service Centres (CSCs).
  • Mobile enrolment vans for rural and remote areas.
  • Update centres for Aadhaar updates (address change, mobile linkage, photograph update).

UIDAI maintains a network of approximately 50,000+ enrolment and update centres.

Authentication-service providers (ASPs)

Banks, mutual funds, and other regulated entities access UIDAI’s authentication API through:

  • Authentication Service Providers (ASPs): SEBI/RBI-approved intermediaries that route authentication requests.
  • Direct UIDAI integration: For larger entities with technical capability.

The ASP framework provides standardised API access while maintaining UIDAI’s security controls.

Authentication User Agencies (AUAs) and e-KYC User Agencies (KUAs)

  • AUA: An entity authorised to use Aadhaar for authentication.
  • KUA: An entity authorised to use Aadhaar for e-KYC (retrieving demographic data).

Each AUA and KUA is licensed by UIDAI under defined data-protection commitments.

Criticism and debates

Privacy concerns

Civil-society and privacy-advocacy organisations have raised concerns:

  • Centralisation risk: The CIDR’s centralised structure creates single-point-of-failure risk.
  • Function creep: Aadhaar’s use has expanded beyond the original welfare-delivery framework to financial services, telecom, etc.
  • Biometric exclusion: Workers in manual labour may have worn fingerprints, leading to authentication failures and welfare-access denial.
  • Data breaches: Periodic reports of unauthorised access to CIDR data, though UIDAI maintains the central database has not been breached.

Mandatory-versus-voluntary debate

Puttaswamy II constrained mandatory use, but operational practice often makes Aadhaar effectively unavoidable:

  • PAN-Aadhaar linkage is required (post Finance Act 2023).
  • ITR filing requires Aadhaar.
  • Many welfare programmes require Aadhaar.
  • Effective use of digital financial services is hard without Aadhaar e-KYC.

Quality of demographic data

The address data in Aadhaar reflects the residence at the time of enrolment; for citizens who have moved, the data may be outdated. Update mechanisms exist but require enrolee initiative.


Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.