Acronym   Description
API
ASA
AUA
CIDR      Central ID Repository
KSA       KYC Service Agency. A valid ASA who has been approved and has signed the agreement to access KYC API through their network.
KUA       KYC User Agency. A valid AUA who has been approved and has signed the agreement to access KYC API.
KYC
OTP
PoA       Proof of Address
PoI       Proof of Identity
UID       Unique Identification
UIDAI
Introduction
Several services in India require residents to prove their identity and address and provide those
documents to the agency before availing a service. This customer identification process is known as
Know Your Customer (KYC) and is prevalent among financial institutions and telcos.
Aadhaar KYC API provides a convenient mechanism for agencies to offer an electronic, paper-less
KYC experience to Aadhaar holders. Using this KYC API, agencies can conduct electronic identity
verification using biometrics/OTP (based on their choice) and obtain a digitally signed (by UIDAI)
electronic identity document for storing within their system in lieu of paper copies. This makes the
entire process extremely simple and cost-effective for customers and agencies.
KYC Service (API that enables purely electronic KYC for Aadhaar holders) is built as an
application layer on top of the core Aadhaar authentication service. This allows UIDAI to provide the
KYC API to enable KSAs to offer a full electronic KYC to end agencies.
e-KYC Requirements
- Need for KYC derives from membership in FATF/ATG for supporting AML/CFT initiatives
- Electronic KYC should have the ability to verify or provide demographic information and photograph
- In order to address data-collection issues, photograph, and ease of use, a KYC architecture is proposed as an application of UIDAI authentication
Planned KYC Framework by Govt
- Entities who take advantage of the electronic KYC (banks, brokerage houses, etc.) are called KUA (KYC User Agency)
- The FM announced the creation of a central KYC repository in his Budget Speech (2012)
- For enabling pure electronic KYC for Aadhaar holders, a 3-tier KYC architecture is proposed comprising KUA -> KSA -> UIDAI
API Architecture
- Build KYC Service (API that enables purely electronic KYC for Aadhaar holders) as an application layer on top of core authentication service
- Bring in the concept of KSAs, quite similar to ASAs in the auth scenario
- UIDAI provides the necessary KYC API to enable KSAs to offer a full electronic KYC to end agencies
- Clear agreement between UIDAI and KSAs for handling data sharing and usage
- License the access to KYC service for KSAs and KUAs, available only through a secure private network
- Since data is downloaded from CIDR, for security and audit reasons, this service should be enabled ONLY for KSAs under explicit data sharing and handling agreement through secure leased line
- Response will have digitally signed demographics data and photo which is encrypted using KSA public key and will also contain auth response as is for audit reasons
- This design will ensure that when authentication gets improved and enhanced (Iris, better accuracy, etc.), this service will automatically inherit those features
- AUA must be a valid KUA (KYC User Agency) with KYC enabled license key
- ASA must be a valid KSA (KYC Registration Agency) with KYC enabled license key
- Txn namespace must be UKC (txn attribute must start with UKC:) for resident auth
- Minimal audit (KUA code, KSA code, Txn Code, KYC Resp Code, KYC Error Code, Res Auth Resp Code, Res Auth Error Code, ver, rc, ra, ts)
- Also audit entire response (before encryption in HBase against the KYC Resp Code)
- Separate BI event for analytics and reporting (Resident RefID, KUA code, KSA code, Txn Code, KYC Resp Code, KYC Error Code, Res Auth Resp Code, Res Auth Error Code, ver, rc, ra, ts, udc, pip, lot, lov)
1. KYC front-end application (depicted as auth device in diagram above) captures Aadhaar number + biometric/OTP of resident and forms the encrypted PID block
2. KUA forms the Auth XML using the PID block, signs it, and uses that to form KYC XML and signs it and sends to KSA
3.
4. Aadhaar KYC service authenticates the resident and if successful responds with digitally signed and encrypted demographic and photograph in XML format
5. Demographic data and photograph in response is encrypted with either KSA or KUA public key as defined in the Aadhaar server (CIDR)
6. KSA sends the response back to KUA enabling paper-less electronic KYC
Note: KSA can also form KYC XML on behalf of KUA. In that case, KSA needs to sign it.
- Validates KUA code and KSA code, and ensures they are valid KUAs/KSAs
- If successful, reads demographic data and photo using getDemographics API (common search API)
- Writes KYC audit (minimal audit details in RDBMS and entire response in HBase) in all cases
- Encrypts the response (with either the KSA or the KUA key) and sends it back
- KYC service is built like an application, layered on top of core auth service
- Data sharing is clearly managed through contracts between UIDAI and KSAs
- KSAs are always ASAs and will sign additional KYC API usage along with ASA contract (not all ASAs are KSAs)
- KUAs are always AUAs and will be approved and enabled through KSA contract (not all AUAs are KUAs)
- Residents have a clear understanding of who did KYC (SMS/Email alerts enabled) for them since KUAs are authenticated and approved entities
API Usage
New customer
New account is created at KUA system based on data retrieved from CIDR
API Input/Output
Input
<Kyc ver="" ts="" ra="" rc="">
    <Rad>base64 encoded fully valid Auth XML for resident</Rad>
    <Signature/>
</Kyc>
Output
<Resp status="">encrypted and base64 encoded KycRes element</Resp>
<KycRes ret="" code="" txn="" err="" ts="">
    <Rar>base64 encoded fully valid Auth response XML for resident</Rar>
    <UidData uid="">
        <Poi name="" dob="" gender="" phone="" email=""/>
        <Poa co="" house="" street="" lm="" loc="" vtc=""
             subdist="" dist="" state="" pc="" po=""/>
        <LData lang="" name="" co="" house="" street="" lm="" loc="" vtc=""
               subdist="" dist="" state="" pc="" po=""/>
        <Pht>base64 encoded JPEG photo of the resident</Pht>
    </UidData>
    <Signature/>
</KycRes>
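The Kyc request envelope and the KycRes response above, sketched as an added Python example (not UIDAI's code): it wraps an Auth XML into Rad after checking the UKC: txn namespace, and parses an already decrypted KycRes before it is stored. The sample messages and attribute values are constructed, the one-attribute Auth element and the err and txn-match checks are assumptions, and XML signing, signature verification and decryption are not shown.

```python
import base64
import xml.etree.ElementTree as ET

TXN_PREFIX = "UKC:"  # page: resident auth txn attribute must start with UKC:

def build_kyc_request(auth_xml, ver, ts, ra, rc):
    """Wrap an already-signed Auth XML in the Kyc envelope (Rad is base64)."""
    txn = ET.fromstring(auth_xml).get("txn", "")
    if not txn.startswith(TXN_PREFIX):
        raise ValueError(f"txn {txn!r} is outside the {TXN_PREFIX} namespace")
    kyc = ET.Element("Kyc", {"ver": ver, "ts": ts, "ra": ra, "rc": rc})
    ET.SubElement(kyc, "Rad").text = base64.b64encode(auth_xml.encode()).decode()
    # The <Signature/> child comes from the KUA/KSA XML signing step (not shown).
    return ET.tostring(kyc, encoding="unicode")

def _attrs(parent, tag):
    el = parent.find(tag)
    return dict(el.attrib) if el is not None else {}

def parse_kyc_response(kycres_xml, expected_txn):
    """Parse a decrypted KycRes; refuse anything that should not be stored."""
    res = ET.fromstring(kycres_xml)
    if res.get("err"):  # assumption: a non-empty err attribute means failure
        raise ValueError(f"KYC failed: {res.get('err')}")
    if res.get("txn") != expected_txn:  # added check: bind response to request
        raise ValueError("txn mismatch between request and response")
    uid, rar = res.find("UidData"), res.find("Rar")
    if uid is None or rar is None or res.find("Signature") is None:
        raise ValueError("KycRes is missing Rar, UidData or Signature")
    # A Signature element being present is not verification; verify it first.
    return {
        "uid": uid.get("uid"),
        "poi": _attrs(uid, "Poi"),
        "poa": _attrs(uid, "Poa"),
        "auth_response": base64.b64decode(rar.text or "").decode(),
        "photo": base64.b64decode(uid.findtext("Pht", "")),
    }

# Constructed sample data (not real messages; Auth is reduced to its txn).
SAMPLE_AUTH = '<Auth txn="UKC:demo-0001"><Signature/></Auth>'
SAMPLE_KYCRES = (
    '<KycRes ret="Y" code="c1" txn="UKC:demo-0001" err="" ts="2024-01-01T10:00:00">'
    "<Rar>" + base64.b64encode(b'<AuthRes ret="y"/>').decode() + "</Rar>"
    '<UidData uid="000000000000"><Poi name="Example Resident" gender="F"/>'
    '<Poa dist="Example District" pc="000000"/>'
    "<Pht>" + base64.b64encode(b"\xff\xd8\xff\xe0jpeg").decode() + "</Pht>"
    "</UidData><Signature/></KycRes>"
)
```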
The KYC API can return the following error codes in the response in case of failure:
Error code   Description
K-100
K-200
K-540
K-541
K-542
K-543
K-544
K-545
K-550
K-551
K-552
K-569
K-570
             Authority)
K-600
K-601
K-602
K-603
K-604
K-999        Unknown error
K-955        Technical error