
The Aadhaar Moment: When the Supreme Court Rewrote KYC Overnight


On the morning of September 26, 2018, every compliance officer in every Indian bank was watching the same live stream. The Supreme Court of India was about to deliver its verdict in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India — and whatever the five-judge bench decided would determine whether the entire digital KYC infrastructure the RBI had spent five years building still had a legal foundation. By afternoon, the answer was clear: it did not. Section 57 of the Aadhaar Act was struck down, and the mandatory link between Aadhaar and banking was severed in a single judgment.

What followed was not a gradual policy adjustment. It was a regulatory scramble — circulars rewritten, frameworks restructured, and an entirely new identity verification method invented — that reshaped how over a billion people prove who they are to a bank.

Why Was Aadhaar Mandatory in the First Place?

The RBI's embrace of Aadhaar was not sudden. It began in late 2010, when a circular recognising the UIDAI letter as valid KYC allowed banks to accept Aadhaar enrolment letters as identity proof. By September 2013, the RBI went further: a circular permitting e-KYC through UIDAI's online authentication (since withdrawn) meant banks could verify a customer's identity electronically using Aadhaar biometrics or OTP, without any physical documents at all. A June 2014 notification recognising e-Aadhaar as an Officially Valid Document (since withdrawn) under the PML Rules sealed the deal — Aadhaar was now functionally equivalent to a passport for KYC purposes.

The logic was compelling. Over 1.1 billion Indians had Aadhaar numbers. No other identity document came close to that coverage. For the RBI's financial inclusion mandate — the push to bring hundreds of millions of unbanked citizens into the formal system — Aadhaar-based eKYC was the only technology that could work at scale. A customer could walk into a business correspondent's shop in a village, place a finger on a biometric reader, and open a bank account in minutes. No photocopies, no introducers, no second branch visit.

Then the government made it compulsory. The Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017, required Aadhaar for all bank accounts. On June 1, 2017, the RBI issued a press release confirming that linking Aadhaar to bank accounts was mandatory:

"In applicable cases, linkage of Aadhaar number to bank account is mandatory under the Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017 published in the Official Gazette on June 1, 2017. These Rules have statutory force and, as such, banks have to implement them without awaiting further instructions."

Banks began refusing to open accounts without Aadhaar. Existing customers received SMS warnings that their accounts would be frozen if they did not link their Aadhaar number by a government-set deadline. The entire KYC ecosystem — from the KYC Master Direction to bank branch operations — was built on the assumption that Aadhaar was compulsory. That assumption was about to collapse.

What Did the Supreme Court Actually Strike Down?

The Puttaswamy judgment did not abolish Aadhaar. It struck down Section 57 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 — the provision that allowed private entities, including banks and telecom companies, to require Aadhaar authentication.

The Court's reasoning went to the heart of constitutional law. In a separate 2017 judgment in the same case, a nine-judge bench had already unanimously declared privacy a fundamental right under Article 21 of the Constitution. The 2018 judgment applied that finding: mandatory Aadhaar for banking amounted to a disproportionate invasion of privacy because it enabled mass surveillance of financial transactions without adequate safeguards. The biometric database was too powerful, the data protection framework too weak, and the consequences of exclusion — denial of bank accounts — too severe.

The Court held that while the Aadhaar scheme itself was constitutionally valid for government subsidies, extending it to private sector activities under Section 57 "tends to enable commercial exploitation of an individual's biometric and demographic information by private entities" and was therefore unconstitutional.

The immediate effect was absolute. Banks could no longer mandate Aadhaar. Telecom companies could no longer demand it for SIM cards. Every institution that had built its customer onboarding around mandatory Aadhaar authentication was suddenly operating without a legal basis.

How Did the RBI Respond?

The regulatory response came in two phases — an emergency patch and a structural rebuild.

Phase 1: Making Aadhaar voluntary (May 2019). The government first amended the PML Rules in February 2019, and then the RBI issued the May 29, 2019 amendment to the KYC Master Direction (since withdrawn). This circular restructured the entire eKYC framework around a single principle: Aadhaar was now voluntary, and using it voluntarily created a different class of account than using it at a branch with biometrics. Banks were allowed to carry out Aadhaar authentication only for customers who "voluntarily" provided their number. For non-DBT beneficiaries — anyone not receiving a government subsidy — banks had to accept any Officially Valid Document, not just Aadhaar.

The May 2019 amendment also drew a critical distinction that persists today. Aadhaar OTP-based eKYC — where a customer enters an OTP sent to their Aadhaar-linked mobile number — was permitted, but only for opening accounts with hard limits: a maximum balance of Rs 1 lakh across all deposit accounts, an annual credit cap of Rs 2 lakh, and a validity of just one year before full KYC must be completed. The RBI treated OTP authentication as weaker verification than biometric authentication because an OTP proves possession of a phone number, not physical presence.

Phase 2: Inventing an alternative — V-CIP (January 2020). The Aadhaar gap created a practical problem: how does a bank verify identity remotely if it cannot mandate biometric authentication? The answer came on January 9, 2020, when the RBI introduced the Video-based Customer Identification Process (since withdrawn). V-CIP allowed a bank official to conduct a live video call with the customer, verify their identity against an OVD displayed on camera, and complete full KYC without any branch visit.

V-CIP was not merely a pandemic convenience — it was conceived months before COVID-19 reached India. Its genesis was directly linked to the post-Puttaswamy regulatory gap. If Aadhaar biometric authentication could no longer be compelled, the RBI needed another way to achieve face-to-face equivalent verification through digital channels. The January 2020 circular defined V-CIP as a "consent based alternate method of establishing the customer's identity" and embedded it directly into the KYC Master Direction alongside the restructured Aadhaar provisions.

The V-CIP requirements in the January 2020 amendment (since withdrawn) were granular by design. The RBI did not simply say "do a video call." It prescribed fourteen specific stipulations. The official of the regulated entity (RE) must record video and capture a photograph. Banks could use either OTP-based Aadhaar e-KYC or offline Aadhaar verification; non-bank REs could only use offline verification. The customer must display their PAN card on camera for image capture and database verification. Geotagging of the customer's live location was mandatory — to confirm physical presence in India. The RE official had to vary the sequence and type of questions to establish that the interaction was real-time, not pre-recorded. And the circular imposed a strict freshness requirement on offline Aadhaar data:

"In case of offline verification of Aadhaar using XML file or Aadhaar Secure QR Code, it shall be ensured that the XML file or QR code generation date is not older than 3 days from the date of carrying out V-CIP."

The three-day limit was deliberately tight. An older Aadhaar XML could have been generated by someone other than the person on the video call. The freshness constraint, combined with the liveliness check requirement (since withdrawn) — where the RE must "carry out the liveliness check in order to guard against spoofing and such other fraudulent manipulations" — created a verification standard that was arguably more rigorous than in-branch KYC, where a customer simply hands over a photocopy. The circular also required that all V-CIP accounts be subject to concurrent audit before activation (since withdrawn), that video recordings be securely stored with timestamps, and that the audiovisual interaction originate from the RE's own domain — not from a third-party provider.

The RBI also explicitly encouraged the use of AI and face-matching technologies while placing ultimate responsibility on the RE, not the algorithm. Business Correspondents could assist at the customer end, but the official conducting the V-CIP had to be a bank employee. These requirements meant V-CIP was expensive and operationally demanding to implement — which is precisely why it produces full KYC with no account restrictions, unlike the cheaper OTP-based route.

By November 2025, when the RBI issued the entity-specific KYC Directions for Commercial Banks as part of the 244-direction consolidation, V-CIP was no longer a standalone amendment — it was absorbed into the permanent KYC architecture for every entity type. The V-CIP provisions now sit alongside in-person verification, eKYC, and Digital KYC as co-equal methods of customer identification. What started as an emergency substitute for mandatory Aadhaar biometrics became a permanent feature of the Indian KYC framework.

What Did Parliament Do Next?

The Supreme Court had closed one door. Parliament opened another. The Aadhaar and Other Laws (Amendment) Act, 2019 — passed in July 2019 — inserted Section 4(4) into the Aadhaar Act, creating a new legal basis for voluntary Aadhaar use by banks. Under this provision, banks could accept Aadhaar for authentication purposes if the customer gave explicit, informed consent. The amendment also added Section 8(2A), which allowed offline verification of Aadhaar — using QR codes or XML files — without connecting to the UIDAI's central database.

This was a deliberate legislative design. The government wanted banks to continue using Aadhaar because no other document matched its coverage for financial inclusion purposes. But the Court had ruled out compulsion. Parliament's solution was to preserve the infrastructure while making consent the gatekeeper. The RBI's September 2021 circular on Aadhaar e-KYC authentication licences (since withdrawn) operationalised this framework, requiring regulated entities to obtain specific UIDAI licences before conducting Aadhaar-based verification.

What Does the Framework Look Like Now?

The post-Puttaswamy settlement created a layered identity verification system that the current KYC Directions now codify. Aadhaar biometric authentication at a branch produces full KYC with no restrictions. Aadhaar OTP in non-face-to-face mode produces a limited account — Rs 1 lakh balance cap, one-year validity, transactions restricted to the mobile number used for account opening. V-CIP with any OVD produces full KYC. And for customers with no documents at all, the "small account" route survives with its own set of restrictions: Rs 50,000 balance, Rs 10,000 monthly withdrawal, valid for twelve months initially.

The amendment chain — from the 2013 eKYC circular (since withdrawn) through the May 2019 amendment that superseded it (since withdrawn) to the January 2020 V-CIP introduction (since withdrawn) and finally the November 2025 entity-specific KYC Directions that replaced all predecessors — tells the story of a regulator that built its digital KYC entirely on one technology, watched a court take the compulsory element away, and then had to rebuild from the principle of consent. Every current KYC rule in India, from the distinction between "voluntary Aadhaar" and "mandatory OVD" to the OTP limits, the V-CIP procedures, and the split between full and limited accounts, traces back to this single judgment on that September afternoon in 2018.

For a broader view of how these KYC rules evolved from 2002 to 2025, see the complete KYC and AML regulatory timeline. For the technical details of how eKYC, V-CIP, and the Central KYC Registry work in practice, see Digital KYC: Aadhaar, V-CIP, and the Central KYC Registry. And for a practical answer to the question that started all of this — what documents do I actually need to open an account — see Can I Open a Bank Account With Just Aadhaar?

Last updated: April 2026

Written by Sushant Shukla