Offline Aadhaar verification allows businesses to verify Aadhaar securely through XML-based verification, QR code scanning, face verification, etc. It helps prevent document tampering and identity theft. Businesses can conduct offline Aadhaar verification after becoming registered with UIDAI as an OVSE. OVSE registration offers several benefits; however, entities must follow the OVSE compliance guidelines, as non-compliance can lead to penalties and reputational damage. To avoid such issues, every OVSE must know the compliance guidelines. In this guide, you will learn about the rules an OVSE must follow.

What Are Aadhaar OVSE Compliance Guidelines?
UIDAI has made several rules to make offline verification secure. Every Offline Verification Seeking Entity (OVSE) should follow these rules:
No Collection of Aadhaar Number or Biometric
According to the Aadhaar Act, 2016, OVSE can’t collect or store the full 12-digit Aadhaar number. OVSE also cannot collect fingerprints, iris scans, or facial data as per Regulation 14(A) of Aadhaar Authentication and Offline Verification Regulations, 2022.
Businesses can use a masked Aadhaar or the last four digits of the Aadhaar number for reference, according to Section 7 of the Aadhaar Act, 2016, or any law passed by Parliament.
Prohibition on Data Sharing and Retention
It is the duty of OVSEs to keep Aadhaar details secure. According to Regulation 14(A) and Section 8A(2) of the Aadhaar Act, 2016, an organization can’t sell, share, or transfer Aadhaar information to any third party, such as vendors, partners, or affiliates.
The subcontractors themselves aren’t allowed to use or process Aadhaar-related data. The information on the Aadhaar card cannot be shared to facilitate advertising, marketing profiling, or commercial analysis. These OVSE standards of compliance prevent the abuse and misuse of Aadhaar data.
OVSEs are expected to avoid the storage of Aadhaar information. After the verification, the data should be deleted from the systems. The organization needs to maintain deletion records of information. This compliance guideline limits data retention, which reduces the risk of unauthorized data access and cyber attacks.
Digital Signature Verification
An OVSE must verify the digital signature embedded in the QR code and XML file using UIDAI-approved tools and certificates. This is mandatory under Regulation 16(B) and Regulation 16(C) of Aadhaar Authentication and Offline Verification Regulations, 2022.
If OVSE finds forged, edited, or tampered documents, it should reject them immediately. It ensures that the original Aadhaar is accepted and reduces the risk of impersonation.
Redaction of Aadhaar Number
Only the masked Aadhaar number can be used for verification purposes. If the Aadhaar holder submits full Aadhaar details, including the Aadhaar number, it is the responsibility of the OVSE to redact the Aadhaar number before processing or storing it. This reduces the risk of misuse in case of a data breach or document loss.
As per Regulation 16(B) and Section 4(4)(b)(ii) of the Aadhaar Act, 2016, full Aadhaar numbers can be collected only in special cases related to national or state interest or under Parliamentary approval.
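One way to implement the redaction step described above, as an added example that is not from the original article or from UIDAI: it masks the first eight digits of any 12-digit value that passes the Verhoeff checksum Aadhaar numbers carry, keeping the last four for reference. The function names, the `XXXX XXXX` mask format and the sample text are assumptions made for this illustration, and the sample number is constructed.

```python
import re

# Verhoeff tables: dihedral-group multiplication (_D) and position permutation (_P).
_D = ("0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
      "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")
_P = ("0123456789", "1576283094", "5803796142", "8916043527",
      "9453126870", "4286573901", "2793806415", "7046913258")

# 12 digits starting 2-9, optionally grouped 4-4-4 by space or hyphen,
# and not part of a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?!\d)")

# Constructed sample: the first value passes the checksum, the second does not.
SAMPLE = "Holder submitted 2345 6789 0124 with order ref 234567890125."


def verhoeff_ok(digits: str) -> bool:
    """True if the digit string ends in a valid Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(_D[c][int(_P[i % 8][int(ch)])])
    return c == 0


def redact_aadhaar(text: str, require_checksum: bool = True):
    """Mask the first eight digits of each Aadhaar-shaped value in text.

    Returns (redacted_text, count) so a caller can log that redaction
    happened without logging the number itself.
    """
    count = 0

    def _mask(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group())
        if require_checksum and not verhoeff_ok(digits):
            return m.group()  # 12 digits but not a valid number: leave as is
        count += 1
        return "XXXX XXXX " + digits[-4:]  # keep only the last four digits

    return _CANDIDATE.sub(_mask, text), count


if __name__ == "__main__":
    print(redact_aadhaar(SAMPLE))
```

Setting `require_checksum=False` fails closed and masks every 12-digit candidate, which also catches mistyped numbers at the cost of masking unrelated identifiers.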
User Consent is Mandatory
OVSEs need to obtain informed and clear consent from the Aadhaar holder before conducting an offline Aadhaar verification. This is required under Section 8A of the Aadhaar (Amendment) Act, 2019 and Section 8A(2) of the Aadhaar Act, 2016. The business must inform its client about the reason for verification, what kind of information is being used, and the method by which it will be kept. Consent should be clearly stated and freely given. Users are entitled to revoke consent at any point. If consent is not withdrawn, the data will be removed.
Security Measures Requirements
An OVSE must maintain strong IT and security systems. This includes access controls, secure servers, encrypted storage, restricted employee permissions, and regular internal audits. Following strong security measures prevents internal misuse and cyberattacks.
Resident Notification Obligations
After completing the offline verification process, an OVSE must inform the Aadhaar holder about successful verification. Notifications may be sent through digital receipts, email, SMS, or physical acknowledgment slips.
Identity Matching Requirements
Where offline verification is conducted remotely, additional checks are required, as per Regulation 16(B) and 16(C). OVSEs should conduct a face match manually or using a tool. They can also use OTP verification. This confirms that the person submitting the Aadhaar is genuine and reduces the risk of fraudulent transactions and identity theft.
Disclosure Notice
When Aadhaar information is viewed only, a notice should be displayed to explain how the information. This is required under Section 8A of the Aadhaar (Amendment) Act, 2019, and related regulations. Proper screen security and viewing controls should be maintained. It gives transparency and builds trust.
Breach Reporting
If an OVSE identifies a data breach, data misuse, or unauthorized access, the organization should report it within 72 hours to UIDAI as well as the individual. It should also cooperate with the investigation and take appropriate actions.
Responsibility for Third Parties
If an OVSE takes the help of a third party for Aadhaar verification, the OVSE will be responsible for non-compliance. If a third party makes a mistake or misuses data, it will be treated as the OVSE’s fault. Every OVSE should ensure that data privacy rules are followed.
Log Maintenance
Maintaining a log is not mandatory. However, OVSE should maintain detailed records of verification, access histories, consent records, transaction logs and grievance details. Proper documentation helps during audits, inspections, and legal proceedings. In the future, if any user raises a complaint, proper audits help OVSEs resolve issues.

Are There Penalties for Non-Compliance?
Yes, non-compliance with privacy regulations can result in legal and financial penalties under Section 23A of the Aadhaar Act, 2016. Following the Aadhaar OVSE compliance guidelines is essential; otherwise, an entity can face:
Financial Penalties
An OVSE may face heavy monetary fines, including:
- Fine of up to Rupees 1 Crore per violation
- For continuous compliance violations, Rupees 10 lakh per day
- Compensation will be given to Aadhaar holders
Criminal Liability
In serious cases of data misuse, fraud, or unauthorized access, an OVSE can face:
- Imprisonment of up to 3 years
- Fine up to ₹10,000 (individual) and ₹1 lakh (company)
- Both imprisonment and a fine for a severe case
Regulatory and Administrative Action
Apart from imprisonment and financial penalties, UIDAI can take strong measures such as:
- Suspension of OVSE registration
- Cancellation of authorization
- Blacklisting of the organization
- Permanent ban from Aadhaar verification services
Conclusion
OVSEs conducting offline Aadhaar verification must follow the OVSE Compliance Guidelines. They are made to protect the Aadhaar holder’s privacy and ensure secure identity verification. By following compliance rules, an OVSE can avoid legal risks and reputational damage. Compliance is not optional; it is a responsibility that every entity handling sensitive information should follow. For more information regarding support and compliance, OVSEs can contact [email protected].
FAQs
Ques: What are the penalties for violating compliance rules?
Ans: An entity can face financial penalties, suspension, blacklisting, and imprisonment for non-compliance.
Ques: What should an OVSE do if a data breach occurs?
Ans: If any data breach, misuse, or unauthorized access occurs, OVSE must report it to UIDAI within 72 hours and inform affected users.
Ques: What are OVSE Compliance Guidelines?
Ans: The compliance guidelines include:
- User Consent
- Data Privacy
- No biometric storage
- Digital Signature verification
- Strong Security
- Timely Deletion
- Log Maintenance
- Breach Reporting
Ques: Is OVSE Registration Mandatory for Offline Aadhaar Verification?
Ans: Yes, OVSE registration is mandatory for offline Aadhaar Verification.
Ques: Why are OVSE compliance guidelines important for businesses?
Ans: OVSE compliance helps businesses:
- Avoid legal penalties
- Protect customer information
- Prevent fraud