Unique Identification Authority of India (UIDAI)
The Unique Identification Authority of India (UIDAI) is the statutory authority constituted under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (commonly the Aadhaar Act 2016), headquartered in New Delhi, that issues Aadhaar, the 12-digit unique identification number, to Indian residents and operates the Central Identities Data Repository (CIDR), the centralised database of all Aadhaar records. As of 2026, UIDAI has issued over 1.4 billion Aadhaar numbers (more than 99 per cent of the eligible Indian resident population), making it the operator of the world’s largest biometric identity system.
UIDAI’s operational scope extends far beyond identity issuance. The authority operates the Aadhaar Authentication API and the Aadhaar e-KYC API that thousands of authorised entities use to verify identities and retrieve demographic data with resident consent. UIDAI is the foundational infrastructure underpinning Indian financial-services KYC, including for SEBI-registered intermediaries (mutual fund AMCs, brokers, RTAs), banking, insurance, and telecom. The PPFAS SelfInvest portal, Zerodha Coin, Groww, and effectively every Indian fintech aggregator rely on UIDAI’s API ecosystem for retail-investor onboarding.
Origin and statutory framework
Pre-UIDAI identity-infrastructure gap
Before UIDAI’s establishment, India did not have a centralised resident-identity database. The fragmented identity-document landscape created several problems for both citizens and the state:
- Welfare-delivery inefficiency: Welfare programmes such as the public distribution system, MGNREGA, and Direct Benefit Transfer relied on state-level beneficiary lists with significant duplicate and ghost enrolments.
- Financial inclusion limits: Without verifiable identity, rural and economically disadvantaged Indians faced barriers to opening bank accounts or obtaining formal financial services.
- Administrative cost: Each programme verified identity separately, creating administrative friction.
The Government of India under Prime Minister Manmohan Singh’s UPA-II administration prioritised a unified identity solution in the late 2000s.
2009 establishment under executive authority
UIDAI was established in January 2009 as an attached office of the Planning Commission (later moved to the Ministry of Electronics and Information Technology). Initially, UIDAI operated under executive authority without specific statute. Nandan Nilekani, co-founder of Infosys, was appointed as the founding Chairperson with the rank of Cabinet Minister; he served from 2009 to 2014. Under Nilekani’s leadership, UIDAI:
- Designed the Aadhaar number structure and biometric system.
- Built the CIDR infrastructure.
- Issued the first Aadhaar number to Ranjana Sonawane of Tembhli village in Maharashtra on 29 September 2010.
- Achieved rapid enrolment scale, crossing 1 billion Aadhaar numbers by 2016.
2016 statutory formalisation
In March 2016, UIDAI was formalised under the Aadhaar Act, 2016. The Act provided UIDAI with statutory authority, defining its governance, powers, and obligations. Key provisions:
- Sections 11 to 14: UIDAI structure as a body corporate with a Chairperson, two Members, and a Chief Executive Officer.
- Section 16: UIDAI’s powers to perform functions necessary for Aadhaar enrolment, authentication, and the CIDR.
- Sections 23-27: UIDAI’s functions including enrolment regulation, authentication services, and grievance redressal.
- Sections 28-33: Data security, confidentiality, and disclosure framework.
Post-2016, UIDAI operates as a statutory authority under the Ministry of Electronics and Information Technology.
Puttaswamy judgments and regulatory constraints
The Justice K.S. Puttaswamy (Retd.) v. Union of India judgments at the Supreme Court significantly affected UIDAI’s operational scope:
- Puttaswamy I (2017): Established the right to privacy as a fundamental right.
- Puttaswamy II (2018): Upheld Aadhaar’s constitutionality with significant limitations on mandatory private-sector use, particularly Section 57 of the Aadhaar Act (which allowed private-entity authentication).
UIDAI revised its operational practices post-Puttaswamy II to comply with the constitutional limits, including the introduction of voluntary-consent frameworks and the Offline-XML mechanism.
2019 Amendment Act
The Aadhaar and Other Laws (Amendment) Act, 2019 provided post-Puttaswamy regulatory clarity. Key changes affecting UIDAI:
- Allowed UIDAI to license entities for voluntary Aadhaar authentication under strict conditions.
- Established stronger data-protection commitments by AUAs (Authentication User Agencies) and KUAs (e-KYC User Agencies).
- Introduced Offline-XML as a privacy-preserving alternative to online authentication.
Governance and leadership
Chairperson and Members
UIDAI is led by a Chairperson and two Members, all appointed by the central government:
- Chairperson: The executive head, traditionally with substantial public-administration or technology background.
- Members: Typically chosen for technical, legal, or administrative expertise.
- Chief Executive Officer: Manages day-to-day operations.
Notable past Chairpersons:
- Nandan Nilekani (2009-2014): Founding Chairperson; instrumental in technology design.
- Subsequent Chairpersons have led UIDAI through statutory formalisation, post-Puttaswamy implementation, and operational scaling.
Ministry of Electronics and Information Technology
UIDAI operates under the Ministry of Electronics and Information Technology (MeitY), reporting administratively while maintaining operational independence as a statutory authority. MeitY provides policy direction and budget allocation.
Regional offices
UIDAI operates regional offices across India for enrolment supervision, authentication-service licensing, and grievance handling. Each regional office covers multiple states.
Operational infrastructure
Central Identities Data Repository (CIDR)
The CIDR is UIDAI’s centralised database storing:
- Demographic data: Name, DOB, gender, address, mobile, email of every Aadhaar holder.
- Biometric data: 10 fingerprints, 2 iris scans, facial photograph.
- Authentication-history metadata: Records of authentication transactions (with strict access controls).
The CIDR is protected by extensive data-security controls:
- Physical security: Hardened data centres at multiple secret locations.
- Encryption at rest and in transit: All data is encrypted.
- Access controls: Restricted to authorised UIDAI personnel.
- Audit logging: All access is logged.
- Periodic security audits: By independent agencies.
UIDAI’s claim is that the central database has not been breached despite extensive scrutiny.
Enrolment infrastructure
Aadhaar enrolment is conducted through a multi-tier network:
- Permanent Enrolment Centres: At banks, post offices, Common Service Centres (CSCs), and UIDAI regional offices. Approximately 50,000+ such centres operate as of 2026.
- Mobile enrolment vans: For rural and remote areas where permanent centres are absent.
- Update centres: For Aadhaar updates (address change, mobile linkage, photograph refresh).
Enrolment agencies are licensed by UIDAI under strict operational and data-protection norms.
Authentication infrastructure
UIDAI’s authentication infrastructure handles billions of authentication requests annually:
- Authentication API: For real-time identity verification.
- e-KYC API: For demographic-data retrieval with consent.
- Offline-XML: For offline verification scenarios.
The infrastructure is designed for sub-second response times across the full geographic scale of India.
Authentication User Agencies (AUAs) and e-KYC User Agencies (KUAs)
- AUA: An entity authorised to use Aadhaar for authentication. Examples: banks for ATM-PIN verification, telecom operators for SIM linkage.
- KUA: An entity authorised to use Aadhaar for e-KYC (retrieving demographic data). Examples: mutual fund AMCs for investor onboarding, brokers for account opening.
Each AUA and KUA is licensed under defined commitments including:
- Purpose limitation (only the agreed purpose).
- Data-minimisation (only the necessary data).
- Storage limitation (cannot store Aadhaar number long-term unless legally required).
- Consent management (resident must provide explicit consent).
Violations can result in license cancellation and penalties.
Authentication services
Authentication types
UIDAI offers multiple authentication mechanisms:
- Demographic authentication: Match name, DOB, address against UIDAI records.
- OTP-based authentication: One-time password sent to the Aadhaar-registered mobile.
- Biometric authentication: Fingerprint or iris match against UIDAI records (subject to Puttaswamy II restrictions on private-sector use).
- Face authentication: Facial recognition against UIDAI-stored photo.
For mutual fund and brokerage e-KYC, OTP-based authentication is the primary mechanism given Puttaswamy II’s biometric restrictions.
e-KYC API
The e-KYC API is UIDAI’s most-used service for financial-services onboarding. The flow:
- Resident provides Aadhaar number and consents to e-KYC.
- Authorised entity (KUA) sends a request to UIDAI.
- UIDAI sends an OTP to the Aadhaar-registered mobile.
- Resident enters OTP.
- UIDAI verifies OTP and returns the demographic data (name, DOB, address, photograph) to the KUA.
- The KUA uses this data to populate the customer’s KYC profile.
The entire flow completes in approximately 30 seconds to 2 minutes.
Aadhaar-based e-sign
The Aadhaar-based e-sign framework allows electronic signing of documents with legal validity equivalent to physical signature under Section 3A of the Information Technology Act, 2000. The flow:
- Document hash sent to the e-sign service provider.
- Resident authenticates via Aadhaar OTP.
- UIDAI verifies and returns authentication confirmation.
- The e-sign service provider issues a digital signature applied to the document.
This is used for SEBI broker-client agreements, mutual fund subscription forms, depository participant agreements, and other regulated documents.
Offline-XML
Introduced post-Puttaswamy II as a privacy-preserving alternative:
- Resident generates an Offline-XML file from UIDAI’s portal or app.
- The file is digitally signed by UIDAI but contains only a masked Aadhaar number (last 4 digits visible).
- The entity verifying identity accepts the Offline-XML as proof.
Offline-XML provides privacy protection (the full Aadhaar number is not transmitted to the verifying entity) and is preferred by privacy-conscious investors.
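The same masking rule (only the last 4 digits visible) is what a KUA or AUA can apply to its own logs to honour the storage-limitation commitment described earlier. The following is an added example, not UIDAI code or part of the original article: it finds 12-digit candidates in log lines, confirms them with the Verhoeff check digit, and masks only those that pass. The use of Verhoeff and the leading digit 2-9 are assumptions not stated on this page; the function names, log format and sample numbers are constructed for illustration.

```python
import re

# Verhoeff tables as digit strings: D = multiplication, P = permutation, INV = inverse.
D = ["0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210"]
P = ["0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258"]
INV = "0432156789"

def _fold(digits, offset):
    """Run the Verhoeff recurrence over the digits, right to left."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[(i + offset) % 8][int(ch)])])
    return c

def verhoeff_valid(number):
    """True if the last digit is the correct Verhoeff check digit."""
    return number.isdigit() and _fold(number, 0) == 0

def verhoeff_check_digit(payload):
    """Check digit to append to payload (used here only to build test data)."""
    return INV[_fold(payload, 1)]

# 12 digits, optionally grouped 4-4-4; the leading 2-9 is an assumption.
CANDIDATE = re.compile(r"(?<!\d)([2-9]\d{3})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")

def mask_aadhaar(text):
    """Mask checksum-valid 12-digit numbers, keeping only the last 4 digits."""
    def repl(match):
        number = "".join(match.groups())
        if not verhoeff_valid(number):
            return match.group(0)  # e.g. an order id; leave untouched
        return "XXXX XXXX " + number[-4:]
    return CANDIDATE.sub(repl, text)

# Constructed sample data (not real identifiers or real log output).
_PAYLOAD = "29990000123"
SAMPLE_UID = _PAYLOAD + verhoeff_check_digit(_PAYLOAD)
NOT_A_UID = _PAYLOAD + str((int(SAMPLE_UID[-1]) + 1) % 10)  # checksum fails
SAMPLE_LOG = [
    f"2026-01-10T09:12:03Z ekyc_request uid={SAMPLE_UID} status=otp_sent",
    f"2026-01-10T09:12:41Z ekyc_done uid={SAMPLE_UID[:4]} {SAMPLE_UID[4:8]} {SAMPLE_UID[8:]}",
    f"2026-01-10T09:13:02Z order_created order_id={NOT_A_UID}",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(mask_aadhaar(line))
```

Checking the checksum before masking keeps unrelated 12-digit values, such as order or transaction ids, intact, so the log stays useful for troubleshooting.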
Role in financial services
SEBI-prescribed KYC framework
Under the SEBI KYC framework, UIDAI’s e-KYC is the principal pathway for first-time investor onboarding. SEBI-registered intermediaries (mutual fund AMCs, brokers, depository participants, RTAs) use UIDAI’s API ecosystem in onboarding flows.
The SEBI KRA (KYC Registration Agency) framework coordinates with UIDAI:
- CAMS KRA and KFin KRA are SEBI-registered KRAs.
- They use UIDAI’s e-KYC API to populate investor KYC profiles.
- They share validated KYC records across the SEBI-intermediary ecosystem.
Mutual fund onboarding
The mutual fund onboarding flow uses UIDAI’s e-KYC API:
- Investor provides PAN and Aadhaar.
- The AMC or aggregator platform (acting as KUA) initiates e-KYC.
- UIDAI OTP-verifies the investor.
- Demographic data populates the investor’s MF profile.
- The KYC profile is registered with the SEBI KRA network.
The flow completes in 10-15 minutes for first-time investors.
Bank account opening
Banks may use UIDAI’s e-KYC for account opening with the investor’s consent. Post-Puttaswamy II, banks cannot mandate Aadhaar; alternative ID documents are available.
Insurance and other financial services
Insurance, NBFC, and other regulated financial services use UIDAI’s e-KYC similarly, with applicable regulator-specific frameworks (IRDAI for insurance, RBI for NBFCs).
Data protection and privacy framework
Aadhaar Act provisions
Sections 28-33 of the Aadhaar Act establish UIDAI’s data-protection framework:
- Section 28: UIDAI’s duty to protect data security.
- Section 29: Restriction on use of Aadhaar information.
- Section 30: Prohibition on biometric data sharing.
- Section 32: Penalties for unauthorised access.
Digital Personal Data Protection Act 2023
The DPDP Act 2023 provides overarching data protection. Under DPDP:
- UIDAI is a data fiduciary processing the resident’s personal data.
- UIDAI must obtain consent for non-statutory uses.
- The Data Protection Board can adjudicate violations.
Aadhaar-related processing falls under both the Aadhaar Act and DPDP, providing two-tier protection.
Authentication-history transparency
UIDAI provides residents with access to their authentication history:
- Through the mAadhaar mobile app.
- Through the UIDAI website.
- Through the e-Aadhaar download.
Residents can see when their Aadhaar was authenticated, by which entity, and for what purpose.
Aadhaar lock-unlock
Residents can lock their Aadhaar to prevent unauthorised authentication:
- Useful when not actively using Aadhaar.
- Unlocked temporarily when needed.
This is a privacy-protection mechanism introduced post-Puttaswamy.
Operational scale and impact
Enrolment scale
- Over 1.4 billion Aadhaar numbers issued as of 2026.
- Approximately 99 per cent of eligible Indian residents enrolled.
- The world’s largest biometric identity system.
Authentication scale
- Billions of authentication transactions annually.
- Tens of billions of e-KYC transactions cumulatively.
- Foundation for digital service delivery across financial services, welfare, telecom, and government.
Economic impact
- Direct Benefit Transfer (DBT): UIDAI’s Aadhaar enables efficient DBT, reducing leakage and improving welfare-delivery efficiency. Government estimates of savings run to tens of thousands of crores annually.
- Financial inclusion: Aadhaar e-KYC has facilitated bank account opening for previously excluded populations.
- Reduced compliance cost: Aadhaar e-KYC reduces operational cost across financial services.
Criticism and ongoing debates
Privacy concerns
Despite UIDAI’s protective frameworks, privacy concerns persist:
- Centralisation risk: The CIDR’s centralised structure creates single-point-of-failure risk.
- Function-creep: Aadhaar use has expanded substantially beyond original welfare-delivery framing.
- Authentication-failure exclusion: Biometric authentication failures (worn fingerprints, etc.) have caused welfare-access denial.
- Periodic data-access concerns: Independent reports of unauthorised access have surfaced, though UIDAI maintains the central CIDR has not been breached.
Constitutional limits
Puttaswamy II constrains UIDAI’s operational scope:
- Cannot make Aadhaar mandatory for private-sector services.
- Must rely on voluntary consent for authentication and e-KYC.
- Cannot share biometric data with any agency.
UIDAI’s operational compliance with these constraints is monitored by courts and civil-society organisations.
Authentication failure rates
Approximately 5-10 per cent of authentication transactions fail due to:
- Biometric mismatch (worn fingerprints, particularly common among manual labourers and the elderly).
- Demographic mismatch.
- Connectivity issues.
UIDAI has progressively improved success rates through:
- Multi-modal authentication (multiple biometric or OTP attempts).
- Face authentication introduction.
- Continuous algorithm refinement.