Source: http://developer.uidai.gov.

in/site/book/export/html/41

Aadhaar e-KYC Basics

Disclaimer: This book is under construction. The information present could be incomplete.

Definitions, Abbreviation and Acronyms

The terms in use in the document are explained below

Acronym

Description

API

Application Program Interface

ASA

Authentication Service Agency. An organization or an entity providing secure leased

line connectivity to UIDAIs data centres for transmitting authentication requests
from various AUAs.

AUA

Authentication User Agency. An organization or an entity using Aadhaar

authentication as part of its applications to provide services to residents. Example:
Bank

CIDR

Central ID Repository

KSA

KYC Service Agency. Avalid ASA who has been approved and has signed the
agreement to access KYC API through their network.

KUA

KYC User Agency. A valid AUA who has been approved and has signed the
agreement to access KYC API.

KYC

Know Your Customer

OTP

One Time Password

PoA

Proof of Address

PoI

Proof of Identity

UID

Unique Identification

UIDAI

Unique Identification Authority of India

Introduction
Several services in India require residents to prove their identity and address and provide those
documents to the agency before availing a service. This customer identification process is known as
Know Your Customer (KYC) and is prevalent among financial institutions and telcos.
Aadhaar KYC API provides a convenient mechanism for agencies to offer an electronic, paper-less
KYC experience to Aadhaar holders. Using this KYC API, agencies can conduct electronic identity
verification using biometrics/OTP (based on their choice) and obtain a digitally signed (by UIDAI)
electronic identity document for storing within their system in lieu of paper copies. This makes the
entire process extremely simple for customers and agencies and cost effective.
KYC Service (API that enables purely electronic KYC for Aadhaar holders) is built as an
application layer on top of core Aadhaar authentication service. This allows UIDAI provide KYC
API to enable KSAs to offer a full electronic KYC to end agencies.
e-KYC Requirements

Need for KYC derives from membership in FATF/ATG for supporting AML/CFT
initiatives

PMLA enacted in India along with KYC rules

Basel III framework also requires banks to perform KYC

A Government-issued photo IDis required for KYC

Electronic KYC should have the ability to verify or provide demographic information
and photograph

Current UIDAI authentication provides capability to verify collected demographic and

biometric data


In order to address data-collection issues, photograph, and ease of use, a KYC
architecture is proposed as an application of UIDAI authentication
Planned KYC Framework by Govt

SEBI has defined the concept of a KRA (KYC Registration Agency)

Entities who take advantage of the electronic KYC (banks, brokerage houses, etc) are
called KUA (KYC User Agency)

Other regulators contemplating the use of KRAs

The FM announced the creation of a central KYC repository in his Budget Speech
(2012)

For enabling pure electronic KYC for Aadhaar holders, a 3-tier KYC architecture is
proposed comprising of KUA --> KSA -> UIDAI

API Architecture

Build KYC Service (API that enables purely electronic KYC for Aadhaar holders) as an
application layer on top of core authentication service

Bring the concept of KSAs quite similar to ASAs in the auth scenario

KSAs offer the actual KYC service under regulation.

UIDAI provide necessary KYC API to enable KSAs to offer a full electronic KYC to
end agencies

Clear agreement between UIDAI and KSAs for handling data sharing and usage

License the access to KYC service for KSAs and KUAs and available only through
secure private network

KUAs similar to AUAs specially licensed to access KYC API

Auth is implicit within the API

Since data is downloaded from CIDR, for security and audit reasons, this service should
be enabled ONLY for KSAs under explicit data sharing and handling agreement through
secure leased line

Residents should always have an option to opt-out this if they wish to do so

Bio/Otp auth is mandatory(explicit validation on uses element)

Same security features as in auth (license key, encryption, audit, etc.)

Response will have digitally signed demographics data and photo which is encrypted
using KSA public key and will also contain auth response as is for audit reasons

This design will ensure that when authentication gets improved and enhanced (Iris,
better accuracy, etc), this service will automatically inherit those features

KYC API is a wrapper over Auth API

AUA must be a valid KUA (KYC User Agency) with KYC enabled license key

ASA must be a valid KSA (KYC Registration Agency) with KYC enabled license key

Uses element must have bio=y or otp=y

Txn namespace must be UKC (txn attribute must start with UKC:) for resident
auth

Minimal audit (KUA code, KSA code, Txn Code, KYC Resp Code, KYC Error Code,
Res Auth Resp Code, Res Auth Error Code, ver, rc, ra, ts).

Also audit entire response (before encryption in Hbase against the KYC Resp Code)

Separate BI event for analytics and reporting (Resident RefID, KUA code, KSA code,
Txn Code, KYC Resp Code, KYC Error Code, Res Auth Resp Code, Res Auth Error Code,
ver, rc, ra, ts, udc, pip, lot, lov)

API Data Flow and High Level Logic

The data flow of a typical KYC API call from left to right and back is as follows:

1.
KYC front-end application (depicted as auth device in diagram above) captures Aadhaar
number + biometric/OTP of resident and forms the encrypted PID block
2.
KUA forms the Auth XML using the PID block, signs it, and uses that to form KYC XML
and signs it and sends to KSA
3.

KSA forwards the KYC XML to Aadhaar KYC API

4. Aadhaar KYC service authenticates the resident and if successful responds with digitally
signed and encrypted demographic and photograph in XML format
5.
Demographic data and photograph in response is encrypted with either KSA or KUA
public key as defined in the Aadhaar server (CIDR)
6.

KSA sends the response back to KUA enabling paper-less electronic KYC

Note:KSA can also form KYC XML on behalf of KUA. In that case, KSA needs to sign it.

High Level API Logic

Validate XML structure

Validates KUA code, KSA code, and ensure they are valid KUAs/KSAs

Validates KUA/KSA signature

Validates that txn namespace and rc

Validates bio/otp flag to ensure it is y

Invokes authentication service

Validates ra attribute and ensures it matches info of Auth response

If successful, reads demographic data and photo using getDemographics API (common
search API)

Create response XML and sign it

Write KYC audit (minimal audit details in RDBMS and entire response in HBase) in all
cases

Encrypt the response (either with KSA/KUA key) and sends back

Send notification to resident

Benefits of the Architecture

Allows authentication to be a pure play service and keep it independent with a pure
yes/no response

KYC service is built like an application, layered on top of core auth service

UIDAI acts as an enabler by issuing a digitally signed Govt issued photo ID in

electronic form for KSAs/KUAs supporting paper-less KYC schemes for Aadhaar holders

Data sharing is clearly managed through contracts between UIDAI and KSAs

KSAs are always ASAsand will sign additional KYC API usage along with ASA
contract (all ASAs are not KSAs)

KUAs are always AUAsand will be approved and enabled through KSA contract(all
AUAs are not KUAs)

Residents have clear understanding of who did KYC (SMS/Email alerts enabled) for
them since KUAs are authenticated and approved entities

Residents have an opt-in/opt-out scheme if they wishes to do so since KYC service is

a separate service from auth

API Usage
New customer

Resident comes to agency to get a service

KUA operator initiates KYC API using a front-end application (micro-atm/desktop/etc)

KYC data is returned after successful authentication

KUA stores electronic, UIDAI singed, data in their database

New account is created at KUA system based on data retrieved from CIDR

No paper trail maintained

Existing customer (linking scenario)

Resident comes to agency to get a service

KUA operator initiates KYC API using a front-end application (micro-atm/desktop/etc)

KYC data is returned after successful authentication

KUA stores electronic, UIDAI singed, data in their database

Manual workflow compares existing KYC data (electronic/paper) against data is

retrieved from CIDR

Once approved, links the Aadhaar to account

No additional paper trail maintained

API Input/Output
Input
<Kyc ver= ts= ra= rc=>
<Rad>base64 encoded fully valid Auth XML for resident</Rad>
<Signature/>
</Kyc>

Output
<Resp status=>encrypted and base64 encoded KycRes element</Resp>
<KycRes ret= code= txn= err= ts=>
<Rar>base64 encoded fully valid Auth response XML for resident</Rar>
<UidData uid=>
<Poi name= dob= gender= phone= email=/>
<Poa co= house= street= lm= loc= vtc=
subdist= dist= state= pc= po=/>
<LData lang= name= co= house= street= lm= loc= vtc=
subdist= dist= state= pc= po=/>
<Pht>base64 encoded JPEG photo of the resident</Pht>
</UidData>
<Signature />
</KycRes>

Error Codes and Description

KYC API can return following error codes in the response in case of failures:
Error code

Description

K-100

Resident authentication failed

K-200

Resident data currently not available

K-540

Invalid KYC XML

K-541

Invalid KYC API version

K-542

Invalid resident consent (rc attribute in Kyc

element)

K-543

Invalid timestamp (ts attribute in Kyc element)

K-544

Invalid resident auth type (ra attribute in Kyc

element)

K-545

Resident has opted out of this service

K-550

Invalid Uses element attributes must have either

bio or otp enabled for resident authentication

K-551

Invalid Txn namespace (should be UKC)

K-552

Invalid license key

K-569

Digital signature verification failed for KYC XML

(means that authentication request XML was
modified after it was signed)

K-570

Invalid key info in digital signature for KYC XML

(it is either expired, or does not belong to the KUA
or is not created by a well known Certification

Authority)

K-600

AUA is invalid or not an authorized KUA

K-601

ASA is invalid or not an authorized KSA

K-602

KUA encryption key not available

K-603

KSA encryption key not available

K-604

KSA not allowed to sign

K-999

Unknown error

K-955

Technical error