THE AADHAAR (AUTHENTICATION AND OFFLINE VERIFICATION) REGULATIONS, 2021 [Updated as on 5.12.2024] In exercise of the powers conferred by s
Parent: THE AADHAAR (TARGETED DELIVERY OF FINANCIAL AND OTHER SUBSIDIES, BENEFITS AND SERVICES) ACT, 2016 (e5452e76268985edd128a049b6e27a9ff6b4f2fb)
1 · Short title and commencement: (1) These regulations may be called the Aadhaar (Authentication and Offline Verification) Regulations, 2021. (2) These regulations shall come into force on the date of their publication in the Official Gazette.
2 · Definitions: Aadhaar number holder means an individual who has been issued an Aadhaar number under the Act;
3 · Types of Authentication Facilities: There shall be two types of authentication facilities provided by the Authority, namely- (i) Yes/No authentication facility, which may be carried out using any of the modes specified in regulation 4(2); and (ii) e-KYC authentication facility, which may be carried out only using OTP and/or biometric authentication modes as specified in regulation 4(2).
3A · Types of Offline Verification: (1) There shall be the following types of Offline Verification services provided by the Authority, namely-
4 · Modes of Authentication. (1) An authentication request shall be entertained by the Authority only upon a request sent by a requesting entity electronically in accordance with these regulations and conforming to the specifications laid down by the Authority.
4A · Virtual Identity number (VID) (1) Authority shall provide an alternate identification number mapped with Aadhaar number for the purpose of authentication. (2) Aadhaar number holder may generate or retrieve his/her VID through UIDAI website, SMS, mobile application, eAadhaar download and any other means as provided by Authority from time to time.
5 · Information to the Aadhaar number holder: -(1) At the time of authentication or Offline Verification, a requesting entity or Offline Verification Seeking Entity (OVSE) respectively shall inform the Aadhaar number holder or, in case of a child, inform the parent or guardian, of the following details:
6 · Consent of the Aadhaar number holder: - (1) After communicating the information in accordance with Regulation 5, a requesting entity or Offline Verification Seeking Entity (OVSE) shall obtain the consent of the Aadhaar number holder or, in case of a child, the consent of the parent or guardian of the child for the authentication or verification.
7 · Capturing of biometric information by requesting entity.-(1) A requesting entity shall capture the biometric information of the Aadhaar number holder using certified biometric devices as per the processes and specifications laid down by the Authority.
9 · [Process for performance of authentication]: (1) After collecting the Aadhaar number or any other identifier provided by the requesting entity which is mapped to Aadhaar number and necessary demographic and/or biometric information and/or OTP from the Aadhaar number holder, the client application shall immediately package and encrypt these input parameters into PID block before any transmission, as per the specifications laid down by the Authority, and shall send it to server of the requesting entity using secure protocols as may be laid down by the Authority for this purpose. (2) After validation, the server of a requesting entity shall pass the authentication request to the CIDR, through the server of the Authentication Service Agency as per the specifications laid down by the Authority. The authentication request shall be digitally signed by the requesting entity and/or by the Authentication Service Agency, as per the mutual agreement between them. [(3) Based on the mode of authentication request, after the input parameters have been matched against the information of the Aadhaar number available in the CIDR and CIDR has verified the correctness or lack thereof, the Authority shall return a digitally signed Yes or No response, or a digitally signed e-KYC response with encrypted e-KYC data, as the case may be, along with related technical details.
10 · Notification/Acknowledgement of authentication or offline verification to Aadhaar number holder: -(1) The Aadhaar number holder shall be notified by the requesting entity about any authentication, through email and/or SMS and/or other digital means and/or paper based acknowledgement about success or failure of authentication on each request. Such notification/acknowledgement shall include requesting entity's name, date and time of authentication, auth response code, last 4 digits of Aadhaar number and purpose of authentication, as the case may be. (2) The Aadhaar number holder shall be notified by the OVSE about any offline verification, through email and/or SMS and/or other digital means and/or paper based acknowledgement about success or failure of offline verification on each request. (3) In case of authentication failure the requesting entity should, in clear and precise language, inform the resident about the reasons of authentication [failure, such as "Aadhaar cancelled", "Aadhaar deactivated", "Aadhaar locked", "Aadhaar omitted", "Aadhaar suspended" and "Biometrics locked"]. [(4) In sub-regulation (3), the expression "Aadhaar cancelled" or "Aadhaar omitted" in relation to an Aadhaar number, shall mean that such Aadhaar number has been omitted;
11 · Biometric locking.-(1) The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication.
12 · Appointment of [requesting entity and Authentication Service Agency] [(1) An agency or other person seeking appointment as a requesting entity for use of an Authentication facility shall apply to the Authority for appointment, in such form as the Authority may provide upon request made to it by such agency or person: Provided that such agency or person, on appointment as requesting entity, shall perform authentication only for such purpose as is (a) allowed under sub-section (4) or required under any law as referred to in sub-section (7) of section 4 of the Act; or (b) required by the Central Government or a State Government under section 7 of the Act:]
13 · Procedure where application for appointment is not approved. -(1) In the event an application for appointment of requesting entity, Authentication Service Agency, as the case may be, does not satisfy the requirements specified by the Authority, the Authority may reject the application. (2) The decision of the Authority to reject the application shall be communicated to the applicant in writing within thirty days of such decision, stating therein the grounds on which the application has been rejected. (3) Any applicant, aggrieved by the decision of the Authority, may apply to the Authority, within a period of thirty days from the date of receipt of such intimation, for reconsideration of its decision. The Authority shall reconsider an application made by the applicant and communicate its decision thereon, as soon as possible, in writing.
14 · Roles and responsibilities of requesting entities (1) A requesting entity shall have the following functions and obligations: (a) establish and maintain necessary authentication related operations, including own systems, processes, infrastructure, technology, security, etc., which may be necessary for performing authentication; (b) establish network connectivity with the CIDR, through an ASA duly approved by the Authority, for sending authentication requests; (c) ensure that the network connectivity between authentication devices and the CIDR, used for sending authentication requests is in compliance with the standards and specifications laid down by the Authority for this purpose; (ca) ensure that the Aadhaar number/Virtual ID/ANCS Token provided by the resident for authentication request shall not be retained by the device operator or within the device or at the AUA server(s); (cb) ensure that the provision of authentication using Virtual ID is provided; (d) employ only those devices, equipment, or software, which are duly registered with or approved or certified by the Authority or agency specified by the Authority for this purpose as necessary, and are in accordance with the standards and specifications laid down by the Authority for this purpose; (e) monitor the operations of its devices and equipment, on periodic basis, for compliance with the terms and conditions, standards, directions, and specifications, issued and communicated by the Authority, in this regard, from time to time,
14A · Obligations of Offline Verification Seeking Entities.- (1) An OVSE shall have the following obligations:
16 · Use of e-KYC authentication facility.-(1) A KUA may use the e-KYC authentication facility provided by the Authority for obtaining the e-KYC data of the Aadhaar number holder for its own purposes. (2) A KUA shall obtain specific permission from the Authority by submitting an application for sharing of e-KYC data with Sub-KUA and such data may be shared in encrypted form as per the guidelines issued by the Authority from time to time, with specific consent of Aadhaar number holder.
16A · Use of Offline Verification facility.-(1) An OVSE may use the Offline Verification facility provided by the Authority for obtaining the offline Aadhaar data of the Aadhaar number holder only for the purpose specified to the Aadhaar number holder at the time of verification. (2) No entity shall perform Offline Verification on behalf of another entity or person. (3) An OVSE may store, with consent of the Aadhaar number holder, offline Aadhaar data of the Aadhaar number holder, received upon Offline Verification, securely as per the guidelines issued by the Authority from time to time. The Aadhaar number holder may, at any time, revoke consent given to an OVSE for storing his/her offline Aadhaar data, and upon such revocation, the OVSE shall delete the offline Aadhaar data in a verifiable manner and provide an acknowledgement of the same to the Aadhaar number holder.
16C · Conditions for accepting an Aadhaar number as proof of identity of the Aadhaar number holder: -(1) No Offline Verification Seeking Entity shall accept Aadhaar number (in physical or electronic form without authentication), as a proof of identity for a lawful purpose, without first verifying the digital signature of the Authority as provided in the Aadhaar secure QR Code on Aadhaar Letter or e-Aadhaar or m-Aadhaar or Aadhaar Paperless Offline e-KYC (XML), as the case may be.
17 · Obligations relating to use of identity information by requesting entity.-(1) A requesting entity shall ensure that:
18 · Maintenance of logs by requesting entity.-(1) A requesting entity shall maintain logs of the authentication transactions processed by it, containing the following transaction details, namely: (a) specified parameters of authentication request submitted excluding Aadhaar number, Virtual ID, ANCS Token or UID token; (b) specified parameters received as authentication response including full Aadhaar number or masked Aadhaar, as the case may be; (c) the record of disclosure of purpose for which the authentication was performed, to the Aadhaar number holder or parent or guardian, in case of a child, at the time of authentication; and
19 · Roles, responsibilities and code of conduct of Authentication Service Agencies: An Authentication Service Agency shall have the following functions and obligations: (a) provide secured connectivity to the CIDR to transmit authentication request from requesting entity in the manner as may be specified by the Authority for this purpose; (b) perform basic compliance and completeness checks on the authentication data packet before forwarding it to CIDR;
20 · Maintenance of logs by Authentication Service Agencies. (1) An Authentication Service Agency shall maintain logs of the authentication transactions processed by it, containing the following transaction details, namely: (a) identity of the requesting entity; (b) parameters of authentication request submitted; and (c) parameters received as authentication response: Provided that Aadhaar number, Virtual Id, UID Token, ANCS Token, PID information, device identity related data and e-KYC response data, where applicable, shall not be retained. (2) Authentication logs shall be maintained by the ASA for a period of 2 (two) years, during which period the Authority and/or the requesting entity may require access to such records for grievance redressal, dispute redressal and audit in accordance with the procedure specified in these regulations. The authentication logs shall not be used for any purpose other than stated in this sub-regulation. (3) Upon expiry of the period specified in sub-regulation (2), the authentication logs shall be archived for a period of five years, and upon expiry of the said period of five years or the number of years as required by the laws or regulations governing the entity, whichever is later, the authentication logs shall be deleted except those logs required to be retained by a court not inferior to that of a Judge of a High Court or which are required to be retained for any pending disputes. (4) The ASA shall comply with all applicable laws in respect of storage and maintenance of these logs, including the Information Technology Act, 2000. (5) The obligations relating to authentication logs as specified in this regulation shall continue to remain in force despite termination of appointment in accordance with these regulations.
20A · Optional Maintenance of Logs by Offline Verification Seeking Entity. (1) An Offline Verification Seeking Entity may maintain logs of the verification transactions processed by it, if deemed necessary by the OVSE and with consent of the resident, containing any of the following transaction details, namely:- (a) the offline Aadhaar data document shared by the resident in a suitably secure manner; (b) any other data shared by the resident during the course of verification including mobile number, email id, photo etc.; (c) local verification transaction logs between OVSE and the resident; (d) details of the notification related to the Offline Verification sent to the Aadhaar number holder: but shall not, in any event, store the Aadhaar number or Virtual ID of the Aadhaar number holder.
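An added example, not part of the regulations and not UIDAI or any ASA's own code, showing how an ASA or OVSE might enforce the log-minimisation rules of regulations 18, 20 and 20A and the "last 4 digits" masking of regulation 10(1) in Python. The field names, the mask format and the retention arithmetic (two years active, five years archived, ignoring court orders and other statutes that may extend retention) are this example's assumptions.

```python
"""Log-minimisation and retention helpers modelled on regs. 10, 18, 20 and 20A.
Field names below are this example's own choice, not a UIDAI specification."""
from datetime import date

# Data that reg. 20(1) (ASA) and reg. 20A (OVSE) say must never be retained in logs.
PROHIBITED_FIELDS = {
    "aadhaar_number", "vid", "uid_token", "ancs_token",
    "pid_block", "device_id", "ekyc_response",
}

ASA_ACTIVE_DAYS = 2 * 365    # reg. 20(2): logs kept two years
ASA_ARCHIVE_DAYS = 5 * 365   # reg. 20(3): then archived five more years


def mask_aadhaar(number: str) -> str:
    """Reg. 10(1): acknowledgements carry only the last four digits.
    The 'XXXX XXXX dddd' layout is an assumption of this example."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) != 12:
        raise ValueError("Aadhaar number must be 12 digits")
    return "XXXX XXXX " + digits[-4:]


def leaks_prohibited_data(record: dict) -> set:
    """Audit check (reg. 21): names of prohibited fields present at any depth."""
    found = set()
    for key, value in record.items():
        if key in PROHIBITED_FIELDS:
            found.add(key)
        if isinstance(value, dict):
            found |= leaks_prohibited_data(value)
    return found


def sanitise_asa_log(record: dict) -> dict:
    """Return a copy with prohibited fields dropped at every nesting level,
    leaving what reg. 20(1)(a)-(c) allows: entity identity, request and
    response parameters. The input record is not modified."""
    cleaned = {}
    for key, value in record.items():
        if key in PROHIBITED_FIELDS:
            continue
        cleaned[key] = sanitise_asa_log(value) if isinstance(value, dict) else value
    return cleaned


def retention_phase(logged_on: date, today: date) -> str:
    """Reg. 20(2)-(3): 'active' for 2 years, 'archived' for the next 5,
    then 'delete' (legal holds and other statutes are out of scope here)."""
    age_days = (today - logged_on).days
    if age_days < ASA_ACTIVE_DAYS:
        return "active"
    if age_days < ASA_ACTIVE_DAYS + ASA_ARCHIVE_DAYS:
        return "archived"
    return "delete"


# Constructed sample record: every value is made up for this example.
SAMPLE_RECORD = {
    "requesting_entity": "AUA-EXAMPLE-001",
    "timestamp": "2024-01-15T10:30:00+05:30",
    "aadhaar_number": "123412341234",
    "request_params": {"txn": "TXN-0001", "mode": "otp", "pid_block": "<enc>"},
    "response_params": {"auth_code": "RESP-0001", "ret": "y"},
}
```

Running `leaks_prohibited_data` over stored records is a cheap self-audit before the Authority's audit under regulation 21 finds the same fields.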
21 · Audit of requesting entities, Authentication Service Agencies and Offline Verification Seeking Entities. (1) The Authority may undertake audit of the operations, infrastructure, systems and procedures, of requesting entities, including their Sub-AUAs and Sub-KUAs, Authentication Service Agencies and Offline Verification Seeking Entities, either by itself or through audit agencies appointed by it, to ensure that such entities are acting in compliance with the Act, rules, regulations, policies, procedures, guidelines issued by the Authority. (2) The Authority may conduct audits of the operations and systems of the entities referred to in sub-regulation (1), either by itself or through an auditor appointed by the Authority. The frequency, time and manner of such audits shall be as may be notified by the Authority from time to time.
22 · Data Security.-(1) Requesting entities and Authentication Service Agencies/OVSEs shall have their servers used for Aadhaar authentication request formation and routing to CIDR/Offline Verification respectively, to be located within data centres or cloud storage centres located in India.
(2) [Every requesting entity, Authentication Service Agency and Offline Verification Seeking Entity] shall adhere to all regulations, information security policies, processes, standards, specifications and guidelines issued by the Authority from time to time.
23 · Surrender of the access to authentication facility by requesting entity or Authentication Service Agency.-(1) A [requesting entity] or ASA, appointed under these regulations, desirous of surrendering the access to the authentication facility granted by Authority, may make a request for such surrender to the Authority.
24 · Agencies appointed before commencement of these regulations (1) Any Authentication User Agency (AUA) or e-KYC User Agency (KUA) appointed prior to the commencement of these regulations shall be deemed to be a requesting entity, and any Authentication Service Agency (ASA) or e-KYC Service Agency (KSA) shall be deemed to be an Authentication Service Agency, under these regulations, and all the agreements entered into between such agencies and the Unique Identification Authority of India, established vide notification of the Government of India in the Planning Commission number A-43011/02/2009-Admin. I, dated the 28th January, 2009 or any officer of such authority shall continue to be in force to the extent not inconsistent with the provisions of the Act, these regulations, and other regulations, policies, processes, procedures, standards and specifications issued by the Authority.
25 · Liability and action in case of default: -(1) Where any requesting entity or an ASA appointed under the Act, (a) fails to comply with any of the processes, procedures, standards, specifications or directions issued by the Authority, from time to time; (b) is in breach of its obligations under the Act and these regulations; (c) uses the Aadhaar authentication facilities for any purpose other than those specified in the application for appointment as requesting entity or ASA; (d) fails to furnish any information required by the Authority for the purpose of these regulations; or (e) fails to cooperate in any inspection or investigation or enquiry or audit conducted by the Authority, the Authority may, without prejudice to any other action which may be taken under the Act, take such steps to impose disincentives on the requesting entity or an ASA for contravention of the provisions of the Act, rules and regulations thereunder, including suspension of activities of such entity or agency, or other steps as may be more specifically provided for in the agreement entered into by such entities with the Authority: Provided that the entity or agency shall be given the opportunity of being heard before the termination of appointment and discontinuance of its operations relating to Aadhaar authentication.
26 · Storage and Maintenance of Authentication Transaction Data: (1) The Authority shall store and maintain authentication transaction data, which shall contain the following information:
27 · Duration of storage. (1) Authentication transaction data shall be retained by the Authority for a period of 6 months. The Authority may prescribe procedure to archive and perform analysis, for research purposes, from aggregated and anonymised authentication transaction data in the form of circulars.
28 · Access by Aadhaar number holder: (1) An Aadhaar number holder shall have the right to access his authentication records subject to conditions laid down and payment of such fees as prescribed by the Authority by making requests to the Authority within the period of retention of such records before they are archived. (2) The Authority may provide mechanisms such as online portal or mobile application or designated contact centers for Aadhaar number holders to obtain their digitally signed authentication records within the period of retention of such records before they are archived as specified in these regulations.
29 · Repeal and savings. (1) All procedures, orders, processes, standards, specifications and policies issued and MOUs, agreements or contracts entered by the Unique Identity Authority of India, established vide notification of the Government of India in the Planning Commission number A-43011/02/2009-Admin. I, dated the 28th January, 2009 or any officer of such authority, prior to the establishment of the Authority under the Act shall continue to be in force to the extent that they are not inconsistent with the provisions of the Act and regulations framed thereunder. (2) Notwithstanding the repeal of the Aadhaar (Authentication) Regulations, 2016, anything done or any action taken under the said Regulations shall be deemed to have been done or taken under the corresponding provisions of these Regulations.
30 · Power to issue clarifications, guidelines and removal of difficulties: In order to remove any difficulties or clarify any matter pertaining to application or interpretation of these regulations, the Authority may issue clarifications and guidelines in the form of circulars.
31 · Power to issue policies, process documents, etc: The Authority may issue policies, orders, processes, standards, specifications and other documents not inconsistent with these regulations, which are required to be specified under these regulations or for which provision is necessary for the purpose of giving effect to these regulations.
32 · [Doing of act or thing related to delegated power or function: (1) Any act or thing that is to be or may be done by the Authority under these regulations may also be done by any Member or officer of the Authority or any other person to whom the Authority has delegated the related power or function by general or special order in writing, under section 51 of the Act.
Footnote 20: Inserted vide notification No. HQ-13073/1/2020-AUTH.II (E), dated 29.9.2023 (w.e.f. 3.10.2023).
[***]
[SCHEDULE A
2. The technical and financial criteria for entities for appointment as ASA are as under:
Footnote 21: "Schedule A" omitted vide notification No. HQ-13011/240/2021-AUTH-II (No. 01 of 2023) dated 24.2.2023 (w.e.f. 27.2.2023) and "Schedule B" was substituted by "Schedule A" vide the said notification No. HQ-13011/240/2021-AUTH-II (No. 01 of 2023) dated 24.2.2023 (w.e.f. 27.2.2023).
Footnote 22: Schedule A substituted vide notification No. HQ-13073/1/2020-AUTH.II (E), dated 29.9.2023 (w.e.f. 3.10.2023).