India’s digital identity landscape: Aadhaar, DigiLocker, and KYC compliance in 2026

India’s Aadhaar system crossed 150 billion cumulative authentication transactions in 2025, making it the most heavily used digital identity infrastructure on the planet according to PIB. For any business onboarding Indian customers, that number is not just a headline. It is the backbone of every eKYC check, every digital document pull, and every regulatory filing your compliance team will touch this year.

Yet most businesses still treat Aadhaar, DigiLocker, and the Central KYC Registry (CKYC) as separate systems. They are not. The three form one connected compliance stack, and the RBI’s August 2025 amendments to its KYC Master Direction tightened how they interact. This article maps the full stack so you know exactly what each layer does, what changed in 2025, and what your onboarding flow needs to handle in 2026.

How Aadhaar powers digital identity verification in India

Aadhaar assigns a unique 12-digit number to each resident, backed by biometric data (fingerprints, iris scans, and a facial photograph) stored with the Unique Identification Authority of India. With 1.44 billion Aadhaar numbers issued, coverage spans virtually the entire population.

The real operational value sits in Aadhaar-based authentication. UIDAI recorded 2.21 billion authentication transactions in August 2025 alone, a 10% year-on-year increase (UIDAI). Businesses can verify a customer’s identity through three channels. OTP-based eKYC sends a one-time password to the Aadhaar-linked mobile number. Biometric eKYC matches a live fingerprint or iris scan against the UIDAI database. Face authentication, the fastest-growing channel, processed over 213 crore cumulative transactions by August 2025.

The cost impact is measurable. The World Bank found that eKYC reduced the cost of customer authentication from approximately $23 per check to $0.15. That drop explains why fintechs, banks, and payment platforms have integrated Aadhaar-based verification into their onboarding flows at scale.

One constraint applies. OTP-based eKYC carries a transaction cap of 1 lakh rupees per year under RBI rules. Only Video Customer Identification Process (V-CIP) achieves face-to-face equivalent status and removes this restriction.

What role does DigiLocker play in KYC compliance?

DigiLocker is India’s government-backed digital document wallet, operated by the Ministry of Electronics and IT under the Digital India programme. The platform reached 676.3 million registered users and over 9.5 billion documents issued as of March 2026.

The platform connects citizens to document issuers (government departments, universities, insurers) and document requesters (banks, fintechs, telecom providers). When a business requests a PAN card, driving licence, or Aadhaar through DigiLocker, it receives a digitally signed document pulled directly from the issuing authority. This eliminates the risk of tampered photocopies and removes manual document handling from the identity verification process.

DigiLocker also feeds into the CKYC pipeline. A customer’s verified documents stored in DigiLocker can be referenced during periodic KYC updates, reducing friction for both the customer and the regulated entity. The documents carry digital signatures from issuing authorities, which means a bank or NBFC receiving a DigiLocker-pulled document does not need to re-verify it against the original source. With APAAR (Automated Permanent Academic Account Registry) now linking student IDs through DigiLocker, the platform’s role in identity verification continues to grow beyond financial services.

CKYC and the RBI’s 2025 KYC Master Direction updates

The Central KYC Records Registry (CKYCRR), managed by CERSAI, serves as India’s single KYC repository. Every regulated entity, from banks to NBFCs to payment aggregators, must upload a customer’s KYC record to CERSAI within three working days of account opening under the Prevention of Money Laundering Act. The registry crossed 1 billion records in 2025.

The RBI’s August 2025 amendments introduced three changes that affect onboarding workflows directly.

First, periodic KYC re-verification timelines are now risk-tiered. High-risk customers require re-verification every 2 years, medium-risk every 8 years, and low-risk every 10 years. All re-verification can be completed digitally from June 2025.

Second, V-CIP (video based customer identification process) sessions now require active deepfake detection. Financial institutions conducting video-based identity verification must detect AI-generated faces, video replays, and 3D mask attacks during live sessions.

Third, CKYCRR 2.0 introduced real-time validation, AI-based de-duplication, and mandatory watermarking of original valid document images with institution code, date, and time. The January 2026 implementation deadline means these requirements are already in force.

What businesses expanding into India need to know

The three systems, Aadhaar, DigiLocker, and CKYC, operate as a connected pipeline rather than independent tools. A typical compliant onboarding flow in 2026 works like this. The customer authenticates via Aadhaar eKYC (OTP or biometric). The business pulls verified documents from DigiLocker. The completed KYC record is uploaded to CKYC within three working days.

If your verification volumes exceed the OTP-based eKYC cap, you will need V-CIP capability with deepfake detection built in. Manual review processes that worked two years ago no longer meet the RBI’s updated standards. Non-compliance penalties under the PMLA can reach up to 1 lakh rupees per day for CKYC upload failures, and the RBI has already issued enforcement actions against several banks and NBFCs for inadequate periodic KYC processes.

For businesses outside India looking to onboard Indian customers remotely, the compliance requirements remain the same. You need Aadhaar-based authentication capability, DigiLocker integration for document pulls, CKYC upload workflows, and V-CIP readiness if you plan to operate above the OTP transaction cap.

The pace of India’s digital identity adoption shows no sign of slowing. The IMF recognised India’s digital public infrastructure as a leading global model in its 2025 assessment, and UPI alone processed 21.70 billion transactions in January 2026. Businesses that build their verification stack around this infrastructure now will avoid costly retrofits when the next round of regulatory updates arrives.

Without automated eKYC, your team faces slower conversions, higher drop-off rates, and compliance gaps that Indian regulators are actively penalising. Shufti’s eIDV and KYC verification solutions support Aadhaar-based authentication and database checks across 230+ countries, completing verification in under 15 seconds. Request a demo to see how the full onboarding flow works with your volumes.