Aadhaar e-KYC API Architecture

Introduction:

In India,customer needs to submit identity & address documents to several agencies to get the work done & this process of customer identification is known as KYC (Know Your Customer)

Aadhaar KYC API(Application Program Interface) eliminates complex,time consuming operations and provides agencies an electronic, paper-less KYC experience.

by Using KYC(Know Your Customer) API, agencies can carry electronic identity verification using biometrics/OTP -One Time Password (based on their choice) and obtain a digitally signed (by UIDAI) electronic identity document for storing within their system. This makes entire process simpler and cost effective for both customers and agencies.

e-KYC API Architecture :

Build KYC Service (API that enables purely electronic KYC for Aadhaar holders) as an “application” layer on top of core authentication service
Bring the concept of KSAs(KYC Service Agency) quite similar to ASAs in the auth scenario
KSAs offer the actual KYC service under regulation.
UIDAI(The Unique Identification Authority of India) provide necessary KYC API to “enable KSAs” to offer a full electronic KYC to end agencies
Clear agreement between UIDAI and KSAs for handling data sharing and usage
“License” the access to KYC service for KSAs and KUAs and available only through secure private network
KUAs(KYC User Agency) similar to AUAs(Authentication User Agency). specially licensed to access KYC API
Auth is implicit within the API
Since data is downloaded from CIDR(Central ID Repository), for security and audit reasons, this service should be enabled ONLY for KSAs under explicit data sharing and handling agreement through secure leased line
Residents should always have an option to opt-out this if they wish to do so
Biometric /OTP auth is mandatory(explicit validation on “uses” element)
Same security features as in auth (license key, encryption, audit, etc.)
Response will have digitally signed demographics data and photo which is encrypted using KSA public key and will also contain auth response as is for audit reasons
This design will ensure that when authentication gets improved and enhanced (Iris, better accuracy, etc), this service will automatically inherit those features
KYC API is a wrapper over Auth API
AUA must be a valid KUA (KYC User Agency) with KYC enabled license key
ASA must be a valid KSA (KYC Registration Agency) with KYC enabled license key
Uses element must have bio=“y” or otp=“y”
Txn namespace must be “UKC” (“txn” attribute must start with “UKC:”) for resident auth
Minimal audit (KUA code, KSA code, Txn Code, KYC Resp Code, KYC Error Code, Res Auth Resp Code, Res Auth Error Code, ver, rc, ra, ts).
Also audit entire response (before encryption in Hbase against the KYC Resp Code)
Separate BI event for analytics and reporting (Resident RefID, KUA code, KSA code, Txn Code, KYC Resp Code, KYC Error Code, Res Auth Resp Code, Res Auth Error Code, ver, rc, ra, ts, udc, pip, lot, lov).