Due Diligence in the Aadhaar-Enabled Payment Systems Ecosystem

If we were to highlight issues in the payments industry, Aadhaar-enabled payment systems (“AePS”) would certainly feature on that list. While Aadhaar has revolutionized identity verification and enabled financial inclusion en masse, it has also led to several forms of financial fraud, making it a blessing and a curse at the same time, especially in the context of AePS.

At this juncture, one may ask: what is an “AePS”?

The Reserve Bank of India (“RBI”), in its newly introduced Aadhaar Enabled Payment System – Due Diligence of AePS Touchpoint Operators (the “AePS Directions”) published on 27 June 2025, states that “Aadhaar Enabled Payment System (AePS) is a payment system operated by National Payment Corporation of India (NPCI) that facilitates interoperable transactions using Aadhaar enabled authentication”. The AePS Directions further define AePS as follows: “It is a Payment System in which transactions are enabled through Aadhaar number and biometrics or OTP authentication providing financial services such as cash withdrawal, cash deposit, fund transfer, and non-financial services such as mini statement and balance enquiry. etc.”

On the other hand, the National Payments Corporation of India (“NPCI”), on its Aadhaar-enabled payment systems product overview page, explains that “AePS is a bank led model which allows online interoperable financial inclusion transaction at PoS (MicroATM) through the Business correspondent of any bank using the Aadhaar authentication.”

To put it simply, AePS is an NPCI product that enables a customer to access basic banking services at local service points using nothing more than their Aadhaar number and biometric or OTP-based authentication. These transactions are conducted via Business Correspondents or AePS Touchpoint Operators, who use micro-ATMs to connect to the customer's bank, regardless of which bank the operator is affiliated with. This interoperability is what makes AePS especially valuable in rural and underserved areas where traditional banking infrastructure is limited. Owing to its ease of use, AePS reached more than 37 crore users in 2023 alone, establishing its pivotal role in India's financial inclusion strategy.

However, the very scale of AePS also exposes it to misuse and fraud, such as cloned fingerprints being used at AePS touchpoints, transactions made without the customer's knowledge or consent, misreporting of transaction failures, and the inability to reverse unauthorized withdrawals because of poor grievance redress mechanisms.

Given its reliance on biometric data and third-party operators, questions around data privacy, consent, liability, and systemic risk have emerged, leading RBI to step in with tighter regulatory measures that require due diligence before AePS transactions are enabled.

In furtherance of the abovementioned objective, RBI, vide its Statement on Developmental and Regulatory Policies published on 8 February 2024, announced its intention to:

(a) Streamline the onboarding of AePS Touchpoint Operators (“ATO”);

(b) Mandate due diligence and periodic know-your-customer checks of ATOs by acquiring banks;

(c) Introduce stricter fraud risk management guidelines; and

(d) Issue technology-related controls for APIs and third-party integrations.

More than a year later, RBI has published its AePS Directions, in which it makes clear that acquiring banks (i.e., those responsible for onboarding AePS operators) must take full ownership of their touchpoint ecosystem. This means that acquiring banks must ensure:

(a) Mandatory KYC and due diligence of all ATOs as per the Master Direction – Know Your Customer, 2016. If an ATO has previously undergone KYC as a Business Correspondent, those records may be reused, but periodic updating is mandatory.

(b) Fresh due diligence before reactivation if an ATO remains inactive for over 3 months, preventing misuse of dormant or compromised accounts.

(c) Integration of ATOs into the bank's transaction monitoring systems, with location-specific, transaction-volume-based thresholds to detect unusual transaction patterns.

(d) API-level integrity, i.e., ensuring that any integrations between the bank's systems and third-party agents are used exclusively for AePS functions.
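As an added illustration (not code from RBI, NPCI, or the author of this article), the following Python script sketches two of the acquiring-bank checks listed above over constructed sample data: the dormancy rule in (b) and the location-specific, volume-based monitoring thresholds in (c). The 90-day inactivity limit, the per-location thresholds, the ATO identifiers and the transactions are all assumptions made for the example, not values from the Directions.

```python
"""Added illustration of two acquiring-bank checks from the AePS Directions:
(b) an ATO inactive for over 3 months needs fresh due diligence before
    reactivation;
(c) location-specific, transaction-volume-based thresholds flag unusual
    activity.
All limits, identifiers and transactions below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: "over 3 months" is modelled as more than 90 days of inactivity.
INACTIVITY_LIMIT = timedelta(days=90)

# Assumption: hypothetical per-location daily limits per ATO,
# expressed as (max transaction count, max total amount in INR).
LOCATION_THRESHOLDS = {
    "rural-A": (25, 150_000),
    "urban-B": (100, 500_000),
}
DEFAULT_THRESHOLD = (20, 100_000)  # applied when a location is not configured


@dataclass(frozen=True)
class Txn:
    ato_id: str
    location: str
    amount: int  # INR
    day: date


def needs_fresh_due_diligence(last_active: Optional[date], today: date) -> bool:
    """True when the ATO must be re-verified before it may be reactivated."""
    if last_active is None:
        return True  # never active: treat as a fresh onboarding
    return (today - last_active) > INACTIVITY_LIMIT


def dormant_atos(last_active: dict, today: date) -> list:
    """ATO ids whose inactivity exceeds the limit, in sorted order."""
    return sorted(a for a, d in last_active.items()
                  if needs_fresh_due_diligence(d, today))


def daily_volume(txns):
    """Aggregate (count, total amount) per ATO, location and day."""
    agg = defaultdict(lambda: [0, 0])
    for t in txns:
        key = (t.ato_id, t.location, t.day)
        agg[key][0] += 1
        agg[key][1] += t.amount
    return agg


def flag_threshold_breaches(txns) -> list:
    """Return (ato_id, location, day, reason) tuples where a location
    threshold was exceeded, so an analyst can review the ATO's activity."""
    flags = []
    for (ato, loc, day), (count, total) in sorted(daily_volume(txns).items()):
        max_count, max_total = LOCATION_THRESHOLDS.get(loc, DEFAULT_THRESHOLD)
        if count > max_count:
            flags.append((ato, loc, day, f"count {count} > {max_count}"))
        if total > max_total:
            flags.append((ato, loc, day, f"amount {total} > {max_total}"))
    return flags


# Constructed sample day: ATO-1 is normal, ATO-2 performs an unusual burst of
# 30 small withdrawals at rural-A, ATO-3 moves an unusually large total there.
D = date(2025, 7, 1)
SAMPLE_TXNS = (
    [Txn("ATO-1", "urban-B", 2_000, D) for _ in range(10)]
    + [Txn("ATO-2", "rural-A", 1_000, D) for _ in range(30)]
    + [Txn("ATO-3", "rural-A", 10_000, D) for _ in range(16)]
)

# Constructed last-activity register: ATO-2 has been silent for 120 days and
# ATO-4 has never transacted since onboarding.
LAST_ACTIVE = {
    "ATO-1": D - timedelta(days=5),
    "ATO-2": D - timedelta(days=120),
    "ATO-4": None,
}

if __name__ == "__main__":
    for f in flag_threshold_breaches(SAMPLE_TXNS):
        print("THRESHOLD", *f)
    print("REVERIFY", dormant_atos(LAST_ACTIVE, D))
```

Run as a script, it lists ATO-2 for a count breach and ATO-3 for an amount breach on the sample day, and names ATO-2 and ATO-4 as requiring fresh due diligence before reactivation. In a real deployment the thresholds would be tuned per location from the bank's own baseline rather than hard-coded, and the flags would feed the bank's case-management queue rather than be printed.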

It is pertinent to note that despite these well-thought-out and necessary regulatory moves, a few concerns remain. For example:

(a) Who is liable when an AePS transaction is fraudulent — the bank, the ATO, or the customer?

(b) How is consent established in assisted transactions where biometrics are used?

(c) What are the data protection obligations on ATOs who handle biometric and Aadhaar-linked data?

(d) Are customers truly aware of their right to redressal?

(e) Who should the grievance be addressed to: the acquiring bank or NPCI?

These questions highlight a growing need for comprehensive legislation that clearly defines the responsibilities, liabilities, consent protocols, and data protection obligations of all stakeholders involved in the AePS process. Such regulation should demonstrate that the objective is not merely en masse access to banking services, but also the assurance of secure, transparent, and accountable transactions across the AePS ecosystem.

Author: Namrata Dubey – Senior Associate – NovoJuris Legal.