UIDAI through it’s circular issued on 10th Jan, 2018 announced the introduction of Virtual IDs (VID), UID Token and Limited KYC, as an additional layer of protection to assuage privacy and security concerns about Aadhaar numbers being captured and stored by many public and private sector enterprises.
These radical measures have been designed to address the data security concerns at two levels – one at the point of origination of the e-KYC transaction, and the other at the point of culmination of the transaction.
Data security at the point of origination of the transaction will now be augmented manifolds as the Aadhaar-holder will be able to initiate and complete his e-KYC transaction by giving a pseudo number (Called Virtual ID or VID) and will not be required to share his actual Aadhaar number with the authentication agency if he wishes to do so.
At the point of culmination of the transaction, UIDAI will generate an entity-specific Unique ID (UID) and the same will be shared with the entity (company initiating the e-KYC transaction) instead of the actual Aadhaar number of the customer, unless otherwise specified by the law.
UIDAI has made it mandatory for all authentication agencies (AUAs / KUAs / Sub-AUAs) to fully migrate to the new system by June 1, 2018.
Subsequent to our discussions with many of our AUA / KUA clients following this announcement, we witnessed a lot of ambiguities around these new measures as many are finding it difficult to comprehend the necessary technical and operational changes that need to be implemented in their e-KYC process flows to adhere to the new mandate.
While we are sure that the UIDAI will issue more information in due course of time, as an industry leader in Aadhaar e-KYC ecosystem, we feel morally obliged to address the current set of uncertainties for the benefit of our fellow industry peers as well as our customers.
Before we get down to listing the transaction process flows that needs to be adopted by Global AUAs and Local AUAs, let’s first revisit the basics associated with newly introduced measures:
1. Virtual ID (VID):
A 16-digit temporary number that can be generated by the Aadhaar-holder and which can be used instead of the actual Aadhaar number for e-KYC / Authentication transactions. VID can be generated, retrieved, revoked or replaced through UIDAI’s portal, mobile app, enrolment centres, etc.
2. UID Token:
A 72-character alphanumeric string sent by UIDAI to Authentication Agencies as a response to their authentication requests. The token for a specific Aadhaar number will remain the same for a specific agency but will be different for different agencies. This will enable the agency to use this UID token as a unique customer identifier in their ERP / CRM ecosystem.
3. Limited KYC:
Going forward, the UIDAI will categorize all AUAs / Sub-AUAs in two categories – “Global AUAs” and “Local AUAs”. Agencies that are required by law to use the Aadhaar number in their KYC process will be categorized as “Global AUAs” and ONLY they will have access to full e-KYC (with Aadhaar number) and the ability to store the Aadhaar number in their system. The rest will be categorized as “Local AUAs” and will get UID Tokens for their authentication requests.
Now that we are done with the basics, below is how the authentication transaction process flow will look like:
We sincerely hope that we were able to shed some light on the UIDAI’s new protection measures. In case you have any queries, or want to explore how ECS can help your organisation implement technical changes to your existing e-KYC processes, feel free to call our colleague Amit Joshi on 09820875525 / 07208155528 or email him on amit@eastcs.com.
–
Regards
Team ECS.