THE AADHAAR (AUTHENTICATION AND OFFLINE VERIFICATION) REGULATIONS, 2021 1
78c1233e88c018978136dc1f899b4142808396a4 · 2016 · State unknown
Parent: THE AADHAAR (TARGETED DELIVERY OF FINANCIAL AND OTHER SUBSIDIES, BENEFITS AND SERVICES) ACT, 2016 (e5452e76268985edd128a049b6e27a9ff6b4f2fb)
1 · Short title and commencement. — (1) These regulations may be called the Aadhaar (Authentication and Offline Verification) Regulations, 2021.
2 · Definitions. — (1) In these regulations, unless the context otherwise requires,—
2 · [(ab) "Aadhaar Letter" means a document for conveying the Aadhaar number to a resident;]
1 · Published in the Gazette of India, Extraordinary, Part III, Section 4, No. 542, dated 9.11.2021, vide notification No. K-11020/240/2021/Auth/UIDAI (No. 2 of 2021), dated 8.11.2021, and subsequently amended vide notification No. K-11020/240/2021/Auth/UIDAI (No. 1 of 2022), dated 4.2.2022 (w.e.f. 4.2.2022), No. HQ-13011/240/2021-AUTH-II (No. 01 of 2023) dated 24.2.2023 (w.e.f. 27.2.2023), No. HQ-13073/1/2020-AUTH.II(E), dated 29.9.2023 (w.e.f. 3.10.2023), No. HQ-13073/1/2020-AUTH.II(E), dated 31.1.2024 (w.e.f. 31.1.2024) and notification No. HQ-13079/10/2024-AUTH-II(E), dated 3.12.2024 (w.e.f. 4.12.2024).
2 · Ins. by notification No. K-11020/240/2021/Auth/UIDAI (No. 1 of 2022), dated 4.2.2022 (w.e.f. 4.2.2022).
3 · [(bd) "Aadhaar PVC Card" means a Polyvinyl Chloride Card (PVC), issued by the Authority upon payment of prescribed charges, which has Aadhaar number, demographic information and photograph of an Aadhaar number holder printed on it along with Aadhaar Secure QR code and is equivalent to paper-based Aadhaar Letter;]
4 · [(ib) "Digital signature" means digital signature as defined in clause (p) of sub-section (1) of Section 2 of the Information Technology Act, 2000 (21 of 2000);
3 · Ins. by notification No. K-11020/240/2021/Auth/UIDAI (No. 1 of 2022), dated 4.2.2022 (w.e.f. 4.2.2022).
4 · Ins. by notification No. K-11020/240/2021/Auth/UIDAI (No. 1 of 2022), dated 4.2.2022 (w.e.f. 4.2.2022).
5 · [(j) "e-KYC authentication facility" means a type of authentication facility—
6 · [(la) "mAadhaar" means the official mobile application developed by the Authority to provide an interface to Aadhaar Number holders to carry their Aadhaar details as registered with CIDR which inter alia includes Aadhaar number along with demographic information and photograph of the Aadhaar number holder;]
5 · Subs. by notification No. HQ-13073/1/2020-AUTH.II(E), dated 31.1.2024 (w.e.f. 31.1.2024).
6 · Ins. by notification No. K-11020/240/2021/Auth/UIDAI (No. 1 of 2022), dated 4.2.2022 (w.e.f. 4.2.2022).
8 · [(p) "Yes/No authentication facility" means a type of authentication facility—
7 · Subs. vide notification No. HQ-13079/10/2024-AUTH-II(E), dated 3.12.2024 (w.e.f. 4.12.2024).
8 · Subs. vide notification No. HQ-13073/1/2020-AUTH.II(E), dated 31.1.2024 (w.e.f. 31.1.2024).
3 · Types of Authentication Facilities. —There shall be two types of authentication facilities provided by the Authority, namely-
3A · Types of Offline Verification.—1. There shall be following types of Offline Verification services provided by the Authority, namely-
2 · The Authority shall provide various means to download QR Code, e-Aadhaar or Aadhaar Paperless Offline e-KYC through website, mobile application or other means.
4 · Modes of Authentication. — (1) An authentication request shall be entertained by the Authority only upon a request sent by a requesting entity electronically in accordance with these regulations and conforming to the specifications laid down by the Authority.
4A · Virtual Identity number (VID).—(1) Authority shall provide an alternate identification number mapped with Aadhaar number for the purpose of authentication.
5 · Information to the Aadhaar number holder. — (1) At the time of authentication or Offline Verification, a requesting entity or Offline Verification Seeking Entity (OVSE) respectively shall inform the Aadhaar number holder or in case of a child, inform the parent or guardian, of the following details: -
6 · Consent of the Aadhaar number holder. — (1) After communicating the information in accordance with Regulation 5, a requesting entity or Offline Verification Seeking Entity (OVSE) shall obtain the consent of the Aadhaar number holder or in case of a child, the consent of the parent or guardian of the child for the authentication or verification.
7 · Capturing of biometric information by requesting entity.—(1) A requesting entity shall capture the biometric information of the Aadhaar number holder using certified biometric devices as per the processes and specifications laid down by the Authority.
8 · Devices, client applications, etc. used in authentication.—(1) All devices and equipment used for authentication shall be certified as required and as per the specifications issued, by the Authority from time to time for this purpose.
9 · 9 [Process for performance of authentication]. — (1) After collecting the Aadhaar number or any other identifier provided by the requesting entity which is mapped to Aadhaar number and necessary demographic and/or biometric information and/or OTP from the Aadhaar number holder, the client application shall immediately package and encrypt these input parameters into PID block before any transmission, as per the specifications laid down by the Authority, and shall send it to server of the requesting entity using secure protocols as may be laid down by the Authority for this purpose.
10 · [(3) Based on the mode of authentication request, after the input parameters have been matched against the information of the Aadhaar number available in the CIDR and CIDR has verified the correctness or lack thereof, the Authority shall return a digitally signed Yes or No response, or a digitally signed e-KYC response with encrypted e-KYC data, as the case may be, along with related technical details.
9 · Subs. by notification No. HQ-13073/1/2020-AUTH.II(E), dated 31.1.2024 (w.e.f. 31.1.2024).
10 · Subs. by notification No. HQ-13073/1/2020-AUTH.II(E), dated 31.1.2024 (w.e.f. 31.1.2024).
10 · Notification/Acknowledgement of authentication or offline verification to Aadhaar number holder. — (1) The Aadhaar number holder shall be notified by the requesting entity about any authentication, through email and/or SMS and/or other digital means and/or paper based acknowledgement about success or failure of authentication on each request. Such notification/acknowledgement shall include requesting entity's name, date and time of authentication, auth response code, last 4 digits of Aadhaar number and purpose of authentication, as the case may be.
12 · [(4) In sub-regulation (3), the expression—
11 · Subs. for "failure such as Suspended/Cancelled Aadhaar or Biometric/Aadhaar Locking", vide notification No. HQ-13073/1/2020-AUTH.II(E), dated 31.1.2024 (w.e.f. 31.1.2024).
12 · Subs. by notification No. HQ-13073/1/2020-AUTH.II(E), dated 31.1.2024 (w.e.f. 31.1.2024).
11 · Biometric locking.—(1) The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.
11A · Aadhaar locking.—(1) The Authority shall enable an Aadhaar number holder to lock his/her Aadhaar number and unlock it when needed for authentication.
12 · Appointment of 13 [requesting entity and Authentication Service Agency]. — 14 [(1) An agency or other person seeking appointment as a requesting entity for use of an Authentication facility shall apply to the Authority for appointment, in such form as the Authority may provide upon request made to it by such agency or person:
13 · Subs. vide notification No. HQ-13079/10/2024-AUTH-II(E), dated 3.12.2024 (w.e.f. 4.12.2024).
14 · Subs. vide notification No. HQ-13073/1/2020-AUTH.II(E), dated 29.9.2023 for regulation 12(1) (w.e.f. 3.10.2023). Regulation 12(1), before substitution, stood as under:
15 · [(2) An entity seeking appointment as an ASA for use of an Authentication facility shall apply to the Authority for appointment, in such form as the Authority may provide upon request made to it by such entity.
15 · Subs. vide notification No. HQ-13073/1/2020-AUTH.II(E), dated 29.9.2023 (w.e.f. 3.10.2023), for regulation 12(2). Regulation 12(2), before substitution, stood as under:
16 · Subs. vide notification No. HQ-13079/10/2024-AUTH-II(E), dated 3.12.2024 (w.e.f. 4.12.2024).
13 · Procedure where application for appointment is not approved.—(1) In the event an application for appointment of requesting entity, Authentication Service Agency, as the case may be, does not satisfy the requirements specified by the Authority, the Authority may reject the application.
14 · Roles and responsibilities of requesting entities.—(1) A requesting entity shall have the following functions and obligations:
14A · Obligations of Offline Verification Seeking Entities.—(1) An OVSE shall have the following obligations: -
15 · Use of Yes/No authentication facility.—(1) A requesting entity may use Yes/No authentication facility provided by the Authority for verifying the identity of an Aadhaar number holder for its own use or on behalf of other agencies.
16 · Use of e-KYC authentication facility.—(1) A KUA may use the e-KYC authentication facility provided by the Authority for obtaining the e-KYC data of the Aadhaar number holder for its own purposes.
16A · Use of Offline Verification facility.—(1) An OVSE may use the Offline Verification facility provided by the Authority for obtaining the offline Aadhaar data of the Aadhaar number holder only for the purpose specified to the Aadhaar number holder at the time of verification.
17 · [16B. Manner of voluntary use of Aadhaar number.—(1) An Aadhaar number holder may, in accordance with sub-section (3) of section 4 of the Act, voluntarily use the Aadhaar number in physical form, including Aadhaar letter (or copy thereof) or printed e-Aadhaar or Aadhaar PVC Card for a lawful purpose for establishing his identity by way of offline verification and the OVSE shall verify the printed details on Aadhaar letter or printed e-Aadhaar or Aadhaar PVC card with digitally signed Aadhaar Secure QR code.
17 · Ins. by notification No. K-11020/240/2021/Auth/UIDAI (No. 1 of 2022), dated 4.2.2022 (w.e.f. 4.2.2022).
16C · Conditions for accepting an Aadhaar number as proof of identity of the Aadhaar number holder. — (1) No Offline Verification Seeking Entity shall accept Aadhaar number, in physical or electronic form (without authentication), as a proof of identity for a lawful purpose, without first verifying the digital signature of the Authority as provided in the Aadhaar secure QR Code on Aadhaar Letter or e-Aadhaar or m-Aadhaar or Aadhaar Paperless Offline e-KYC (XML), as the case may be.
17 · Obligations relating to use of identity information by requesting entity.—(1) A requesting entity shall ensure that:
18 · Maintenance of logs by requesting entity.—(1) A requesting entity shall maintain logs of the authentication transactions processed by it, containing the following transaction details, namely: -
19 · Roles, responsibilities and code of conduct of Authentication Service Agencies.—An Authentication Service Agency shall have the following functions and obligations:-
20 · Maintenance of logs by Authentication Service Agencies.—(1) An Authentication Service Agency shall maintain logs of the authentication transactions processed by it, containing the following transaction details, namely:-
20A · Optional Maintenance of Logs by Offline Verification Seeking Entity.— (1) An Offline Verification Seeking Entity may maintain logs of the verification transactions processed by it, if deemed necessary by the OVSE and with consent of the resident, containing any of the following transaction details, namely:-
21 · Audit of requesting entities, Authentication Service Agencies and Offline Verification Seeking Entities.—(1) The Authority may undertake audit of the operations, infrastructure, systems and procedures, of requesting entities, including their Sub-AUAs and Sub-KUAs, Authentication Service Agencies and Offline Verification Seeking Entities, either by itself or through audit agencies appointed by it, to ensure that such entities are acting in compliance with the Act, rules, regulations, policies, procedures, guidelines issued by the Authority.
22 · Data Security. — (1) Requesting entities and Authentication Service Agencies/OVSEs shall have their servers used for Aadhaar authentication request formation and routing to CIDR/Offline Verification respectively, to be located within data centres or cloud storage centres located in India.
23 · Surrender of the access to authentication facility by requesting entity or Authentication Service Agency.— (1) A 19 [requesting entity] or ASA, appointed under these regulations, desirous of surrendering the access to the authentication facility granted by Authority, may make a request for such surrender to the Authority.
24 · Agencies appointed before commencement of these regulations. —(1) Any Authentication User Agency (AUA) or e-KYC User Agency (KUA), appointed prior to the commencement of these regulations shall be deemed to be a requesting entity, and any Authentication Service Agency (ASA) or e-KYC Service Agency (KSA) shall be deemed to be an Authentication Service Agency, under these regulations, and all the agreements entered into between such agencies and the Unique Identification Authority of India, established vide notification of the Government of India in the Planning Commission number A-43011/02/2009-Admin. I, dated the 28th January, 2009 or any officer of such authority shall continue to be in force to the extent not inconsistent with the provisions of the Act, these regulations, and other regulations, policies, processes, procedures, standards and specifications issued by the Authority.
18 · Subs. vide notification No. HQ-13079/10/2024-AUTH-II(E), dated 3.12.2024 (w.e.f. 4.12.2024).
19 · Subs. vide notification No. HQ-13079/10/2024-AUTH-II(E), dated 3.12.2024 (w.e.f. 4.12.2024).
25 · Liability and action in case of default.—(1) Where any requesting entity or an ASA appointed under the Act,
26 · Storage and Maintenance of Authentication Transaction Data.—(1) The Authority shall store and maintain authentication transaction data, which shall contain the following information: -
27 · Duration of storage.—(1) Authentication transaction data shall be retained by the Authority for a period of 6 months. The Authority may prescribe procedure to archive and perform analysis, for research purposes, from aggregated and anonymised authentication transaction data in the form of circulars.
28 · Access by Aadhaar number holder.—(1) An Aadhaar number holder shall have the right to access his authentication records subject to conditions laid down and payment of such fees as prescribed by the Authority by making requests to the Authority within the period of retention of such records before they are archived.
29 · Repeal and savings.—(1) All procedures, orders, processes, standards, specifications and policies issued and MOUs, agreements or contracts entered by the Unique Identity Authority of India, established vide notification of the Government of India in the Planning Commission number A-43011/02/2009-Admin. I, dated the 28th January, 2009 or any officer of such authority, prior to the establishment of the Authority under the Act shall continue to be in force to the extent that they are not inconsistent with the provisions of the Act and regulations framed thereunder.
30 · Power to issue clarifications, guidelines and removal of difficulties.—In order to remove any difficulties or clarify any matter pertaining to application or interpretation of these regulations, the Authority may issue clarifications and guidelines in the form of circulars.
31 · Power to issue policies, process documents, etc.—The Authority may issue policies, orders, processes, standards, specifications and other documents not inconsistent with these regulations, which are required to be specified under these regulations or for which provision is necessary for the purpose of giving effect to these regulations.
20 · [32. Doing of act or thing related to delegated power or function.—(1) Any act or thing that is to be or may be done by the Authority under these regulations may also be done by any Member or officer of the Authority or any other person to whom the Authority has delegated the related power or function by general or special order in writing, under section 51 of the Act.
20 · Inserted vide notification No. HQ-13073/1/2020-AUTH.II(E), dated 29.9.2023 (w.e.f. 3.10.2023).
21 · [***]
22 · [ 10 [SCHEDULE A
1 · Entities seeking appointment as ASA are categorised as follows:
2 · The technical and financial criteria for entities for appointment as ASA are as under:
21 · "Schedule A" omitted vide notification No. HQ-13011/240/2021-AUTH-II (No. 01 of 2023) dated 24.2.2023 (w.e.f. 27.2.2023) and "Schedule B" was substituted by "Schedule A" vide the said notification No. HQ-13011/240/2021-AUTH-II (No. 01 of 2023) dated 24.2.2023 (w.e.f. 27.2.2023).
22 · "Schedule A" substituted vide notification No. HQ-13073/1/2020-AUTH.II(E), dated 29.9.2023 (w.e.f. 3.10.2023).