Earlier in the day, the Times of India reported that the Unique Identification Authority of India (UIDAI) had lodged a complaint with Delhi police against Axis Bank, Suvidhaa Infoserve and eMudhra for violating Aadhaar regulations. The report added that the UIDAI found the same biometric match in multiple consecutive transactions which could be only done if the biometric data was stored.

Storing biometric data is against the rules of the Aadhaar Act and can attract an imprisonment of up to three years. The publication added that UIDAI has suspended the authentication of the three firms.

Suvidha Infoserve is a services commerce company which also offers banking correspondent services for Axis Bank. The companies said that this was part of testing an application which was supposed to be used by banking correspondents.

Following this, eMudhra put out a statement which said that there is “no question of eMudhra (an eSign provider) storing biometrics …. The company never has and never will store biometric data.”

eMudhra is a company which issues digital signature certificates and also provides eSign services developed by India Stack. Suvidha Infoserve is an Application Service Provider (ASP) for eSigns and eMudhra acts as a provider of eSign services.

“For the purpose of eSigns, electronic Know Your Customer (eKYC) needs to be done wherein eMudhra acts as a KYC User Agency (KUA) of UIDAI and connects to UIDAI. According to the regulatory framework, eMudhra’s systems routes all authentications by ASPs to the UIDAI servers to complete an eSign,” the company explained.

“During an eSign authentication flow, ASP captures biometric/OTP, and encrypts it in their end and forms the authentication XML. The encrypted data is then sent to UIDAI through eMudhra eSign service, and the response is taken by eMudhra to complete an eSign. The encryption done so is using a UIDAI public key by the ASP, so only UIDAI can decrypt the biometric in their secure environment,” it added.

The company added that Suvidha Infoserve made concurrent transactions during product testing which were captured “through a biometric device and Aadhaar number xx-6506 which belonged to the same developer.”

Nonetheless, the Times of India report pointed out that UIDAI officials were sceptical that these were transactions which were done under a testing environment.