Adoption of DSC/e-Sign/EVC for e-Filing in GST to Eliminate any Need for Paper based

Acknowledgement System

1. Introduction

All filings under Goods and Service Tax will be electronic. To ensure non-repudiation, these
need to be digitally signed by the authorized signatory of the taxpayer. Use of Digital
Signature Certificate (DSC) has been recommended to be mandatory for all taxpayers who
are mandated to use the same under any other Act. Thus all Companies will have to use DSC
for signing the return or invoice information etc. as they have to file all documents with
MCA online using DSC. However, the business process document allows filing of papers
based reports in few cases as enumerated below:

1. Acknowledgement of registration application

2. Acknowledgement of filing of return like ITR-V of Income Tax

This was suggested by the Committee on the ground that small taxpayers may face difficulty
in getting the DSC especially in small places. Also, poor Internet connectivity in semi-urban
and rural areas was cited as another reason for this concession.

2. Law and Current Practices on Authentication of Electronic Records

2.1 Digital Signature Certificate

Information Technology Act, 2000 grants legal recognition to electronic records and
electronic signatures. IT Act,2000 provides that where any law requires that information or
any other matter shall be authenticated by affixing signature then notwithstanding anything
contained in the law, such requirement shall be deemed to be fulfilled if such information is
authenticated by means of electronic signatures affixed in a manner prescribed by the Central
Government. Under the IT Act, 2000, Electronic signatures means authentication of an
electronic record by a subscriber by means of electronic technique specified in second
schedule and includes Digital signatures. Digital Signature means authentication of any
electronic record by a subscriber by means of procedure specified in Section 3 of the IT Act,
2000. More information on Digital Signature Certificate is given at Annexure-2.

1
2.2 eSign: e-authentication technique using Aadhaar e-KYC services

The Government has introduced Electronic Signature or Electronic Authentication

Technique and Procedure Rules, 2015 in which the technique known as e-authentication
technique using Aadhaar e-KYC services has been introduced to eliminate stumbling block
in the widespread usage of Digital Signature. This service is termed as eSign Service.
eSign facilitates digitally signing a document by an Aadhaar holder using an Online Service.
eSign is designed for applying Digital Signature using authentication of signer through
Aadhaar e-KYC service. This is an integrated service which facilitates issuing a Digital
Signature Certificate and performing Signing of requested data by authenticating the Aadhaar
holder. Aadhaar ID is mandatory for availing the eSign Service.

2.2.1 Expected Benefits of eSign

i. Easy and secure way to digitally sign information anywhere, anytime eSign is an
online service that offers functionality to authenticate signers and perform the digital
signing of documents using Aadhaar e-KYC service. Hardware tokens are not required
to be used.

ii. Facilitates legally valid signatures eSign process involves consumer consent, Digital
Signature Certificate generation, Digital Signature creation & affixing and Digital
Signature Certificate acceptance in accordance with the provisions of the Information
Technology (IT) Act, 2000. Comprehensive digital audit trail - in-built to confirm the
validity of transactions is also preserved.

iii. Flexible and easy to implement - eSign provides configurable authentication options
in line with Aadhaar e-KYC service and also records the Aadhaar ID used to verify the
identity of the signer. The authentication options for eKYC include biometric
(fingerprint or iris scan) or OTP (through the registered mobile in the Aadhaar
database). eSign enables millions of Aadhaar holders easy access to legally valid Digital
Signature service.

2
 iv. Respecting privacy - eSign ensures the privacy of the signer by requiring that only the
thumbprint (hash) of the document be submitted for signature function instead of the
whole document.

v. Secure online service - The eSign Service is governed by e-authentication guidelines.

While authentication of the signer is carried out using Aadhaar e-KYC services, the
signature on the document is carried out on a backend server of the e-Sign provider.
eSign services are offered by trusted third party service provider, currently Certifying
Authorities (CA) licensed under the IT Act. To enhance security and prevent misuse,
Aadhaar holders private keys are created on Hardware Security Module (HSM) and
destroyed immediately after one time use.

More details on eSign are at Annexure-3. Comparison of DSC and eSign are at Annexure-4.

2.3 Paperless e-filing via Electronic Verification Code (EVC)

After the Committee on Business Processes under GST submitted its report, the Central
Board of Direct Taxes (CBDT) issued detailed procedures to enable Paperless e-filing via
Electronic Verification Code (EVC) vide Notification No. 2/2015 of Directorate of Income
Tax (Systems) dated 13th July 2015 (annexure-1). This is in addition to use of DSC and eSign
for signing online return under Income Tax Act. The EVC mechanism is meant to verify the
identity of the person furnishing the return of income (called the verifier) thus obviating
need of paper based acknowledgment, handling of which is a major task. Generation of EVC
can be done using Net Banking, Aadhaar based authentication using OTP, ATM generated
OTP and registered email/mobile number.

The EVC does not stand in the same category as DSC, however, mechanisms identified in
this notification are worth consideration for adoption under GST, especially for smaller
taxpayers. The highlights of the EVC system are given below:

2.3.1 Features of EVC

i. EVC is a 10 digit alpha numeric code which is unique for each Permanent Account
Number (PAN), and is generated for the purpose of electronic verification of the
person in the e-filing website. Small taxpayers are generally do not have presence

3
 in more than one state and hence a GSTIN holder can avail this facility as GSTIN is
based on PAN and EVC is unique for each PAN. Those having registration in more
than one State or having multiple units registered in a State under the same PAN
cannot use EVC.
ii. Each EVC can be used to validate only a single return of the taxpayer, irrespective
of the year or return filing.
iii. Generally, an EVC is valid for 72 hours.

2.3.2 Modes of Generation of EVC

The EVC generation process under Income Tax varies depending on the risk category of
the taxpayer, method of accessing the e-filing website or interface with third party
authenticating entity (like banking institutions). The various methods to generate the EVC
are detailed hereunder.

i. Netbanking - Several banks have registered with the income-tax department and
provide direct access to the e-filing website to a verifier through their internet
banking facility. Only those taxpayers would be able to use this facility whose bank
accounts as primary account holders have a validated PAN (which is the tax
registration number) provided as part of the Know Your Clients (KYC) norms of
the banks. After logging into their online bank account, the account holder can
choose to be redirected to the e-filing website, where an EVC can be generated. The
EVC will be displayed on the screen and also sent to the mobile number registered
with e-filing website, which can then be used to verify the return.

ii. Aadhaar authentication using Aadhaar One Time Password (Aadhaar OTP) A
verifier can provide his Aadhaar number for linking with his PAN on the e-filing
website which will be verified on the basis of his name, date of birth and gender as
per PAN database with similar data available under his Aadhaar with UIDAI. If the
Aadhaar authentication in this manner is successful, the Verifiers Aadhaar will be
linked to his PAN. Thereafter, an OTP will be generated by UIDAI and sent to the
Verifiers mobile number registered with UIDAI. This Aadhaar OTP will be the
EVC generated under this Aadhaar authentication and OTP mode and can be used
to verify the Assessees Income Tax return.

4
 iii. Automated Teller Machine (ATM) - A verifier can generate an EVC through this
mode if the verifiers bank is registered with the income-tax department. Either a
Debit/ Credit card can be used for generation of EVC. This mode can be used only
at ATMs of registered banks, where the option to generate an EVC will be made
available. Upon selecting this option on the ATM screen, the bank will
communicate this request to the e-filing website, which will generate the EVC and
send it to the taxpayers mobile number registered with the e-filing website. This
EVC can then be used to verify the return.

iv. Registered email and mobile number A verifier can use the e-filing website to
generate an EVC, which will be sent to the registered email id and mobile number
of the taxpayer as updated by the verifier on his on-line account on the e-filing
website. This mode, however, is only available to those whose total income is INR
0.5 million or below and there is no refund claim. This option may further be
restricted to taxpayers based on other risk criteria that may be determined from time
to time.

3 Case for e-filing using DSC/eSign/EVC in GST

The EVC mode has been adopted by more than 40 lakhs taxpayers under Income Tax for
filing returns after July 2015 notification. The Certifying Authority under Department of
Electronics and IT has notified two agencies as providers of eSign in India. These modes, if
adopted, will ensure 100% electronic filing under GST, which is the ultimate aim.
Elimination of paper based acknowledgement will eliminate manual system of paper
collection, categorization which is not only time consuming but also expensive. Secondly, if
paper based acknowledgement does not reach the CPC, the return or the application for
registration will be declared invalid. Unlike Income Tax where only one return is filed in a
year, GST is going to have 12 monthly returns or 4 quarterly returns apart from one annual
return. Thus paper based acknowledgement system handling will be more difficult to handle
under GST.

Keeping in view above mentioned new modes added by Income Tax department, following
suggestions are made for consideration of the Empowered Committee of Finance Ministers:

5
 3.1 Mandatory Use of Digital Signature Certificate: All companies and LLPs are
mandated to use Digital Signature Certificate (DSC) as per the Companies Act. Hence for
them use of DSC should be mandatory under GST. Others are also welcome to use DSC.

3.2 Use of eSign: Taxpayers other than those registered under Companies Act, that dont
have a DSC (significant in numbers) may use the eSign Service for the purpose of digitally
signing the documents under GST. Currently CDAC and e-Mudra are two eSign providers
approved by CCA, Government of India.

Note:

i. Taxpayers having all Indian turnover of Rs 1.5 Crores and above will have to use
either DSC or eSign. (The turnover limit has been suggested keeping in view the
limit prescribed for writing of HSN as mandatory)
ii. Those seeking refund will have to use either DSC or eSign.
iii. Those having operations in more than one State (one PAN with multiple GSTIN)
will have to use DSC or eSign

3.3 Use of EVC: EVC as implemented by CBDT can also be provided to taxpayers having
annual turnover below Rs 1.5 Crores as per details given below:

i. EVC using Net-Banking/ATM/Credit Card: For taxpayers having annual turnover

below Rs 1.5 Crores and not seeking refund.
ii. EVC using pre-registered email and mobile number: For taxpayers having annual
turnover upto Rs 5 lakhs (or any other limit fixed under the law) and no claim of
refund. The taxpayer with annual turnover upto Rs 5 lakhs (or any other limit fixed
under the law) can also use Net-Banking/ATM/Credit Card.

By enabling e-filing in GST through e-Sign/ EVC, all types of user groups that need to sign
documents on GSTN system would get covered, obviating the need for paper based summary
sheet or acknowledgement for those who are unable to obtain DSC. It would also help in
overcoming other challenges associated with paper based filing such as:

Cost associated with paper handling (setting up CPC) that would have an impact on
the per transaction cost and has not been included in the total project cost presently.

6
 Cost associated with sending acknowledgement to Central Processing Centre (CPC) to
be incurred by the taxpayer (if sent by Speed-Post it will lead to saving of Rs 650 (13
returns X Rs 50).
Retrieval of paper is time consuming
Environment non-friendly exercise

3.4 Who can sign using DSC/eSign/EVC?

Sl No Constitution Who can sign

1 Proprietor
2 Partnership
3 HUF
4 Company/LLP
5 Trust registration
6 Association of
persons
7 Club, Society
8 Local authority
9 Statutory Body
10 Government
department
Proprietor
Managing partner
Karta
Authorized Signatories , duly authorized by
the Board of the Company/LLP
Managing trustee
Authorized Signatories , duly authorized by
the management committee
Authorized Signatories
Authorized Signatories
Authorized Signatories

7
Annexure-1

Notification of CBDT No. 2/2015 of CBDT, Directorate of Income Tax (Systems) dated 13th
July 2015 on Electronic Verification Code (EVC)

8
9
10
 Annexure-2

Digital Signature Certificate

The Controller of Certifying Authorities (CCA) exercises supervision over activities of

Certifying Authorities (CA) and certifies public keys of certifying authorities. The Certifying
Authorities are granted license under the IT Act, 2000 by the Controller to issue Digital
Signature Certificates.

Any person can make an application to Certifying Authority for issue of an Electronic
signature Certificate in such form as may be prescribed by the Central Government. For
issuance of Digital Signature Certificates, the applicants Personal identity, address and other
details to be included in the DSC need to be verified by CAs against an identity document.
For class III, physical presence of the individual is also required. Digital signatures are
widely used for authentication in the electronic environment. The cost of verification of
individuals identity and address and also the secure storage of private keys are the
stumbling block in the widespread usage of Digital Signature in the electronic
environment.

X.509 Certificate Policy for India PKI states that the certificates will confirm that the
information in the application provided by the subscriber does not conflict with the
information in well-recognized consumer databases. The database of individuals
information maintained by Unique Identification Authority of India (UIDAI) is deemed
as authentic information by Government.

The Unique Identification Authority of India (UIDAI) has been established with the mandate
of providing a Unique Identification Number (Aadhaar Number) to all residents of India.
During enrolment, the following data is collected:

1) Demographic details such as the name of the resident, address, date of birth, and gender;

2) Biometric details such as the fingerprints, iris scans, and photograph; and

3) Optional fields for communication of such as the mobile number and email address.

11
The UIDAI offers an authentication service that makes it possible for residents to
authenticate their identity biometrically through presentation of their fingerprints or non-
biometrically using a One Time Password (OTP) sent to the registered mobile phone or e-
mail address.

Verification of the Proof of Identity (PoI) and Proof of Address (PoA) is a pre-requisite
for issuance of Digital Signature Certificates by Certifying Authorities. As part of the e-
KYC process, the resident authorizes UIDAI (through Aadhaar authentication using either
biometric/OTP) to provide their demographic data along with their photograph (digitally
signed and encrypted) to service providers.

Service providers can provide a paperless KYC experience by using e-KYC and avoid the
cost of repeated KYC, the cost of paper handling and storage, and the risk of forged
documents. The real-time e-KYC service makes it possible for service providers to provide
instant service delivery to residents, which otherwise would have taken a few days for
activation based on the verification of KYC documents, digitization, etc.

12
 Annexure-3

Stakeholders in eSign Ecosystem

Application Service Provider (ASP): An organization or an entity using eSign service

as part of their application to digitally sign the content. Examples include Government
Departments, Banks and other public or private organizations. Currently there is no
process of registration of ASP. ASP may contact the ESP (eSign Service Provider)
directly to avail the service within its framework.

Subscriber: An Individual using the application of ASP and represents himself/herself

for signing the document under the legal framework. For the purposes of KYC with
UIDAI, the end-user shall also be the resident holding the AADHAAR number. For
the purposes of DSC by the CA, the end-user shall also be the applicant/subscriber for
digital certificate, under the scope of IT Act.

eSign Service Provider (ESP): An organization or an entity providing eSign service.

ESP is a Trusted Third Party, as per the definitions of Second Schedule of Information
Technology Act. ESP must be a registered KYC User Agency (KUA) with UIDAI. ESP
will facilitate subscribers key pair-generation, storing of key pairs on hardware security
module and creation of digital signature. ESP can be a Licensed Certifying Authority
(CA), by themselves, or must be having an arrangement / integration with a CA for the
purpose of obtaining Signature Certificate for the generated Key-pair.

Certifying Authority (CA): An organization or an entity licensed under CCA for

issuance of Digital Certificate and carrying out allied CA operations.

UIDAI: An authority established by Government of India to provide unique identity to

all Indian residents. It also runs the eKYC authentication service for the registered KYC
User Agency (KUA).

Controller of Certifying Authorities (CCA): The IT Act provides for the Controller of
Certifying Authorities (CCA) to license and regulate the working of Certifying

13
 Authorities in compliance with the provisions of the Act. Certifying Authorities (CAs)
issue Digital Signature Certificates for authentication of users in cyberspace. CCA is
appointed under the IT Act to promote the use of Electronic Signatures in the Country.

eSign Operating Model Overview

When a subscriber needs to sign a document using the application of an ASP, following
will be the process:

(1) Subscriber requests ASP for Digital Signature

(2) ASP sends eSign request packet to ESP after verifying subscribers identity through
Aadhaar ID and Biometrics/ OTP
(3) ESP sends eKYC request to UIDAI
(4) UIDAI sends eKYC response to ESP
(5) ESP generates Key Pair on Hardware Security Module (HSM)
(6) ESP generates application form
(7) ESP sends Certificate signing request to Certifying Authority
(8) Certifying Authority issues Digital Signature Certificate to ESP
(9) ESP forwards DSC & Signature to ASP
(10) ASP attaches signature to the document

14
 Annexure-4

Comparison of existing DSC and envisaged eSign processes

DSC Process eSign Process

Stakeholders DSC Holders Aadhaar Holders

Relying Parties Application Service Providers

Registration Authorities eSign Service Provider(ESP)

(RA)

Certifying Authorities Certifying Authorities

UIDAI (already has verified PoI, PoA data)

Activities DSC applicant submit Application user through ASP submits

application document hash, Aadhaar number and OTP or
Biometric and consent for ESP to generate
keys, submit request for DSC CA, and also
to generate digital signature

RA verify (one time ESP facilitates invoking eKYC request to

verification PoA, PoI) UIDAIs Central Identity Data Repository
(CIDR)

RA issue Hardware crypto ESP facilitates generation of key pair and

Token submits application form.

DSC applicant generate ESP facilitates submission of request for

key DSC to CA

DSC applicant submit CA issues the DSC to ESP

request for DSC to CA

CA issue the DSC to ESP facilitates generation of digital signature

applicant and sends along with DSC to ASP

15
Highlights DSC issuance and Integrated Digital signature and DSC
applying digital signature issuance based on Aadhaar authentication
is independent process

Obtain DSC one time and Each time for digital signature, new DSC is
use unlimited time till the issued. DSC is of 30 minutes validity only.
validity of DSC

CRL verification No CRL verification

DSC subscriber uses Digital Signature integration is easy for user

software tool to apply and ASP.
digital signature

Safe custody of DSC On-demand basis digital signature

hardware token is with generation, no hardware token handling
user

Costly - Subscription is for Cheaper One time use charge

the validity period

16